Just some notes pulled from an email I sent to a customer explaining how to add SMTP authentication to Postfix. Should be added to the installer in some nice way. (Probably also with SSL/TLS.)
You need the cyrus-sasl package, so run:
yum install cyrus-sasl
(You can also install software using the Software Packages module, but it's quicker to use commands when we know exactly what we're doing.)
Set it up on boot:
chkconfig --level 345 saslauthd on
(Can also be done in the Bootup and Shutdown module.)
And then you need to set up Postfix to use it:
Browse to Servers:Postfix:Server Processes
Click the "smtp" process to edit it.
In the "Process command" field set it to:
smtpd -o smtpd_sasl_auth_enable=yes
Save it.
Browse to Servers:Postfix:SMTP Options
Edit the field labeled "Restrictions on recipient addresses"
Somewhere in the list of options (depending on what other stuff you're using, but before reject_unauth_destination and after permit_mynetworks) insert "permit_sasl_authenticated".
Save it.
Finally, we have to add three lines to /etc/postfix/main.cf (I'm having a hard time believing this isn't in Webmin, but I can't find it--this'll definitely get a bug filed):
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
This can probably come anywhere in the file (I believe the Postfix configuration is stateless). I always put it near the spam-filtering related stuff, like header_checks and such, as that seems the intuitive place for it to me.
Finally, run this:
echo "mech_list: PLAIN LOGIN" >> /usr/lib/sasl2/smtpd.conf
This just adds a list of available authentication methods to the SASL configuration.
Save it, then restart Postfix and start saslauthd:
service postfix restart
service saslauthd start
Test it with telnet:
[virtualmin@www ~]$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 www.virtualmin.com ESMTP Postfix
ehlo localhost
250-www.virtualmin.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME
The two AUTH lines tell you it's working (there are two because we specified "broken_sasl_auth_clients=yes"). If you don't see 'em then I forgot to mention a step.
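A check for the EHLO test above, added here as an example and not part of the original notes: it parses a pasted EHLO reply, lists the advertised SASL mechanisms, and flags PLAIN/LOGIN being offered without STARTTLS, since those mechanisms only base64-encode the password. The function names and finding strings are made up for this example, and the sample reply is constructed from the session above.

```python
import re

# Constructed sample: the EHLO reply copied from the telnet session above.
SAMPLE_EHLO = """\
250-www.virtualmin.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME
"""

# These mechanisms send the password only base64-encoded, not encrypted.
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_ehlo(reply):
    """Return (mechanisms, extensions) from a pasted multi-line 250 reply."""
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    parsed = [re.fullmatch(r"250([ -])(.*)", ln) for ln in lines]
    if not parsed or not all(parsed):
        raise ValueError("expected only '250-'/'250 ' reply lines")
    if parsed[-1].group(1) != " ":
        raise ValueError("reply is truncated: last line must start '250 '")
    mechs, exts = set(), set()
    for m in parsed[1:]:  # the first line is the server's hostname greeting
        body = m.group(2).strip()
        auth = re.fullmatch(r"AUTH[ =](.*)", body, re.IGNORECASE)
        if auth:  # covers both "AUTH ..." and the legacy "AUTH=..." form
            mechs.update(auth.group(1).upper().split())
        elif body:
            exts.add(body.split()[0].upper())
    return mechs, exts


def audit(reply):
    """Return (sorted mechanisms, list of findings) for one EHLO reply."""
    mechs, exts = parse_ehlo(reply)
    findings = []
    if not mechs:
        findings.append("no AUTH advertised in this reply")
    if "ANONYMOUS" in mechs:
        findings.append("ANONYMOUS offered despite noanonymous")
    if mechs & CLEARTEXT_MECHS and "STARTTLS" not in exts:
        findings.append("PLAIN/LOGIN offered without STARTTLS")
    return sorted(mechs), findings


if __name__ == "__main__":
    print(audit(SAMPLE_EHLO))
```

If TLS is added later and Postfix's smtpd_tls_auth_only is set to yes, AUTH is only announced after STARTTLS, so a plaintext EHLO reply will then correctly show no AUTH line.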