Postfix STARTTLS with SASL authentication how to


This howto is a step-by-step configuration guide to set up a Postfix SMTP server with STARTTLS and SASL authentication.


Install the packages

apt-get install postfix-tls sasl2-bin libsasl2-2 libsasl2-modules

SSL setup (main.cf)

smtpd_tls_cert_file=/etc/postfix/ssl/cert.pem
smtpd_tls_key_file=/etc/postfix/ssl/priv.pem
smtpd_tls_CAfile=/etc/postfix/ssl/ca.pem
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_tls_loglevel=3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_tls_auth_only = yes

cert.pem (server certificate), priv.pem (private key, not encrypted) and ca.pem must be in PEM format.

To extract a non-encrypted version of the private key:

openssl rsa -in private-enc.pem > priv.pem

SASL authentication


main.cf

smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options=noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains
smtpd_delay_reject = yes
broken_sasl_auth_clients = yes

/etc/postfix/sasl/smtpd.conf

pwcheck_method: saslauthd

Start the daemons

saslauthd -a shadow
postfix start
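Once the daemons are running, the configuration above can be verified from a client: STARTTLS must be advertised, AUTH must be hidden until TLS is active (smtpd_tls_auth_only = yes), and the ANONYMOUS mechanism must not appear (noanonymous). The following script is an added example, not part of the original howto; the host name, port and the path to ca.pem passed to probe() are assumptions.

```python
"""Check a Postfix server against the STARTTLS/SASL policy configured in main.cf."""
import smtplib
import ssl


def parse_ehlo(reply):
    """Turn the raw EHLO reply (bytes, first line is the server name) into
    a dict of {KEYWORD: [parameters]}, e.g. {"AUTH": ["PLAIN", "LOGIN"]}."""
    caps = {}
    lines = reply.decode("ascii", "replace").splitlines()[1:]  # skip greeting line
    for line in lines:
        parts = line.split()
        if parts:
            caps[parts[0].upper()] = parts[1:]
    return caps


def check_policy(pre_tls, post_tls):
    """Compare capabilities seen before and after STARTTLS; return a list of
    findings (empty list means the server matches the intended policy)."""
    findings = []
    if "STARTTLS" not in pre_tls:
        findings.append("STARTTLS not advertised (check smtpd_use_tls)")
    if "AUTH" in pre_tls:
        findings.append("AUTH offered before TLS (set smtpd_tls_auth_only = yes)")
    if "AUTH" not in post_tls:
        findings.append("AUTH not offered after TLS (check smtpd_sasl_auth_enable)")
    elif "ANONYMOUS" in (m.upper() for m in post_tls["AUTH"]):
        findings.append("ANONYMOUS mechanism offered (set noanonymous)")
    return findings


def probe(host, port=25, cafile=None):
    """Connect, record EHLO capabilities, upgrade with STARTTLS, record again.
    cafile is the CA that signed cert.pem (e.g. the ca.pem from main.cf);
    the certificate is verified and must match the host name."""
    ctx = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        _, reply = smtp.ehlo()
        pre_tls = parse_ehlo(reply)
        smtp.starttls(context=ctx)
        _, reply = smtp.ehlo()
        post_tls = parse_ehlo(reply)
    return check_policy(pre_tls, post_tls)


if __name__ == "__main__":
    # Hypothetical host and CA path; adjust to the server being tested.
    for finding in probe("mail.example.com", cafile="/etc/postfix/ssl/ca.pem") or ["OK"]:
        print(finding)
```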

Notes :

  • In this example, saslauthd is used with the shadow authentication mechanism. For this to work, you need to set up Unix accounts for the SMTP clients.
  • Disable antivirus e-mail scanning on the client if it reports that the server does not support STARTTLS.
  • E-mail client software must be set up to use STARTTLS and password authentication.

