https://onnocenter.or.id/wiki/index.php?action=history&feed=atom&title=Postfix%3A_SMTP_Authentication_for_Clients_%28en%29 2026-05-13T12:57:12Z Revision history for this page on the wiki MediaWiki 1.35.4 https://onnocenter.or.id/wiki/index.php?title=Postfix:_SMTP_Authentication_for_Clients_(en)&diff=71396&oldid=prev 2025-01-04T00:19:37Z

<p>Created page with &quot;==Prepare Dovecot== Edit to configure Dovecot as the authentication server for Postfix: vim /etc/dovecot/conf.d/10-master.conf Ensure the following: ## The listener is a...&quot;</p> <p><b>New page</b></p><div>==Prepare Dovecot==<br /> <br /> Edit to configure Dovecot as the authentication server for Postfix:<br /> <br /> vim /etc/dovecot/conf.d/10-master.conf<br /> <br /> Ensure the following:<br /> <br /> ## The listener is added under the service auth section ##<br /> service auth { <br /> unix_listener /var/spool/postfix/private/auth {<br /> mode = 0660<br /> user = postfix<br /> group = postfix<br /> } ##end listener<br /> } ## end service auth<br /> <br /> The definition above will open the socket /var/spool/postfix/private/auth with permission 0660 for Postfix.<br /> <br /> vim /etc/dovecot/conf.d/10-auth.conf<br /> <br /> auth_mechanisms = plain login<br /> <br /> Plain authentication mechanism for Postfix.<br /> <br /> Restart Dovecot:<br /> <br /> service dovecot restart<br /> <br /> ==Generate Certificate==<br /> <br /> Create a certificate for SSL:<br /> <br /> mkdir /etc/postfix/ssl<br /> cd /etc/postfix/ssl/<br /> openssl req -new -nodes -keyout onnocenter.id.key -out onnocenter.id.csr<br /> <br /> You will see:<br /> <br /> Generating a 2048 bit RSA private key<br /> ......................+++<br /> ..................+++<br /> writing new private key to 'onnocenter.id.key'<br /> -----<br /> You are about to be asked to enter information that will be incorporated<br /> into your certificate request.<br /> What you are about to enter is what is called a Distinguished Name or a DN.<br /> There are quite a few fields but you can leave some blank<br /> For some fields there will be a default value,<br /> If you enter '.', the field will be left blank.<br /> -----<br /> Country Name (2 letter code) [AU]:ID<br /> State or Province Name (full name) [Some-State]:DKI<br /> Locality Name (eg, city) []:Jakarta<br /> Organization Name (eg, company) [Internet Widgits Pty Ltd]:OnnoCenter<br /> Organizational Unit Name (eg, section) []:IT<br /> Common Name (e.g. server FQDN or YOUR name) []:onnocenter.id<br /> Email Address []:onno@onnocenter.id<br /> <br /> Please enter the following 'extra' attributes<br /> to be sent with your certificate request<br /> A challenge password []:password<br /> An optional company name []:OnnoCenter<br /> <br /> ==Preparing Postfix==<br /> <br /> Insert SASL parameters into the config file:<br /> <br /> vim /etc/postfix/main.cf<br /> <br /> #### SASL ####<br /> <br /> ## specify SASL type ##<br /> smtpd_sasl_type = dovecot<br /> <br /> ## path to the SASL socket relative to postfix spool directory i.e. /var/spool/postfix ##<br /> smtpd_sasl_path = private/auth<br /> <br /> ## postfix appends the domain name for SASL logins that do not have the domain part ##<br /> smtpd_sasl_local_domain = $myhostname<br /> <br /> ## SASL default policy ##<br /> smtpd_sasl_security_options = noanonymous<br /> <br /> ## for legacy application compatibility ##<br /> broken_sasl_auth_clients = yes<br /> <br /> ## enable SMTP auth ##<br /> smtpd_sasl_auth_enable = yes<br /> <br /> ## smtp checks ##<br /> ## these checks are based on first match, so sequence is important ##<br /> smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination<br /> <br /> Summarized as:<br /> <br /> smtpd_sasl_type = dovecot<br /> smtpd_sasl_path = private/auth<br /> smtpd_sasl_auth_enable = yes<br /> smtpd_sasl_security_options = noanonymous<br /> smtpd_sasl_local_domain = $myhostname<br /> broken_sasl_auth_clients = yes<br /> ...<br /> smtpd_recipient_restrictions = <br /> permit_sasl_authenticated, <br /> permit_mynetworks, <br /> check_relay_domains<br /> <br /> Insert SSL/TLS parameters into the config file:<br /> <br /> vim /etc/postfix/main.cf<br /> <br /> #### SSL/TLS parameters ####<br /> <br /> ## 'encrypt' will enforce SSL. Not recommended for live servers ##<br /> smtpd_tls_security_level = may <br /> #smtpd_tls_security_level = encrypt <br /> <br /> smtpd_tls_received_header = yes <br /> smtpd_tls_auth_only = no <br /> <br /> ## loglevel 3 or 4 can be used during troubleshooting ##<br /> smtpd_tls_loglevel = 1 <br /> <br /> ## path to certificate and key file ##<br /> smtpd_tls_key_file = /etc/postfix/ssl/onnocenter.id.key<br /> smtpd_tls_cert_file = /etc/postfix/ssl/onnocenter.id.crt<br /> smtpd_use_tls=yes <br /> <br /> ## server will announce STARTTLS ##<br /> smtp_tls_note_starttls_offer = yes <br /> <br /> smtpd_tls_session_cache_timeout = 3600s <br /> tls_random_source = dev:/dev/urandom<br /> <br /> Summarized as:<br /> <br /> smtpd_tls_security_level = encrypt <br /> smtpd_tls_received_header = yes <br /> smtpd_tls_auth_only = yes<br /> smtpd_tls_loglevel = 1 <br /> smtpd_tls_key_file = /etc/postfix/ssl/onnocenter.id.key<br /> smtpd_tls_cert_file = /etc/postfix/ssl/onnocenter.id.crt<br /> smtpd_use_tls=yes <br /> smtp_tls_note_starttls_offer = yes<br /> smtpd_tls_session_cache_timeout = 3600s <br /> tls_random_source = dev:/dev/urandom<br /> <br /> ==Restart Postfix==<br /> <br /> service postfix restart<br /> <br /> ==Check Relay==<br /> <br /> $ telnet mail.example.tst 25<br /> <br /> ehlo mail.example.tst<br /> 250-mail.example.tst<br /> 250-PIPELINING <br /> 250-SIZE 10240000 <br /> 250-VRFY <br /> 250-ETRN <br /> 250-STARTTLS <br /> 250-AUTH PLAIN LOGIN <br /> 250-AUTH=PLAIN LOGIN <br /> 250-ENHANCEDSTATUSCODES <br /> 250-8BITMIME <br /> 250 DSN <br /> <br /> ==Check SMTP AUTH Support==<br /> <br /> Perform:<br /> <br /> telnet onnocenter.id 25<br /> <br /> You should see:<br /> <br /> Connected to onnocenter.id.<br /> Escape character is '^]'.<br /> 220 onnocenter.id ESMTP<br /> ehlo onnocenter.id<br /> 250-onnocenter.id<br /> 250-PIPELINING<br /> 250-SIZE 10240000<br /> 250-VRFY<br /> 250-ETRN<br /> 250-STARTTLS<br /> 250-AUTH PLAIN LOGIN<br /> 250-AUTH=PLAIN LOGIN<br /> 250-ENHANCEDSTATUSCODES<br /> 250-8BITMIME<br /> 250 DSN<br /> <br /> Generate password:<br /> <br /> printf 'username\0username\0password' | mmencode<br /> <br /> or<br /> <br /> perl -MMIME::Base64 -e 'print encode_base64(&quot;username\0username\0password&quot;);'<br /> <br /> Proceed as:<br /> <br /> printf 'test\0test\0testpass' | mmencode<br /> dGVzdAB0ZXN0AHRlc3RwYXNz<br /> <br /> Then, dGVzdAB0ZXN0AHRlc3RwYXNz is the Base64 encoded string that contains username and password.<br /> <br /> Test authentication:<br /> <br /> Connected to localhost.<br /> Escape character is '^]'.<br /> 220 onnocenter.id ESMTP<br /> ehlo onnocenter.id<br /> 250-onnocenter.id<br /> 250-PIPELINING<br /> 250-SIZE 10240000<br /> 250-VRFY<br /> 250-ETRN<br /> 250-STARTTLS<br /> 250-AUTH PLAIN LOGIN<br /> 250-AUTH=PLAIN LOGIN<br /> 250-ENHANCEDSTATUSCODES<br /> 250-8BITMIME<br /> 250 DSN<br /> AUTH PLAIN dGVzdAB0ZXN0AHRlc3RwYXNz<br /> 235 2.7.0 Authentication successful<br /> quit<br /> 221 2.0.0 Bye<br /> <br /> ==References== <br /> <br /> * http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html<br /> * http://xmodulo.com/enable-user-authentication-postfix-smtp-server-sasl.html<br /> * http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html<br /> * http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html</div>

Onnowpurbo