
How to set up a Postfix relay with SASL, TLS, Postgrey, and ClamAV


You want a Postfix server that does greylisting using postgrey, scans incoming mail using ClamAV, and that can relay mail when users authenticate with SASL over TLS. You want to fight spam as best as you can, also.


There are many guides that claim to solve this for you, but none of them were enough to get it to work on Ubuntu 9.10 (Karmic Koala), mostly because I couldn't get saslauthd to work. It seems to be broken out of the box as it tries to use PAM.

Install packages

Install packages:

$ sudo aptitude install postfix sasl2-bin clamsmtp clamav-freshclam postgrey

Postfix on the server

Here are the salient details from /etc/postfix/ Note that there are some bonus spam-fighting measures in smtpd_recipient_restrictions.
# TLS setup
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.pem
smtpd_tls_loglevel = 1


# Optional, if you want this postfix to use TLS when acting as a client
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes

# SASL setup
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes

# Three changes to smtpd_recipient_restrictions:
# - "permit_sasl_authenticated" to relay for SASL-authenticated clients
# - "sleep 5" to slow down spammers; see
# - "reject_rbl_client" for spam filtering
# - "check_policy_service ..." for postgrey
smtpd_recipient_restrictions = permit_sasl_authenticated
                               sleep 5
                               check_policy_service inet:

# ClamAV setup
content_filter = scan:
receive_override_options = no_address_mappings
Then restart postfix:
$ sudo /etc/init.d/postfix restart


Follow the steps in /usr/share/doc/postgrey/README.Debian; see above for the salient details in /etc/postfix/


Follow the steps in the guide "Virus filtering with Postfix and ClamAV in 4 steps".


Following the instructions, create the SSL certificate:
$ sudo mkdir -p /etc/postfix/ssl/
$ sudo openssl req -new -x509 -nodes -out /etc/postfix/ssl/smtpd.pem -keyout /etc/postfix/ssl/smtpd.pem -days 3650
And set some smtpd_* variables; see above for the salient details in /etc/postfix/


Debian's packaging of postfix does not play nice with saslauthd for reasons explained in /usr/share/doc/sasl2-bin/README.Debian.gz. Add user postfix to the sasl group, so it can contact the daemon:
$ sudo adduser postfix sasl
Adding user `postfix' to group `sasl' ...
Adding user postfix to group sasl
Then, stop saslauthd:
$ sudo /etc/init.d/saslauthd stop
You need to modify /etc/default/saslauthd as follows:
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
Then restart saslauthd.
$ sudo /etc/init.d/saslauthd restart
Add the SASL user that should be allowed to relay, for example "relay-user", and make up a password.
$ sudo saslpasswd2 -c -u `postconf -h myhostname` relay-user
Again (for verification):
Check that the user is there:
$ sudo sasldblistusers2 userPassword
Test authentication:
$ sudo testsaslauthd -u relay-user -p password -s smtp -r `postconf -h myhostname` -f /var/spool/postfix/var/run/saslauthd/mux
0: OK "Success."
If it fails, run saslauthd by hand, try testsaslauthd again, and see what the problem is.
$ sudo /etc/init.d/saslauthd stop
$ sudo /usr/sbin/saslauthd -a pam -c -m /var/spool/postfix/var/run/saslauthd -n 5 -d
saslauthd[10419] :main            : num_procs  : 5
saslauthd[10419] :main            : mech_option: NULL
Tell postfix how to SASL authenticate by creating /etc/postfix/sasl/smtpd.conf:
$ sudo mkdir -p /etc/postfix/sasl/
$ sudo bash -c "cat > /etc/postfix/sasl/smtpd.conf"
pwcheck_method: saslauthd
mech_list: plain login
(Hit ctrl-d after copy/pasting those two lines.) For good measure, after all this, restart postfix again.
$ sudo /etc/init.d/postfix restart
and keep an eye on its log files:
$ sudo tail -f /var/log/mail.err /var/log/ /var/log/mail.log
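
As an added example (not part of the original page), this Python check parses main.cf-style text, including continuation lines like those in smtpd_recipient_restrictions above, and flags settings that would let the PLAIN and LOGIN mechanisms from smtpd.conf be used outside TLS. The sample config is constructed; smtpd_tls_auth_only, smtpd_enforce_tls and reject_unauth_destination are standard Postfix names that the listing above does not show, and the checks assume relay control lives in smtpd_recipient_restrictions, as on this page.

```python
import re

# Constructed sample in main.cf syntax, modelled on the server listing above.
SAMPLE_MAIN_CF = """\
smtpd_use_tls = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated
                               sleep 5
                               reject_unauth_destination
"""

def parse_main_cf(text):
    """Return {parameter: value}. A line starting with whitespace continues the
    previous parameter; the last definition of a parameter wins."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank and comment lines do not end a continuation
        if line[0] in " \t" and current:
            params[current] += " " + line.strip()
            continue
        name, sep, value = line.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params

def audit(params):
    """Return findings; the checks are this example's choice, not Postfix output."""
    def is_yes(key):
        return params.get(key, "no").lower() == "yes"
    def words(key, default=""):
        return re.split(r"[,\s]+", params.get(key, default).strip())
    findings = []
    enforced = params.get("smtpd_tls_security_level") == "encrypt" or is_yes("smtpd_enforce_tls")
    if is_yes("smtpd_sasl_auth_enable"):
        if not (is_yes("smtpd_tls_auth_only") or enforced):
            findings.append("smtpd_tls_auth_only is not yes: AUTH is accepted without TLS")
        if "noanonymous" not in words("smtpd_sasl_security_options", "noanonymous"):
            findings.append("smtpd_sasl_security_options lacks noanonymous")
        if "permit_sasl_authenticated" not in words("smtpd_recipient_restrictions"):
            findings.append("authenticated clients are not permitted to relay")
    if "reject_unauth_destination" not in words("smtpd_recipient_restrictions"):
        findings.append("smtpd_recipient_restrictions lacks reject_unauth_destination")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_main_cf(SAMPLE_MAIN_CF))))
```

Appending "smtpd_tls_auth_only = yes" to the sample clears the one finding it reports.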

Postfix on the client

On the client, install postfix also. Here are the salient details from the client's /etc/postfix/
relayhost =
#smtp_use_tls = yes
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/smtp_auth
Create /etc/postfix/smtp_auth:
relay-user:password
Run postmap on smtp_auth:
$ sudo postmap /etc/postfix/smtp_auth
For good measure, after all this, restart postfix again.
$ sudo /etc/init.d/postfix restart
and keep an eye on its log files:
$ sudo tail -f /var/log/mail.err /var/log/ /var/log/mail.log
Copyright © 1994-2011 by Thomer M. Gil
Updated: 2009/12/17