Turn on client-side SASL authentication, and specify a table
with per-host or per-destination username and password information.
Postfix first searches the table for an entry with the server
hostname; if no entry is found, then Postfix searches the table for
an entry with the next-hop destination. Usually, that is the
right-hand part of an email address, but it can also be the information
that is specified with the relayhost parameter or with a
transport(5) table.

/etc/postfix/main.cf:
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_type = cyrus

/etc/postfix/sasl_passwd:
    foo.com                         username:password
    bar.com                         username
    [mail.myisp.net]                username:password
    [mail.myisp.net]:submission     username:password

Postfix version 2.3 supports per-sender SASL password
information. To search the Postfix SASL password file by sender
before it searches by destination, specify:

/etc/postfix/main.cf:
    smtp_sender_dependent_authentication = yes
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

/etc/postfix/sasl_passwd:
    [email protected]               username:password
    bar.com                         username
    [mail.myisp.net]                username:password
    [mail.myisp.net]:submission     username:password

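The lookup order described in the two passages above (server hostname, then next-hop destination, with the sender address tried first when smtp_sender_dependent_authentication is enabled) can be modelled as follows. This is an added example, not Postfix code; the function names, the sample table entries and the exact-string matching are assumptions made for illustration.

```python
# Added example: a model of the lookup order described in the text,
# not Postfix source code. All table entries below are constructed.
SASL_PASSWD = """\
# key                          username[:password]
alice@example.org              alice-login:alice-secret
foo.com                        foo-login:foo-secret
bar.com                        bar-login
[mail.myisp.net]               isp-login:isp-secret
[mail.myisp.net]:submission    sub-login:sub-secret
"""


def parse_table(text):
    """Parse sasl_passwd-style text into {key: (username, password)}."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            raise ValueError(f"entry without credentials: {line!r}")
        # Split only the value: keys such as [host]:port contain ':' too.
        username, _, password = fields[1].strip().partition(":")
        table[fields[0]] = (username, password)
    return table


def select_credentials(table, sender, server_hostname, next_hop,
                       sender_dependent=False):
    """Return (matched_key, username, password), or None if nothing matches.

    Keys are tried in the order the text gives: sender address first when
    smtp_sender_dependent_authentication = yes, then the server hostname,
    then the next-hop destination. Matching is exact-string (a modelling
    assumption), so [mail.myisp.net] and [mail.myisp.net]:submission differ.
    """
    keys = ([sender] if sender_dependent else []) + [server_hostname, next_hop]
    for key in keys:
        if key in table:
            return (key, *table[key])
    return None


if __name__ == "__main__":
    table = parse_table(SASL_PASSWD)
    for flag in (False, True):
        print(flag, select_credentials(table, "alice@example.org",
                                       "smtp.foo.com", "foo.com", flag))
```

Running the model against a copy of your own table shows which entry, and therefore which account, would be presented for a given sender and next hop before the credentials ever leave the host.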
Note: some SMTP servers support PLAIN or LOGIN authentication only.
By default, the Postfix SMTP client does not use authentication
methods that send plaintext passwords, and defers delivery with
the following error message: "Authentication failed: cannot SASL
authenticate to server". To enable plaintext authentication specify,
for example:

/etc/postfix/main.cf:
    smtp_sasl_security_options = noanonymous

The Postfix SASL client password file is opened before the SMTP server
enters the optional chroot jail, so you can keep the file in
/etc/postfix.

Note: Some SMTP servers support authentication mechanisms that,
although available on the client system, may not work in practice,
or for which the client may not possess the appropriate credentials
to authenticate to the server. With the smtp_sasl_mechanism_filter
parameter you can further restrict the list of server mechanisms
that the smtp(8) client will take into consideration:

/etc/postfix/main.cf:
    smtp_sasl_mechanism_filter = !gssapi, !external, static:all

In the above example, Postfix will decline to use mechanisms
that require special infrastructure such as Kerberos.

The Postfix SMTP client is backwards compatible with SMTP
servers that use the non-standard "AUTH=method..." syntax in response
to the EHLO command; there is no Postfix client configuration needed
to work around it.