Basic mailserver configuration on RHEL derivatives (part 2): SMTP auth

From Fvettore-WIKI
WARNING: I wrote this article in 2014. Most of the configuration still works fine on Rocky Linux 9, but it should be updated.

In this article we configure the server for authenticated SMTP (SMTP AUTH), so that only users who present a valid username and password can relay mail through it.

In the previous part we already set up the database and tables.

FIRST METHOD: CYRUS-SASL AUTH (libsasl with the sql auxprop plugin)

Install the packages that provide SASL2 authentication and its SQL plugin (cyrus-sasl-devel only supplies headers for building against libsasl and is not needed at run time, but keeping it does no harm). On Rocky Linux 9 yum is an alias for dnf:

yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-plain cyrus-sasl-sql

Edit /etc/sasl2/smtpd.conf (the file name matches Postfix's default smtpd_sasl_path of smtpd). With pwcheck_method set to auxprop the sql plugin fetches the stored password and libsasl compares it with the password the client sent in the PLAIN exchange, so the password column must contain the cleartext password (newer Cyrus SASL releases can instead compare against crypt(3) hashes with pwcheck_method: auxprop-hashed). The file holds the database password, so keep it readable by root and the postfix user only:

# password lookup done by libsasl itself through an auxprop plugin (saslauthd is not involved)
pwcheck_method: auxprop
# PLAIN transmits the password itself, so it must only be used inside TLS (see main.cf below)
mech_list: PLAIN
auxprop_plugin: sql
sql_usessl: no
sql_engine: mysql
sql_hostnames: localhost
sql_user: postfix
sql_database: mailserver
sql_passwd: yoursecretpassword
# %u expands to the user name sent in the AUTH exchange
sql_select: select password from users where username = '%u'
log_level: 3
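As an added example (not code from the original article), here is the AUTH PLAIN exchange and the lookup described above in Python: the client-side encoding, what the server decodes from it, and the sql_select comparison as the auxprop path performs it. The in-memory SQLite users table, the user names and passwords, and the use of a bound parameter in place of the plugin's own %u substitution are assumptions made for this demo.

```python
# Added example, not code from the original article: what the client's
# AUTH PLAIN line carries and how an auxprop-style lookup verifies it.
# The in-memory SQLite "users" table and the credentials below are constructed
# for the demo; the real Cyrus sql plugin talks to MySQL and substitutes %u
# itself, which a bound parameter stands in for here.
from __future__ import annotations

import base64
import hmac
import sqlite3


def auth_plain_initial_response(authcid: str, password: str, authzid: str = "") -> str:
    """Build the client's AUTH PLAIN credential (RFC 4616):
    base64(authzid NUL authcid NUL password). Postfix accepts it either on the
    AUTH line itself or as the reply to the server's "334" prompt."""
    raw = "\0".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(b64: str) -> tuple[str, str, str]:
    """Decode what the server receives. Base64 is an encoding, not encryption:
    whoever captures this line on an unencrypted session recovers the password,
    which is why AUTH must only be offered after STARTTLS."""
    parts = base64.b64decode(b64, validate=True).decode("utf-8").split("\0")
    if len(parts) != 3:
        raise ValueError("malformed AUTH PLAIN message")
    authzid, authcid, password = parts
    return authzid, authcid, password


# The article's sql_select, with %u replaced by a bound parameter.
SQL_SELECT = "select password from users where username = ?"


def make_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the mailserver.users table from part 1."""
    db = sqlite3.connect(":memory:")
    db.execute("create table users (username text primary key, password text)")
    db.executemany("insert into users values (?, ?)",
                   [("alice", "correct horse"), ("bob", "hunter2")])
    return db


def verify_plain(db: sqlite3.Connection, b64: str) -> bool:
    """Server side of pwcheck_method: auxprop with the sql plugin: fetch the
    stored value with sql_select and compare it with the supplied password.
    This is a plain string comparison, so the password column must hold the
    cleartext password (hashed columns need pwcheck_method: auxprop-hashed)."""
    try:
        _authzid, authcid, password = decode_auth_plain(b64)
    except ValueError:          # binascii.Error and UnicodeDecodeError are subclasses
        return False
    row = db.execute(SQL_SELECT, (authcid,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0].encode("utf-8"), password.encode("utf-8"))


if __name__ == "__main__":
    db = make_demo_db()
    line = auth_plain_initial_response("alice", "correct horse")
    print("client sends: AUTH PLAIN", line)
    print("server sees :", decode_auth_plain(line))
    print("accepted    :", verify_plain(db, line))
```

The decoded tuple is exactly what a packet capture of a cleartext session yields, which is the whole argument for smtpd_tls_auth_only = yes below; the bound parameter also shows why a hostile user name cannot turn sql_select into a different query.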

You also need an SSL/TLS certificate. For a production server get one from a public CA (a free one, e.g. from Let's Encrypt, is fine; with a self-signed certificate every mail client will warn or refuse to connect). Otherwise you can build a self-signed certificate. First generate the private key:

openssl genrsa -out ca.key 2048 

Now generate the CSR (certificate signing request). Answer the questions, giving the server's public host name as the Common Name, and press return at the challenge-password prompt (no password):

openssl req -new -key ca.key -out postfix.csr

Now produce the self-signed certificate by signing the request with the same key:

openssl x509 -req -days 3650 -in postfix.csr -signkey ca.key -out postfix.crt

Move the files into place. The key must be readable by root only (mode 0600), which is what Postfix expects:

mv postfix.crt /etc/pki/tls/certs/
mv ca.key /etc/pki/tls/private/
mv postfix.csr /etc/pki/tls/private/

Adding the following to /etc/postfix/main.cf completes the configuration. Two parameters from the original 2014 version (smtpd_use_tls and smtp_use_tls) are obsolete and are replaced below by the *_tls_security_level parameters. smtpd_tls_auth_only is set to yes: with no, Postfix advertises AUTH on the unencrypted session and a PLAIN login then crosses the network base64-encoded, i.e. in the clear. Keep it at no only for the rare client that cannot do STARTTLS. Authenticated submission should normally be offered on port 587 rather than 25: the stock master.cf ships a commented-out submission service with smtpd_tls_security_level=encrypt and smtpd_sasl_auth_enable=yes that you can uncomment.

# key readable by root only, certificate can be world-readable
smtpd_tls_key_file =  /etc/pki/tls/private/ca.key
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.crt
# replaces the obsolete "smtpd_use_tls = yes": offer STARTTLS, do not require it for plain MX traffic
smtpd_tls_security_level = may

smtpd_sasl_security_options = noanonymous
smtpd_sasl_auth_enable = yes
# also announce "AUTH=..." for old clients (pre-RFC 2554 syntax)
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes

# announce and accept AUTH only after STARTTLS; "no" lets the password travel in the clear
smtpd_tls_auth_only = yes
# outgoing side, replaces the obsolete "smtp_use_tls = yes"
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

The section heading mentions saslauthd, but this configuration does not use it: with pwcheck_method: auxprop the lookup is done inside the Postfix smtpd process by the sql plugin, and the saslauthd daemon is never consulted. Enabling it, as the original article does, is harmless and becomes necessary only if you switch to pwcheck_method: saslauthd (for example to authenticate against PAM). What must be restarted after editing main.cf is Postfix itself (systemctl restart postfix).

systemctl enable saslauthd
systemctl start saslauthd


SECOND METHOD: use Dovecot to authenticate Postfix

This method needs no extra packages, so it is simpler, but it has a drawback: you cannot easily separate IMAP and SMTP users, so every IMAP user will be able to send mail through your SMTP server. If that is acceptable you save time and server resources. Postfix hands the AUTH exchange to Dovecot over a UNIX socket, so Dovecot must be running and must create that socket inside the Postfix queue directory. Add this listener to the service auth section of /etc/dovecot/conf.d/10-master.conf. The original article used mode = 0666; restricting the socket to the postfix user, as Dovecot's own Postfix how-to does, stops other local accounts from using the auth service to test passwords:

 # Postfix smtp-auth
 unix_listener /var/spool/postfix/private/auth {
   # only the postfix user may talk to the auth service
   mode = 0660
   user = postfix
   group = postfix
 }

The Postfix configuration is the same as above with two more lines. smtpd_sasl_path is relative to Postfix's queue_directory (/var/spool/postfix), so private/auth is the socket defined above:

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

Restart both services (systemctl restart dovecot postfix) and remember that this time the SMTP AUTH user name is whatever Dovecot's passdb expects, which for this setup is your full email address.
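Whichever method you chose, the outcome to verify is the same: the server must offer STARTTLS, must not advertise AUTH on the cleartext session, and must advertise it once TLS is up. The following added check (example code, not part of the original article) performs EHLO before and after STARTTLS and reports any of those three problems. The host name, port 587, the probe.example HELO name and the constructed EHLO replies used in the tests are assumptions; trust_self_signed exists only because this article builds a self-signed certificate.

```python
# Added example, not code from the original article: a post-deployment check
# that AUTH is offered only inside TLS, i.e. that smtpd_tls_auth_only = yes
# took effect, for either SASL backend. The EHLO replies parsed in tests are
# constructed; probe() needs a real host/port that you supply.
from __future__ import annotations

import smtplib
import ssl


def parse_ehlo(response: str) -> dict[str, str]:
    """Turn a raw multi-line EHLO reply into {keyword: params}, keyed in lower
    case like smtplib.SMTP.esmtp_features. The legacy "AUTH=PLAIN LOGIN" line
    that broken_sasl_auth_clients = yes adds is folded into "auth"."""
    features: dict[str, str] = {}
    lines = [ln.strip() for ln in response.splitlines() if ln.strip()]
    for line in lines[1:]:                       # first line is "250-hostname"
        if not line.startswith("250"):
            continue
        keyword, _, params = line[4:].partition(" ")
        if keyword.upper().startswith("AUTH="):  # old-style advertisement
            keyword, params = "AUTH", (keyword[5:] + " " + params).strip()
        keyword = keyword.lower()
        if keyword == "auth":                    # several AUTH lines accumulate
            params = (features.get("auth", "") + " " + params).strip()
        features[keyword] = params
    return features


def audit(pre_tls: dict[str, str], post_tls: dict[str, str] | None) -> list[str]:
    """Compare capabilities seen before and after STARTTLS; an empty list
    means the server behaves as the main.cf above intends."""
    findings: list[str] = []
    if "starttls" not in pre_tls:
        findings.append("STARTTLS not offered: check smtpd_tls_security_level and the cert/key files")
    if "auth" in pre_tls:
        findings.append("AUTH offered before STARTTLS (mechs: %s): set smtpd_tls_auth_only = yes"
                        % pre_tls["auth"])
    if post_tls is not None and "auth" not in post_tls:
        findings.append("AUTH not offered inside TLS: check smtpd_sasl_auth_enable and the SASL backend")
    return findings


def probe(host: str, port: int = 587, trust_self_signed: bool = False) -> list[str]:
    """Run the check against a live server. trust_self_signed disables
    certificate verification for the self-signed certificate built above;
    leave it False once a CA-issued certificate is installed."""
    context = ssl.create_default_context()
    if trust_self_signed:
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo("probe.example")
        pre_tls = dict(smtp.esmtp_features)
        post_tls = None
        if smtp.has_extn("starttls"):
            smtp.starttls(context=context)
            smtp.ehlo("probe.example")           # capabilities are re-announced after TLS
            post_tls = dict(smtp.esmtp_features)
    return audit(pre_tls, post_tls)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for finding in probe(target, trust_self_signed=True) or ["OK: AUTH only after STARTTLS"]:
        print(finding)
```

Run it against port 25 as well as 587 if you enabled SASL in main.cf rather than only in the submission service, since the settings apply to every smtpd instance that does not override them.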