How to Configure Postfix SASL Authentication Using Plaintext Password File



When setting up Postfix as an outbound SMTP server for applications, making sure it cannot be used as an open relay is critical. Many tutorials suggest Dovecot or PAM for SASL authentication, but these add unnecessary complexity for simple use cases where all you need is username/password authentication against a plaintext file.

First, install the necessary packages on Debian/Ubuntu:

sudo apt-get update
sudo apt-get install postfix libsasl2-modules sasl2-bin

Edit /etc/default/saslauthd to enable saslauthd with plaintext authentication:

START=yes
MECHANISMS="plain"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

Create /etc/postfix/sasl_passwd with username:password pairs (one per line):

user1:password1
user2:password2

Then create the hash database:

sudo postmap /etc/postfix/sasl_passwd
sudo chmod 600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db

Add these lines to /etc/postfix/main.cf:

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = smtpd
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

Restart Postfix and saslauthd:

sudo systemctl restart postfix saslauthd

Test authentication using Telnet:

telnet localhost 25
EHLO localhost
AUTH PLAIN
[base64 encoded credentials]

  • Ensure /etc/postfix/sasl_passwd has strict permissions (600)
  • Consider using TLS encryption for SMTP
  • Regularly audit authentication attempts in mail logs
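The "[base64 encoded credentials]" line above is the SASL PLAIN initial response from RFC 4616: the authorization identity (left empty), the username and the password, joined by NUL bytes and base64-encoded. The helper below is an added example for this article, not code from the original post; it assumes a POSIX sh with GNU coreutils (base64, tr) and uses the user1/password1 pair from the sample file above. The decoder shows why the blob is only an encoding, not protection: anyone who sees it on the wire has the password, which is the reason for the TLS recommendation above.

```shell
#!/bin/sh
# Build the AUTH PLAIN initial response (RFC 4616):
#   base64( authzid NUL authcid NUL password )
# $1 = username (authcid), $2 = password; authzid is left empty, as most clients do.
sasl_plain_initial_response() {
  printf '\0%s\0%s' "$1" "$2" | base64 | tr -d '\n'
}

# Decode a captured response and print only the authentication identity,
# e.g. to confirm which account a test client actually presented.
sasl_plain_authcid() {
  printf '%s' "$1" | base64 -d | tr '\000' '\n' | sed -n '2p'
}

# Usage: the string to paste after "AUTH PLAIN" in the telnet session above.
# (Credentials are the constructed sample pair from this article.)
blob=$(sasl_plain_initial_response user1 password1)
echo "AUTH PLAIN $blob"
echo "decodes to account: $(sasl_plain_authcid "$blob")"
```

Paste the printed value on the line after `AUTH PLAIN`; a correct setup answers `235 2.7.0 Authentication successful`.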

For more secure storage than plaintext, you can use sasldb:

# -u sets the SASL realm; postconf -h prints the value of myhostname without the parameter name
sudo saslpasswd2 -c -u "$(postconf -h myhostname)" username
sudo chown postfix /etc/sasldb2
sudo chmod 660 /etc/sasldb2

Then configure Postfix to use sasldb by adding to main.cf:

smtpd_sasl_type = auxprop
smtpd_sasl_auxprop_plugin = sasldb
smtpd_sasl_path = sasldb2

First, ensure Postfix is installed on your Debian VPS. We'll be using saslpasswd2 from the Cyrus SASL package for credential management:

sudo apt-get update
sudo apt-get install postfix sasl2-bin libsasl2-modules

Create a directory for SASL credentials and set proper permissions:

sudo mkdir -p /etc/postfix/sasl
sudo chmod 750 /etc/postfix/sasl

Create the SASL password file and add your first user:

sudo saslpasswd2 -c -f /etc/postfix/sasl/sasldb2 -u [your-domain.com] username
# You'll be prompted to enter and confirm the password

Edit /etc/postfix/main.cf with these essential parameters:

# Enable SASL authentication
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

# Restrict relay to authenticated users only
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

# Enable TLS for security
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key

Create or modify /etc/postfix/sasl/smtpd.conf:

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN
sasldb_path: /etc/postfix/sasl/sasldb2

Verify your SASL authentication with this test command:

testsaslauthd -u username -p password -f /etc/postfix/sasl/sasldb2

Check Postfix SASL support with:

postconf -a

To list existing users:

sudo sasldblistusers2 -f /etc/postfix/sasl/sasldb2

To delete a user:

sudo saslpasswd2 -d username -f /etc/postfix/sasl/sasldb2

For production environments, consider these additional measures:

  • Implement proper TLS certificates (not self-signed)
  • Set stricter file permissions (0600 for sasldb2)
  • Consider using app-specific credentials rather than personal accounts
  • Regularly monitor authentication logs

If authentication fails, check these logs:

tail -f /var/log/mail.log
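Beyond tailing the log while debugging, the same file is what you audit for failed authentication attempts (the "regularly monitor authentication logs" items above). The script below is an added example, not from the original article; it runs on constructed sample lines in the format Postfix's smtpd uses for SASL failures and assumes only POSIX sh with grep, sed, sort, uniq and awk. It counts failures per client IP and lists the addresses that cross a threshold, which is the input you would feed to fail2ban or a firewall rule.

```shell
#!/bin/sh
# Constructed sample of /var/log/mail.log lines (not from a real server).
SAMPLE_MAIL_LOG=$(cat <<'EOF'
Mar  3 10:15:22 mail postfix/smtpd[2143]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Mar  3 10:15:24 mail postfix/smtpd[2143]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:15:30 mail postfix/smtpd[2143]: warning: unknown[203.0.113.5]: SASL PLAIN authentication failed: authentication failure
Mar  3 10:16:02 mail postfix/smtpd[2150]: warning: client.example.net[198.51.100.7]: SASL PLAIN authentication failed: authentication failure
Mar  3 10:16:40 mail postfix/smtpd[2151]: 4B2C1A0F3: client=app01.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=user1
EOF
)

# Read mail.log lines on stdin; print "<failures> <client-ip>" per address,
# most failures first. Successful logins (sasl_username=...) are ignored.
sasl_failures_by_ip() {
  grep 'SASL [A-Z-]* authentication failed' |
    sed -n 's/.*\[\([0-9a-fA-F.:]*\)\]: SASL .*/\1/p' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'
}

# Read mail.log lines on stdin; print only the IPs with at least $1 failures.
sasl_suspects() {
  sasl_failures_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Usage on the constructed sample; on a live host pipe in /var/log/mail.log instead.
printf '%s\n' "$SAMPLE_MAIL_LOG" | sasl_failures_by_ip
echo "addresses with 2+ failures:"
printf '%s\n' "$SAMPLE_MAIL_LOG" | sasl_suspects 2
```

The sed pattern relies on Postfix writing the client as `hostname[ip]:` right before `SASL`, so it works for both resolved and `unknown` clients and for IPv6 addresses.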

Common issues include:

  • Incorrect file permissions on sasldb2
  • Missing dependencies (libsasl2-modules)
  • Firewall blocking port 587 (submission)