Search code examples
emailpostfix-mtasasldovecot

SASL in postfix/dovecot setup: Where is it used?

I'm trying to setup a mailserver with Postfix/Dovecot for a learning experience. (This means you do not have to discurage me!!)

Towards 2/3 of any guides they just say "we're about to enable SASL authentication now". But I don't get where SASL fits into the setup.

I've drawn the following schema to visualize what I think Email communication looks like (smtp and smtpd in the ellipses refer to the submodules of postfix): three hosts and one client connecting to each other using various protocols, all SSL encrypted.

Why is SASL required? Postfix and Dovecot already encrypt their traffic with SSL, that's also why I pointed them to a valid Let's Encrypt certificate. What is SASL needed for and why does postfix need dovecot to provide it? (Note: I do understand however why postfix would need an external SASL provider like dovecot or Cyrus, so this question is not relevant to me.)

Please also correct this image, wherever it is wrong. I know this isn't a full picture of what is going on, but it should cover sufficient concepts to be useful.

Thank you!

Solution

  • SASL (Simple Authentication and Security Layer) is a framework for authentication. SSL (TLS) is a framework of protocols that provide secure communications over a network. SSL (TLS) can provide authentication via client certificates. I am not aware of an email client (MUA) that supports certificate authentication.

    The original design of SMTP allowed for email to arrive from anywhere and be forwarded anywhere. In the old days, we called email servers Store and Forward servers. However, today with the high prevalence of Spam and Phishing, allowing anyone to transfer email to an SMTP server is a bad idea. Blindly forwarding email (open relay) is also a bad idea.

    Postfix uses SASL to provide authentication for mail clients (MUAs). This can be as simple as a username/password or one of many authentication services such as LDAP or Active Directory. SASL is the software that handles authentication on behalf of Postfix.

    There are many providers of SASL software. The choice depends on your network design, authentication sources, design goals, etc. If your usernames are stored in Azure Active Directory, then you would select SASL software that supports Azure Active Directory. Another example is using MySQL to store your users. Once you design your network, the choice becomes fairly easy usually.

    Postfix also implements other forms of authorization to determine if it should accept email from other SMTP servers. This is where network affinity (are you on an authorized network or IP address), Reverse DNS, SPF, DMARC, DKIM, etc are used.

    SSL can be used to encrypt communications between SMTP servers and between the email client and the SMTP server. This provides secrecy but not authorization.