This step is now largely deprecated since I discovered that Dovecot is capable of doing SASL authentication. Not really sure how I missed that for so many years either. Skip this step.
saslauthd is used to force people sending email to authenticate. That way, the mail server doesn't just send out mail willy-nilly and doesn't get added to a DNSBL. As we already have a working authentication mechanism in the form of IMAP (Dovecot), why waste time trying to configure another? Just set saslauthd to use your IMAP server. Because Postfix is jailed (chrooted) on Debian boxes, we need to do some crazy things.
First, set up the saslauthd config (notice the last line in the config).
/etc/default/saslauthd

#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#

# Should saslauthd run automatically on startup? (default: no)
START=yes

# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="Farm Yard SASL Authentication Daemon"

# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent  -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam       -- use PAM
# rimap     -- use a remote IMAP server
# shadow    -- use the local shadow password file
# sasldb    -- use the local sasldb database file
# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="rimap -r -O localhost"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
#OPTIONS="-c -m /var/run/saslauthd"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
Now pop saslauthd into the postfix jail
# mkdir -p /var/spool/postfix/var/run
# mv /var/run/saslauthd /var/spool/postfix/var/run
And now link the original location to the new
# ln -s /var/spool/postfix/var/run/saslauthd /var/run/saslauthd
Now add the user postfix to the group sasl
# usermod -a -G sasl postfix
Lastly, open the file /etc/postfix/sasl/smtpd.conf, or create it if you don't already have it, and put the following in it:
pwcheck_method: saslauthd
mech_list: plain login
Now restart postfix and saslauthd to enable the changes.
saslauthd is enabled in the Postfix main.cf file, so should you run into trouble, it can be disabled by hashing out (commenting out with #) the lines below.
smtpd_sasl_local_domain = $mydomain, uplinkzero.com
smtpd_sasl_auth_enable = yes
smtpd_sasl2_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
Testing
saslauthd can be tested with the command testsaslauthd:
testsaslauthd: usage: testsaslauthd -u username -p password
[-r realm] [-s servicename]
[-f socket path] [-R repeatnum]

If everything is working correctly, it should look like this:
# testsaslauthd -u user@example.com -p myPassw0rd
0: OK "Success."
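
When testsaslauthd fails, the cause is often one of the file-level steps above rather than the password. The script below is an added example, not part of the original post: it audits the -m path, the jailed socket directory, the /var/run symlink, the sasl group membership and smtpd.conf. The function name check_sasl_chroot and its optional root-prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit the saslauthd-in-Postfix-chroot layout from this page.
# check_sasl_chroot and its root-prefix argument are illustrative names;
# pass a scratch directory to test, or nothing to audit the live system.

check_sasl_chroot() {
    root=${1:-/}; root=${root%/}
    jail=/var/spool/postfix/var/run/saslauthd
    fail=0

    # 1. The active OPTIONS line must point -m at the jailed directory.
    opts=$(sed -n 's/^OPTIONS="\(.*\)"$/\1/p' \
        "$root/etc/default/saslauthd" 2>/dev/null | tail -n 1)
    case " $opts " in
        *" -m $jail "*) ;;
        *) echo "FAIL: OPTIONS lacks -m $jail"; fail=1 ;;
    esac

    # 2. The socket directory must exist inside the jail.
    [ -d "$root$jail" ] || { echo "FAIL: $jail is missing"; fail=1; }

    # 3. /var/run/saslauthd must be a symlink to the jailed directory,
    #    so a misspelled link name is reported here.
    link=$root/var/run/saslauthd
    if [ -L "$link" ]; then
        [ "$(readlink "$link")" = "$jail" ] ||
            { echo "FAIL: $link points elsewhere"; fail=1; }
    else
        echo "FAIL: $link is not a symlink"; fail=1
    fi

    # 4. postfix must be listed as a member of group sasl.
    grep -Eq '^sasl:[^:]*:[^:]*:([^:]*,)?postfix(,[^:]*)?$' \
        "$root/etc/group" 2>/dev/null ||
        { echo "FAIL: postfix is not in group sasl"; fail=1; }

    # 5. Postfix's SASL config must delegate password checks to saslauthd.
    grep -Eq '^pwcheck_method:[[:space:]]*saslauthd[[:space:]]*$' \
        "$root/etc/postfix/sasl/smtpd.conf" 2>/dev/null ||
        { echo "FAIL: smtpd.conf does not use saslauthd"; fail=1; }

    return "$fail"
}
```

Source the file and run check_sasl_chroot as root with no argument; it prints one FAIL line per problem and returns non-zero if any check fails.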

