written by Luca Gibelli (nervous at

About this document

This document is released under the Creative Commons Attribution-NonCommercial-NoDerivs 2.5 licence.

You can always download the latest version at:


The present document describes my experience with enabling SMTP-AUTH on Postfix using the latest Debian stable (sarge) packages.


You are running Debian Sarge (3.1).
Your mail server is hosting multiple domains as described in . You are using MySQL as a backend for user authentication as described in

Your users can authenticate on your pop3/imap server as:

pass test123

You want to allow them to authenticate with SMTP-AUTH using the very same credentials.
The passwords of your users' pop3/imap accounts are stored in the database as hashes, not in clear text (crypt(3) MD5 hashes, the "$1$salt$..." form, in this example). You want clients to authenticate only over an encrypted channel (TLS).

You want to run Postfix's "smtp" service chroot'ed, i.e. you have a line like this in /etc/postfix/

smtp inet n - - - - smtpd

What you need

Install the following packages:

# apt-get install postfix-tls sasl2-bin libsasl2 libsasl2-modules libpam-mysql openssl

How to set up the whole thing

Create the file /etc/pam.d/smtp with the following content:
auth required user=postfix passwd=yourpass host= db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1 md5=1
account sufficient user=postfix passwd=yourpass host= db=postfix table=mailbox usercolumn=username passwdcolumn=password crypt=1 md5=1

Change "yourpass" to the password you granted to the postfix MySQL user. Since this file holds a database password in clear text, make it readable by root only; saslauthd runs as root, so PAM can still read it.
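As an added illustration, not part of the original HOWTO, the following Python reimplements the crypt(3) MD5 ("$1$") algorithm that pam_mysql relies on with crypt=1 md5=1. It lets you produce a value for the password column of the mailbox table and shows the exact comparison pam_mysql performs: crypt(supplied, stored) == stored. It also serves the later FAQ entry on why PAM is used instead of saslauthd's own SQL backend, which only compares clear-text passwords. The account name, salt and table row are constructed here; the table and column names are the ones used in the PAM lines above.

```python
# Added example, not part of the original HOWTO: pure-Python md5crypt
# (Poul-Henning Kamp's crypt(3) "$1$" scheme) so the hash that pam_mysql
# compares with "crypt=1 md5=1" can be generated and checked without the
# deprecated crypt module. Account name and salt below are constructed.
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt(3)'s base-64 variant: low 6 bits first, no padding."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password, salt):
    """Return "$1$<salt>$<hash>" exactly as crypt(3) does for an MD5 salt.
    salt may be a bare salt or a full "$1$salt$..." hash (then the salt
    part is reused, which is how verification against a stored hash works)."""
    pw = password.encode("utf-8")
    if salt.startswith("$1$"):
        salt = salt[3:]
    salt = salt.split("$", 1)[0][:8]           # up to 8 chars, stops at '$'
    sp = salt.encode("ascii")

    ctx = hashlib.md5(pw + b"$1$" + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    pl = len(pw)
    while pl > 0:                               # mix in len(pw) bytes of alt
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                                    # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):                       # fixed 1000 stretching rounds
        h = hashlib.md5()
        h.update(pw if i & 1 else final)
        if i % 3:
            h.update(sp)
        if i % 7:
            h.update(pw)
        h.update(final if i & 1 else pw)
        final = h.digest()

    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return "$1$" + salt + "$" + out


def new_password_hash(password):
    """Value to INSERT into mailbox.password for a new account: random salt."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return md5crypt(password, salt)


def pam_mysql_check(stored, supplied):
    """The comparison pam_mysql makes with crypt=1:
    crypt(supplied, stored) == stored. A plain hex md5() value (no "$1$")
    can never match, which is why crypt=1 and the column format must agree."""
    if not stored.startswith("$1$"):
        return False
    return secrets.compare_digest(md5crypt(supplied, stored), stored)


# Constructed row from the HOWTO's mailbox table (username -> password column).
MAILBOX = {"test@example.com": md5crypt("test123", "Zk3Qx7Lp")}

if __name__ == "__main__":
    print(MAILBOX)
    print(pam_mysql_check(MAILBOX["test@example.com"], "test123"))   # True
    print(pam_mysql_check(MAILBOX["test@example.com"], "wrong"))     # False
```

The stored hash carries its own salt, so verification never needs the clear-text password on the server side; that is the property saslauthd's SQL backend cannot use and pam_mysql can.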

Create /etc/postfix/sasl/smtpd.conf with the following content:

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
log_level: 5

Edit the file /etc/default/saslauthd, change START to "yes" and MECHANISMS to "pam".

Edit the file /etc/init.d/saslauthd and add the "-r" flag to PARAMS, like this:


Move saslauthd's socket dir inside Postfix's chroot and create a link to keep everybody happy:

# mv /var/run/saslauthd /var/spool/postfix/var/run/saslauthd
# ln -s /var/spool/postfix/var/run/saslauthd /var/run/saslauthd

Add the postfix user to the sasl group:

# adduser postfix sasl

Add the following lines to /etc/postfix/

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes

Also remember to add "permit_sasl_authenticated" to "smtpd_recipient_restrictions", placed before "reject_unauth_destination", so that authenticated clients may relay while everybody else is still refused.

Open /etc/init.d/postfix, search for the FILES variable and add etc/postfix/sasl/smtpd.conf to the list:

FILES="etc/localtime etc/services etc/resolv.conf etc/hosts \
etc/nsswitch.conf etc/postfix/sasl/smtpd.conf"

Restart Postfix and start saslauthd:

# /etc/init.d/postfix restart
# /etc/init.d/saslauthd start

Enable TLS

Finally create the SSL certificate needed by TLS:

# mkdir /etc/postfix/tls
# cd /etc/postfix/tls
# openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
# openssl req -new -key smtpd.key -out smtpd.csr

Note: leave "challenge password" empty. The 1024-bit key size and the /etc/hosts seed in the genrsa line reflect 2005 practice; on a current system use at least 2048 bits and drop -rand, since OpenSSL seeds itself from the kernel's random source.

# openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

Strip the passphrase from the key, since Postfix cannot prompt for one when it starts (keep the resulting file readable by root only):

# openssl rsa -in smtpd.key -out smtpd.key.unencrypted
# mv -f smtpd.key.unencrypted smtpd.key

Also create a self-signed CA certificate for smtpd_tls_CAfile. Note that smtpd.crt above is self-signed and not issued by this CA, so cacert.pem plays no part in validating the server certificate; a client that wants to verify the server must trust smtpd.crt itself.

# openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Then add the following lines to /etc/postfix/

smtpd_use_tls = yes
#smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/tls/smtpd.key
smtpd_tls_cert_file = /etc/postfix/tls/smtpd.crt
smtpd_tls_CAfile = /etc/postfix/tls/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

smtpd_tls_auth_only is commented out above. Because this setup assumes that credentials travel only over TLS, uncomment it: with "smtpd_tls_auth_only = yes" Postfix advertises AUTH only after STARTTLS, so a PLAIN or LOGIN exchange can never happen on a clear-text connection. Then restart Postfix:

# /etc/init.d/postfix restart
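To see what the TLS requirement protects and to check that it is actually enforced, here is an added Python example that is not part of the original HOWTO. It builds the PLAIN message a client sends after AUTH PLAIN (base64, not encryption), shows how saslauthd's -r flag changes the login string PAM receives, and parses an EHLO reply to flag a server that still advertises AUTH on a clear-text connection, which "smtpd_tls_auth_only = yes" rules out. The host name, port and EHLO transcripts are constructed; check_live() needs a real server and is not called by the tests.

```python
# Added example, not part of the original HOWTO. Host name, port and the
# EHLO transcripts are constructed for illustration.
import base64
import smtplib
import ssl


def plain_token(authcid, password, authzid=""):
    """RFC 4616 PLAIN message: authzid NUL authcid NUL password, base64.
    This is the blob a client sends after 'AUTH PLAIN'. Base64 is not
    encryption: on a non-TLS connection anyone on the path reads it."""
    msg = "\0".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(msg).decode("ascii")


def decode_plain(token):
    """Inverse of plain_token: what the server side recovers from the blob."""
    raw = base64.b64decode(token).decode("utf-8")
    authzid, authcid, password = raw.split("\0", 2)
    return authzid, authcid, password


def login_passed_to_pam(authcid, saslauthd_r_flag):
    """Login string saslauthd hands to PAM. libsasl splits 'user@domain'
    into login 'user' and realm 'domain'; saslauthd's -r flag glues them
    back together, which a mailbox table keyed on full addresses needs."""
    user, _, realm = authcid.partition("@")
    if saslauthd_r_flag and realm:
        return user + "@" + realm
    return user


def advertised_mechs(ehlo_reply):
    """Return the SASL mechanisms listed on the AUTH line of an EHLO reply,
    with or without the '250-' prefixes (empty list if no AUTH line)."""
    for line in ehlo_reply.splitlines():
        body = line[4:] if line[:3] == "250" else line
        words = body.split()
        if words and words[0].upper() == "AUTH":
            return [w.upper() for w in words[1:]]
    return []


def tls_auth_only_honoured(cleartext_ehlo_reply):
    """smtpd_tls_auth_only = yes means: no AUTH offered before STARTTLS."""
    return advertised_mechs(cleartext_ehlo_reply) == []


# Constructed EHLO replies as seen on a clear-text connection.
EHLO_LAX = "250-mail.example.com\n250-PIPELINING\n250-STARTTLS\n250-AUTH PLAIN LOGIN\n250 8BITMIME"
EHLO_STRICT = "250-mail.example.com\n250-PIPELINING\n250-STARTTLS\n250 8BITMIME"


def check_live(host, port=25, cafile=None):
    """Record the mechanisms offered before and after STARTTLS on a real
    server. Needs network; pass cafile=the server's self-signed smtpd.crt
    so the TLS handshake verifies."""
    ctx = ssl.create_default_context(cafile=cafile)
    s = smtplib.SMTP(host, port, timeout=10)
    try:
        s.ehlo()
        before = advertised_mechs(s.ehlo_resp.decode("ascii", "replace"))
        s.starttls(context=ctx)
        s.ehlo()
        after = advertised_mechs(s.ehlo_resp.decode("ascii", "replace"))
    finally:
        s.close()
    return {"before_tls": before, "after_tls": after}


if __name__ == "__main__":
    tok = plain_token("test@example.com", "test123")
    print("AUTH PLAIN", tok, "->", decode_plain(tok))
    print("lax server honours tls_auth_only:", tls_auth_only_honoured(EHLO_LAX))
    print("strict server honours tls_auth_only:", tls_auth_only_honoured(EHLO_STRICT))
```

The saslauthd half of the chain can be exercised on its own with testsaslauthd from sasl2-bin, pointing it with -f at the mux socket inside the chroot; the TLS half can be watched by hand with openssl s_client and -starttls smtp, where the second EHLO after STARTTLS should be the first one to list AUTH.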

Random thoughts

Q.: Can Postfix query the MySQL db directly?
A.: Not for SMTP-AUTH. Postfix delegates the password check to the Cyrus SASL library, and it is that library which is plugged into saslauthd and PAM here.

Q.: Why do you use libpam-mysql? saslauthd natively supports SQL.
A.: Because saslauthd's SQL backend can only compare passwords stored in clear text in the database. Interfacing saslauthd with PAM gets around that: pam_mysql understands crypt(3) hashes, and PAM in turn can use just about anything.

Q.: My friend told me that /etc/postfix/sasl/smtpd.conf should contain

 "pwcheck_method: pam"

A.: That was true for SASL 1.x. With SASL 2 the PAM check goes through saslauthd (MECHANISMS="pam" in /etc/default/saslauthd), as set up above.

Q.: Why do you run saslauthd with the -r flag?
A.: Because my users authenticate as "user@domain", not "user"; without -r saslauthd would pass only the part before the "@" to PAM, and the lookup in the mailbox table would fail. If you are in trouble, check /var/log/auth.log.

Q.: Why did you move saslauthd's socket to


A.: Because the smtp service runs chroot'ed.

Q.: Why did you add etc/postfix/sasl/smtpd.conf to the FILES variable?
A.: Because Postfix needs to access that file from inside the chroot. The init.d script copies the latest copy of that file inside the chroot at every restart.

Q.: How does the authentication chain work?
A.: Postfix connects to saslauthd over a unix socket (the mux file in the directory moved into the chroot), saslauthd asks PAM to authenticate the user, and pam_mysql queries the relevant MySQL table. The last two links can be tested on their own with testsaslauthd from sasl2-bin, pointing it at that socket.

Q.: Are there any alternatives to libpam-mysql?
A.: Perhaps it's possible to use authdaemon from the Courier package.

Q.: Why do you use instead of localhost?
A.: In order to use a TCP socket instead of a unix socket. This way we don't have to put MySQL's unix socket inside Postfix's chroot.

Similar documents:

RedHat/CentOS version of this HOWTO provided by Sebastien Wains (

Thanks to:

SASL2: BJ Dierkes (

TLS: Falko Timme (