This site is for tech Q&A. Please keep your posts focused on the subject at hand.

Ask one question at a time. Don't conflate multiple problems into a single question.

Make sure to include all relevant information in your posts. Try to avoid linking to external sites.

Links to documentation are fine, but in addition you should also quote the relevant parts in your posts.

0 votes

I'm running Postfix on Devuan and want to enable submission, so I need to configure SMTP authentication. I'm already using Cyrus as my IMAP-Server, so I think I'll have to use Cyrus-SASL. But how do I set that up and integrate it with Postfix?

in General by (15) 4
edited by

Your answer


Privacy: Your email address will only be used for sending these notifications.
Anti-spam verification:
By submitting this post you agree to our Terms & Conditions.
To avoid this verification in future, please log in or register.

1 Answer

0 votes
Best answer

First you need to install the required packages:

apt-get install libsasl2-modules sasl2-bin

and start saslauthd:

sed -i -e 's/^\(START=\).*/\1yes/' /etc/default/saslauthd
service saslauthd start

You also need an SSL-certificate matching your mail server hostname. If your IMAP service is being accessed under the same hostname as the SMTP service you can probably use the same certificate you already have configured in Cyrus. Otherwise you need to get a new one (self-signed, from LetsEncrypt, or from a commercial CA, depending on your requirements).

Put the certificate and key in /etc/ssl/certs and /etc/ssl/private respectively, add the user postfix to the group ssl-cert and make sure the key can be read by that group.

adduser postfix ssl-cert
chgrp ssl-cert /etc/ssl/private/
chmod g+r /etc/ssl/private/

Next add the following settings to /etc/postfix/

smtpd_tls_security_level = may 
smtpd_tls_auth_only = no
smtpd_tls_CAfile = /etc/ssl/certs/ca.crt
smtpd_tls_cert_file = /etc/ssl/certs/
smtpd_tls_key_file = /etc/ssl/private/
smtpd_tls_loglevel = 3 
smtpd_tls_received_header = yes 
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

# authentication (assuming $myhostname =
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes 
smtpd_sasl_security_options = noanonymous
smtpd_sasl_authenticated_header = yes 
broken_sasl_auth_clients = yes 

Create a file /etc/postfix/sasl/smtpd.conf with the following content:

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN

Then create your users in the SASL database (the domain name should be the same that you specified for smtpd_sasl_local_domain in

saslpasswd2 -c -u username

Use sasldblistusers2 to list the existing users.

Uncomment the submission section in /etc/postfix/, then restart both postfix and saslauthd.

service saslauthd restart
service postfix restart

You can test authentication like this:

root@host:~ # telnet localhost 587
Connected to localhost.
Escape character is '^]'.
250-SIZE 102400000
250-STARTTLS                   # ← these lines should
250-AUTH PLAIN LOGIN           # ← be present in the
250-AUTH=PLAIN LOGIN           # ← output
auth login
334 VXNlcm5hbWU6
334 UGFzc3dvcmQ6
235 2.7.0 Authentication successful
Connection closed by foreign host.

The line 334 VXNlcm5hbWU6 is the prompt to enter the username, the line 334 UGFzc3dvcmQ6 is the prompt to enter the password. The two bold lines dXNlcm5hbWU= and UGFzc3cwcmQ= are the base64-encoded username and password. You can generate the encoded values e.g. like this:

root@host:~ # echo -n 'username' | base64
root@host:~ # echo -n 'Passw0rd' | base64

Replace "username" and "Passw0rd" with the actual username and password.

by (15) 4
edited by