Creating Authenticated Relay using Postfix

Posted on 2006-05-09
Medium Priority
Last Modified: 2013-12-16
As the title would indicate, I'm hoping to create an Authenticated relay using Postfix.  I've searched the Internet high and low on how to do this, but I am still falling short.

What appears to be happening is, I can send an e-mail... and it appears to send without error.  However, it never makes it to the recipient.  My theory is Postfix is stopping it, since it does not want to relay mail.  This is also happening when authenticating, so I'm stumped.

If anybody could give me some config tips to help me correctly set up my Postfix to relay authenticated e-mails, I will forever be indebted to you.

Question by:dharvell

Expert Comment

ID: 16647937
You are trying to have users authenticate with your mail server in order to send email, correct?

If so, no problem, I know a couple of ways to do it, but before I get into that I will wait for you to confirm my suspicion.  Also, if this is it, also answer if your /var/spool/postfix directory structure is on the same partition as the /var/lib/

Author Comment

ID: 16648288
Cyclops -

Sounds like your suspicion is dead on!  And yes... the /var/spool/postfix is on the same partition as /var/lib/.  So far, so good! :)

Accepted Solution

Cyclops3590 earned 1000 total points
ID: 16648462
Perfect, the reason I asked that question is because we can set up your postfix installation to use saslauthd to verify username/password against the /etc/shadow file so any changes that happen there automatically take effect for sending and receiving (other methods make it so the sending password is stored in a different area than the receiving password).

Okay, here is what you do.
1) Make sure saslauthd is installed
2) make a directory /etc/postfix/sasl/ with privileges 755, owned by root, group owned by root
    In the directory make the file called smtpd.conf with privileges of 644, owned by root, group owned by root
    mech_list:         plain login
    pwcheck_method:    saslauthd
    log_level:         3
The mech_list can have more than plain and login, but those are needed for MS clients; Thunderbird and others can use cram-md5 or digest-md5 no problem
3) edit the main.cf
smtpd_sasl_path = /etc/postfix/sasl:/usr/lib/sasl2
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
line 1 says where to find the sasl config file, 2 says enable sasl, 3 says the domain to send to saslauthd (*NOTE: also try with $myhostname missing, some installs need that depending upon the cyrus-sasl install you have), 4 says don't allow anonymous connections, 5 says be compatible with MS clients, and 6 says relay for mynetworks, sasl authenticated users, MTAs, and no one else
4) edit /etc/sysconfig/saslauthd
this will make the sasl daemon authenticate against the system shadow file

As soon as you make those changes, restart postfix and saslauthd.  That should be everything, but if it's still not working, let me know.  Also, you may want to look at securing your connections with SSL since you are passing your password via an easily crackable method.
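
An added example (not part of the original answer, and not Postfix project code): a small Python audit of main.cf text for the relay settings the answer describes, plus smtpd_tls_auth_only, the standard Postfix parameter that limits AUTH to TLS sessions and so addresses the answer's closing SSL caveat. The sample configuration is constructed, the function names are hypothetical, and only values set explicitly in smtpd_recipient_restrictions are inspected, as on this page (Postfix 2.10 and later also have smtpd_relay_restrictions).

```python
import re

# Constructed sample main.cf (not from the page): relay settings present, TLS-only AUTH absent.
SAMPLE_MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /etc/postfix/sasl:/usr/lib/sasl2
smtpd_sasl_security_options = noanonymous
# restriction list wrapped over continuation lines
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""

def parse_main_cf(text):
    """Return {parameter: value}; a line starting with whitespace continues the previous one."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments
        if raw[0] in " \t" and name:
            params[name] += " " + raw.strip()
        elif "=" in raw:
            name, value = raw.split("=", 1)
            name = name.strip()
            params[name] = value.strip()
    return params

def words(value):
    """Split a Postfix list value on commas and whitespace."""
    return [w for w in re.split(r"[,\s]+", value) if w]

def audit_relay(params):
    """Return findings (hypothetical wording) for an authenticated-relay setup."""
    findings = []
    if params.get("smtpd_sasl_auth_enable", "no").lower() != "yes":
        findings.append("smtpd_sasl_auth_enable is not yes: AUTH is not offered")
    if "noanonymous" not in words(params.get("smtpd_sasl_security_options", "noanonymous")):
        findings.append("smtpd_sasl_security_options lacks noanonymous")
    restr = words(params.get("smtpd_recipient_restrictions", ""))
    if "reject_unauth_destination" not in restr:
        findings.append("no reject_unauth_destination in smtpd_recipient_restrictions")
    elif "permit_sasl_authenticated" not in restr:
        findings.append("no permit_sasl_authenticated: authenticated users cannot relay")
    elif restr.index("permit_sasl_authenticated") > restr.index("reject_unauth_destination"):
        findings.append("permit_sasl_authenticated comes after reject_unauth_destination")
    if params.get("smtpd_tls_auth_only", "no").lower() != "yes":
        findings.append("smtpd_tls_auth_only is not yes: PLAIN/LOGIN passwords may be sent unencrypted")
    return findings

if __name__ == "__main__":
    for finding in audit_relay(parse_main_cf(SAMPLE_MAIN_CF)):
        print("FINDING:", finding)
```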

Author Comment

ID: 16649283
Cyclops -

Beautiful!  Sending mail works like a charm!  Now, when I attempt to RECEIVE mail (I sent myself a test to my Gmail account, which worked great, so I attempted to reply from my Gmail account), I get the following error (from Gmail):

PERM_FAILURE: SMTP Error (state 9): 554 <emailaddress@domain.com>: Relay access denied

So, in a nutshell, sending seems to work great, but receiving doesn't seem to...  Any thoughts?

Thanks again!

Author Comment

ID: 16649734
Okay... I got the send working.  All I had to do was add a $mydomain in the allowed relay in the /etc/postfix/main.cf file.  Excellent!

Thanks for the help.

Expert Comment

ID: 16650021
awesome, glad I could help.
