§2024-04-28

¶SMTP authentication

SMTP-AUTH allows a client to identify itself through the Simple Authentication and Security Layer (SASL) authentication mechanism, using Transport Layer Security (TLS) to encrypt the authentication process. Once it has been authenticated, the SMTP server will allow the client to relay mail.

To configure Postfix for SMTP-AUTH using SASL (Dovecot SASL), run these commands at a terminal prompt:

sudo postconf -e 'smtpd_sasl_type = dovecot'
sudo postconf -e 'smtpd_sasl_path = private/auth'
sudo postconf -e 'smtpd_sasl_local_domain ='
sudo postconf -e 'smtpd_sasl_security_options = noanonymous,noplaintext'
sudo postconf -e 'smtpd_sasl_tls_security_options = noanonymous'
sudo postconf -e 'broken_sasl_auth_clients = yes'
sudo postconf -e 'smtpd_sasl_auth_enable = yes'
sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
alexlai@h2Jammy:/etc/postfix$ grep smtpd_sas_type main.cf
lsmtpd_sas_type = dovecot

alexlai@h2Jammy:/etc/postfix$ grep  broken_sasl_auth_clients main.cf
broken_sasl_auth_clients = yes

alexlai@h2Jammy:/etc/postfix$ grep  smtpd_recipient_restrictions  main.cf
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination

alexlai@h2Jammy:/etc/postfix$ grep smtpd_sasl_ main.cf
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = 
smtpd_sasl_security_options = noanonymous,noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_auth_enable = yes

Note: The smtpd_sasl_path config parameter is a path relative to the Postfix queue directory.

There are several SASL mechanism properties worth evaluating to improve the security of your deployment. The options “noanonymous,noplaintext” prevent the use of mechanisms that permit anonymous authentication or that transmit credentials unencrypted.
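As a check on the procedure above, here is an added shell script (not from the original notes and not part of Postfix) that audits a main.cf for the SMTP-AUTH settings listed. It runs against two constructed main.cf fragments: one reproducing the state the notes' own grep output shows (the mis-typed parameter name lsmtpd_sas_type, which Postfix logs as an unused parameter and never applies, and smtpd_sasl_auth_enable commented out) and one carrying the intended values. The helper names cf_get, list_has and check_sasl_config are this example's own.

```shell
#!/bin/sh
# Added example: audit the SMTP-AUTH settings in a Postfix main.cf.
# Not from the original notes or the Postfix project; the sample files below
# are constructed to mirror the notes' configuration.

# Effective value of a main.cf parameter: the last uncommented assignment
# wins, surrounding whitespace is stripped. Prints nothing if it is unset.
cf_get() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# True when the comma- or space-separated list in $1 contains the word $2.
list_has() {
    case " $(printf '%s' "$1" | tr ',' ' ') " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when FILE carries the SMTP-AUTH settings from the notes, 1 otherwise.
# Every finding is printed so the reader sees exactly what to fix.
check_sasl_config() {
    file=$1
    rc=0
    fail() { echo "FAIL: $1"; rc=1; }

    # Typo guard: Postfix only knows smtpd_sasl_type; a misspelled name is
    # logged as an "unused parameter" and the built-in default stays in force.
    if grep -qE '^[[:space:]]*lsmtpd_sas_type[[:space:]]*=' "$file"; then
        fail "lsmtpd_sas_type is not a Postfix parameter (use smtpd_sasl_type)"
    fi
    [ "$(cf_get "$file" smtpd_sasl_type)" = dovecot ] || fail "smtpd_sasl_type must be dovecot"
    [ "$(cf_get "$file" smtpd_sasl_path)" = private/auth ] || fail "smtpd_sasl_path must be private/auth"
    # A commented-out line is not set, so SMTP-AUTH would stay disabled.
    [ "$(cf_get "$file" smtpd_sasl_auth_enable)" = yes ] || fail "smtpd_sasl_auth_enable is not yes"

    # Mechanism properties: no anonymous logins, and no plaintext credentials
    # unless the session is TLS-protected.
    opts=$(cf_get "$file" smtpd_sasl_security_options)
    list_has "$opts" noanonymous || fail "smtpd_sasl_security_options lacks noanonymous"
    list_has "$opts" noplaintext || fail "smtpd_sasl_security_options lacks noplaintext"
    tlsopts=$(cf_get "$file" smtpd_sasl_tls_security_options)
    list_has "$tlsopts" noanonymous || fail "smtpd_sasl_tls_security_options lacks noanonymous"

    # Relay policy: only authenticated clients and $mynetworks may relay;
    # anything else bound for a foreign destination is rejected.
    rr=$(cf_get "$file" smtpd_recipient_restrictions)
    list_has "$rr" permit_sasl_authenticated || fail "smtpd_recipient_restrictions lacks permit_sasl_authenticated"
    list_has "$rr" reject_unauth_destination || fail "smtpd_recipient_restrictions lacks reject_unauth_destination"
    return $rc
}

BAD_CF=$(mktemp)
GOOD_CF=$(mktemp)
trap 'rm -f "$BAD_CF" "$GOOD_CF"' EXIT

# Constructed: the state the notes' grep output shows (mis-typed type, auth commented out).
cat >"$BAD_CF" <<'EOF'
smtpd_tls_security_level = may
lsmtpd_sas_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous,noplaintext
smtpd_sasl_tls_security_options = noanonymous
# smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
EOF

# Constructed: the same file with the intended settings.
cat >"$GOOD_CF" <<'EOF'
smtpd_tls_security_level = may
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous,noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
EOF

for f in "$BAD_CF" "$GOOD_CF"; do
    if check_sasl_config "$f"; then echo "OK: $f"; fi
done
```

On a live host, point check_sasl_config at /etc/postfix/main.cf, or compare against `sudo postconf -n | grep sasl`, which prints only the values Postfix actually applied and warns about parameters it does not recognise.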

alexlai@h2Jammy:~$ sudo nano /etc/postfix/main.cf
[sudo] password for alexlai: 
alexlai@h2Jammy:~$ grep smttpd_ /etc/postfix/main.cf
alexlai@h2Jammy:~$ grep smtpd_ /etc/postfix/main.cf
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_tls_cert_file = /etc/letsencrypt/live/h2jammy.yushei.net/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/h2jammy.yushei.net/privkey.pem
smtpd_tls_security_level = may
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
# smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
lsmtpd_sas_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain = 
smtpd_sasl_security_options = noanonymous,noplaintext
smtpd_sasl_tls_security_options = noanonymous
# smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
# smtpd_client_restrictions parameter:
# smtpd_recipient_restrictions =
alexlai@h2Jammy:~$ grep broken /etc/postfix/main.cf
broken_sasl_auth_clients = yes