SMTP AUTH for Postfix

This is yet another SMTP AUTH setup guide. It is based on my experiences using Postfix 2.1.5 and CMU Cyrus SASL (saslauthd) 2.1.19 on a Debian (Sarge) system to authenticate against an OpenLDAP server. I'm assuming that Postfix and LDAP are already configured.

Installing saslauthd

I installed the SASL packages in Debian by running:

  apt-get install sasl2-bin libsasl2-modules

Alternately, you can obain the cyrus-sasl source from and build saslauthd yourself:

  tar xzvf cyrus-sasl.tag.gz 
  cd cyrus-sasl
  ./configure --with-ldap
  make install

Configuring saslauthd

In Debian, configuration defaults for startup scripts are often in /etc/default/. saslauthd is no exception. Edit /etc/default/saslauthd as needed, e.g.:

  # This needs to be uncommented before saslauthd will be run automatically

  # You must specify the authentication mechanisms you wish to use.
  # This defaults to "pam" for PAM support, but may also include
  # "shadow", "sasldb", "kerberos5", etc.
  # See saslauthd(8) for more mechanisms. 

  # Location of main config file

Then edit /etc/saslauthd.conf to specify the LDAP servers and search base:

  ldap_servers: ldap://
  ldap_search_base: dc=example,dc=edu

Running saslauthd

Now you're ready to run saslauthd. In Debian, the init script is /etc/init.d/saslauthd Start saslauthd with /etc/init.d/saslauthd start. (To stop saslauthd, run /etc/init.d/saslauthd stop.)

First verify that saslauthd is running with ps aux | grep sasl. (Note: for LDAP support the process should be running as /usr/sbin/saslauthd -a ldap.)

Then use testsaslauthd to test authentication against the LDAP server. Run:

  testsaslauthd -u username -p password

If it's working, you should see

  0: OK "Success."0: OK "Success."

Configuring Postfix

In Debian postfix is run by user postfix, whose home directory is /var/spool/postfix/. The postfix user must have access to saslauthd. Use vigrp to add user postfix to the sasl group and move the saslauthd directory:

  mkdir -p /var/spool/postfix/var/run
  mv /var/run/saslauthd /var/spool/postfix/var/run

Specify the password check method by editing /etc/postfix/sasl/smtpd.conf:

  pwcheck_method: saslauthd

Finally, edit /etc/postfix/ Add the following lines:

  smtpd_sasl_auth_enable = yes
  smtpd_sasl_security_options = noanonymous
  smtpd_sasl_local_domain = 
  broken_sasl_auth_clients = yes

Additionally, you must add permit_sasl_authenticated to the smtpd_receipient_restrictions stanza. For example:

  smtpd_recipient_restrictions =

Check the postfix configuration syntax by running /etc/init.d/postfix check. If there is no output, the configuration is valid. Restart postfix with /etc/init.d/postfix restart (or reload the configuration with /etc/init.d/postfix reload and wait for the config file to be reloaded).


Verify that postfix is running and has authentication enabled by telneting to port 25 on the mail server (telnet 25). You should see something like:

  Connected to mail.
  Escape character is '^]'.
  220 ESMTP Postfix (Debian/GNU)

Once connected, type ehlo localhost You should see something like:
  250-SIZE 31457280
  250 8BITMIME

The important part is the AUTH lines. Use ^] to disconnect.

The last step is to test with a mail client. mutt requires a patch, so I used pine. This required me to change one line in my existing .pinerc config file:

(where username is a valid username).

While testing, use tail -f /var/log/mail.log to watch for errors.

See also