SMTP AUTH is a bit tricky for an amateur to configure, as it is not a requirement and not enabled by default in MTAs yet.

  • MTA: Postfix
    • remote: preconfigured as MX (example.org)
    • local: yet to configure
  • SMTP AUTH: SASL (Cyrus SASL)
    • remote: saslauthd
    • local: hash db (/etc/postfix/sasl_passwd)
  • No TLS, no submission port, just plain port 25 (lame)
  • Todo: TLS

Configuration (local)

Configure Postfix SMTP server and client

Tweak myorigin, etc. on the server. Enable SASL on the client.

% sudo vi /etc/postfix/main.cf
...
%

Check the configuration.

% sudo postconf -n
...
append_at_myorigin = yes
append_dot_mydomain = no
...
mydestination = foo, localhost.localdomain, localhost, local.example.org
myhostname = foo
...
myorigin = local.example.org
...
relayhost = [example.org]
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain, login
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_type = cyrus
smtp_tls_security_level = may
...
%

Prepare SASL db

% sudo cp /dev/null /etc/postfix/sasl_passwd
% sudo chmod 600 /etc/postfix/sasl_passwd
% sudo vi /etc/postfix/sasl_passwd
...
% sudo cat /etc/postfix/sasl_passwd
[mail.example.org]            johnd:opensesame
[mail.example.org]:submission johnd:opensesame
% sudo postmap /etc/postfix/sasl_passwd
% sudo ls /etc/postfix/sasl_passwd.db
/etc/postfix/sasl_passwd.db
%

Don’t forget to run postmap again after every edit to sasl_passwd; Postfix reads the generated .db file, not the text file.

Testing

% sudo /etc/init.d/postfix restart
% echo test | mail jdoe@example.org
% sudo tail -f /var/log/mail.log

Troubleshooting

Invalid envelope from

The remote smtpd may reject mail whose envelope from does not carry a valid FQDN.

Quick-and-dirty workaround:

[ubuntu] Postfix, smarthost and local mail
http://ubuntuforums.org/showpost.php?p=6348383&postcount=3
myorigin = local.myvaliddomain.com
append_at_myorigin = yes
mydestination = …, local.myvaliddomain.com

  1. Set myorigin to a bogus FQDN, so that the envelope from looks like an FQDN.
  2. Enable append_at_myorigin to add the bogus FQDN to messages to local users (e.g. root -> root@bogusFQDN).
  3. Include the bogus FQDN in mydestination, so that messages to the bogus FQDN are handled locally.

SASL authentication mechanism

If you are using a plaintext mechanism (plain, login) and find something like this in the log,

… (SASL authentication failed; cannot authenticate to server …: no mechanism available)

read the following document carefully.

Postfix SASL Howto
http://www.postfix.org/SASL_README.html#client_sasl
By default, the Postfix SMTP client does not use authentication methods that send plaintext passwords, and defers delivery with the following error message: “Authentication failed: cannot SASL authenticate to server”. To enable plaintext authentication specify, for example:

/etc/postfix/main.cf:
    smtp_sasl_security_options = noanonymous

This drops the default noplaintext restriction by explicitly setting only noanonymous. (Not recommended though: on plain port 25 without TLS the password crosses the network unprotected.)
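An offline consistency check for the client settings discussed above, as an added example (not from the original post or from Postfix): it reads `postconf -n` output and the sasl_passwd text and reports a relayhost with no matching lookup key, a mechanism filter that the default noplaintext option would leave empty, and plaintext mechanisms allowed without enforced TLS. The function names, finding names and sample input are assumptions made for this sketch. It models only a single relayhost and plain mechanism names.

```python
import re

PLAINTEXT = {"plain", "login"}  # mechanisms that put the password itself on the wire
ENFORCED_TLS = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}

# Constructed sample input (assumption: not taken from any real host)
SAMPLE_CONF = """relayhost = [example.org]:587
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain, login
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = may
"""
SAMPLE_PASSWD = "[example.org] johnd:opensesame\n"

def parse_postconf(text):
    """Parse `postconf -n` style 'name = value' lines into a dict."""
    pairs = (line.partition("=") for line in text.splitlines() if "=" in line)
    return {key.strip(): value.strip() for key, _, value in pairs}

def parse_passwd(text):
    """Parse sasl_passwd lines ('lookup-key user:password') into a dict."""
    rows = (line.split(None, 1) for line in text.splitlines() if not line.startswith("#"))
    return {row[0]: row[1].strip() for row in rows if len(row) == 2}

def words(value):
    """Split a comma/space separated Postfix list into a lowercase set."""
    return {w for w in re.split(r"[,\s]+", value.lower()) if w}

def audit(postconf_text, passwd_text):
    """Return finding names for the client-side SASL settings (hypothetical helper)."""
    conf, table = parse_postconf(postconf_text), parse_passwd(passwd_text)
    findings = []
    if conf.get("smtp_sasl_auth_enable") != "yes":
        findings.append("sasl-disabled")
    # The map is searched for the relayhost value as written, brackets and port
    # included. Postfix can also match the remote hostname; not modelled here.
    relay = conf.get("relayhost", "")
    if relay and relay not in table:
        findings.append("no-credentials-for-relayhost")
    # Unset means the Postfix default: noplaintext, noanonymous
    opts = words(conf.get("smtp_sasl_security_options", "noplaintext, noanonymous"))
    mechs = words(conf.get("smtp_sasl_mechanism_filter", ""))
    if "noplaintext" in opts and mechs and mechs <= PLAINTEXT:
        findings.append("no-mechanism-available")
    if "noplaintext" not in opts and conf.get("smtp_tls_security_level", "") not in ENFORCED_TLS:
        findings.append("plaintext-password-without-enforced-tls")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, SAMPLE_PASSWD))
```

Feed it the real output of `sudo postconf -n` and the contents of /etc/postfix/sasl_passwd to check a live host.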

Reference