~~NOTOC~~
~~NOCACHE~~
====== Postfix STARTTLS with SASL authentication how to ======
This how-to is a step-by-step guide to configuring a Postfix SMTP server with STARTTLS and SASL authentication.
===== Install the packages =====
apt-get install postfix-tls sasl2-bin libsasl2-2 libsasl2-modules
===== SSL setup (main.cf) =====
smtpd_tls_cert_file = /etc/postfix/ssl/cert.pem
smtpd_tls_key_file = /etc/postfix/ssl/priv.pem
smtpd_tls_CAfile = /etc/postfix/ssl/ca.pem
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_tls_auth_only = yes
cert.pem (the server certificate), priv.pem (the private key, not encrypted) and ca.pem (the CA certificate) must be in PEM format; keep priv.pem readable by root only.
To obtain an unencrypted copy of a passphrase-protected private key:
openssl rsa -in private-enc.pem > priv.pem
===== SASL authentication =====
==== main.cf ====
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains
smtpd_delay_reject = yes
broken_sasl_auth_clients = yes
==== /etc/postfix/sasl/smtpd.conf ====
pwcheck_method: saslauthd
===== Start the daemons =====
saslauthd -a shadow
postfix start
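A client-side check of the policy configured above, added here as an example and not part of the original how-to: it sends EHLO in the clear, issues STARTTLS, sends EHLO again, and confirms that STARTTLS is advertised, that AUTH appears only after TLS (smtpd_tls_auth_only) and that ANONYMOUS is never offered (noanonymous). The host name mail.example.test and the sample EHLO replies are constructed; the ca.pem path is the one used in this guide.

```python
import smtplib
import ssl

# Constructed sample EHLO replies, in the form smtplib.SMTP.ehlo() returns them:
# the greeting line first, then one capability per line.
SAMPLE_PLAINTEXT_EHLO = (b"mail.example.test\nPIPELINING\nSIZE 10240000\n"
                         b"STARTTLS\nENHANCEDSTATUSCODES\n8BITMIME")
SAMPLE_TLS_EHLO = (b"mail.example.test\nPIPELINING\nSIZE 10240000\n"
                   b"AUTH PLAIN LOGIN\nENHANCEDSTATUSCODES\n8BITMIME")


def parse_ehlo(reply):
    """Map EHLO capability keywords to their parameters, e.g. {'AUTH': ['PLAIN', 'LOGIN']}."""
    caps = {}
    for line in reply.decode("ascii", "replace").splitlines()[1:]:  # line 0 is the greeting
        parts = line.split()
        if parts:
            caps[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return caps


def check_policy(before_tls, after_tls):
    """Return the list of violations of this guide's policy; [] means the server complies."""
    problems = []
    if "STARTTLS" not in before_tls:
        problems.append("STARTTLS not advertised (smtpd_use_tls)")
    if "AUTH" in before_tls:
        problems.append("AUTH offered on the plaintext session (smtpd_tls_auth_only)")
    if "AUTH" not in after_tls:
        problems.append("AUTH not offered after STARTTLS (smtpd_sasl_auth_enable)")
    if "ANONYMOUS" in after_tls.get("AUTH", []):
        problems.append("ANONYMOUS mechanism offered (smtpd_sasl_security_options)")
    return problems


def probe(host, port=25, cafile=None):
    """Live check against a real server: EHLO in clear, STARTTLS, EHLO again."""
    context = ssl.create_default_context(cafile=cafile)  # cafile: the ca.pem that signed cert.pem
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        _, reply = smtp.ehlo()
        before = parse_ehlo(reply)
        smtp.starttls(context=context)
        _, reply = smtp.ehlo()  # capabilities must be re-read after STARTTLS
        after = parse_ehlo(reply)
    return check_policy(before, after)


if __name__ == "__main__":
    # Offline run on the constructed replies; against a real server call
    # probe("mail.example.test", cafile="/etc/postfix/ssl/ca.pem") instead.
    print(check_policy(parse_ehlo(SAMPLE_PLAINTEXT_EHLO), parse_ehlo(SAMPLE_TLS_EHLO)))
```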
===== Notes =====
* In this example, saslauthd is used with the shadow authentication mechanism. For this to work, each SMTP client needs a Unix account on the server.
* check_relay_domains is deprecated in current Postfix releases; reject_unauth_destination is the replacement that stops the server from relaying for unauthenticated clients.
* If a client reports that the server does not support STARTTLS, disable the antivirus e-mail scanning on the client: such scanners proxy the SMTP session and hide the STARTTLS capability.
* E-mail client software must be configured to use STARTTLS and password authentication ([[http://www.math.uwaterloo.ca/mfcf/announcements/STARTTLS.shtml|Examples here]]).
{{tag>unix services security}}