I've long used pop-before-smtp to allow authenticated users a short window in which to send mail, but now that I've set up postfix 2.8.14 I want to also set up secure submission on port 587 with ssl and something like Kerberos 5 or MD5 challenge/response (or, frankly, even password) over SSL.
I built postfix with:

  make -f Makefile.init makefiles 'CCARGS=-DHAS_MYSQL -DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/usr/local/include/mysql -I/usr/local/include/sasl' 'AUXLIBS=-L/usr/local/lib/mysql -lmysqlclient -lz -lm -lssl -lcrypto -L/usr/local/lib -lsasl2'

Seems to work:

  # postconf -a
  cyrus
  dovecot
  # postconf -A
  cyrus

Also, the SASL Readme says:

  Cyrus SASL version 2.x searches for the configuration file in /usr/lib/sasl2/.
  Cyrus SASL version 2.1.22 and newer additionally search in /etc/sasl2/.

(I am running 2.1.22_2)

But of course, my configuration is in /usr/local/lib/sasl2/ as in the make line; should I link this directory to /etc/?

My saslauthd process looks like:

  /usr/local/sbin/saslauthd -a pam -m /var/run/authdaemond

but

  # testsaslauthd -u <user> -p <password>
  connect() : No such file or directory

On the other hand, all the LOGIN lines in postfix are from ssl.

  # cat /usr/local/lib/sasl2/smtpd.conf
  pwcheck_method: authdaemond
  mech_list: PLAIN LOGIN
  authdaemond_path=/var/run/authdaemond/socket
  log_level: 3

I haven't enabled any sasl settings in postfix yet, because I don't think the back-end is actually working for it, though TLS is working for smtpd at least.
postconf -n

  alias_database = hash:$config_directory/aliases
  alias_maps = hash:$config_directory/aliases, hash:/usr/local/mailman/data/aliases
  allow_percent_hack = no
  body_checks = pcre:$config_directory/body_checks.pcre
  bounce_size_limit = 10240
  command_directory = /usr/local/sbin
  config_directory = /etc/postfix
  daemon_directory = /usr/local/libexec/postfix
  data_directory = /var/db/postfix
  debug_peer_level = 2
  disable_vrfy_command = yes
  header_checks = pcre:$config_directory/header_checks.pcre
  header_size_limit = 10240
  home_mailbox = Maildir/
  html_directory = /usr/local/share/doc/postfix
  inet_interfaces = all
  mail_owner = postfix
  mailbox_command = /usr/local/bin/procmail -t -a $EXTENSION
  mailbox_size_limit = 52428800
  mailq_path = /usr/local/bin/mailq
  manpage_directory = /usr/local/man
  maps_rbl_reject_code = 521
  message_size_limit = 26214400
  mime_header_checks = pcre:$config_directory/mime_headers.pcre
  mydestination = $myhostname, localhost.$mydomain, $mydomain, localhost, ns1.$mydomain, ns2.$mydomain, mail.$mydomain, www.$mydomain, webmail.$mydomain
  mydomain = covisp.net
  myhostname = mail.covisp.net
  mynetworks = 75.148.117.88/29, 127.0.0.0/8
  myorigin = $mydomain
  newaliases_path = /usr/local/bin/newaliases
  postscreen_access_list = permit_mynetworks, cidr:$config_directory/postscreen_access.cidr
  postscreen_dnsbl_sites = zen.spamhaus.org*2
  queue_directory = /var/spool/postfix
  readme_directory = /usr/local/share/doc/postfix
  recipient_delimiter = +
  sample_directory = /usr/local/etc/postfix
  sendmail_path = /usr/local/sbin/sendmail
  setgid_group = maildrop
  show_user_unknown_table_name = no
  smtpd_banner = $myhostname ESMTP $mail_name $mail_version
  smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, check_sender_access hash:$config_directory/backscatter permit
  smtpd_error_sleep_time = 28
  smtpd_hard_error_limit = 8
  smtpd_helo_required = yes
  smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, permit
  smtpd_recipient_limit = 100
  smtpd_recipient_restrictions = reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_invalid_hostname, permit_mynetworks, check_client_access hash:$config_directory/pbs, permit_sasl_authenticated, reject_unauth_destination, reject_unlisted_recipient, reject_unlisted_sender, reject_unknown_reverse_client_hostname, warn_if_reject reject_unknown_client_hostname, check_client_access cidr:/var/db/dnswl/postfix-dnswl-permit check_sender_access pcre:$config_directory/sender_access.pcre, check_client_access pcre:$config_directory/check_client_fqdn.pcre, check_recipient_access pcre:$config_directory/recipient_checks.pcre, check_client_access hash:$config_directory/access, reject_rbl_client zen.spamhaus.org, permit
  smtpd_sender_restrictions = check_client_access hash:$config_directory/pbs, permit_sasl_authenticated, permit_mynetworks
  smtpd_soft_error_limit = 4
  smtpd_starttls_timeout = 90s
  smtpd_tls_cert_file = /etc/postfix/server.pem
  smtpd_tls_key_file = $smtpd_tls_cert_file
  smtpd_tls_loglevel = 2
  smtpd_tls_security_level = may
  smtpd_tls_session_cache_database = btree:$data_directory/smtpd_sessions
  smtpd_tls_session_cache_timeout = 1800s
  soft_bounce = no
  swap_bangpath = no
  transport_maps = hash:/etc/postfix/transport
  undisclosed_recipients_header = To: List of Bcc addresses:;
  unknown_local_recipient_reject_code = 550
  virtual_alias_domains = kreme.com
  virtual_alias_maps = hash:$config_directory/virtual pcre:$config_directory/virtual.pcre, pcre:$config_directory/virtual_sql.pcre, proxy:mysql:$config_directory/mysql_virtual_alias_maps.cf
  virtual_gid_maps = static:89
  virtual_mailbox_base = /usr/local/virtual
  virtual_mailbox_domains = proxy:mysql:$config_directory/mysql_virtual_domains_maps.cf
  virtual_mailbox_maps = proxy:mysql:$config_directory/mysql_virtual_mailbox_maps.cf
  virtual_minimum_uid = 89
  virtual_transport = procmail
  virtual_uid_maps = static:89

-- 
I'm not old, I'm chronologically challenged.
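An added example, not part of the post above, of the kind of port-587 service the poster is working towards: a master.cf stanza that offers AUTH only inside a TLS session and hands authentication to Cyrus SASL via smtpd.conf. The syslog name, the restriction lists and the choice of noanonymous are assumptions for illustration.

```text
# master.cf: submission service on 587 (added example; -o values are
# assumptions, not the poster's configuration)
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
# STARTTLS is mandatory here, and AUTH is not even advertised until the
# session is encrypted, so PLAIN/LOGIN never cross the wire in clear
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=cyrus
# Cyrus looks for <smtpd_sasl_path>.conf, i.e. smtpd.conf, in its config dirs
  -o smtpd_sasl_path=smtpd
# plaintext mechanisms are refused outside TLS and allowed only inside it
  -o smtpd_sasl_security_options=noanonymous,noplaintext
  -o smtpd_sasl_tls_security_options=noanonymous
# this port is for authenticated clients only; everything else is rejected
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

The smtpd_tls_loglevel of 2 already in the poster's main.cf, together with syslog_name=postfix/submission, keeps successful and failed AUTH attempts on 587 easy to pick out of the mail log.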