Basic mailserver configuration on RHEL derivates (part 2) SMTP auth
'''WARNING''' I wrote this article in 2014; most of the configuration still works fine on Rocky Linux 9, but it should be updated.
In this article we will configure our server for authenticated SMTP.
In the <a href="http://blog.vettore.org/?p=859">previous part</a> we have already set up the database and tables.
FIRST METHOD: CYRUS-SASL AUTH (saslauthd daemon)
Now we have to install the following packages in order to enable SASL2 authentication: cyrus-sasl, cyrus-sasl-devel, cyrus-sasl-plain and cyrus-sasl-sql:
yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-plain cyrus-sasl-sql
Edit your /etc/sasl2/smtpd.conf:
pwcheck_method: auxprop
mech_list: PLAIN
auxprop_plugin: sql
sql_usessl: no
sql_engine: mysql
sql_hostnames: localhost
sql_user: postfix
sql_database: mailserver
sql_passwd: yoursecretpassword
sql_select: select password from users where username = '%u'
log_level: 3
You need an SSL certificate. For a production server it is advisable to purchase one. Otherwise you can build a self-signed certificate this way. First generate your key:
openssl genrsa -out ca.key 2048
Now generate your CSR (certificate signing request). Answer all the questions and press return at the password prompt (no password) to create it:
openssl req -new -key ca.key -out postfix.csr
Now you can obtain your self-signed certificate by signing your request with your own key:
openssl x509 -req -days 3650 -in postfix.csr -signkey ca.key -out postfix.crt
Move them into place:
mv postfix.crt /etc/pki/tls/certs/
mv ca.key /etc/pki/tls/private/
mv postfix.csr /etc/pki/tls/private/
Adding the following lines to your /etc/postfix/main.cf should complete your configuration:
smtpd_tls_key_file = /etc/pki/tls/private/ca.key
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.crt
smtpd_use_tls = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
Don't forget to enable and start the saslauthd service:
systemctl enable saslauthd
systemctl start saslauthd
SECOND METHOD: use dovecot to authenticate postfix
This method doesn't require the installation of external modules, so it is simpler. But it has the disadvantage that you cannot easily separate IMAP and SMTP users: all your IMAP users will be able to send email through your SMTP server. If this is OK for you, you can go this way and save time and server resources. Configuration is very simple: you add a Dovecot listener that Postfix will use. Add this to your /etc/dovecot/conf.d/10-master.conf under the service auth section:
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
mode = 0666
}
Postfix configuration is very similar to the one supplied above. Add the following two lines to the above config:
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
Restart your services and remember that this time the auth username matches your email address.
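Whichever method you pick, it is worth checking the resulting main.cf before opening the port. The script below is an added example, not part of the original post: it reads the effective value of each key the way Postfix does (last occurrence wins) and reports the SASL/TLS settings that matter for authenticated SMTP, using a constructed main.cf built from the settings shown above.

```shell
#!/bin/sh
# Added example, not from the original post: lint the authenticated-SMTP
# settings in a Postfix main.cf. Postfix keeps the last "key = value" line
# for a given key, so cf_get does the same.

# cf_get FILE KEY: print the effective value of KEY ("" if unset)
cf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
            if (k == key) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            }
        }
        END { print val }' "$1"
}

# cf_lint FILE: one line per check; returns 0 only if every check passes
cf_lint() {
    rc=0
    [ "$(cf_get "$1" smtpd_sasl_auth_enable)" = yes ] \
        || { echo "FAIL smtpd_sasl_auth_enable is not yes"; rc=1; }
    case "$(cf_get "$1" smtpd_sasl_security_options)" in
        *noanonymous*) echo "OK   anonymous SASL mechanisms disabled" ;;
        *) echo "FAIL smtpd_sasl_security_options lacks noanonymous"; rc=1 ;;
    esac
    # PLAIN carries the password as-is, so AUTH should only be offered after STARTTLS
    [ "$(cf_get "$1" smtpd_tls_auth_only)" = yes ] \
        || { echo "FAIL smtpd_tls_auth_only is not yes: PLAIN auth allowed on cleartext"; rc=1; }
    for k in smtpd_tls_cert_file smtpd_tls_key_file; do
        [ -n "$(cf_get "$1" "$k")" ] || { echo "FAIL $k is unset"; rc=1; }
    done
    if [ "$(cf_get "$1" smtpd_sasl_type)" = dovecot ]; then
        [ -n "$(cf_get "$1" smtpd_sasl_path)" ] \
            || { echo "FAIL smtpd_sasl_type = dovecot but smtpd_sasl_path unset"; rc=1; }
    fi
    return $rc
}

# Constructed sample: the settings from this post, as written
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
smtpd_tls_key_file = /etc/pki/tls/private/ca.key
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.crt
smtpd_sasl_security_options = noanonymous
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = no
EOF
cf_lint "$SAMPLE" || echo "lint found problems in $SAMPLE"
```

The sample fails on smtpd_tls_auth_only; changing that line to yes in your own main.cf makes the lint pass.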
