SMTP configuration

<!-- NOTES - Notes here --> <!-- GOAL ONE-LINER -->
<p>Configure Postfix to use Dovecot as its authentication mechanism.</p>
<!-- RATIONALE --> <!-- NUANCE -->
<h2>Procedure</h2>
<!-- NARRATIVE FORM --> <!-- Configure `submission` port --> <!-- STEP BY STEP -->
<ol>
<li> <p>Edit <code>/etc/dovecot/conf.d/10-master.conf</code> to have it create an authentication socket file owned by the user/group postfix with mode 660 (so only "postfix" can "talk to" the socket file):</p>
<pre><code class="language-diff"> service auth { ... # Postfix smtp-auth #unix_listener /var/spool/postfix/private/auth { # mode = 0666 #} + unix_listener /var/spool/postfix/private/auth { + mode = 0660 + user = postfix + group = postfix + }</code></pre> </li>
<li> <p>Make Postfix use Dovecot for <a href="https://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer">SASL</a> authentication:</p>
<pre><code class="language-shell">postconf -e "smtpd_sasl_type=dovecot"
postconf -e "smtpd_sasl_path=private/auth"
postconf -e "smtpd_sasl_auth_enable=yes"</code></pre> </li>
<li> <p>Edit <code>/etc/postfix/master.cf</code> to make Postfix use the <em>submission</em> port (587) (instead of the old-school SMTP port (25))*:</p>
<pre><code class="language-diff"> #submission inet n - y - - smtpd # -o syslog_name=postfix/submission # -o smtpd_tls_security_level=encrypt # -o smtpd_sasl_auth_enable=yes # -o smtpd_reject_unlisted_recipient=no # -o smtpd_client_restrictions=$mua_client_restrictions # -o smtpd_helo_restrictions=$mua_helo_restrictions # -o smtpd_sender_restrictions=$mua_sender_restrictions # -o smtpd_recipient_restrictions= # -o smtpd_relay_restrictions=permit_sasl_authenticated,reject # -o milter_macro_daemon_name=ORIGINATING + submission inet n - - - - smtpd + -o syslog_name=postfix/submission + -o smtpd_tls_security_level=encrypt + -o smtpd_sasl_auth_enable=yes + -o smtpd_sasl_type=dovecot + -o smtpd_sasl_path=private/auth + -o smtpd_sasl_security_options=noanonymous + 
-o smtpd_sender_login_maps=mysql:/etc/postfix/mysql-email2email.cf,mysql:/etc/postfix/mysql-virtual-alias-maps.cf + -o smtpd_sender_restrictions=reject_sender_login_mismatch + -o smtpd_sasl_local_domain=$myhostname + -o smtpd_client_restrictions=permit_sasl_authenticated,reject + -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject</code></pre>
<!-- !!! Explain each default-deviation !!! -->
<blockquote> <p>ℹ️ *Port 25 (SMTP) is used for server-to-server e-mail submission. Historically it was also used for human-to-server e-mail relaying; however, because SMTP on port 25 does not necessarily require authentication, many ISPs block port 25 to prevent the use of erroneously configured (open) relay servers, which are infamous for being used by spammers. Submission (587) requires authentication in all cases, so it is the safer option to use.</p> </blockquote> </li>
<li> <p>Reload Dovecot and Postfix to apply the changes:</p>
<pre><code class="language-shell">service dovecot reload
service postfix reload</code></pre> </li>
</ol>
<!-- REFERENCES -->
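Review bot: in the 10-master.conf hunk, the added unix_listener has no comment tying its path to the Postfix side: /var/spool/postfix/private/auth only lines up with smtpd_sasl_path=private/auth because Postfix resolves that value relative to its queue directory, which this path assumes is /var/spool/postfix. Add a one-line comment above the block saying so, and consider deleting the commented-out stock listener with mode = 0666 instead of leaving it beside the live one, so that a later edit does not re-enable the world-accessible variant.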
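Review bot: in the master.cf hunk, the added "submission inet n - - - - smtpd" line changes the chroot column from the stock "y" to "-" without saying so; how "-" is read depends on the Postfix version and compatibility level, so write the intended value ("y" or "n") explicitly. The -o smtpd_sasl_auth_enable=yes, smtpd_sasl_type=dovecot and smtpd_sasl_path=private/auth overrides also repeat what step 2 writes to main.cf with postconf -e, which turns SASL on for every smtpd service that does not override it; if AUTH is meant to be offered on the submission port only, keep these overrides and drop the global smtpd_sasl_auth_enable=yes, or set smtpd_tls_auth_only=yes so AUTH is never offered without TLS.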
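<p>A check to run after the procedure, added here as an example and not part of the original page: it parses <code>master.cf</code> text and reports where the active <code>submission</code> entry differs from the overrides shown above. The function names and the sample text are constructed for illustration; the script does not read <code>main.cf</code>, so a value set only there is reported as missing, and it does not handle the <code>-o { name = value }</code> form.</p>

```python
REQUIRED = {  # override values copied from the procedure's submission entry
    "smtpd_tls_security_level": "encrypt",
    "smtpd_sasl_auth_enable": "yes",
    "smtpd_sasl_type": "dovecot",
    "smtpd_sasl_path": "private/auth",
    "smtpd_sender_restrictions": "reject_sender_login_mismatch",
}

def parse_master_cf(text):
    """Map (service, type) to its {-o name: value} overrides for each active entry."""
    services, overrides = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        tokens = line.split()
        if not line[0].isspace():  # a logical line starts in column 1: 8 fields, then args
            overrides = services.setdefault(tuple(tokens[:2]), {}) if len(tokens) >= 8 else None
            tokens = tokens[8:]
        if overrides is None:
            continue  # malformed entry, or a continuation with nothing before it
        for flag, arg in zip(tokens, tokens[1:]):
            if flag == "-o" and "=" in arg:
                name, value = arg.split("=", 1)
                overrides[name] = value
    return services

def audit_submission(text):
    """Return findings for submission/inet; an empty list means the entry matches."""
    found = parse_master_cf(text).get(("submission", "inet"))
    if found is None:
        return ["submission/inet entry is missing or commented out"]
    findings = [f"{k}: want {v}, found {found.get(k)}"
                for k, v in REQUIRED.items() if found.get(k) != v]
    for name in ("smtpd_client_restrictions", "smtpd_recipient_restrictions"):
        rules = found.get(name, "").split(",")
        if "permit_sasl_authenticated" not in rules or rules[-1] != "reject":
            findings.append(f"{name}: must permit SASL clients and end in reject")
    return findings

# Constructed sample: the procedure's entry, reduced to the overrides checked here.
GOOD = """\
submission inet n - - - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
"""
WEAK = GOOD.replace("=encrypt", "=may").replace("domain,permit_sasl_authenticated,reject", "domain,permit_sasl_authenticated")
```

<p>On a live host, pass the contents of <code>/etc/postfix/master.cf</code> to <code>audit_submission()</code>; each returned string names one override to review.</p>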