Before we can configure Postfix to allow relaying of mail for authenticated users, we first have to configure the authentication mechanism we shall be using. The Postfix daemon does not perform any authentication itself; instead it uses the Cyrus SASL (Simple Authentication and Security Layer) libraries provided by the dev-libs/cyrus-sasl package, which was automatically installed as a dependency.
As usual, the dev-libs/cyrus-sasl package installed an example configuration file in place of a usable one, so our first task is to move the existing configuration file to another location (so that it is still available should we wish to examine it later) and open a new, blank configuration file which we can fill with our own settings. The commands below can be used to perform these tasks.
Once we have an empty configuration file open, we can configure the connection between the Cyrus SASL library and the PostgreSQL database we are using to store our account details. As you can see from the configuration example below, only three settings are required.
The first line in our configuration file specifies the method that the Cyrus SASL library should use to perform authentication. As you can see from the example, we are using the authdaemond method. This method allows authentication to be performed by the authentication daemon we have already configured for use with Courier in the Providing access to stored mail using POP and IMAP section of this document.
The second line indicates which authentication methods the Postfix daemon will offer to clients. In our example we have specified the PLAIN and LOGIN methods. As both of these methods send passwords over the network in clear text, it is important to follow the instructions in the Using SSL/TLS with Postfix SMTP and Courier POP3/IMAP section of this guide.
The third line in our configuration file simply provides the path to the socket to be used when communicating with the Courier authentication daemon.
pwcheck_method: authdaemond
mech_list: PLAIN LOGIN
authdaemond_path: /var/lib/courier/authdaemon/socket
With the Cyrus SASL library configured to read authentication data from our database, we are now ready to configure the Postfix daemon to use the Cyrus SASL library to authenticate our users. To do this we need to add the following block of settings to the configuration file we have already created for the Postfix daemon.
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination
The effects of the configuration settings in the above example are all fairly obvious. The first line enables SASL authentication. The second line disables anonymous login as an acceptable form of identification. The third line enables support for some email clients whose SASL authentication implementation is broken. The final line changes the default relay restrictions, which are usually just reject_unauth_destination, so that SASL-authenticated users are permitted to relay mail.
With those additions made to our configuration file, we need to instruct the Postfix daemon to reload its configuration so that these settings take effect. This can be performed using the command below.
Although it would be nice to think that our configuration will work first time, it is always prudent to test our newly configured functionality to ensure that everything is working as expected. Before we can do this, however, we need to convert our email address and password into a base64-encoded string that we can use later during our telnet session to the Postfix server. This can easily be done using the command below, remembering to replace the email address with whatever you have been using thus far.
AHNwYW1jYXRjaGVyQGhhY2tpbmcuY28udWsAcGFzc3dvcmQ
Now that we have our encoded email address and password combination, we can test the authentication functionality using the telnet application as in previous examples. This time, however, we shall issue an EHLO greeting to indicate that we wish to use the extended functionality of the ESMTP protocol. The complete exchange is detailed below.
Trying 127.0.0.1...
Connected to mail.hacking.co.uk.
Escape character is '^]'.
220 mail.hacking.co.uk ESMTP Postfix
EHLO client.example.com
250-mail.localdomain
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN AHNwYW1jYXRjaGVyQGhhY2tpbmcuY28udWsAcGFzc3dvcmQ
235 2.0.0 Authentication successful
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
Assuming all went well, Postfix is now configured to allow authenticated users to relay mail messages through this server to any destination.
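As an added example (not code from the original guide), the Python below builds and decodes the token used with AUTH PLAIN, and parses the EHLO reply from the transcript above to check what the server offers. The token shown above has its trailing "=" padding dropped, which the decoder restores; the credentials and EHLO lines are the page's own sample values, and no server is contacted.

```python
import base64

def encode_plain(authcid, passwd, authzid=""):
    """Token for 'AUTH PLAIN <token>': base64(authzid NUL authcid NUL passwd)."""
    raw = f"{authzid}\0{authcid}\0{passwd}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def decode_plain(token):
    """Recover (authzid, authcid, passwd); restores '=' padding dropped
    from a token such as the one shown above."""
    token = token.strip()
    token += "=" * (-len(token) % 4)
    parts = base64.b64decode(token).split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN message must contain exactly two NUL bytes")
    return tuple(p.decode("utf-8") for p in parts)

def parse_ehlo(reply):
    """Map each EHLO keyword to its parameters. The non-standard 'AUTH='
    line that Postfix adds for broken_sasl_auth_clients = yes is keyed 'AUTH='."""
    exts = {}
    for line in reply.splitlines():
        words = line[4:].split() if line.startswith("250") else []
        if not words:
            continue
        keyword, *params = words
        if keyword.upper().startswith("AUTH="):
            exts["AUTH="] = [keyword[5:]] + params
        else:
            exts[keyword.upper()] = params
    return exts

def sasl_check(exts):
    """PLAIN and LOGIN send the password in clear text, so flag them when
    the server does not also advertise STARTTLS."""
    mechs = {m.upper() for m in exts.get("AUTH", [])}
    cleartext = bool(mechs & {"PLAIN", "LOGIN"})
    return {
        "legacy_auth_eq_line": "AUTH=" in exts,
        "starttls": "STARTTLS" in exts,
        "cleartext_exposed": cleartext and "STARTTLS" not in exts,
    }

# Constructed sample: the EHLO reply from the transcript above.
SAMPLE_EHLO = "\n".join([
    "250-mail.localdomain", "250-PIPELINING", "250-SIZE 10240000", "250-VRFY",
    "250-ETRN", "250-AUTH LOGIN PLAIN", "250-AUTH=LOGIN PLAIN",
    "250-ENHANCEDSTATUSCODES", "250-8BITMIME", "250 DSN",
])
```

Running sasl_check(parse_ehlo(SAMPLE_EHLO)) on the transcript above reports cleartext_exposed as true, since STARTTLS is not yet advertised at this stage of the guide.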