
I'm trying to set up postfix to handle several domains as aliases, with an SMTP server accepting incoming mails from these domains with sasldb authentication. The documentation looks quite old, and many information sources contradict each other, so I'm looking for clarification on some configuration items and for help solving my non-working sasldb authentication. My OS is Debian 8.

First, what is this smtpd.conf file, which contains:

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN

and where does it go? I could find three different paths in various tutorials, /usr/lib/sasl2/smtpd.conf, /etc/sasl2/smtpd.conf and /etc/postfix/sasl/smtpd.conf. How can we know which one is used? There is a configuration variable smtpd_sasl_path but its documentation is as good as non-existent, how is it related to the actual configuration? There was a previous question about this variable that didn't really help understanding.

I have put this file at the three locations, and in the list of authentication methods given by the smtpd, I still get 250-AUTH DIGEST-MD5 NTLM CRAM-MD5 PLAIN LOGIN.

What is the realm of saslpasswd2? Is it different to use john@doe.com as the username rather than john with -u doe.com? Can we just use a complete email address as the username in the authentication process? Apparently yes, according to this comment, but I still don't understand what the realm is. Finally, how does that relate to smtpd_sasl_local_domain, especially in a multiple virtual domain alias configuration? It seems to accept an empty value, which is what I did.

For sasldb authentication, is it required to use saslauthd? I've read here and there that postfix is able to use the sasldb without installing saslauthd, while other people and the official documentation indicate that it is required. What's the correct answer?

For a virtual domain alias server that manages several domains, which value should be used for myorigin, myhostname and mydestination? Is localhost.localdomain alright if we assume that the mail clients will be configured with the proper domain completion? How does that relate to the actual machine's hostname?

Below is my current postfix configuration. I have added users with saslpasswd2, and I always have an authentication failure, no matter which realm and username with or without domain I put. I can see the list of users with sasldblistusers2, and I have moved the sasldb2 file in postfix's chroot (/var/spool/postfix/etc/sasldb2) as indicated here.

saslfinger - postfix Cyrus sasl configuration Wed Dec  2 11:59:11 CET 2015
version: 1.0.4
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.11.3
System: Debian GNU/Linux 8 \n \l

-- smtpd is linked to --
    libsasl2.so.2 => /usr/lib/x86_64-linux-gnu/libsasl2.so.2 (0x00007fb6d84b9000)

-- active SMTP AUTH and TLS parameters for smtpd --
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = sasl2/smtpd.conf
smtpd_sasl_security_options = noanonymous
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache


-- listing of /usr/lib/sasl2 --
total 20
drwxr-xr-x  2 root root 4096 Nov 30 00:12 .
drwxr-xr-x 44 root root 4096 Nov 14 23:39 ..
-rw-r--r--  1 root root    4 Nov 28 21:15 berkeley_db.active
-rw-r--r--  1 root root    4 Sep 25 10:54 berkeley_db.txt
-rw-r--r--  1 root root   70 Nov 30 00:12 smtpd.conf

-- listing of /etc/sasl2 --
total 12
drwxr-xr-x  2 root root 4096 Nov 30 00:41 .
drwxr-xr-x 77 root root 4096 Nov 30 01:19 ..
-rw-r--r--  1 root root   70 Nov 29 23:22 smtpd.conf

-- listing of /etc/postfix/sasl --
total 12
drwxr-xr-x 2 root root 4096 Nov 30 00:41 .
drwxr-xr-x 3 root root 4096 Nov 30 01:18 ..
-rw-r--r-- 1 root root   70 Nov 30 00:41 smtpd.conf




-- content of /usr/lib/sasl2/smtpd.conf --
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN

-- content of /etc/sasl2/smtpd.conf --
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN

-- content of /etc/postfix/sasl/smtpd.conf --
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN

-- content of /etc/postfix/sasl/smtpd.conf --
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: PLAIN LOGIN


-- active services in /etc/postfix/master.cf --
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
pickup    unix  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
retry     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix      -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}

-- mechanisms on localhost --
250-AUTH DIGEST-MD5 NTLM CRAM-MD5 PLAIN LOGIN^M


-- end of saslfinger output --

Given the time I lost trying to get a proper configuration, I'll try to make an up-to-date tutorial with correct explanations in it. => DONE

Thank you for reading me, and for the answers to come.

6trouille

2 Answers

what is this smtpd.conf file, that contains ... and where does it go?

First, there are configuration options in Postfix which specify where this file has to be (if using Cyrus SASL) and how it should be named. Those options are:

smtpd_sasl_path = smtpd
cyrus_sasl_config_path = /etc/sasl2/

Postfix combines them and sends them to Cyrus SASL as /etc/sasl2/smtpd.conf

Finally, how does that relate to the smtpd_sasl_local_domain, especially in a multiple virtual domain alias configuration?

To my knowledge, it is used as the default domain for users who supply no domain name.

For a virtual domain alias server that manages several domains, which value should be used for myorigin, myhostname and mydestination?

Do as you wish. I prefer to set them all (and smtpd_sasl_local_domain) to the system hostname, so email generated on this host is always shown as coming from that host. This helps to build a redundant system with a backup MX, which will have the same set of virtual domains but a different system name, so I can always differentiate the hosts.

You can ask for more; I certainly didn't cover every aspect of these questions. And, of course, Postfix has excellent documentation with almost everything covered.

Nikita Kipriyanov

Thanks a lot for your help! I understand much better now. I still have an open question in the original post: Why is the mech_list from smtpd.conf not reflected in the list of methods in the AUTH SMTPD command? – 6trouille Dec 24 '15 at 18:06

http://www.postfix.org/SASL_README.html should be your first reference rather than serverfault pages. Go for the pages here for more specific points if needed, but the docs on the postfix site are generally pretty good. As that page says,

Postfix does not implement SASL itself, but instead uses existing implementations as building blocks. This means that some SASL-related configuration files will belong to Postfix, while other configuration files belong to the specific SASL implementation that Postfix will use. This document covers both the Postfix and non-Postfix configuration.

You don't seem to have configured smtpd_sasl_application_name (and that's in effect rather than smtpd_sasl_type due to your older version of postfix), so the default Cyrus SASL is presumably in effect. The value you have in smtpd_sasl_path is passed to the Cyrus SASL library, and presumably interpreted relative to its base path. I imagine that you are using Cyrus SASL 2.x, but have used 1.x in the past, and have left over config files. I may be wrong though given your version of postfix. Check that. Also, take a look at which packages are actually installed.

smtpd_sasl_path = sasl2/smtpd.conf is almost certainly wrong.

mc0e

`smtpd_sasl_application_name` is deprecated since 2.3 and replaced by `smtpd_sasl_path`. My version of postfix is 2.11.3, I think you misread. And indeed, the path was wrong, thanks! Oh and you're right, I totally overlooked the [SASL README sasldb part](http://www.postfix.org/SASL_README.html#auxprop_sasldb) which is very helpful. I'll make a longer reply soon. – 6trouille Dec 17 '15 at 01:07
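Pulling the two answers together (smtpd_sasl_path is a bare application name that Cyrus turns into <name>.conf under its config directory, and an EHLO AUTH line that advertises more than mech_list is the tell-tale that the file is not being read), here is an added check script that is not part of either answer or of Postfix. The /etc/sasl2/ fallback directory is an assumption, and the sample inputs are constructed from the question's settings.

```python
import os

# Constructed samples mirroring the question's settings (not from a live system).
SAMPLE_MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = sasl2/smtpd.conf
smtpd_sasl_security_options = noanonymous
smtpd_tls_security_level = may
"""
SAMPLE_SMTPD_CONF = "pwcheck_method: auxprop\nauxprop_plugin: sasldb\nmech_list: PLAIN LOGIN\n"
SAMPLE_EHLO_AUTH = "250-AUTH DIGEST-MD5 NTLM CRAM-MD5 PLAIN LOGIN"


def parse_kv(text, sep):
    """Parse 'key<sep>value' lines (postconf -n output, or a Cyrus *.conf) into a dict."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or sep not in line:
            continue
        key, _, value = line.partition(sep)
        out[key.strip()] = value.strip()
    return out


def expected_conf_file(main_cf, default_dir="/etc/sasl2/"):
    """Path Cyrus will open: cyrus_sasl_config_path + smtpd_sasl_path + '.conf'.
    default_dir is an assumed fallback for when cyrus_sasl_config_path is unset."""
    base = main_cf.get("cyrus_sasl_config_path") or default_dir
    return os.path.join(base, main_cf.get("smtpd_sasl_path", "smtpd") + ".conf")


def lint(main_cf_text, smtpd_conf_text, ehlo_auth_line):
    """Return a list of findings about the SASL setup; empty list means nothing flagged."""
    main_cf = parse_kv(main_cf_text, "=")
    sasl_conf = parse_kv(smtpd_conf_text, ":")
    findings = []
    app = main_cf.get("smtpd_sasl_path", "smtpd")
    if "/" in app or app.endswith(".conf"):
        findings.append("smtpd_sasl_path must be a bare application name (e.g. smtpd): "
                        "Cyrus appends .conf itself, so %s is looked up" % expected_conf_file(main_cf))
    wanted = set(sasl_conf.get("mech_list", "").upper().split())
    offered = set(ehlo_auth_line.upper().split()[1:])  # drop the '250-AUTH' token
    if wanted and not offered <= wanted:
        findings.append("server advertises %s beyond mech_list: smtpd.conf is not being read"
                        % " ".join(sorted(offered - wanted)))
    if offered & {"PLAIN", "LOGIN"} and main_cf.get("smtpd_tls_security_level") != "encrypt" \
            and "noplaintext" not in main_cf.get("smtpd_sasl_security_options", ""):
        findings.append("PLAIN/LOGIN offered without mandatory TLS: use smtpd_tls_security_level=encrypt "
                        "on submission, or noplaintext in smtpd_sasl_security_options")
    return findings
```

Run it with the fixed values (smtpd_sasl_path = smtpd, cyrus_sasl_config_path = /etc/sasl2/) and the first two findings disappear; the TLS finding stays until the submission service requires encryption.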