1. Install all required packages
yum install cyrus-sasl cyrus-sasl-devel cyrus-sasl-gssapi cyrus-sasl-md5 cyrus-sasl-plain postfix

1b. Backup default postfix config
cp /etc/postfix/main.cf /etc/postfix/main.cf_orig

2. Configure SMTP-AUTH and TLS using postconf
/usr/sbin/postconf -e 'smtpd_sasl_local_domain ='
/usr/sbin/postconf -e 'smtpd_sasl_auth_enable = yes'
/usr/sbin/postconf -e 'smtpd_sasl_security_options = noanonymous'
/usr/sbin/postconf -e 'broken_sasl_auth_clients = yes'
/usr/sbin/postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
/usr/sbin/postconf -e 'inet_interfaces = all'
/usr/sbin/postconf -e 'mynetworks =,'

3. Set postfix to allow LOGIN and PLAIN logins.
vim /usr/lib/sasl2/smtpd.conf (32-bit)
vim/usr/lib64/sasl2/smtpd.conf (64-bit)

pwcheck_method: saslauthd
mech_list: plain login

4. Create key for SSL certificate signing request
mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key

5. Create the signing request with the key
openssl req -new -key smtpd.key -out smtpd.csr

6. Create the SSL certificate with the signing request and the key
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

7. Create RSA key
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv smtpd.key.unencrypted smtpd.key

8. Create CA key and cert
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

9. Configure postfix for TLS
/usr/sbin/postconf -e 'smtpd_tls_auth_only = no'
/usr/sbin/postconf -e 'smtp_use_tls = yes'
/usr/sbin/postconf -e 'smtpd_use_tls = yes'
/usr/sbin/postconf -e 'smtp_tls_note_starttls_offer = yes'
/usr/sbin/postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
/usr/sbin/postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
/usr/sbin/postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
/usr/sbin/postconf -e 'smtpd_tls_loglevel = 1'
/usr/sbin/postconf -e 'smtpd_tls_received_header = yes'
/usr/sbin/postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
/usr/sbin/postconf -e 'tls_random_source = dev:/dev/urandom'

10. Set servers hostname and mydomain in postfix config
/usr/sbin/postconf -e 'myhostname = vsv01.atbnet.local'
/usr/sbin/postconf -e 'mydomain = atbnet.local'

11. Check through the postfix config
more /etc/postfix/main.cf

12. Create DNS entry in your domain zone file (e.g. smtp.atbnet.local)
smtp IN A

13. Stop sendmail and Start postfix, saslauthd
/etc/init.d/sendmail stop
/etc/init.d/postfix start
/etc/init.d/saslauthd start

14. Check maillog for errors/failures and correct startup

tail /var/log/maillog
Mar 10 04:21:55 vsv01 sendmail[6074]: alias database /etc/aliases rebuilt by andy
Mar 10 04:21:55 vsv01 sendmail[6074]: /etc/aliases: 76 aliases, longest 10 bytes, 765 bytes total
Mar 10 04:21:55 vsv01 postfix/postfix-script: starting the Postfix mail system
Mar 10 04:21:55 vsv01 postfix/master[6120]: daemon started -- version 2.3.3, configuration /etc/postfix

15. Configure services to start at required runlevels
/sbin/chkconfig --level 345 sendmail off
/sbin/chkconfig --level 345 postfix on
/sbin/chkconfig --level 345 saslauthd on

16. Test that postfix is running, accepting connections and SMTP-AUTH/TLS is working
telnet localhost 25

Connected to localhost.localdomain (
Escape character is '^]'.
220 vsv01.atbnet.local ESMTP Postfix
ehlo localhost
250-SIZE 10240000
250 DSN
221 2.0.0 Bye
Connection closed by foreign host.

If the below is in the statement returned by the server then TLS and PLAIN/LOGIN logins are configured correctly:

17. Check firewall rules allow port 25
/sbin/iptables -nvL

-A INPUT -i lo -j ACCEPT
-A INPUT -s -p tcp --dport 25 -j ACCEPT




Share this blog post on social media:

Social Links


All advice, installation/configuration how to guides, troubleshooting and other information on this website are provided as-is with no warranty or guarantee. Whilst the information provided is correct to the best of my knowledge, I am not reponsible for any issues that may arise using this information, and you do so at your own risk. As always before performing anything; check, double check, test and always ensure you have a backup.

Copyright ©2016 Andy Barnes - Please do not copy any content including images without prior consent!

Designed and Hosted by Andy Barnes