Postfix SASL Socket and saslauthd

If you want to run postfix with SASL authentication, using saslauthd, so you can authenticate mail users against a PAM database, you need postfix to know where to look for the saslauthd socket. The documentation seems to leave out this essential bit of information, perhaps assuming you’re not installing saslauthd from source (this all just works on a Fedora Core install, for instance).

<p>Anyway, the socket needs to be at:</p>
<p>  /var/state/saslauthd/mux</p>
<p>which you specify with the -m option to saslauthd.</p>
<p>Now, since you’re interested in this topic, you’ll probably need to configure postfix for SASL and set up PAM.</p>
<p>Here are some postfix configuration options to get you started:</p>
<p>smtpd_sasl_auth_enable = yes<br />
smtpd_sasl_application_name = smtpd<br />
smtpd_sasl_local_domain = $myhostname<br />
broken_sasl_auth_clients = yes<br />
smtpd_sasl_security_options =<br />
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination</p>

<p>And you’ll need to have an /etc/pam.d/smtpd file that looks something like this:</p>
<p>#%PAM-1.0<br />
auth required /lib/security/pam_stack.so service=system-auth<br />
account required /lib/security/pam_stack.so service=system-auth</p>

<p>It’s probably better to duplicate an existing simple PAM service on your system than to use this example, as PAM configurations evolve over time.</p>
<p>Here’s how to debug similar problems.</p>
<p>First, connect to postfix:</p>
<p>  telnet localhost 25</p>
<p>You’ll see the postfix banner.  Tell it you know how to use ESMTP:</p>
<p>  EHLO bfccomputing.com</p>
<p>It will come back with a list of its capabilities.  You have hopefully set up your /usr/local/lib/sasl2/smtpd.conf file with:</p>
<p>  pwcheck_method: saslauthd<br />
mech_list: login plain</p>

<p>so it should report that it can do AUTH PLAIN as one of the capabilities.  So we’ll try that:</p>
<p>  AUTH PLAIN YmZjY29tcHV0aW5nAGJmY2NvbXB1dGluZwBwYXNzd29yZA==</p>
<p>At this point, you’re allowed to freak out and say, “huh?”  So, this authentication needs a Base-64 encoded representation of your username and password.  Here’s how to get that:</p>
<p><code> printf 'bfccomputing</code>
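<p>The sketch below is an added example, not code from the original post. It builds and decodes an AUTH PLAIN token, using the token and credentials shown above as a constructed sample. The function names are illustrative, and the field layout (authzid, authcid, password, separated by NUL bytes) follows RFC 4616.</p>

```shell
#!/bin/sh
# Added example (not from the original post): build and inspect SASL PLAIN
# tokens. Layout per RFC 4616: authzid NUL authcid NUL password.
# Function names are illustrative.

# sasl_plain_encode AUTHCID PASSWORD [AUTHZID]
# Credentials go through %s so a password containing '%', '\' or leading
# digits is not reinterpreted by printf (in a format string, "\0" followed
# by digits is read as one octal escape and silently corrupts the token).
sasl_plain_encode() {
    printf '%s\0%s\0%s' "${3-}" "$1" "$2" | base64 | tr -d '\n'
}

# sasl_plain_decode TOKEN
# Prints the three fields; returns non-zero unless exactly three are present.
sasl_plain_decode() {
    printf '%s' "$1" | base64 -d | tr '\0' '\n' |
        awk '{ f[NR] = $0 }
             END {
                 if (NR != 3) exit 1
                 printf "authzid=%s\nauthcid=%s\npassword=%s\n", f[1], f[2], f[3]
             }'
}

# Constructed sample: the token shown in the post.
sasl_plain_decode 'YmZjY29tcHV0aW5nAGJmY2NvbXB1dGluZwBwYXNzd29yZA=='
# Re-create it from its parts; the output matches the token above.
sasl_plain_encode bfccomputing password bfccomputing; echo
```

<p>Anyone who captures the AUTH PLAIN line can run the decode step, so Base-64 here provides no confidentiality; offer the mechanism only on connections protected by TLS.</p>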