Just some notes pulled from an email I sent to a customer explaining how to add SMTP authentication to Postfix. Should be added to the installer in some nice way. (Probably also with SSL/TLS.)

You need the cyrus-sasl package, so run:

yum install cyrus-sasl

(You can also install software using the Software Packages module, but it's quicker to use commands when we know exactly what we're doing.)

Set it up on boot:

chkconfig --level 345 saslauthd on

(Can also be done in the Bootup and Shutdown module.)

And then you need to setup Postfix to use it:

Browse to Servers:Postfix:Server Processes

Click the "smtp" process to edit it.

In the "Process command" field set it to:

smtpd -o smtpd_sasl_auth_enable=yes

Save it.

Browse to Servers:Postfix:SMTP Options

Edit the field labeled "Restrictions on recipient addresses"

Somewhere in the list of options (depending on what other stuff you're using, but before reject_unauth_destination and after permit_mynetwork) insert "permit_sasl_authenticated".

Save it.

Finally, we have to add three lines to /etc/postfix/main.cf (I'm having a hard time believing this isn't in Webmin, but I can't find it--this'll definitely get a bug filed):

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

This can probably come anywhere in the file (I believe the Postfix configuration is stateless). I always put it near the spam-filtering related stuff, like header_checks and such, as that seems the intuitive place for it to me.

Finally, run this:

echo "mech_list: PLAIN LOGIN" >> /usr/lib/sasl2/smtpd.conf

This just add a list of available authentication methods to the sasl configuration.

Save it, and restart postfix and start saslauthd.

service postfix restart
service saslauthd start

Test it with telnet:

[virtualmin@www ~]$ telnet localhost 25
Connected to localhost.localdomain (
Escape character is '^]'.
220 www.virtualmin.com ESMTP Postfix
ehlo localhost
250-SIZE 10240000

The two AUTH lines tell you it's working (there are two because we specified "broken_sasl_auth_clients=yes"). If you don't see'em then I forgot to mention a step.

Closed (fixed)