Postfix - Authentication configuration (SASL) for a connection to the SMTP server (587)

About

This page shows you yow to configure Postfix to enable remote connections to the Postfix SMTP server on the port 587 (submission port) with authentication.

Postfix used SASL as authentication library and this instructions shows how to set it up with the default authentication mechanism (ie PAM)

As only the submission port should allow authentication, all configuration should not be written in the /etc/postfix/main.cf file but has a command line argument in the /etc/postfix/master.cf below the submission line. We will see that further in the steps.

Once a client is authenticated, a server generally give the “same network” privileges.

Articles Related

SASL

implementations supported

Postfix support the following SASL implementations (ie compiled into Postfix)

# SASL support in the SMTP server
postconf -a 
# or SASL support in the SMTP+LMTP client
# postconf -A

cyrus
dovecot

By default the Postfix SMTP server uses the Cyrus SASL implementation.

Cyrus SASL

Communication between Postfix and Cyrus SASL takes place by calling functions in the SASL library (The Postfix SMTP server is linked with the Cyrus SASL library libsasl)

Steps

Cyrus SASL Smtp configuration file

This steps shows just how it works. If you are good with the default mechanism , you don't need to change anything

The file name is set in a configuration property that depends of the Postfix version

# for postfix >= 2.3
echo The name of the configuration is the $(postconf -h smtpd_sasl_path).conf
# for postfix < 2.3
# echo The name of the configuration is the $(postconf -h smtpd_sasl_application_name).conf

The name of the configuration is the smtpd.conf

The directory depends of the version and the compilation (generally in /etc/sasl2/ or usr/lib/sasl2 ). The content of the configuration file is:

# Cyrus SASL Version in /etc/sasl2/
cat /etc/sasl2/smtpd.conf
# or /usr/lib/sasl2/smtpd.conf

# list of mechanisms used to verify passwords
pwcheck_method: saslauthd
# Whitespace separated list of mechanisms to allow
mech_list: plain login
# Whitespace separated list of mechanisms to allow
log_level: 7

where:

All Cyrus SASL configuration are described in this page: Options for Cyrus SASL

the SASL password check mechanism used is the saslauthd mechanism that used itself by default PAM as backend. See SASL - saslauthd server (Cyrus SASL)
Plaintext mechanisms (PLAIN, LOGIN) send credentials unencrypted. This information should be protected by an additional security layer such as a TLS-encrypted SMTP session

Posfix conf

In the master file, uncomment the submission

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

Ssl must be already configured to support smtpd_tls_security_level=encrypt) in order to encrypt the password in transit (otherwise they are send in clear).

See this article that shows how to do it: Postfix - TLS (SSL) configuration

Services

SASL server and mechanism

Be sure that saslauthd is on

systemctl status saslauthd
# if not
# systemctl start saslauthd

saslauthd.service - SASL authentication daemon.
   Loaded: loaded (/usr/lib/systemd/system/saslauthd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-06-20 14:14:57 CEST; 5min ago
  Process: 26967 ExecStart=/usr/sbin/saslauthd -m $SOCKETDIR -a $MECH $FLAGS (code=exited, status=0/SUCCESS)
 Main PID: 26968 (saslauthd)

Install the plain text SASL mechanism

yum install cyrus-sasl-plain

Postfix

Restart postfix

systemctl restart postfix
systemctl status postfix

postfix.service - Postfix Mail Transport Agent
   Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-06-20 14:15:00 CEST; 4min 16s ago
  Process: 26999 ExecStop=/usr/sbin/postfix stop (code=exited, status=0/SUCCESS)
  Process: 27014 ExecStart=/usr/sbin/postfix start (code=exited, status=0/SUCCESS)
  Process: 27012 ExecStartPre=/usr/libexec/postfix/chroot-update (code=exited, status=0/SUCCESS)
  Process: 27010 ExecStartPre=/usr/libexec/postfix/aliasesdb (code=exited, status=0/SUCCESS)
 Main PID: 27087 (master)
    Tasks: 6
   Memory: 6.4M
   CGroup: /system.slice/postfix.service
           ├─27087 /usr/libexec/postfix/master -w
           ├─27088 pickup -l -t unix -u
           ├─27089 qmgr -l -t unix -u
           ├─27093 showq -t unix -u
           ├─27120 tlsmgr -l -t unix -u
           └─27121 anvil -l -t unix -u

Test

Port 587 bound

Verify that the port is now bound to the master process with netstat

netstat -tulpn | { read header; read header2; echo $header; echo $header2; grep master; }

Below we can see that the port 587 and 25 are bound to the master process

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      27087/master
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      27087/master
tcp6       0      0 :::25                   :::*                    LISTEN      27087/master
tcp6       0      0 :::587                  :::*                    LISTEN      27087/master

saslauthd test

Test the configuration of saslauthd to see if you can connect

testsaslauthd -u username -p password -s smtp

0: OK "Success."

SMTP authentication

testing with SMTP command

connect to your server with openssl

openssl s_client -connect server:587 -starttls smtp

250 DSN

EHLO server

250-server
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN  # The auth is advertised
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

In another console (terminal), compute the authentication string (It's just a base64 string with name and password)

printf '\0%s\0%s' 'user' 'pwd' | openssl base64

AHVzZXIAcHdk

Authenticate

AUTH PLAIN TheBase64String
# example
# AUTH PLAIN AHVzZXIAcHdk

235 2.7.0 Authentication successful

Log

When making a connection with openssl, you should see a log that looks like that:

tail -f /var/log/maillog

Jun 20 21:03:33 server01 postfix/submission/smtpd[13032]: connect from unknown[x.x.x.x]
Jun 20 21:03:33 server01 postfix/submission/smtpd[13032]: Anonymous TLS connection established from unknown[x.x.x.x]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 20 21:03:43 server01 postfix/submission/smtpd[13032]: lost connection after UNKNOWN from unknown[x.x.x.x]
Jun 20 21:03:43 server01 postfix/submission/smtpd[13032]: disconnect from unknown[143.176.206.82]
Jun 20 21:03:53 server01 postfix/submission/smtpd[13032]: connect from unknown[143.176.206.82]
Jun 20 21:03:54 server01 postfix/submission/smtpd[13032]: Anonymous TLS connection established from unknown[x.x.x.x]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 20 21:11:05 server01 postfix/submission/smtpd[13032]: lost connection after AUTH from unknown[x.x.x.x]
Jun 20 21:11:05 server01 postfix/submission/smtpd[13032]: disconnect from unknown[x.x.x.x]