# Help for simple postfix - dovecot - smtpd relay setup

## Tae_kyon

I have a small server which runs postfix and dovecot and currently does not allow any relaying at all.

Received mail is served to clients through ssl imap.

I need to change my configuration to keep on doing exactly what it is doing now for most users, but to allow a list of users (for the moment, just one) to do a secure login and to use my postfix server to relay their outgoing mail.

I looked at the various sources of postfix - sasl - smtpd documentation, but it seems mostly outdated and conflicting. My first attempt was long and unsuccessful.

Can anybody give me pointers for this or does someone know a simple guide? As I already have amavisd and other things configured and working, I'd like to mess about as little as possible. 

Thanks.

----------

## cach0rr0

A few things you'll want to do:

- set up saslauthd to authenticate against your IMAP server (dovecot), done in /etc/conf.d/saslauthd
- set up postfix sasl to use saslauthd (/etc/sasl2/smtpd.conf)
- set up postfix to use sasl auth - ideally only over TLS - via main.cf

So the auth chain sorta goes: postfix asks saslauthd if $whatevercredentials are valid, saslauthd asks whatever you've configured it to use if $whatevercredentials are valid (in your case, it will be asking dovecot, but you could set it to use pam, ldap, mysql, whatever)

So, /etc/sasl2/smtpd.conf would look like:

```
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
sql_select: dummy
```

For /etc/conf.d/saslauthd, which is where you tell saslauthd which backend to use, 'man saslauthd' has some good doco, as do the comments in that file. 

You would want something like:

```
SASLAUTHD_OPTS=""
SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -a rimap"
SASLAUTHD_OPTS="${SASLAUTHD_OPTS} -O localhost"
```

Change 'localhost' to some other host, if you're authing to a remote IMAP server.

And lastly, your main.cf should have something like these lines somewhere in there:

```
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = yes
smtpd_tls_auth_only = yes
```

and then in your smtpd_recipient_restrictions block, you should have:

```
permit_sasl_authenticated
```

that *should* be all it takes. Give a shout if you're stuck.
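An offline check for the main.cf settings described in this post, added here as an example; it is not part of cach0rr0's post. The sample config text and the function names are constructed for the example; it also checks the restriction ordering (permit_sasl_authenticated must come before reject_unauth_destination), which the post does not spell out.

```python
"""Check a postfix main.cf fragment for the SASL-over-TLS relay settings."""
import re

# Constructed sample: the settings from the post plus a typical
# smtpd_recipient_restrictions list using postfix continuation lines.
SAMPLE_MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = yes
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""


def parse_main_cf(text):
    """Return {parameter: value}; lines starting with whitespace continue the previous value."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:
            params[key] = (params[key] + " " + raw.strip()).strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            key = m.group(1)
            params[key] = m.group(2).strip()
    return params


def check_relay_auth(params):
    """Return a list of findings; an empty list means the fragment matches the post."""
    findings = []
    if params.get("smtpd_sasl_auth_enable", "no") != "yes":
        findings.append("smtpd_sasl_auth_enable is not yes: SMTP AUTH is never offered")
    # postfix defaults this to noanonymous, so only an explicit override is flagged
    if "noanonymous" not in re.split(r"[,\s]+", params.get("smtpd_sasl_security_options", "noanonymous")):
        findings.append("smtpd_sasl_security_options lacks noanonymous: anonymous AUTH allowed")
    if params.get("smtpd_tls_auth_only", "no") != "yes":
        findings.append("smtpd_tls_auth_only is not yes: PLAIN/LOGIN offered in cleartext")
    restr = [r for r in re.split(r"[,\s]+", params.get("smtpd_recipient_restrictions", "")) if r]
    if "permit_sasl_authenticated" not in restr:
        findings.append("permit_sasl_authenticated missing from smtpd_recipient_restrictions")
    elif "reject_unauth_destination" in restr and \
            restr.index("reject_unauth_destination") < restr.index("permit_sasl_authenticated"):
        findings.append("reject_unauth_destination precedes permit_sasl_authenticated: relaying rejected")
    return findings
```

Run it against `postconf -n` output (same key = value format) to check a live server rather than the sample.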

----------

## cach0rr0

errr, scratch that. you only want *some* users to be able to do this, but not others? 

the above would allow all users who are valid on your IMAP server to be able to auth. 

If you want only some users but not all, you need to have a list *somewhere* of which users are allowed to use ESMTP auth. Something besides your IMAP server, since your IMAP server will have *everyone* in it.

That list can be a mysql db, ldap, or even a separate SASL database (with usernames/passwords maintained via saslpasswd2)

One way or another it's a separate list that you're going to have to maintain. If you put that list in mysql, you could conceivably write a pretty little frontend for users that need to reset their passwords. If you're happy to manually maintain things yourself, set the password yourself, and just tell the user "hey, user, this is your new password; if you want something different, tell me what it is!", then sasl database will do just fine. If you want some complex mixture of things, LDAP does work, but it's a bit more tenuous to set up. 

Having said all that? The only thing that really impacts from my prior post is what you set for options in /etc/conf.d/saslauthd

To that end, decide how you want to maintain users' accounts/passwords, and I can probably prod you in the right direction in terms of how to fiddle with /etc/conf.d/saslauthd. 

One other bit to add to my first post: you'll note the auth mechanisms I select in smtpd.conf are plaintext; I do this because in postfix I don't even offer the AUTH banner unless someone's connected via TLS (smtpd_tls_auth_only = yes).

----------

## Tae_kyon

Thanks, that looks awesome and totally different from what I was trying to do. I'll look into it ASAP.

----------

