Introduction
This guide will guide you through the steps needed to enable Postfix to use the SASL implementation provided by Dovecot. This is an alternative to configuring Postfix to use the Cyrus SASL implementation.
Installation
Everything you need to configure Postfix to use Dovecot SASL is included when you install the dovecot-common and postfix packages from the Main repository. You will probably also want to install dovecot-imapd or dovecot-pop3d which provide IMAP and POP3 services.
See the Dovecot guide for more information on setting up Dovecot.
Configuration
Dovecot
First let's configure Dovecot to provide SASL client authentication.
To accomplish this on 12.04 (Precise) and newer version, edit the Dovecot configuration /etc/dovecot/conf.d/10-master.conf:
... service auth { ... # Postfix smtp-auth unix_listener /var/spool/postfix/private/auth { mode = 0666 } ... }
Enable LOGIN authentication, edit the configuration file /etc/dovecot/conf.d/10-auth.conf and add the login authentication mechanism:
auth_mechanisms = plain login
If you're using Ubuntu 7.10 (Gutsy) or a later version until 11.10 (Oneiric), edit configuration file /etc/dovecot/dovecot.conf. Your configuration should look like this:
auth default { mechanisms = plain login socket listen { #master { # Master socket provides access to userdb information. It's typically # used to give Dovecot's local delivery agent access to userdb so it # can find mailbox locations. #path = /var/run/dovecot/auth-master #mode = 0600 # Default user/group is the one who started dovecot-auth (root) #user = #group = #} client { # The client socket is generally safe to export to everyone. Typical use # is to export it to your SMTP server so it can do SMTP AUTH lookups # using it. path = /var/spool/postfix/private/auth-client mode = 0660 user = postfix group = postfix } } }
The /etc/dovecot/dovecot.conf file on Ubuntu 6.06 (Dapper) is slightly different:
auth default_with_listener { mechanisms = plain login passdb pam { } userdb passwd { } socket listen { # master { #path = /var/run/dovecot-auth-master # WARNING: Giving untrusted users access to master socket may be a # security risk, don't give too wide permissions to it! #mode = 0600 # Default user/group is the one who started dovecot-auth (root) #user = #group = # } client { path = /var/spool/postfix/private/auth-client mode = 0660 user = postfix group = postfix } } }
Note: you will need to install the Postfix version in dapper-backports in order to use Dovecot SASL on Ubuntu 6.06. See UbuntuBackports for more information.
Once you've configured Dovecot to provide SASL you'll need to restart it:
sudo /etc/init.d/dovecot restart
Postfix
After you've configured Dovecot to provide SASL authentication it's time to configure Postfix to use it.
First edit the /etc/postfix/main.cf configuration file. You can do this with a text editor or by using the postconf -e command:
sudo postconf -e 'smtpd_sasl_type = dovecot' sudo postconf -e 'smtpd_sasl_auth_enable = yes' sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
You then need to configure the path to the authentication client. On 12.04 (Precise) and newer:
sudo postconf -e 'smtpd_sasl_path = private/auth'
on versions older than 12.04 (Precise):
sudo postconf -e 'smtpd_sasl_path = private/auth-client'
Note: the smtpd_sasl_path configuration needs to be a path relative to the Postfix queue directory.
Now restart Postfix to enable the new configurations:
sudo /etc/init.d/postfix restart
Testing
To see if Dovecot SASL is working properly run the following command:
telnet localhost 25
After you have established the connection to your postfix mail server type
ehlo localhost
If you see the lines
250-AUTH PLAIN LOGIN
among others, everything is working.
Type quit to return to the system's shell.
Note: this guide has been tested on Ubuntu 6.06 (Dapper Drake), Ubuntu 7.10 (Gutsy Gibbon), Ubuntu 14.04 (Trusty Tahr) and Ubuntu 15.10 (Wily Werewolf).