Monthly Archives: December 2006




written by Luca Gibelli (nervous at


About this document

This document is released under the Creative Commons Attribution-NonCommercial-NoDerivs 2.5 licence.
You can always download the latest version at:


The present document describes my experience with enabling SMTP-AUTH on Postfix using the latest Debian stable (sarge) packages.


You are running Debian Sarge 3.1.
Your mail server is hosting multiple domains as described in . You are using MySQL as a backend for user authentication as described in

Your users can authenticate on your pop3/imap server as:

pass test123

You want to allow them to authenticate with SMTP-AUTH using the very same credentials.
The passwords of your users’ pop3/imap accounts are stored in the database in hashed form (MD5 in this example), not in clear text. Because the server cannot recover the clear-text password from a hash, only the PLAIN and LOGIN mechanisms can be offered, and those send the password in the clear: you therefore want authentication to happen only on a secure channel (TLS).

You want to run Postfix’s “smtp” service chroot’ed, i.e. you have a line like this in /etc/postfix/

smtp inet n - - - - smtpd

The fifth field is the chroot flag; “-” takes the default, and the default is “y”, so on Debian this smtpd runs chrooted in /var/spool/postfix. That is what makes the saslauthd socket move and the smtpd.conf copy described below necessary.

What you need

Install the following packages:

How to set up the whole thing

Create the file /etc/pam.d/smtp with the following content:

Change “yourpass” to match your grant table. This file now holds the MySQL password in clear text; saslauthd runs as root and is the only process that reads it, so make the file readable by root only (mode 0600).

Create /etc/postfix/sasl/smtpd.conf with the following content:

Edit the file /etc/default/saslauthd, change START to “yes” and MECHANISMS to “pam”.

Edit the file /etc/init.d/saslauthd and add the “-r” flag to PARAMS, like this:


Move saslauthd’s socket dir inside Postfix’s chroot and create a symbolic link at the old location, so that saslauthd’s init script and any other local client keep working:

Add the postfix user to the sasl group:

Add the following lines to /etc/postfix/

Also remember to add “permit_sasl_authenticated” under “smtpd_recipient_restrictions”, before “reject_unauth_destination”: restrictions are evaluated in order, and if the reject comes first your authenticated users are refused relaying like everybody else.

Open /etc/init.d/postfix, search for the FILES variable and add etc/postfix/sasl/smtpd.conf to the list:

Restart Postfix and start saslauthd:
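The SASL/PAM steps above, collected into one staging script. This is an added example, not code from the original HOWTO. Everything it writes follows the text above, but the database name, table and column names, the grant user, the socket directory /var/spool/postfix/var/run/saslauthd, the pam_mysql crypt= value for hex MD5 digests, the Postfix parameter names and the quoted PARAMS=/FILES= variables in the two Sarge init scripts are assumptions about your system: compare each with the real files before running it as root. With DESTDIR=/tmp/stage it writes a preview tree instead of touching the live system.

```sh
#!/bin/sh
# Added example, not code from the original HOWTO: stages every file from the
# SASL/PAM steps above.  The DB name, table/column names, grant user, socket
# directory and init-script variable names are assumptions (placeholders);
# override them from the environment.  DESTDIR="" (default) edits the live
# system; DESTDIR=/tmp/stage writes a preview tree instead.
set -eu
DESTDIR="${DESTDIR:-}"
DBUSER="${DBUSER:-postfix}"  DBPASS="${DBPASS:-yourpass}"
DBNAME="${DBNAME:-mail}"     DBTABLE="${DBTABLE:-users}"
USERCOL="${USERCOL:-email}"  PASSCOL="${PASSCOL:-password}"
CRYPT="${CRYPT:-3}"          # pam_mysql crypt=: 3 hex MD5 digest, 1 crypt(3), 0 plain
SASLDIR="${SASLDIR:-/var/spool/postfix/var/run/saslauthd}"   # inside the smtpd chroot

# Append WORD inside VAR="..." in FILE unless already present (safe to rerun).
add_to_var() {   # FILE VAR WORD
    sed -i '/^'"$2"'="/{\|'"$3"'|!s|"$| '"$3"'"|;}' "$1"
}
# Set KEY=VALUE in a /etc/default style file, replacing any existing KEY= line.
set_default() {  # FILE KEY VALUE
    mkdir -p "$(dirname "$1")"; [ -f "$1" ] || : > "$1"
    if grep -q "^$2=" "$1"; then sed -i "s|^$2=.*|$2=$3|" "$1"
    else printf '%s=%s\n' "$2" "$3" >> "$1"; fi
}

# host=127.0.0.1 forces TCP, so MySQL's unix socket need not be in the chroot.
# The file holds the DB password; saslauthd runs as root and is its only
# reader, so it can be mode 0600.
write_pam_smtp() {
    o="user=$DBUSER passwd=$DBPASS host=127.0.0.1 db=$DBNAME table=$DBTABLE"
    o="$o usercolumn=$USERCOL passwdcolumn=$PASSCOL crypt=$CRYPT"
    mkdir -p "$DESTDIR/etc/pam.d"
    printf 'auth    required   pam_mysql.so %s\naccount sufficient pam_mysql.so %s\n' \
        "$o" "$o" > "$DESTDIR/etc/pam.d/smtp"
    chmod 600 "$DESTDIR/etc/pam.d/smtp"
}
# saslauthd receives the clear-text password, so only PLAIN and LOGIN can be
# offered against hashed DB passwords: that is why TLS comes before AUTH.
write_smtpd_conf() {
    mkdir -p "$DESTDIR/etc/postfix/sasl"
    printf 'pwcheck_method: saslauthd\nmech_list: plain login\n' \
        > "$DESTDIR/etc/postfix/sasl/smtpd.conf"
}
configure_saslauthd() {
    set_default "$DESTDIR/etc/default/saslauthd" START yes
    set_default "$DESTDIR/etc/default/saslauthd" MECHANISMS '"pam"'
    # -r keeps "user@domain" as one username instead of splitting off the realm
    [ -f "$DESTDIR/etc/init.d/saslauthd" ] && add_to_var "$DESTDIR/etc/init.d/saslauthd" PARAMS -r
    # socket directory inside the chroot, reachable from the usual path via a symlink
    mkdir -p "$DESTDIR$SASLDIR" "$DESTDIR/var/run"
    rm -rf "$DESTDIR/var/run/saslauthd"
    ln -s "$SASLDIR" "$DESTDIR/var/run/saslauthd"
}
# main.cf settings, fed to postconf -e; permit_sasl_authenticated must precede
# reject_unauth_destination or authenticated users cannot relay.
postfix_settings() {
    cat <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
EOF
}
stage() {
    write_pam_smtp; write_smtpd_conf; configure_saslauthd
    # the postfix init script copies FILES into the chroot at every restart
    [ -f "$DESTDIR/etc/init.d/postfix" ] && add_to_var "$DESTDIR/etc/init.d/postfix" FILES etc/postfix/sasl/smtpd.conf
    return 0
}
apply_live() {   # root-only parts, skipped for a preview tree
    adduser postfix sasl
    chgrp sasl "$SASLDIR" && chmod 710 "$SASLDIR"   # postfix (group sasl) must reach the socket
    postfix_settings | while IFS= read -r l; do postconf -e "$l"; done
    /etc/init.d/postfix restart && /etc/init.d/saslauthd start
}
case "${1:-}" in
    apply) stage; [ -n "$DESTDIR" ] || apply_live ;;
esac
```

Usage: `DESTDIR=/tmp/stage sh sasl-setup.sh apply` and inspect the tree, then `sh sasl-setup.sh apply` as root. Both edit helpers are idempotent, so re-running after a package upgrade that rewrote an init script is safe; the one thing the script never touches is your schema, which is why the column names are environment variables.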

Enable TLS

Finally create the SSL certificate needed by TLS:

Note: leave “challenge password” empty.

# openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

# openssl rsa -in smtpd.key -out smtpd.key.unencrypted

# mv -f smtpd.key.unencrypted smtpd.key

# openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

Then add the following lines to /etc/postfix/

Restart Postfix:
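The certificate steps above as a non-interactive script, added here as an example rather than taken from the HOWTO. It assumes the files live in /etc/postfix/ssl and uses placeholder subject names; the main.cf parameter names are those of Postfix 2.2 and of the TLS patch in Sarge's postfix-tls, so compare them with `postconf -d` on your box. The checks at the end are what a practitioner runs before restarting Postfix: the key must match the certificate and must load without a passphrase (the point of the “openssl rsa … smtpd.key.unencrypted” step), and cacert.pem is a separate self-signed CA that does not sign smtpd.crt, exactly as with the commands above, so clients will still see a self-signed server certificate.

```sh
#!/bin/sh
# Added example, not from the original HOWTO: the certificate steps above,
# non-interactive.  OUTDIR and the subject fields are assumptions; set them
# from the environment.  Run as root: OUTDIR=/etc/postfix/ssl sh mkcert.sh make
set -eu
OUTDIR="${OUTDIR:-/etc/postfix/ssl}"
DAYS="${DAYS:-3650}"
SUBJ="${SUBJ:-/C=IT/O=Example/CN=mail.example.com}"   # CN = name clients connect to
CASUBJ="${CASUBJ:-/C=IT/O=Example/CN=Example CA}"

# Key + CSR + self-signed certificate.  -nodes writes the key without a
# passphrase straight away (what "openssl rsa ... smtpd.key.unencrypted" did):
# Postfix has to open it unattended.  umask 077 so the key is never world-readable.
make_smtpd_cert() {
    umask 077
    mkdir -p "$OUTDIR"
    openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ" \
        -keyout "$OUTDIR/smtpd.key" -out "$OUTDIR/smtpd.csr" 2>/dev/null
    openssl x509 -req -days "$DAYS" -in "$OUTDIR/smtpd.csr" \
        -signkey "$OUTDIR/smtpd.key" -out "$OUTDIR/smtpd.crt" 2>/dev/null
    chmod 644 "$OUTDIR/smtpd.crt"   # the certificate is public, the key is not
}
# Separate self-signed CA, as in the HOWTO.  It is not the issuer of smtpd.crt.
make_ca_cert() {
    umask 077
    openssl req -new -x509 -extensions v3_ca -nodes -days "$DAYS" -subj "$CASUBJ" \
        -keyout "$OUTDIR/cakey.pem" -out "$OUTDIR/cacert.pem" 2>/dev/null
    chmod 644 "$OUTDIR/cacert.pem"
}
# Checks to run before restarting Postfix.
cert_cn() { openssl x509 -in "$OUTDIR/smtpd.crt" -noout -subject | sed 's/.*CN *= *//'; }
key_matches_cert() {   # public key in the key file == public key in the certificate
    [ "$(openssl rsa -in "$OUTDIR/smtpd.key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$OUTDIR/smtpd.crt" -noout -pubkey)" ]
}
key_has_no_passphrase() {   # a wrong -passin only matters if the key is encrypted
    openssl rsa -in "$OUTDIR/smtpd.key" -noout -passin pass:wrong 2>/dev/null
}
ca_signs_smtpd() {          # fails with the recipe above: smtpd.crt is self-signed
    openssl verify -CAfile "$OUTDIR/cacert.pem" "$OUTDIR/smtpd.crt" >/dev/null 2>&1
}
# main.cf lines for postconf -e (Postfix 2.2 / postfix-tls names: check postconf -d).
# smtpd_tls_auth_only refuses AUTH on a plain-text session.
postfix_tls_settings() {
    cat <<EOF
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = $OUTDIR/smtpd.crt
smtpd_tls_key_file = $OUTDIR/smtpd.key
smtpd_tls_CAfile = $OUTDIR/cacert.pem
smtpd_tls_loglevel = 1
EOF
}
case "${1:-}" in
    make) make_smtpd_cert; make_ca_cert
          key_matches_cert && key_has_no_passphrase && echo "smtpd.crt OK for CN $(cert_cn)"
          postfix_tls_settings | while IFS= read -r l; do postconf -e "$l"; done ;;
esac
```

If you want clients to be able to verify the server certificate against cacert.pem, sign the CSR with the CA key (openssl x509 -req -CA cacert.pem -CAkey cakey.pem -CAcreateserial) instead of with -signkey; then ca_signs_smtpd succeeds and the CA certificate is what you distribute to your users.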

Random thoughts

Q.: Can Postfix query the MySQL db directly?
A.: No: smtpd hands SMTP-AUTH to the Cyrus SASL library, so the authentication backend is SASL’s business, not Postfix’s.

Q.: Why do you use libpam-mysql? saslauthd natively supports SQL.
A.: Because SASL’s own SQL backend can only check passwords that are stored unencrypted in the database. That is the reason for interfacing saslauthd with PAM: PAM, in turn, can use just about anything, including pam_mysql, which knows how to compare against hashed passwords.

Q.: My friend told me that /etc/postfix/sasl/smtpd.conf should contain

A.: That was true for SASL < 2.x. Now you have to use saslauthd.

Q.: Why do you run saslauthd with the -r flag?
A.: Because my users authenticate as “user@domain”, not “user”, and without -r saslauthd would split the realm off the username before asking PAM. If you are in trouble, check /var/log/auth.log.

Q.: Why did you move saslauthd’s socket to

A.: Because the smtp service runs chroot’ed.

Q.: Why did you add etc/postfix/sasl/smtpd.conf to the FILES variable?
A.: Because Postfix needs to read that file from inside the chroot. The init.d script copies every file listed in FILES into the chroot at each restart, so the copy is always current.

Q.: How does the authentication chain work?
A.: Postfix’s smtpd hands the username and password to the Cyrus SASL library, which connects to saslauthd over its unix socket; saslauthd asks PAM to authenticate the user, and pam_mysql in turn queries the relevant MySQL table.

Q.: Are there any alternatives to libpam-mysql?
A.: Perhaps it’s possible to use authdaemon from the Courier package.

Q.: Why do you use instead of localhost?
A.: In order to use a TCP socket instead of a unix socket: MySQL treats the host name “localhost” as a request for its unix socket, whereas an IP address forces TCP. This way we don’t have to put MySQL’s unix socket inside Postfix’s chroot.

Similar documents:

RedHat/CentOS version of this HOWTO provided by Sebastien Wains (

Thanks to:

SASL2: BJ Dierkes (

TLS: Falko Timme (