I've been asked to add SASL authentication to an existing Postfix server used for outbound mail. For a variety of reasons (but primarily because it integrates more easily with MySQL), we're planning to use Dovecot as the authentication server.

I've installed Dovecot, and it works OK. (The server doesn't normally act as a POP/IMAP server, but I enabled it temporarily so that I could ensure Dovecot was authenticating correctly before trying to use it as the backend for Postfix.) But I can't get Postfix to use SASL.

The server is running on FreeBSD and Postfix was installed from ports, so, to add SASL support, I shut down Postfix and ran 'make deinstall', 'make config' to add Dovecot to the configuration, and then 'make reinstall' to rebuild it. A 'make showconfig' shows that Dovecot is now in the config:

===> The following configuration options are available for postfix-2.4.0,1:
     PCRE=on "Perl Compatible Regular Expressions"
     SASL2=off "Cyrus SASLv2 (Simple Auth. and Sec. Layer)"
     DOVECOT=on "Dovecot SASL authentication method"
     SASLKRB=off "If your SASL req. Kerberos select this option"
     SASLKRB5=off "If your SASL req. Kerberos5 select this option"
     SASLKMIT=off "If your SASL req. MIT Kerberos5 select this option"
     TLS=off "Enable SSL and TLS support"
     BDB=off "Berkeley DB (choose version with WITH_BDB_VER)"
     MYSQL=on "MySQL maps (choose version with WITH_MYSQL_VER)"
     PGSQL=off "PostgreSQL maps (choose with DEFAULT_PGSQL_VER)"
     OPENLDAP=off "OpenLDAP maps (choose ver. with WITH_OPENLDAP_VER)"
     CDB=off "CDB maps lookups"
     NIS=off "NIS maps lookups"
     VDA=off "VDA (Virtual Delivery Agent)"
     TEST=off "SMTP/LMTP test server and generator"
===> Use 'make config' to modify these settings

(Previously, 'make showconfig' listed DOVECOT=off)

I've then added these lines to main.cf:

smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/run/dovecot/auth-client

and under smtpd_recipient_restrictions, added
        permit_sasl_authenticated

(The path to the Dovecot auth-client file is correct, and Postfix is not running chrooted so there's no problem reading a file in that location)

However, when I start Postfix, I get these errors in maillog:

warning: smtpd_sasl_auth_enable is true, but SASL support is not compiled in

and issuing an EHLO command from a manual SMTP connection doesn't show authentication as an option.

postconf -a and postconf -A both return nothing.

For reference, here's the full postconf -n output:

command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
debug_peer_level = 2
disable_vrfy_command = yes
html_directory = no
mail_owner = postfix
mailbox_size_limit = 1024000000
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 40960000
mynetworks = [various IP ranges]
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
relay_domains = $transport_maps
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtpd_client_connection_rate_limit = 60
smtpd_client_event_limit_exceptions = 127.0.0.0/8
smtpd_discard_ehlo_keywords = silent-discard, dsn
smtpd_recipient_restrictions = permit_mynetworks reject_non_fqdn_recipient permit_sasl_authenticated reject_unauth_destination reject
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /var/run/dovecot/auth-client
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = check_sender_access mysql:/usr/local/etc/postfix/sender.cf check_sender_access mysql:/usr/local/etc/postfix/sender_smtpout.cf reject_non_fqdn_hostname reject_non_fqdn_sender reject
unknown_local_recipient_reject_code = 550
virtual_mailbox_limit = 1024000000

Any clues as to what I'm doing wrong here? Or is this more likely to be an issue with the FreeBSD ports distribution?

Thanks

Mark
--
http://mark.goodge.co.uk - my pointless blog
http://www.good-stuff.co.uk - my less pointless stuff
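
An added example, not part of the original post: a shell check for the mismatch described above, where main.cf sets smtpd_sasl_type = dovecot but postconf -a lists no compiled-in SASL server types. The function names and the embedded sample text are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post). Compares the SASL settings in
# `postconf -n` output with the server plug-in types listed by `postconf -a`.

# Print the value of parameter $1 from "name = value" text on stdin.
conf_value() {
    sed -n "s/^$1 = //p" | head -n 1
}

# $1 = text of `postconf -n`, $2 = text of `postconf -a`.
# Returns 0 if the configured type is compiled in, 1 if it is not,
# 2 if smtpd_sasl_auth_enable is not "yes".
check_sasl_build() {
    enabled=$(printf '%s\n' "$1" | conf_value smtpd_sasl_auth_enable)
    type=$(printf '%s\n' "$1" | conf_value smtpd_sasl_type)
    if [ "$enabled" != "yes" ]; then
        echo "SASL is not enabled in main.cf"
        return 2
    fi
    # Postfix falls back to the cyrus type when smtpd_sasl_type is unset.
    [ -n "$type" ] || type=cyrus
    if printf '%s\n' "$2" | grep -qxF "$type"; then
        echo "OK: SASL type '$type' is compiled into this build"
        return 0
    fi
    echo "MISMATCH: smtpd_sasl_type = $type, but postconf -a lists:" \
         "$(printf '%s' "${2:-<nothing>}" | tr '\n' ' ')"
    return 1
}

# Constructed sample: the three SASL lines from the post's postconf -n output
# and the empty `postconf -a` result it reports.
SAMPLE_CONF='smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /var/run/dovecot/auth-client
smtpd_sasl_type = dovecot'
SAMPLE_TYPES=''

check_sasl_build "$SAMPLE_CONF" "$SAMPLE_TYPES" || true
# On a live server: check_sasl_build "$(postconf -n)" "$(postconf -a)"
```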
