Skip to content

Enabling authentication and SSL for Postfix on Debian

I used this document as main source. This blogpost is also useful.

First install libsasl2 and configure it. Enable it in /etc/default/sasl.

First make the sasl config file in /etc/postfix/sasl which says:

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

Then configure the ssl paramters in postfix (the following is deprecated. See aforementioned official postfix docs for good way):

# According to official docs, this should be in one pem file.
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
# This should be smtp_tls_security_level = may, because use_tls is deprecated.
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
# I don't know if this one is also needed.
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
# When TLS encryption is optional in the Postfix SMTP server, do not announce or accept SASL authentication over unencrypted connections. 
smtpd_tls_auth_only=yes

Then enable the three smtps lines in master.cf:

smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

Then you need to do some hacking to get the jailed postfix to access /var/run/saslauthd:

rm -r /var/run/saslauthd/
mkdir -p /var/spool/postfix/var/run/saslauthd
ln -s /var/spool/postfix/var/run/saslauthd /var/run
chgrp sasl /var/spool/postfix/var/run/saslauthd
# Add user postfix to group sasl
adduser postfix sasl

Then you should be good to go. Start all daemons.


    No Comments ( Add comment / trackback )