How to use Postfix SASL authentication


SMTP servers must decide whether an SMTP client is authorized to send e-mail that the server is responsible for.

Simple Authentication and Security Layer (SASL) Integration Postfix

This guide describes how to extend an MTA (Mail Transport Agent) Postfix on CentOS 7 with CyrusSASL for SMTP authentication (SMTP-Auth). After that, clients can send e-mail using SMTP-Auth. This manual is checked under CentOS Linux release 7.7.1908 (Core), with Postfix v2.10.1 and Cyrus-SASL 2.1.26. It is assumed that the postfix is already configured and Transport Layer Security (TLS) is implemented.

Postfix does not implement the SASL Library itself, but uses existing implementations as building blocks. This means that some SASL-related configuration files belong to Postfix, while other configuration files belong to the specific SASL implementation that Postfix will use.

How to Install Cyrus-SASL

When root install the packages with the following command:

The individual SASL mechanisms are installed as RPMs.

The following is the integration for Postfix, for this purpose make the modification in the file /etc/postfix/

For Postfix to work with SASL, Postfix must not run in the chroot directory, line smtps at position 5 (n).

Configure SMTP-Auth for local users, we edit the Postfix file /etc/postfix/

Cyrus-SASL is configured by two files. The first file /etc/sysconfig/saslauthd can be transferred:

The SASL mechanisms PLAIN and LOGIN, CRAM-MD5 and DIGEST-MD5 are often used, for which the configuration file /etc/sasl2/smtpd.conf is responsible, the deployment was also performed during installation:

Now start Cyrus-SASL Library Daemon and activate the systemd autostart, then re-start Postfix:

SMTP Submission Support on port 587 is now enabled, and this can be verified with the following command:

To authenticate to the SMTP gateway, a user is now created to send e-mail through the MTA:

 A local UserID is sufficient for our request here, Cyrus-SASL continues to support LDAP and SQL to interact with, for example, Kopano or an AD directory service.

Testing Cyrus-SASL SMTP-Auth

The mechanisms for authentication within STARTTLS can be verified with OpenSSL:

In the output of openssl pass an EHLO:

If OpenSSL is not available, telnet can also be used for this purpose, it is connected to the gateway via port 587, PuTTY or KiTTY can also be used for this purpose.

Now we want to authenticate to the gateway (MTA). The user name and password must be transferred to the SMTP gateway in base64 encoded format, and enter the following command lines to obtain the base64 encoding for the user name and password.

The SASL SMTP-Auth configuration and authentication is checked as follows by running the following lines in the terminal, after entering AUTH LOGIN to insert the user name encoded with Base64 and the password.

The SMTP-Auth edition of Postfix with Cyrus-SASL.

Insert the above encoded credentials at the 334 prompts, here at line 24 as userxy and at line 26 our password.

 A 250 STARTTLS in the output shows the prerequisites that the plaintext username with password is transmitted to the SMTP gateway protected by STARTTLS.

Another easy way to test an SMTP gateway is SMTPConsole.


How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?

Leave a Reply

Your email address will not be published. Required fields are marked *