此内容没有您所选择的语言版本。
2.2.7.5. Configuring Postfix to Use SASL
The Red Hat Enterprise Linux version of Postfix can use the Dovecot or Cyrus
SASL
implementations for SMTP Authentication (or SMTP AUTH). SMTP Authentication is an extension of the Simple Mail Transfer Protocol
. When enabled, SMTP
clients are required to authenticate to the SMTP
server using an authentication method supported and accepted by both the server and the client. This section describes how to configure Postfix to make use of the Dovecot SASL
implementation.
To install the Dovecot
POP
/IMAP
server, and thus make the Dovecot SASL
implementation available on your system, issue the following command as the root
user:
~]# yum install dovecot
The Postfix
SMTP
server can communicate with the Dovecot SASL
implementation using either a UNIX-domain socket or a TCP socket. The latter method is only needed in case the Postfix and Dovecot applications are running on separate machines. This guide gives preference to the UNIX-domain socket method, which affords better privacy.
In order to instruct Postfix to use the Dovecot
SASL
implementation, a number of configuration changes need to be performed for both applications. Follow the procedures below to effect these changes.
Setting Up Dovecot
- Modify the main Dovecot configuration file,
/etc/dovecot/conf.d/10-master.conf
, to include the following lines (the default configuration file already includes most of the relevant section, and the lines just need to be uncommented):service auth { unix_listener /var/spool/postfix/private/auth { mode = 0660 user = postfix group = postfix } }
The above example assumes the use of UNIX-domain sockets for communication between Postfix and Dovecot. It also assumes default settings of the PostfixSMTP
server, which include the mail queue located in the/var/spool/postfix/
directory, and the application running under thepostfix
user and group. In this way, read and write permissions are limited to thepostfix
user and group.Alternatively, you can use the following configuration to set up Dovecot to listen for Postfix authentication requests viaTCP
:service auth { inet_listener { port = 12345 } }
In the above example, replace12345
with the number of the port you want to use. - Edit the
/etc/dovecot/conf.d/10-auth.conf
configuration file to instruct Dovecot to provide the PostfixSMTP
server with theplain
andlogin
authentication mechanisms:auth_mechanisms = plain login
Setting Up Postfix
In the case of Postfix, only the main configuration file,
/etc/postfix/main.cf
, needs to be modified. Add or edit the following configuration directives:
- Enable SMTP Authentication in the Postfix
SMTP
server:smtpd_sasl_auth_enable = yes
- Instruct Postfix to use the Dovecot
SASL
implementation for SMTP Authentication:smtpd_sasl_type = dovecot
- Provide the authentication path relative to the Postfix queue directory (note that the use of a relative path ensures that the configuration works regardless of whether the Postfix server runs in a chroot or not):
smtpd_sasl_path = private/auth
This step assumes that you want to use UNIX-domain sockets for communication between Postfix and Dovecot. To configure Postfix to look for Dovecot on a different machine in case you useTCP
sockets for communication, use configuration values similar to the following:smtpd_sasl_path = inet:127.0.0.1:12345
In the above example,127.0.0.1
needs to be substituted by theIP
address of the Dovecot machine and12345
by the port specified in Dovecot's/etc/dovecot/conf.d/10-master.conf
configuration file. - Specify
SASL
mechanisms that the PostfixSMTP
server makes available to clients. Note that different mechanisms can be specified for encrypted and unencrypted sessions.smtpd_sasl_security_options = noanonymous, noplaintext smtpd_sasl_tls_security_options = noanonymous
The above example specifies that during unencrypted sessions, no anonymous authentication is allowed and no mechanisms that transmit unencrypted usernames or passwords are allowed. For encrypted sessions (usingTLS
), only non-anonymous authentication mechanisms are allowed.See http://www.postfix.org/SASL_README.html#smtpd_sasl_security_options for a list of all supported policies for limiting allowedSASL
mechanisms.
Additional Resources
The following online resources provide additional information useful for configuring Postfix SMTP Authentication through
SASL
.
- http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL — Contains information on how to set up Postfix to use the Dovecot
SASL
implementation for SMTP Authentication. - http://www.postfix.org/SASL_README.html#server_sasl — Contains information on how to set up Postfix to use either the Dovecot or Cyrus
SASL
implementations for SMTP Authentication.