How to configure Postfix with SMTP-AUTH over SASL2 with authentication against PAM in Ubuntu

I would like to submit emails to Postfix using SMTP authentication. I will authenticate my SMTP users against PAM.

Install sasl2:

apt-get install sasl2-bin

Add the following to /etc/postfix/sasl/smtpd.conf:

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

Copy saslauthd’s config file to /etc/default/saslauthd-postfix so that this copy is used for Postfix:

cp /etc/default/saslauthd /etc/default/saslauthd-postfix

Update the following in /etc/default/saslauthd-postfix:

OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

Since saslauthd’s run directory now lives inside the Postfix chroot, it is good to symlink the default location to it:

rm -rf /run/saslauthd
ln -s /var/spool/postfix/var/run/saslauthd /run/saslauthd

Register ownership and permissions for the required subdirectory:

dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd

Set up proper permissions by adding the postfix user to the ‘sasl’ group:

adduser postfix sasl

Restart saslauthd service

systemctl restart saslauthd.service

Add the following directives to /etc/postfix/

smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

Restart postfix service

systemctl restart postfix.service

Create linux user

useradd postmaster

Test authentication using the ‘swaks’ mailing utility:

swaks --from --to --tls --auth LOGIN --auth-user --auth-password 123pass --server

How to configure OpenDKIM with Postfix

In this HowTo, you will find out how we configured OpenDKIM and Postfix (3.1.0) to sign our emails with DKIM. I will not talk about what DKIM is or about settings like hash algorithms, DKIM Identity, Selectors etc.

Install OpenDKIM and tools.

apt-get install opendkim opendkim-tools

Add the following settings to /etc/opendkim.conf after “UserID” directive.

# Map AuthorDomains to RSA keys.
KeyTable /etc/dkimkeys/rsakeys.table
SigningTable refile:/etc/dkimkeys/signingdomains.table

# "simple" recommended by DKIMCore
Canonicalization simple

Mode sv
SubDomains no
AutoRestart yes
AutoRestartRate 10/1M
Background yes
DNSTimeout 5
SignatureAlgorithm rsa-sha256
OversignHeaders From

Generate RSA key for

cd /etc/dkimkeys/
opendkim-genkey --bits=1024 --selector=key1 --append-domain

It will create two files: “key1.private”, which is for the server side, and “key1.txt”, which contains the following DNS record that needs to be created in the zone. You can look up my existing record with dig TXT +short

IN TXT ( "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDVgaYb2qaO92yF1DuoSIWybPgiwQ3dfjN1XhzstnEqfi/GroqtN87BrjEr9BGTTiisocbMZOtfErgfCSq+sCjHohEySdngfnxPUqLYqco+Xe3RlESYngKFU9YUUKXE9OcT3dt3v921h1pZ9BJwQ2RyJ+xANYR5DivfRT2gPCdIWwIDAQAB" )  ; ----- DKIM key key1 for

mv key1.private

Add RSAkey reference to KeyTable file in /etc/dkimkeys/rsakeys.table


Add AuthorDomain and RSAKey reference in /etc/dkimkeys/signingdomains.table

* postfixdkim

“*” means that mail from the domain with any local-part should be signed with this key. “postfixdkim” is the reference to the RSA key in the KeyTable.

Connect OpenDKIM to Postfix. Since Postfix runs in a jail environment, it is better to keep OpenDKIM inside the Postfix spool directory as well.

mkdir /var/spool/postfix/opendkim

Update opendkim.sock path to new location in /etc/default/opendkim


Configure opendkim in /etc/postfix/

# Connect OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:/opendkim/opendkim.sock
non_smtpd_milters = local:/opendkim/opendkim.sock

Set up proper permissions.

chown -R opendkim:opendkim /etc/opendkim.conf /etc/dkimkeys
chown opendkim:postfix /var/spool/postfix/opendkim

Restart opendkim and postfix

systemctl restart opendkim.service
systemctl restart postfix.service

How to enable Outbound Opportunistic TLS in Postfix

Most ISPs like Gmail, Hotmail and Yahoo now support server-side TLS. ESPs like Sendgrid, Sparkpost and Mailchimp have also enabled outbound TLS in their MTAs.

You can either force Postfix to always use TLS or, as the other recommended way, use ‘Opportunistic TLS’, so that Postfix uses TLS when the recipient domain supports it and otherwise falls back to a non-TLS connection.

vim /etc/postfix/

Add after “smtp_banner” settings.

smtp_tls_security_level = may

Reload Postfix

systemctl reload postfix.service

Verify logs for errors.

tail -f /var/log/mail.log

Expected output:

Nov 26 13:21:54 console postfix/postfix-script[9285]: refreshing the Postfix mail system
Nov 26 13:21:54 console postfix/master[2323]: reload -- version 3.1.0, configuration /etc/postfix
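
Because the ‘may’ level falls back to a non-TLS connection without any error, the reload messages above do not show whether a given delivery was encrypted. The following Python sketch is an added example, not part of the original post: it lists mail that was sent to a relay for which the same smtp process logged no TLS handshake (a heuristic keyed on process ID and relay). It assumes smtp_tls_loglevel = 1 is also set, which the post does not do, and runs on constructed log lines.

```python
import re

# Constructed sample in the mail.log format shown above; hosts, addresses and
# queue IDs are made up. Handshake lines appear only with smtp_tls_loglevel = 1
# (an assumption; the post does not set it).
SAMPLE_LOG = """\
Nov 26 13:25:01 console postfix/smtp[9301]: Untrusted TLS connection established to mx1.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Nov 26 13:25:02 console postfix/smtp[9301]: 3F2A1C0D12: to=<alice@example.net>, relay=mx1.example.net[192.0.2.10]:25, delay=1.1, delays=0.1/0/0.6/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK)
Nov 26 13:25:07 console postfix/smtp[9302]: 7B19D4E033: to=<bob@example.org>, relay=mail.example.org[198.51.100.7]:25, delay=0.9, delays=0.1/0/0.3/0.5, dsn=2.0.0, status=sent (250 OK)
Nov 26 13:25:09 console postfix/smtp[9301]: 9C44A0F1AB: to=<carol@example.org>, orig_to=<sales@example.org>, relay=mail.example.org[198.51.100.7]:25, delay=0.8, delays=0.1/0/0.3/0.4, dsn=2.0.0, status=sent (250 OK)
Nov 26 13:25:12 console postfix/smtp[9302]: 1D7E55A0C4: to=<dave@example.com>, relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred (connect to mx.example.com[203.0.113.5]:25: Connection timed out)
"""

# Handshake line written by the Postfix SMTP client: trust level, then host[addr]:port.
TLS_RE = re.compile(
    r"postfix/smtp\[(\d+)\]: (\w+) TLS connection established to (\S+\[[^\]]+\]):\d+:")
# Successful delivery line: queue ID, recipient, relay host[addr]:port.
SENT_RE = re.compile(
    r"postfix/smtp\[(\d+)\]: (\w+): to=<([^>]*)>.*? relay=(\S+\[[^\]]+\]):\d+,.*\bstatus=sent\b")


def plaintext_deliveries(log_text):
    """Return (queue_id, recipient, relay) for sent mail with no TLS handshake logged."""
    tls_seen = set()   # (pid, relay) pairs for which a handshake line was seen
    findings = []
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            tls_seen.add((m.group(1), m.group(3)))
            continue
        m = SENT_RE.search(line)
        # Deferred or bounced mail never matches SENT_RE, so only real deliveries count.
        if m and (m.group(1), m.group(4)) not in tls_seen:
            findings.append((m.group(2), m.group(3), m.group(4)))
    return findings


if __name__ == "__main__":
    for queue_id, rcpt, relay in plaintext_deliveries(SAMPLE_LOG):
        print(f"{queue_id}: {rcpt} via {relay} sent without a logged TLS handshake")
```

Relays that show up here repeatedly are candidates for a closer look before deciding whether to enforce TLS for them.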