# postfix SMTP authentication

## CoderMan

Hi. Recently I have been trying to set up a new e-mail server (my first attempt) with postfix for SMTP and courier-imap. I can receive e-mail at the server just fine, and I can access it remotely with IMAP. However, I am having some issues with sending e-mail.

I can send e-mail just fine, but only if I use an anonymous SMTP login. For days I have been scouring the documentation and playing with the main.cf settings, but this does not change. This is problematic because I am not trying to set up a public SMTP server, but I only want a few authenticated people to be able to use it.

If I telnet in, the server tells me that authentication is not enabled: (I've "snipped" out identifying information.)

```
$ telnet [snip] 25
Trying [snip]...
Connected to [snip].
Escape character is '^]'.
220 [snip] ESMTP Postfix
EHLO [snip]
250-[snip]
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH
503 5.5.1 Error: authentication not enabled
```

My main.cf has changed a lot as I have played with it (making sure to use postfix reload, BTW), but here are the latest settings:

```
# postconf -n
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = //usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
default_destination_concurrency_limit = 10
home_mailbox = .maildir/
html_directory = /usr/share/doc/postfix-2.7.1/html
inet_interfaces = all
local_destination_concurrency_limit = 2
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
myhostname = [snip]
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/readme
relayhost =
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,  permit_mynetworks,  reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_type = cyrus
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/server.crt
smtpd_tls_key_file = /etc/postfix/server.key
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
```

Postfix is installed. Cyrus-sasl is installed. Here are other configs, though I'm not entirely clear on how important they are:

```
# cat /etc/sasl2/smtpd.conf
# $Header: /var/cvsroot/gentoo-x86/mail-mta/postfix/files/smtp.sasl,v 1.2 2004/07/18 03:26:56 dragonheart Exp $
pwcheck_method:pam
```

```
# cat /etc/pam.d/smtp
# File autogenerated by pamd_mimic in pam eclass
auth   include      system-auth
account   include      system-auth
```

Also, I am not sure if this is related or not, but another quirky behavior is that postfix won't let me use an outright TLS connection on port 465, as I thought this was supposed to be possible. To get TLS, my connections have to come in unencrypted on port 25 and then STARTTLS into encrypted mode.

```
# emerge --info postfix
Portage 2.1.8.3 (default/linux/x86/10.0/server, gcc-4.4.4, glibc-2.11.2-r3, 2.6.34-gentoo-r6 i686)
=================================================================
                        System Settings
=================================================================
System uname: Linux-2.6.34-gentoo-r6-i686-Intel-R-_Celeron-R-_CPU_2.40GHz-with-gentoo-1.12.14
Timestamp of tree: Tue, 23 Nov 2010 05:00:01 +0000
app-shells/bash:     4.1_p7
dev-lang/python:     2.6.5-r3, 3.1.2-r4
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 1.12.14-r1
sys-apps/sandbox:    2.3-r1
sys-devel/autoconf:  2.65-r1
sys-devel/automake:  1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.4.4-r2
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.10
sys-devel/make:      3.81-r2
virtual/os-headers:  2.6.30-r1
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="* -@EULA"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium4 -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=pentium4 -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="ftp://mirrors.tera-byte.com/pub/gentoo"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acl berkdb bzip2 cli cracklib crypt cups cxx dri emacs fortran gdbm gpm iconv ipv6 mmx modules mudflap ncurses nls nptl nptlonly openmp pam pcre pppd readline session snmp sse sse2 ssl sysfs tcpd truetype unicode x86 xml xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" PHP_TARGETS="php5-2" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nouveau nv r128 radeon savage sis tdfx trident vesa via vmware voodoo" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
=================================================================
                        Package Settings
=================================================================
mail-mta/postfix-2.7.1 was built with the following:
USE="ipv6 pam sasl ssl -cdb -dovecot-sasl -hardened -ldap -mbox -mysql -nis -postgres (-selinux) -vda"
```

----------

## gienah

I'm not really sure, but in my config I set the username and password with:

```
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
```

/etc/postfix/saslpass has stuff like:

```
[mail.somedomain]:port   username:password
```

where port is a number.

Anyway, you seem lucky that your ISP offers STARTTLS; mine does not, so I am forced to instead set it to:

```
localhost:5000 username:password
```

and then configure stunnel to listen to that port in order to establish the connection with SSL.

----------

## Raptor85

I notice you didn't list it out: did you configure Cyrus SASL and turn the daemon on (`rc-update add saslauthd default && /etc/init.d/saslauthd start`)?

You should post up /etc/conf.d/saslauthd as well.

Edit: noticed some options you probably want turned on in postfix as well:

```
smtpd_sasl2_auth_enable = yes
smtp_tls_note_starttls_offer = yes
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
```

If you don't get it working, shoot me a PM (so I get an email notice) and I'll compare it to my working config when I get home; it sounds like the setup you're trying to do is nearly identical to mine (simple auth using PAM, with enforced encryption).

----------

## ali3nx

Considering you're working with a familiar configuration, you might find this Gentoo wiki guide very useful:

http://en.gentoo-wiki.com/wiki/Complete_Virtual_Mail_Server

----------
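A check for the configuration and telnet transcript in the first post, added here as an example and not written by anyone in the thread. Postfix documents that `smtpd_tls_auth_only = yes` stops AUTH from being announced or accepted on unencrypted sessions, so the script separates that expected case from a real SASL fault and also compares `pwcheck_method` with the values Cyrus SASL 2 documents. The sample inputs are constructed, and the finding labels and hostname are made up.

```python
import re

# Constructed samples modelled on the first post (hostname is a placeholder).
POSTCONF_N = """\
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
"""
EHLO_PLAINTEXT = "250-mail.example.test\n250-PIPELINING\n250-STARTTLS\n250 DSN\n"
SMTPD_CONF = "pwcheck_method:pam\n"

# pwcheck_method values documented for Cyrus SASL 2.
SASL2_PWCHECK = {"auxprop", "saslauthd", "pwcheck", "authdaemond", "alwaystrue"}

def parse_postconf(text):
    """Turn `postconf -n` output into a {parameter: value} dict."""
    conf = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def ehlo_keywords(reply):
    """ESMTP keywords from a 250 EHLO reply; the first line is the hostname."""
    lines = re.findall(r"^250[- ](.*)$", reply, re.M)
    return {l.split()[0].split("=")[0].upper() for l in lines[1:] if l.strip()}

def diagnose(postconf_text, ehlo_reply, smtpd_conf, tls_active=False):
    """Return finding labels (names made up for this example)."""
    conf, kw, findings = parse_postconf(postconf_text), ehlo_keywords(ehlo_reply), []
    if conf.get("smtpd_sasl_auth_enable") != "yes":
        findings.append("sasl-disabled")
    elif "AUTH" not in kw:
        if conf.get("smtpd_tls_auth_only") == "yes" and not tls_active:
            # AUTH is withheld on unencrypted sessions: retest after STARTTLS.
            findings.append("auth-hidden-until-starttls")
        else:
            findings.append("auth-missing")  # look at the SASL backend and mail log
    elif not tls_active:
        findings.append("auth-offered-in-cleartext")
    m = re.search(r"^[ \t]*pwcheck_method[ \t]*:[ \t]*(\S+)", smtpd_conf, re.M)
    if m and m.group(1).lower() not in SASL2_PWCHECK:
        findings.append("pwcheck-method-unknown:" + m.group(1))
    return findings

if __name__ == "__main__":
    print(diagnose(POSTCONF_N, EHLO_PLAINTEXT, SMTPD_CONF))
```

To retest inside TLS, capture the EHLO reply from a session opened with `openssl s_client -starttls smtp` and pass it with `tls_active=True`.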

