Dic 092014

In this article we will configure our server for authenticated smtp.

In the previuos part we have alredy setup database and tables.

FIRST METHOD: CYRUS-SASL AUTH (saslauthd daemon)

Now we have to install the following packages in order to enable sasl2 authentication:

cyrus-sasl cyrus-sasl-devel cyrus-sasl-plain cyrus-sasl-sql:

yum install cyrus−sasl cyrus−sasl−devel cyrus−sasl−plain cyrus−sasl−sql

edit your /etc/sasl2/smtpd.conf :

pwcheck_method: auxprop
mech_list: PLAIN
auxprop_plugin: sql
sql_usessl: no
sql_engine: mysql
sql_hostnames: localhost
sql_user: postfix
sql_database: mailserver
sql_passwd: yoursecretpassword
sql_select: select password from users where username = '%u'
log_level: 3

you need a SSL certifcate. For a production server it is adviceable to purchase one. Otherwise you can build a self-signed certificate this way: generate your key

openssl genrsa -out ca.key 2048 

Now generate your CSR (certificate request).
Answer to all questions and press return (no password) to create it

openssl req -new -key ca.key -out postfix.csr

Now you can get your self-signed certificate signing your request:

openssl x509 -req -days 3650 -in postfix.csr -signkey ca.key -out postfix.crt

move them

mv postfix.crt /etc/pki/tls/certs/
mv ca.key /etc/pki/tls/private/
mv postfix.csr /etc/pki/tls/private/

Adding the following lines to your /etc/postfix/main.cf should complete your configuration.

smtpd_tls_key_file =  /etc/pki/tls/private/ca.key
smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.crt
smtpd_use_tls = yes

smtpd_sasl_security_options = noanonymous
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes

smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

Don’t forget to enable and start saslauthd service:

systemctl enable saslauthd
systemctl  start saslauthd

SECOND METHOD: use dovecot to authenticate postfix

This method doesn’t require the installation of external modules. So it is simplier.
But it has the disadvantage you cannot easilly separate IMAP and SMTP users. So all your IMAP users will be enabled to send email trough your SMTP.
If this is OK for you, you can go this way and save time and server resources.
Configuration is very simple.
You should add a dovecot listener.
Add this to your /etc/dovecot/conf.d/10−master.conf under service auth section :

 # Postfix smtp−auth
 unix_listener /var/spool/postfix/private/auth {
 mode = 0666

Postfix configuration is very similar to the one supplied above.
Add the following two line to the above config:

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

restart your services and remember this time the auth username matches your email address.

  10 Risposte a “Centos 7.x (or RHEL) very simple configuration of a mailserver with postfix, dovecot & mysql (mariaDB) – part 2”

  1. HI, Thanks for this tutorial!
    I use the FIRST METHOD: CYRUS-SASL AUTH (saslauthd daemon).
    My problem now is… how to configure my thunderbird to use this SSL connection.

    On first tutorial, i configure:
    1) The IMAP (security box) with “SECURITY CONNECTION”: STARTTLS , and “AUTHENTICATED METHOD”: Normal Password.
    2) The SMTP (security box) with “SECURITY CONNECTION”: NONE , and “AUTHENTICATED METHOD”: Password transmitted insecurely

    Now… after i make the tutorial step 2, i can’t send and i can’t receive email with this configuration. What is the correct configuration? Where can i see the log error?


    • For thunderbird I configured:
      Security STARTTLS
      Port: 25
      Auth: normal password

      And it is OK.

      You can find all errors in the usual mail log in /var/log/maillog
      I cannot help you with the very few info you provided.
      1)cannot receive mail: can you telnet your server on port 25? Have you tried to telnet a mail and see if it si correctly delivered to the inbox? If it is OK have you set the DNS MX record of your domain pointing to your server….. etc.etc.

      2)cannot send: check your client configuration. Look at the log and report errors.

      • ok. The problem is my firewall 🙁

        I can send and receive email now… but i don’t understand why The SMTP configuration (security box) is “SECURITY CONNECTION”: NONE , and “AUTHENTICATED METHOD”: Password transmitted insecurely

        The “SECURITY CONNECTION” shoud not be : STARTTLS or SSL/TLS ???

        what this new settings actually do?


  2. OK… now is working… the problem is my self-signed certificate… but the option “smtpd_tls_auth_only = yes” or “smtpd_tls_auth_only = no” is equal in the result.
    It Works for the two ways even that “smtpd_tls_auth_only = no”.

    Another thing…

    I don’t know if you can help me but i only can send and receive emails in my internal network. If i send a email to GMAIL i don’t receive, and if i send a email from gmail i don’t receive.

    > I configure my MX in “register.com” with:
    (Hostname) mywebsite.com > (Priority) High > (mailserver) mail.mywebsite.com
    > I configure my CNAME in “register.com” with:
    mail.mywebsite.com (points to) mywebsite.dyndns.org (I use dyndns because i don’t have a fix IP)
    > In my router, i configure to automaticly update the dyndns with newest IP.
    > I can ping to mail.mywebsite.com
    > In my router, i make port forwarding to ports 25(SMTP), 110(POP3), 143(IMAP), 993(IMAPS), 995(POPS), 465(SMTPS) to my CentosServer IP, where is the mail server. In that case, we only use 25, 110 and 143.
    >My Thinderbird is installed in a windows machine, inside the home network, and i can send and receive emails to the users in my mail server. It works if i use as server my internal SERVER IP and works if i use as server the “mail.mywebsite.com”

    Is something wrong in what I’m Doing ?

    (Now… the log errors)

    I receive this error message in Gmail:

    Delivery to the following recipient has been delayed:
    Message will be retried for 2 more day(s)
    Technical details of temporary failure:
    The recipient server did not accept our requests to connect. Learn more at http://support.google.com/mail/bin/answer.py?answer=7720
    [(0) mail.mywebsite.com. [177.158.125.XXX]:25: socket error]

    In the /var/log/logmail i get this:

    Jan 22 20:53:59 mywebsite postfix/smtp[2365]: connect to gmail-smtp-in.l.google.com[]:25: Connection timed out
    Jan 22 20:53:59 mywebsite postfix/smtp[2365]: connect to gmail-smtp-in.l.google.com[2800:3f0:4003:c00::1a]:25: Network is unreachable
    Jan 22 20:53:59 mywebsite postfix/smtp[2365]: connect to alt1.gmail-smtp-in.l.google.com[2a00:1450:400c:c03::1a]:25: Network is unreachable
    Jan 22 20:54:06 mywebsite postfix/qmgr[1588]: 94AFF416180C: from=, size=755, nrcpt=3 (queue active)
    Jan 22 20:54:06 mywebsite postfix/qmgr[1588]: 37583416182D: from=, size=741, nrcpt=1 (queue active)
    Jan 22 20:54:06 mywebsite postfix/qmgr[1588]: ECA23416182A: from=, size=733, nrcpt=1 (queue active)
    Jan 22 20:54:06 mywebsite postfix/qmgr[1588]: 2A7FB4161836: from=, size=723, nrcpt=2 (queue active)
    Jan 22 20:54:14 mywebsite postfix/smtp[2378]: connect to gmail-smtp-in.l.google.com[2800:3f0:4003:c00::1a]:25: Network is unreachable
    Jan 22 20:54:14 mywebsite postfix/smtp[2379]: connect to gmail-smtp-in.l.google.com[2800:3f0:4003:c00::1a]:25: Network is unreachable

    P.S. I change my real hostname to mywebsite and i change the last 3 digit of my ip address to XXX

    Thanks for help!

    • A normal network issue. Usually very easy to track.
      For incoming email try telneting port 25 of your 177.158.125.XXX from an external address (not LAN). This seems to be the problem faced by gmail sending to you.
      For outgoing email try telneting port 25 of gmail-smtp-in.l.google.com [] from your server. Probably it won’t be able to do that.
      Morever check your IPV6 network status. It seems your box have IPV6 enabled but cannot reach external network. Disable IPV6 on your network intervace if it is not really able to reach the internet.

    • Moreover I confirm no address in your 177.158.125.XXX range has port 25 open to the internet

  3. Hi…

    My ISP is blocking my port 25 (in Brazil this port is blocked for residencial users).
    I changed my smtp port to (587) and i can connect to my server from outside (with Thunderbird) and sent emails to users in my server sucessfully.
    When i try to send to an external email, SMTP use the port 25, and i can not send. When i try to receive from an external email, the external email can´t reach my server.
    The unique solution (in Brazil) is to have a “comercial connection” in my ISP instead of a “residencial connection”.
    Thanks for the help!

    Do you will try to install a anti-spam and anti-virus in the mail server? What programs you recommend?

    Thanks for the help!

    • I am testing amavis + clamav + spamassassin.
      For your problem, if you wish to keep your server on your home connection, you can buy a cheap vps and tunnel from outside 🙂 Mail service doesn’t require a very fast connection.
      Or use IPV6….

 Lascia un commento

Puoi usare questi tag e attributi HTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>