Postfix SMTP GSSAPI authentication howto


This howto explains how to install and configure the Postfix mail transfer agent with GSSAPI authentication.

Non-authenticated SMTP servers relay e-mail only from predefined network locations (addresses or prefixes). Using authentication allows two things: (1) the SMTP server can relay e-mail coming from any IP address as long as the client is able to authenticate itself; (2) e-mails are encrypted when sent from the client to the Postfix SMTP server. GSSAPI authentication in particular provides a third advantage: single sign-on, which allows the same Kerberos credentials to be used for several services without typing the user password more than once.


Building and installing postfix


Install cyrus-sasl-2.1.22

To enable GSSAPI authentication, we first need to install the Cyrus SASL library. This is a generic way to compile the cyrus-sasl library so that it can be used with the Cyrus IMAP server as well as with Postfix.

  • Install
./configure --sysconfdir=/usr/local/etc --with-cyrus-user=cyrus --with-cyrus-group=cyrus --with-sasl=/usr/local --with-bdb-libdir=/usr/local/lib --with-bdb-incdir=/usr/local/include/db3 --with-bdb=db3 --with-saslauthd --enable-plain
make
make install

Install postfix

  • Make sure /usr/lib/sasl2 exists and that it contains the SASL libraries or points to them, e.g. /usr/local/lib/sasl2
  • Add user and group postfix with a nologin shell
  • Create a group postdrop (add postdrop:*:54321: to /etc/group)
  • Build and install:
make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL  -I/usr/local/include/sasl" AUXLIBS="-L/usr/local/lib -lsasl2"
make
make install

Edit configuration files

The configuration files reflect the use of GSSAPI for authentication and Cyrus as the IMAP server; all e-mail to local accounts will be forwarded to Cyrus.


/etc/postfix/main.cf

The two parameters that you need to change are “myhostname” and “mynetworks”.

queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
mail_owner = postfix

# CHANGE myhostname

myhostname = codealias.info
mydomain = $myhostname
myorigin = $mydomain
unknown_local_recipient_reject_code = 550

# CHANGE mynetworks

mynetworks = 160.85.0.0/16, 127.0.0.0/8


# IF YOU DO NOT USE CYRUS IMAP SERVER, REMOVE THESE 2 LINES BELOW

mailbox_transport  = cyrus
fallback_transport = cyrus

debug_peer_level = 2
debugger_command =
	 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
	 ddd $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/local/man
sample_directory = /etc/postfix
readme_directory = /usr/local/share/postfix-readme

# SASL AUTHENTICATION PARAMETERS

smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd

/etc/postfix/master.cf

If you are not using the Cyrus IMAP server, ignore this file.

If you want to use the Cyrus IMAP server (assuming it is installed and running), uncomment the following lines in master.cf.

cyrus     unix  -       n       n       -       -       pipe
 user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}

Create an smtp Kerberos service

Since we will be using GSSAPI/Kerberos 5 authentication, the SMTP server must be registered as a Kerberos service and its keytab must be made available to the Postfix server.

On the Kerberos KDC, add the new service and extract the keytab:

kadmin -l
add smtp/codealias.info@CODEALIAS.INFO
ext_keytab --keytab=/tmp/smtp smtp/codealias.info@CODEALIAS.INFO

You need to transfer the keytab /tmp/smtp to the host running Postfix and place it under /etc/keytab.


Start postfix

postalias /etc/aliases
postfix start

Notes:

1- You can test the GSSAPI authentication using Evolution.

2- This procedure was tested on FreeBSD 6.2.
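To check the result without a GUI client, here is an added example (not part of the original howto) that parses a server's EHLO reply and reports whether AUTH GSSAPI is advertised, and whether any password-based mechanism is offered without STARTTLS. The sample reply and the client name check.example are constructed; pass a hostname on the command line to query a live server.

```python
import socket, sys

# Constructed sample reply, shaped like Postfix's answer to EHLO once
# smtpd_sasl_auth_enable = yes and a GSSAPI-only SASL config are in place.
SAMPLE_EHLO = (
    "250-codealias.info\r\n"
    "250-PIPELINING\r\n"
    "250-AUTH GSSAPI\r\n"
    "250 8BITMIME\r\n"
)
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}  # these carry the password itself


def parse_ehlo(reply: str) -> dict:
    """Extract hostname, SASL mechanisms and STARTTLS from a multi-line EHLO reply."""
    exts = [l[4:] for l in reply.splitlines() if l.startswith("250") and len(l) > 4]
    info = {"hostname": exts[0].split()[0] if exts else "", "auth": set(), "starttls": False}
    for ext in exts[1:]:
        keyword, _, params = ext.partition(" ")
        if keyword == "AUTH":
            info["auth"].update(params.split())
        elif keyword == "STARTTLS":
            info["starttls"] = True
    return info


def assess(info: dict) -> dict:
    """Report whether GSSAPI is offered and which password mechanisms lack TLS."""
    exposed = [] if info["starttls"] else sorted(info["auth"] & CLEARTEXT_MECHS)
    return {"gssapi": "GSSAPI" in info["auth"], "cleartext_without_tls": exposed}


def fetch_ehlo(host: str, port: int = 25, timeout: float = 5.0) -> str:
    """Live check: return the server's complete EHLO reply (last line is '250 ...')."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        rfile.readline()                                  # 220 greeting
        sock.sendall(b"EHLO check.example\r\n")
        lines = []
        while True:
            lines.append(rfile.readline().decode("ascii", "replace"))
            if len(lines[-1]) < 4 or lines[-1][3] == " ":
                break
        sock.sendall(b"QUIT\r\n")
        return "".join(lines)


if __name__ == "__main__":
    reply = fetch_ehlo(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EHLO
    print(assess(parse_ehlo(reply)))
```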
