### Get SASL authentication working with a Postfix mail server ###
       
       
       How do you get SASL authentication working with the Postfix mail server?
       
       On my Postfix server, I needed to allow relaying for authenticated people only. This is a rather good way to avoid being one of these nasty "open-relays".
       For authentication purposes, Postfix uses SASL. Here are the parameters I had to put into my /etc/postfix/main.cf file to tell Postfix to use authentication and to allow mail relaying for authenticated people only:
       
               # SASL configuration
               smtpd_sasl_auth_enable = yes
               smtpd_sasl_security_options = noanonymous
               smtpd_sasl_local_domain = $myhostname
               smtpd_sasl_application_name = smtpd
               broken_sasl_auth_clients = yes
       
               smtpd_recipient_restrictions =
                  permit_sasl_authenticated,
                  permit_mynetworks,
                  reject_unauth_destination,
                  reject_unauth_pipelining
       
       The next step is to set up SASL itself. This is the content of the /etc/postfix/sasl file:
       
               pwcheck_method: auxprop
               auxprop_plugin: sasldb
               mech_list: plain login cram-md5 digest-md5
       
       It is important to note that, to be able to use the auxprop method, I had to install the libsasl2-modules package (apt-get install libsasl2-modules). Otherwise, I kept getting "xsasl_cyrus_server_get_mechanism_list: no applicable SASL mechanisms" errors in my mail.info logs.
       
       
       Now, the SASL mechanism will use the database at /etc/sasldb2 (this is a standard Berkeley database). This way, it's not required to create a system account for users who have a mail account on the server.
       It's important to let Postfix (and SASL, obviously) access the database file (otherwise you are likely to get "SASL authentication problem: unable to open Berkeley db /etc/sasldb2" errors in the logs). A quick "chown postfix:sasl /etc/sasldb2" should be enough.
       Another problem I ran into is that Postfix was looking for a /var/spool/postfix/etc/sasldb2 file instead of /etc/sasldb2, and was generating errors about /etc/sasldb2 (!) not found. This had me going for a long time, until I realised that Postfix was running smtpd in a chrooted environment. To prevent that, I had to modify the following line of the /etc/postfix/master.cf file:
       
               smtp inet n - n - - smtpd
       
       The second "n" means it is not chrooted. There may be a way of running smtpd in a chroot with SASL authentication, but it doesn't look like a "must do" thing to me, as I'm running my Postfix installation in a virtual machine anyway, so having it not chrooted is no big deal to me.
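
The chroot column decides which sasldb2 file smtpd actually opens. The script below is an added example, not part of the original write-up: it reads a master.cf on stdin and prints, for each smtpd service, the chroot setting and the resulting database path. The `submission` and `smtps` sample lines are constructed, and the meaning of "-" in the chroot column (chrooted before Postfix 3.0, not chrooted from 3.0 on) is passed in as a parameter.

```shell
#!/bin/sh
# Added example (not from the original page): for every smtpd service in a
# master.cf read on stdin, print whether it is chrooted and which sasldb2
# file it will therefore try to open.
#
# Usage: sasldb_paths [queue_directory] [default_chroot] < master.cf
#   queue_directory defaults to /var/spool/postfix (the path seen on the page).
#   default_chroot is what "-" means in the chroot column: "y" before
#   Postfix 3.0, "n" from 3.0 on. Defaults to "y" here.
sasldb_paths() {
    awk -v q="${1:-/var/spool/postfix}" -v dflt="${2:-y}" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        /^[ \t]/                 { next }   # skip "-o option" continuation lines
        $8 == "smtpd" {
            # Columns: service type private unpriv chroot wakeup maxproc command
            chroot = ($5 == "-") ? dflt : $5
            path = (chroot == "y") ? (q "/etc/sasldb2") : "/etc/sasldb2"
            printf "%s/%s chroot=%s sasldb=%s\n", $1, $2, chroot, path
        }'
}

# Constructed sample input: the non-chrooted line from the page, plus two
# hypothetical services to show the "y" and "-" cases.
sample_master_cf() {
    cat <<'EOF'
# service  type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       y       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
smtps      inet  n       -       -       -       -       smtpd
pickup     fifo  n       -       -       60      1       pickup
EOF
}

sample_master_cf | sasldb_paths
```

On a real host, run it as `sasldb_paths < /etc/postfix/master.cf`; any service reported with chroot=y needs the database to exist under the queue directory, or the column changed as described above.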
       
       
       From now on, Postfix will perform SASL authentication via sasldb2 lookups. Here are some useful commands for administration tasks on the /etc/sasldb2 database:
       
           List users of the sasldb2 database:
               sasldblistusers2
       
           Add a new user to the sasldb2 database:
               saslpasswd2 -c <username> -u <domainname> -a smtpauth
               (note that users will have to use logins in the form "username@domainname" when authenticating)
       
           Remove a user from the sasldb2 database:
               saslpasswd2 -d <username>
       
           Dump the database's content on screen:
               db_dump /etc/sasldb2 -p
               (well, on my Debian 5 distro it was actually the "db4.6_dump" command)