edoceo

Postfix with SASL & OpenLDAP Authentication

Plugging Postfix into SASL with an OpenLDAP backend is an easy way to expand mail services: multiple mail servers can share the same OpenLDAP backend, and combining that with highly available storage builds a very solid platform.

Configure saslauthd and Confirm It Is Running

The options file varies by distribution; it may be /etc/conf.d/saslauthd or /etc/default/saslauthd. Find this file and check the environment it sets (in particular the authentication mechanisms and the mux directory). Then start saslauthd, presumably with /etc/init.d/saslauthd start or similar, and confirm it is running.

root@host # ps -e -o command |grep sasl
/usr/sbin/saslauthd -a getpwent pam ldap -c -m /var/run/saslauthd -n 5
/usr/sbin/saslauthd -a getpwent pam ldap -c -m /var/run/saslauthd -n 5
/usr/sbin/saslauthd -a getpwent pam ldap -c -m /var/run/saslauthd -n 5
/usr/sbin/saslauthd -a getpwent pam ldap -c -m /var/run/saslauthd -n 5
/usr/sbin/saslauthd -a getpwent pam ldap -c -m /var/run/saslauthd -n 5

From this we can see that saslauthd was started with -m /var/run/saslauthd, so its mux socket is /var/run/saslauthd/mux. Prove it:

root@host # stat /var/run/saslauthd/mux
  File: `/var/run/saslauthd/mux'
  Size: 0         	Blocks: 0          IO Block: 4096   socket
Device: 11h/17d	Inode: 537338      Links: 1
Access: (0777/srwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2010-02-17 19:42:57.244139063 -0800
Modify: 2010-02-17 19:42:57.244139063 -0800
Change: 2010-02-17 19:42:57.244139063 -0800

Configure Postfix to Use SASL

First, run postconf to save a copy of the complete defaults and of the full current configuration, then print only the settings that differ from the defaults.

root@host # postconf -d > /etc/postfix/main.cf-dist
root@host # postconf > /etc/postfix/main.cf-full
root@host # postconf -n

This example plugs Cyrus SASL into Postfix. Paths may need to be adjusted for your distribution; these examples are from Gentoo. The annotated example below provides guidelines on the more advanced configuration options.

# Enable this if you have broken clients (Microsoft Products <= 2005)
broken_sasl_auth_clients = no
# Search path for the Cyrus SASL application configuration; blank means the SASL library default
cyrus_sasl_config_path =
# Offer SMTP AUTH to clients
smtpd_sasl_auth_enable = yes
# Clients in these networks are never offered AUTH; blank means none
smtpd_sasl_exceptions_networks =
# Realm passed to the SASL library
smtpd_sasl_local_domain = edoceo.com
# Implementation-specific information handed to the SASL plug-in (a configuration file name or rendezvous point)
smtpd_sasl_path = /var/run/saslauthd/mux
# Never offer the ANONYMOUS mechanism
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = cyrus
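The two checks above (reading the mux path off the saslauthd command line, and reviewing the SASL settings in main.cf) can be scripted. The script below is an added example, not code from the original article: it derives the socket path from a saslauthd command line, parses "key = value" settings the way postconf -n prints them (including continuation lines), and audits the SASL parameters a defender would question. Both configuration files are constructed samples; the compiled-in default mux directory of /var/run/saslauthd is an assumption, and the check for plaintext mechanisms without TLS goes beyond the article by also looking at smtpd_tls_auth_only.

```shell
#!/bin/sh
# Added example (not the article's own code): audit the SASL-related settings
# of a Postfix main.cf and derive the saslauthd socket path from its command line.

TMP="${TMPDIR:-/tmp}"
HARDENED_CF="$TMP/sasl-audit-hardened.$$"
WEAK_CF="$TMP/sasl-audit-weak.$$"
trap 'rm -f "$HARDENED_CF" "$WEAK_CF"' EXIT

# Constructed sample: the article's settings plus TLS-aware security options.
cat > "$HARDENED_CF" <<'EOF'
# constructed sample main.cf
broken_sasl_auth_clients = no
cyrus_sasl_config_path =
smtpd_sasl_auth_enable = yes
smtpd_sasl_exceptions_networks =
smtpd_sasl_local_domain = example.com
smtpd_sasl_path = /var/run/saslauthd/mux
smtpd_sasl_security_options = noanonymous,
    noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = cyrus
EOF

# Constructed sample with the weak settings: no mechanism restrictions,
# no TLS requirement, and the compatibility shim left on.
cat > "$WEAK_CF" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options =
broken_sasl_auth_clients = yes
smtpd_sasl_type = cyrus
EOF

# mux_from_cmdline "CMDLINE": socket path implied by a saslauthd command line.
# Honours "-m DIR"; otherwise falls back to the assumed compiled-in default.
mux_from_cmdline() {
    dir=/var/run/saslauthd   # assumed build default
    set -- $1
    while [ $# -gt 0 ]; do
        [ "$1" = "-m" ] && [ -n "$2" ] && dir="$2"
        shift
    done
    printf '%s/mux\n' "$dir"
}

# pf_get FILE KEY: value of KEY in a main.cf-style file, joining continuation
# lines (lines starting with whitespace) as Postfix does; empty if unset.
pf_get() {
    awk -v key="$2" '
        /^[ \t]/ { if (found) { sub(/^[ \t]+/, ""); val = val " " $0 }; next }
        { found = 0 }
        /^#/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); sub(/[ \t]+$/, "", k)
            if (k != key) next
            val = substr($0, eq + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            found = 1
        }
        END { print val }
    ' "$1"
}

# has_option VALUE WORD: succeed if WORD is in a comma/space separated list.
has_option() {
    printf '%s\n' "$1" | tr ',' ' ' | tr -s ' ' '\n' | grep -qx "$2"
}

# audit_sasl FILE: print one finding per line; exit status = number of findings.
audit_sasl() {
    cf="$1"; n=0
    if [ "$(pf_get "$cf" smtpd_sasl_auth_enable)" != "yes" ]; then
        echo "smtpd_sasl_auth_enable is not yes: SMTP AUTH is off"; n=$((n+1))
    fi
    opts=$(pf_get "$cf" smtpd_sasl_security_options)
    if ! has_option "$opts" noanonymous; then
        echo "smtpd_sasl_security_options lacks noanonymous: ANONYMOUS would be offered"; n=$((n+1))
    fi
    # saslauthd verifies plaintext credentials (PLAIN/LOGIN); unless plaintext is
    # refused on non-TLS sessions or AUTH is limited to TLS, passwords cross the wire in the clear.
    if ! has_option "$opts" noplaintext && [ "$(pf_get "$cf" smtpd_tls_auth_only)" != "yes" ]; then
        echo "plaintext mechanisms allowed without TLS (set noplaintext or smtpd_tls_auth_only = yes)"; n=$((n+1))
    fi
    if [ "$(pf_get "$cf" broken_sasl_auth_clients)" = "yes" ]; then
        echo "broken_sasl_auth_clients = yes: compatibility shim for old clients left enabled"; n=$((n+1))
    fi
    return $n
}

echo "saslauthd socket: $(mux_from_cmdline '/usr/sbin/saslauthd -a getpwent pam ldap -c -m /var/run/saslauthd -n 5')"
echo "== hardened sample =="; audit_sasl "$HARDENED_CF" || echo "findings: $?"
echo "== weak sample =="; audit_sasl "$WEAK_CF" || echo "findings: $?"
```

On a live host, feed it the output of postconf -n instead of the constructed samples, and compare the derived socket path against the rendezvous point your SASL configuration actually uses.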

Addendum

If clients are still having problems authenticating, they may be among the broken ones; try this:

broken_sasl_auth_clients = yes
