This documentation is for Dovecot v2.x, see wiki1 for v1.x documentation.
Differences between revisions 11 and 23 (spanning 12 versions)
Revision 11 as of 2010-02-23 04:29:54
Size: 2117
Editor: user-69-73-127-30
Comment:
Revision 23 as of 2014-12-30 23:19:11
Size: 3159
Editor: pool-98-111-147-67
Comment: submission should not be chrooted in order for DNS queries to work. http://dan.langille.org/2014/12/30/reject_unknown_recipient_domain-gives-recipient-address-rejected-domain-not-found/
Line 10: Line 10:
=== Example dovecot.conf excerpt === === Example conf.d/10-master.conf excerpt ===
Line 12: Line 12:
auth default {
      mechanisms = plain login
      passdb pam {
      }
      userdb passwd {
      }
      socket listen {
        client {
          # Assuming the default Postfix $queue_directory setting
          path = /var/spool/postfix/private/auth
          mode = 0660
          # Assuming the default Postfix user and group
          user = postfix
          group = postfix
        }
        # deliver and some other programs need also auth-master:
        #master {
        # path = /var/run/dovecot/auth-master
        # mode = 0600
        #}
      }
    }
service auth {
...
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    # Assuming the default Postfix user and group
    user = postfix
    group = postfix
  }
  ...
}

# Outlook Express and Windows Mail works only with LOGIN mechanism, not the standard PLAIN:
auth_mechanisms = plain login
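Review bot: the replacement "service auth" excerpt collapses the rest of the block to "..." and drops the old comment that deliver and other programs also need an auth-master socket, so a reader migrating from the v1 layout gets no hint that further listeners may belong there; suggest keeping a one-line comment saying where the LDA's listener is configured. The listener itself keeps mode 0660 with user and group postfix, which correctly limits the socket to the Postfix user instead of leaving it world-accessible.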
Line 35: Line 26:
Line 38: Line 30:
Line 41: Line 34:

# On Debian Wheezy path must be relative and queue_directory defined
#queue_directory = /var/spool/postfix
Line 43: Line 40:
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
vecot
# With Postfix version before 2.10, use smtpd_recipient_restrictions
smtpd_relay
_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
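Review bot: the comment in this hunk only says to use smtpd_recipient_restrictions on Postfix before 2.10; it should also say that reject_unauth_destination has to stay in whichever parameter is used, because the rest of the list (permit_mynetworks, permit_sasl_authenticated) only grants access and that reject is what stops unauthenticated clients from relaying. Suggest: "# Keep reject_unauth_destination in whichever parameter you use" above the setting.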
Line 46: Line 43:

=== Using SASL with Postfix submission port ===
When Dovecot is used as the authentication backend for Postfix it is good practice to use a dedicated submission port for the MUAs (TCP 587). Not only can you specify individual parameters in '''master.cf''' overriding the global ones but you will not run into internet mail rejection while the Dovecot Auth Mechanism is unavailable. In this example Postfix is configured to accept TLS encrypted sessions only, along with several other sanity checks:

 * Verification of alias ownership via Login Maps
 * Domainname and recipient plausibility

`master.cf`
{{{
submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_login_maps=hash:/etc/postfix/virtual
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
}}}
=== Dovecot authentication via TCP ===

If Postfix and Dovecot are running on separate servers, you can also authenticate via TCP. For Dovecot set up an inet_listener:

{{{
service auth {
 inet_listener {
   port = 12345
 }
}
}}}

And configure Postfix to use it:

{{{
smtpd_sasl_path = inet:dovecot.example.com:12345
smtpd_sasl_type = dovecot
}}}
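Review bot: the added submission entry sets the chroot column of "submission inet n - n - - smtpd" to n, and the revision comment explains why (reject_unknown_recipient_domain needs DNS queries that fail inside the chroot), but nothing in the page text says so; suggest a comment line above the entry stating it. In the TCP section, the inet_listener on port 12345 is added with no address restriction and the prose only says the two daemons are on separate servers; worth noting that the Dovecot auth socket carries credentials unencrypted and should be reachable only from the Postfix host.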
Line 48: Line 85:

=== Remark ===
If Outlook Express (and/or Windows Mail) doesn't seem to login, even though you checked "My server requires authentication" in its configuration, then verify that the "mechanisms" line contains "login" in addition to "plain". "plain" is the default, and most clients can work with it, but Outlook Express needs the "login" mechanism. Also see:

 * http://archives.neohapsis.com/archives/postfix/2000-11/0881.html
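Review bot: deleting the Remark section removes the only explanation of why auth_mechanisms lists login next to plain (Outlook Express and Windows Mail); the inline comment on the setting survives, but the "See also:" list is left empty in the new revision, so either drop that heading or keep the reference under it.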

Postfix and Dovecot SASL

Since version 2.3, Postfix supports SMTP AUTH through Dovecot SASL, as introduced in the Dovecot 1.0 series. If you installed Postfix from a binary package (such as an .rpm or .deb file), you can check whether it was compiled with Dovecot SASL support by running:

postconf -a

The command lists the SASL server implementations Postfix was built with; dovecot must appear in its output.

Once you have verified that your installation of Postfix supports Dovecot SASL, it's very simple to configure:

Example conf.d/10-master.conf excerpt

service auth {
...
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    # Assuming the default Postfix user and group
    user = postfix
    group = postfix
  }
  ...
}

# Outlook Express and Windows Mail work only with the LOGIN mechanism, not the standard PLAIN:
auth_mechanisms = plain login

Example Postfix main.cf excerpt

smtpd_sasl_type = dovecot

# Can be an absolute path, or relative to $queue_directory
# Debian/Ubuntu users: Postfix is set up by default to run chrooted, so it is best to leave the relative path below as-is
smtpd_sasl_path = private/auth

# On Debian Wheezy path must be relative and queue_directory defined
#queue_directory = /var/spool/postfix

# and the common settings to enable SASL:
smtpd_sasl_auth_enable = yes
# With Postfix version before 2.10, use smtpd_recipient_restrictions
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

Using SASL with Postfix submission port

When Dovecot is used as the authentication backend for Postfix it is good practice to use a dedicated submission port for the MUAs (TCP 587). Not only can you override the global parameters for that one service in master.cf, but inbound internet mail on port 25 is not rejected while the Dovecot auth service is unavailable. In this example Postfix is configured to accept TLS-encrypted sessions only, along with several other sanity checks:

  • Verification of alias ownership via Login Maps
  • Domain name and recipient plausibility

master.cf

submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_login_maps=hash:/etc/postfix/virtual
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
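As an added example that is not from the wiki page or from the Postfix or Dovecot projects, a POSIX shell lint over constructed copies of the main.cf, 10-master.conf and submission excerpts above: it resolves smtpd_sasl_path against queue_directory the way Postfix does and compares the result with Dovecot's unix_listener, confirms reject_unauth_destination is still present in the relay (or pre-2.10 recipient) restrictions, and checks the submission entry's chroot column and TLS override. The parsing is a simplified "key = value" reader written for this example, not postconf.

```shell
# Constructed excerpts mirroring the page's examples (not from a live host).
MAIN_CF='smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
queue_directory = /var/spool/postfix
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination'
DOVECOT_CONF='service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}'
MASTER_CF='submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes'
# cf_get CONFIG KEY: value of the first "KEY = value" line, or empty.
cf_get() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}
# Postfix resolves a relative smtpd_sasl_path against $queue_directory;
# absolute paths and inet: endpoints are used as given.
resolve_sasl_path() {
  p=$(cf_get "$1" smtpd_sasl_path)
  case "$p" in
    /*|inet:*) printf '%s\n' "$p" ;;
    *) printf '%s/%s\n' "$(cf_get "$1" queue_directory)" "$p" ;;
  esac
}
# Path of the first unix_listener in Dovecot's "service auth" block.
dovecot_listener_path() {
  printf '%s\n' "$1" | awk '$1 == "unix_listener" { print $2; exit }'
}
# Succeeds only if reject_unauth_destination is still present in
# smtpd_relay_restrictions (or, before Postfix 2.10, smtpd_recipient_restrictions);
# without it unauthenticated clients could relay through the server.
relay_guarded() {
  r=$(cf_get "$1" smtpd_relay_restrictions)
  [ -n "$r" ] || r=$(cf_get "$1" smtpd_recipient_restrictions)
  printf '%s\n' "$r" | tr ',' '\n' | grep -q '^[[:space:]]*reject_unauth_destination[[:space:]]*$'
}
# master.cf: field 5 of the submission line is the chroot flag, kept at "n"
# on the page so reject_unknown_recipient_domain can do its DNS lookups.
submission_chroot() {
  printf '%s\n' "$1" | awk '$1 == "submission" { print $5; exit }'
}
# Value of an "-o KEY=value" override in the submission entry, or empty.
submission_option() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*-o[[:space:]]*$2=//p" | head -n 1
}
```

Run the functions against your real files with MAIN_CF=$(cat /etc/postfix/main.cf) and so on; a mismatch between resolve_sasl_path and dovecot_listener_path is the classic "SASL authentication failure: cannot connect to Dovecot auth socket" cause.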

Dovecot authentication via TCP

If Postfix and Dovecot are running on separate servers, you can also authenticate via TCP. For Dovecot, set up an inet_listener in the auth service. The Dovecot auth protocol carries the client's credentials unencrypted, so make this listener reachable only from the Postfix host (for example with the inet_listener address setting and a host firewall):

service auth {
  inet_listener {
    port = 12345
  }
}

And configure Postfix to use it:

smtpd_sasl_path = inet:dovecot.example.com:12345
smtpd_sasl_type = dovecot

HowTo/PostfixAndDovecotSASL (last edited 2014-12-30 23:19:11 by pool-98-111-147-67)