Mail server_SMTP authentication - SomethingWithHorizons/mailserver GitHub Wiki
Configure Postfix to use Dovecot as its authentication mechanism.
Procedure
- Edit `/etc/dovecot/conf.d/10-master.conf` to have it create an authentication socket file owned by the user/group postfix with mode 660 (so only "postfix" can "talk to" the socket file):

  ```diff
   service auth {
     ...
     # Postfix smtp-auth
     #unix_listener /var/spool/postfix/private/auth {
     #  mode = 0666
     #}
  +  unix_listener /var/spool/postfix/private/auth {
  +    mode = 0660
  +    user = postfix
  +    group = postfix
  +  }
  ```

- Make Postfix use Dovecot for SASL authentication:

  ```sh
  postconf -e "smtpd_sasl_type=dovecot"
  postconf -e "smtpd_sasl_path=private/auth"
  postconf -e "smtpd_sasl_auth_enable=yes"
  ```

- Edit `/etc/postfix/master.cf` to make Postfix use the submission port (587) (instead of the old-school SMTP port (25))*:

  ```diff
   #submission inet n       -       y       -       -       smtpd
   #  -o syslog_name=postfix/submission
   #  -o smtpd_tls_security_level=encrypt
   #  -o smtpd_sasl_auth_enable=yes
   #  -o smtpd_reject_unlisted_recipient=no
   #  -o smtpd_client_restrictions=$mua_client_restrictions
   #  -o smtpd_helo_restrictions=$mua_helo_restrictions
   #  -o smtpd_sender_restrictions=$mua_sender_restrictions
   #  -o smtpd_recipient_restrictions=
   #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
   #  -o milter_macro_daemon_name=ORIGINATING
  +submission inet n       -       -       -       -       smtpd
  +  -o syslog_name=postfix/submission
  +  -o smtpd_tls_security_level=encrypt
  +  -o smtpd_sasl_auth_enable=yes
  +  -o smtpd_sasl_type=dovecot
  +  -o smtpd_sasl_path=private/auth
  +  -o smtpd_sasl_security_options=noanonymous
  +  -o smtpd_sender_login_maps=mysql:/etc/postfix/mysql-email2email.cf,mysql:/etc/postfix/mysql-virtual-alias-maps.cf
  +  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  +  -o smtpd_sasl_local_domain=$myhostname
  +  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  +  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
  ```

  :information_source: *Port 25 (SMTP) is used for server-to-server e-mail submission. Historically it was also used for human-to-server e-mail relaying. However, because SMTP on port 25 does not necessarily require authentication, many ISPs block port 25 to guard against misconfigured (open) relay servers, which are notorious for being used by spammers. Submission (587) requires authentication in all cases, so it is the safer option to use.

- Reload Dovecot and Postfix to apply the changes:

  ```sh
  service dovecot reload
  service postfix reload
  ```
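
The following check is an added example, not part of the original wiki or the mailserver project: it parses `master.cf` text, including continuation lines and commented-out entries, and reports every `submission` override that differs from the values used in the procedure above. The names `service_overrides`, `audit_submission`, `REQUIRED` and `SAMPLE` are assumptions made for this illustration.

```python
# Overrides the submission entry depends on (values copied from the page).
REQUIRED = {
    "smtpd_tls_security_level": "encrypt",
    "smtpd_sasl_auth_enable": "yes",
    "smtpd_sasl_type": "dovecot",
    "smtpd_sasl_path": "private/auth",
    "smtpd_sasl_security_options": "noanonymous",
    "smtpd_sender_restrictions": "reject_sender_login_mismatch",
}

def service_overrides(text, service="submission"):
    """Return {name: value} for the service's -o options, or None if it is not enabled."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                              # blank lines and comments are ignored
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()      # leading whitespace continues a line
        else:
            logical.append(raw.strip())
    for line in logical:
        fields = line.split()
        if fields[0] == service and len(fields) >= 8:
            args = fields[8:]                     # everything after the 8 fixed columns
            pairs = (args[i + 1] for i, a in enumerate(args[:-1]) if a == "-o")
            return dict(p.split("=", 1) for p in pairs if "=" in p)
    return None

def audit_submission(text):
    """Return a list of findings; an empty list means the entry matches the procedure."""
    opts = service_overrides(text)
    if opts is None:
        return ["submission service is not enabled (still commented out?)"]
    findings = [f"{k}={opts.get(k)!r}, expected {v!r}"
                for k, v in REQUIRED.items() if opts.get(k) != v]
    for key in ("smtpd_client_restrictions", "smtpd_recipient_restrictions"):
        chain = opts.get(key, "").split(",")
        if "permit_sasl_authenticated" not in chain or chain[-1] != "reject":
            findings.append(f"{key} must permit SASL users and end in reject")
    return findings

# Constructed sample: a shortened entry that still allows cleartext (level "may").
SAMPLE = """\
submission inet n - - - - smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
"""
if __name__ == "__main__":
    print("\n".join(audit_submission(SAMPLE)))
```

To audit a live system, pass the contents of `/etc/postfix/master.cf` to `audit_submission`.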