Smokes your problems, coughs fresh air.

Tag: sasl

Postfix, SASL and rimap: making sure the domain is not stripped from the user name

When you want to use your IMAP account as authentication for Postfix, you can set the SASL mechanism to “rimap”. However, by default, it will not supply the realm (domain) and therefore will authenticate with an incomplete username (john instead of

To fix that, add “-r” to the options in /etc/default/saslauthd (on Debian-based distros):

OPTIONS="-r -c -m /var/run/saslauthd"

Enabling authentication and SSL for Postfix on Debian

I used this document as the main source. This blog post is also useful.

First install libsasl2 and configure it. Enable it in /etc/default/sasl.

Then create the SASL config file in /etc/postfix/sasl, containing:

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

Then configure the SSL parameters in Postfix (the following is deprecated; see the aforementioned official Postfix docs for the proper way):

# According to official docs, this should be in one pem file.
# This should be smtp_tls_security_level = may, because use_tls is deprecated.
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
# I don't know if this one is also needed.
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
# When TLS encryption is optional in the Postfix SMTP server, do not announce or accept SASL authentication over unencrypted connections. 

Then enable the three smtps lines in

smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

Then you need to do some hacking to get the jailed postfix to access /var/run/saslauthd:

rm -r /var/run/saslauthd/
mkdir -p /var/spool/postfix/var/run/saslauthd
ln -s /var/spool/postfix/var/run/saslauthd /var/run
chgrp sasl /var/spool/postfix/var/run/saslauthd
# Add user postfix to group sasl
adduser postfix sasl

Then you should be good to go. Start all daemons.
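
Both saslauthd settings from these posts (the -r flag and a socket directory that the chrooted Postfix can reach) can be checked mechanically. The shell function below is an added example, not part of the original posts; its name and messages are made up for illustration, and it assumes GNU readlink -f as shipped on Debian.

```shell
#!/bin/sh
# Added example (not from the original posts): audit a saslauthd defaults file.
# check_saslauthd_defaults FILE [CHROOT]
# Prints one finding per line and returns 0 only when nothing is wrong.
check_saslauthd_defaults() {
    file=$1
    chroot=${2:-/var/spool/postfix}   # Postfix chroot used in the post above
    rc=0

    # Last uncommented OPTIONS= assignment, with the surrounding quotes removed.
    opts=$(sed -n 's/^[[:space:]]*OPTIONS=//p' "$file" | tail -n 1 | tr -d "\"'")
    if [ -z "$opts" ]; then
        echo "no OPTIONS= line in $file"
        return 1
    fi

    has_r=no
    mux=
    # Deliberate word splitting: walk the option string flag by flag.
    # Simplification: clustered flags such as -rc are not recognised.
    set -- $opts
    while [ $# -gt 0 ]; do
        case $1 in
            -r)   has_r=yes ;;
            -m)   mux=${2:-}; if [ $# -ge 2 ]; then shift; fi ;;
            -m?*) mux=${1#-m} ;;
        esac
        shift
    done

    if [ "$has_r" = no ]; then
        echo "missing -r: the realm is not appended, rimap gets the bare user name"
        rc=1
    fi

    # The socket directory must be inside the chroot, or a symlink into it
    # (the ln -s step above), for the chrooted smtpd to reach it.
    case $mux in
        "") echo "no -m option: cannot tell where the saslauthd socket lives"; rc=1 ;;
        *)  target=$(readlink -f "$mux" 2>/dev/null || true)
            case $target in
                "$chroot"/*) ;;
                *) echo "socket directory $mux does not resolve into $chroot"; rc=1 ;;
            esac ;;
    esac
    return $rc
}
```

Run it as `check_saslauthd_defaults /etc/default/saslauthd` after making the changes and before starting the daemons.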

© 2024 BigSmoke
