
1.3. SMTP Authentication


SMTP-AUTH allows a client to identify itself through an authentication mechanism (SASL). Transport Layer Security (TLS) should be used to encrypt the authentication process. Once authenticated, the SMTP server will allow the client to relay mail.


1. Configure Postfix for SMTP-AUTH using SASL (Dovecot SASL):


sudo postconf -e 'smtpd_sasl_type = dovecot'
sudo postconf -e 'smtpd_sasl_path = private/auth'
sudo postconf -e 'smtpd_sasl_local_domain ='
sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
sudo postconf -e 'broken_sasl_auth_clients = yes'
sudo postconf -e 'smtpd_sasl_auth_enable = yes'
sudo postconf -e 'smtpd_recipient_restrictions = \
permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'



The smtpd_sasl_path configuration is a path relative to the Postfix queue directory.


2. Next, generate or obtain a digital certificate for TLS. See Section 5, “Certificates” [p. 198] for details. This example also uses a Certificate Authority (CA). For information on generating a CA certificate see Section 5.5, “Certification Authority” [p. 200].



MUAs connecting to your mail server via TLS will need to recognize the certificate used for TLS. This can either be done using a certificate from a commercial CA or with a self-signed certificate that users manually install/accept. For MTA-to-MTA TLS, certificates are never validated without advance agreement from the affected organizations. For MTA-to-MTA TLS, unless local policy requires it, there is no reason not to use a self-signed certificate. Refer to Section 5.3, “Creating a Self-Signed Certificate” [p. 200] for more details.

3. Once you have a certificate, configure Postfix to provide TLS encryption for both incoming and outgoing mail:


sudo postconf -e 'smtp_tls_security_level = may'
sudo postconf -e 'smtpd_tls_security_level = may'
sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/server.key'
sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/server.crt'
sudo postconf -e 'smtpd_tls_loglevel = 1'
sudo postconf -e 'smtpd_tls_received_header = yes'
sudo postconf -e 'myhostname = mail.example.com'


4. If you are using your own Certificate Authority to sign the certificate enter:


sudo postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'


Again, for more details about certificates see Section 5, “Certificates” [p. 198].



After running all the commands, Postfix is configured for SMTP-AUTH and a self-signed certificate has been created for TLS encryption.


Now, the file /etc/postfix/main.cf should look like this:


# See /usr/share/postfix/main.cf.dist for a commented, more complete
# version

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

myhostname = server1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = server1.example.com, localhost.example.com, localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
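The settings this section configures protect two things: the relay policy (smtpd_recipient_restrictions must end in reject_unauth_destination, with only authenticated clients and mynetworks permitted ahead of it) and the authentication exchange itself (noanonymous, and TLS so credentials are not sent in clear text). The Python script below is an added example, not part of this guide or of Postfix. It parses a constructed main.cf modelled on the sample above, joining whitespace-continued values the way Postfix does, and reports settings that weaken either protection. The parameter names are the real Postfix parameters used on this page; the sample text and the audit rules are my own. Note that it flags smtpd_tls_auth_only = no, which the sample sets: with that value Postfix still announces and accepts AUTH on connections that have not negotiated STARTTLS, which is at odds with the advice above that TLS should encrypt the authentication process.

```python
import re

# Constructed sample of /etc/postfix/main.cf, trimmed to the settings that
# matter for SMTP-AUTH and TLS.  The multi-line value is deliberate: Postfix
# continues a value on any following line that starts with whitespace.
SAMPLE_MAIN_CF = """\
# Postfix main.cf (constructed sample for the audit below)
myhostname = server1.example.com
mynetworks = 127.0.0.0/8
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated,permit_mynetworks,
    reject_unauth_destination
smtpd_tls_auth_only = no
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
"""


def parse_main_cf(text):
    """Parse main.cf text into a dict of parameter -> value.

    Skips blank lines and comments that start in column one, joins
    whitespace-continued lines onto the preceding parameter, and lets a
    later assignment override an earlier one, as Postfix itself does.
    """
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            # Continuation line: append to the previous parameter's value.
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue  # not an assignment; ignore the line
        current = name.strip()
        params[current] = value.strip()
    return params


def split_list(value):
    """Split a Postfix list value on commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def audit_smtp_auth(params):
    """Return a list of human-readable findings about SMTP-AUTH/TLS settings."""
    findings = []

    if params.get("smtpd_sasl_auth_enable", "no") != "yes":
        findings.append("smtpd_sasl_auth_enable is not 'yes': SMTP-AUTH is disabled")

    if "noanonymous" not in split_list(params.get("smtpd_sasl_security_options", "")):
        findings.append("smtpd_sasl_security_options lacks noanonymous: anonymous SASL logins allowed")

    restrictions = split_list(params.get("smtpd_recipient_restrictions", ""))
    if "reject_unauth_destination" not in restrictions:
        findings.append("smtpd_recipient_restrictions lacks reject_unauth_destination (open relay)")
    elif "permit" in restrictions[: restrictions.index("reject_unauth_destination")]:
        # An unconditional 'permit' evaluated first short-circuits the relay check.
        findings.append("unconditional 'permit' precedes reject_unauth_destination (open relay)")

    if params.get("smtpd_tls_security_level", "") in ("", "none"):
        findings.append("smtpd_tls_security_level unset or none: STARTTLS is not offered")

    if params.get("smtpd_tls_auth_only", "no") != "yes":
        findings.append("smtpd_tls_auth_only is not 'yes': AUTH is offered on unencrypted connections")

    return findings


if __name__ == "__main__":
    for finding in audit_smtp_auth(parse_main_cf(SAMPLE_MAIN_CF)):
        print("WARNING:", finding)
```

Point parse_main_cf at the text of a real main.cf (or the output of `postconf -n`, which prints one parameter per line) to audit a live server; only the constructed sample is embedded here so the script runs offline.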


The initial Postfix configuration is complete. Run the following command to restart the Postfix daemon:


sudo systemctl restart postfix.service


Postfix supports SMTP-AUTH as defined in RFC 2554. It is based on SASL. However, it is still necessary to set up SASL authentication before you can use SMTP-AUTH.

