
I'm trying to set up a mail server with Postfix/Dovecot for a learning experience. (This means you do not have to discourage me!!)

About two-thirds of the way through any guide, they just say "we're about to enable SASL authentication now". But I don't get where SASL fits into the setup.

I've drawn the following schema to visualize what I think email communication looks like (smtp and smtpd in the ellipses refer to the submodules of Postfix): three hosts and one client connecting to each other using various protocols, all SSL encrypted.

Why is SASL required? Postfix and Dovecot already encrypt their traffic with SSL, that's also why I pointed them to a valid Let's Encrypt certificate. What is SASL needed for and why does postfix need dovecot to provide it? (Note: I do understand however why postfix would need an external SASL provider like dovecot or Cyrus, so this question is not relevant to me.)

Please also correct this image, wherever it is wrong. I know this isn't a full picture of what is going on, but it should cover sufficient concepts to be useful.

Thank you!

TobTobXX

1 Answer


SASL (Simple Authentication and Security Layer) is a framework for authentication. SSL (TLS) is a framework of protocols that provide secure communications over a network. SSL (TLS) can provide authentication via client certificates. I am not aware of an email client (MUA) that supports certificate authentication.

The original design of SMTP allowed for email to arrive from anywhere and be forwarded anywhere. In the old days, we called email servers Store and Forward servers. However, today with the high prevalence of Spam and Phishing, allowing anyone to transfer email to an SMTP server is a bad idea. Blindly forwarding email (open relay) is also a bad idea.

Postfix uses SASL to provide authentication for mail clients (MUAs). This can be as simple as a username/password or one of many authentication services such as LDAP or Active Directory. SASL is the software that handles authentication on behalf of Postfix.

There are many providers of SASL software. The choice depends on your network design, authentication sources, design goals, etc. If your usernames are stored in Azure Active Directory, then you would select SASL software that supports Azure Active Directory. Another example is using MySQL to store your users. Once you have designed your network, the choice usually becomes fairly easy.

Postfix also implements other forms of authorization to determine if it should accept email from other SMTP servers. This is where network affinity (are you on an authorized network or IP address), Reverse DNS, SPF, DMARC, DKIM, etc are used.

SSL can be used to encrypt communications between SMTP servers and between the email client and the SMTP server. This provides secrecy but not authorization.

John Hanley
  • So the `mail.domain1.tld` server must fulfill the SASL authentication to be able to deliver his mail to my server via SMTP? Is this what I've specified with this: `smtpd_relay_restrictions=permit_sasl_authenticated,reject`? – TobTobXX Sep 06 '20 at 10:45
  • 1
    Typically no. SMTP servers use authorization (port number, IP address, Reverse DNS, etc) to determine if the connecting server is a legitimate SMTP server. This is one of the reasons ISPs block port 25. Your Postfix rule can impact the decision process. Note the word "relay" in the rule. If the other SMTP server fails the implied authorization then they are determined to be a relay. Your rule then rejects email from unauthenticated relays. Relays should connect on port 465 or 587 and authenticate which will then bypass your rule. – John Hanley Sep 06 '20 at 17:44
  • So SASL is only used to authenticate me to Dovecot when I (my MUA) get emails via IMAP and to Postfix if I (my MUA) send emails via SMTP. Connections from other servers (for incoming mail) are not authenticated, but directly authorized by Postfix itself. Am I getting it right? – TobTobXX Sep 06 '20 at 21:43
  • And the aforementioned exception: if other servers DO authenticate via SASL, they can relay through my server. – TobTobXX Sep 06 '20 at 21:46
  • 1
    SASL is normally used for clients (MUAs and relays) to authenticate. Postfix and Dovecot are two different services. The first handles email transmission (SMTP) and the other handles your mailboxes (POP3 and IMAP). You are mixing the two services together. For your second comment, yes, if you provide credentials to another system, they can log in and send email via your SMTP server. – John Hanley Sep 06 '20 at 23:19
  • Note: you don't log in via SASL. SASL is a framework and not an authentication method. Authentication is usually username/password. These credentials are stored somewhere (passwd file, MySQL, LDAP, etc.). Various SASL libraries can talk to specific `Identity Providers` to verify that your credentials are correct. – John Hanley Sep 06 '20 at 23:21
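The two mechanisms the answer and the comments keep apart, as an added example (this is not code from the original post, nor Postfix or Dovecot source): first, the SASL PLAIN exchange a mail client performs on the submission port, where the server decodes the credentials and checks them against a password store (here a constructed in-memory table standing in for Dovecot's passdb); second, a simplified evaluator for the Postfix `smtpd_relay_restrictions` list, walked left to right with the first `PERMIT`/`REJECT`/`DEFER` winning and an exhausted list permitting, run against both the Postfix default list and the `permit_sasl_authenticated, reject` rule from the comments. The domains, networks, user and IP addresses are all assumptions made up for the example; nothing is read from a real configuration.

```python
"""Added example: SASL PLAIN on the submission port, then smtpd_relay_restrictions.

Part 1 follows RFC 4616: the client sends "AUTH PLAIN " + base64(authzid NUL
authcid NUL password); the server decodes and verifies it.
Part 2 models only the Postfix restrictions used below (permit_mynetworks,
permit_sasl_authenticated, reject/defer_unauth_destination, reject).
All users, domains and addresses are constructed for the example.
"""
import base64
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional

USERS = {"alice@example.org": "correct horse battery staple"}  # constructed passdb
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]
MYDESTINATION = {"example.org", "mail.example.org"}  # domains we accept mail for

def sasl_plain_initial_response(authzid: str, authcid: str, password: str) -> str:
    """Client side: build the AUTH PLAIN command with an initial response."""
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return "AUTH PLAIN " + base64.b64encode(raw).decode("ascii")

def sasl_plain_verify(auth_line: str, users=USERS) -> Optional[str]:
    """Server side: decode the initial response and verify it against the
    password store. Returns the authenticated identity, or None on failure."""
    prefix = "AUTH PLAIN "
    if not auth_line.startswith(prefix):
        return None
    try:
        raw = base64.b64decode(auth_line[len(prefix):], validate=True)
        _authzid, authcid, password = raw.decode("utf-8").split("\0")
    except (ValueError, UnicodeDecodeError):  # bad base64 or wrong field count
        return None
    expected = users.get(authcid)
    if expected is None:
        return None
    # Constant-time comparison; a real backend compares against a password hash.
    if not hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8")):
        return None
    return authcid

@dataclass
class Session:
    client_ip: str
    sasl_username: Optional[str]  # set only after a successful AUTH
    rcpt_domain: str              # domain part of the RCPT TO address

def evaluate(restrictions: str, s: Session) -> str:
    """Walk the restriction list the way Postfix does and return the verdict."""
    local = s.rcpt_domain in MYDESTINATION
    for r in (x.strip() for x in restrictions.split(",")):
        if r == "permit_mynetworks":
            ip = ipaddress.ip_address(s.client_ip)
            if any(ip in net for net in MYNETWORKS):
                return "PERMIT"
        elif r == "permit_sasl_authenticated":
            if s.sasl_username:
                return "PERMIT"
        elif r == "reject_unauth_destination":
            if not local:
                return "REJECT"   # 554 Relay access denied
        elif r == "defer_unauth_destination":
            if not local:
                return "DEFER"    # 454 Relay access denied, sender retries later
        elif r == "reject":
            return "REJECT"
        else:
            raise ValueError(f"restriction not modelled: {r}")
    return "PERMIT"  # end of list reached without a decision

DEFAULT = "permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination"
ASKED = "permit_sasl_authenticated, reject"  # the rule from the comments above

def scenarios() -> dict:
    """Three kinds of client against both restriction lists."""
    line = sasl_plain_initial_response("", "alice@example.org", USERS["alice@example.org"])
    user = sasl_plain_verify(line)                           # "alice@example.org"
    mua = Session("203.0.113.10", user, "gmail.com")         # authenticated MUA sending out
    inbound = Session("198.51.100.20", None, "example.org")  # remote MTA delivering to us
    relay = Session("198.51.100.20", None, "gmail.com")      # remote MTA abusing us as relay
    return {
        "mua_default": evaluate(DEFAULT, mua),
        "inbound_default": evaluate(DEFAULT, inbound),
        "relay_default": evaluate(DEFAULT, relay),
        "mua_asked": evaluate(ASKED, mua),
        "inbound_asked": evaluate(ASKED, inbound),
        "relay_asked": evaluate(ASKED, relay),
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:16} {verdict}")
```

Two things the run makes visible. The base64 in the `AUTH PLAIN` line is an encoding, not encryption: the credentials are readable by anyone on the path, which is why SASL PLAIN belongs inside the TLS session (Postfix's `smtpd_tls_auth_only = yes` and Dovecot's `disable_plaintext_auth = yes` enforce exactly that). And `inbound_asked` comes out `REJECT`: a list consisting only of `permit_sasl_authenticated, reject` also refuses unauthenticated remote MTAs delivering mail for your own domain, whereas the Postfix default list ends in `defer_unauth_destination`, which only acts when the recipient domain is not local, so inbound mail falls through to permit while relay attempts are deferred.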