Chapter 12. SASL Authentication
The basic SMTP protocol does not provide a mechanism to authenticate users. Since email envelope addresses are so easy to fake, you can’t know who is sending mail to your server unless you have a reliable means to authenticate clients. To allow mail relay privileges on your server, you need assurance that senders are who they claim to be, and you cannot rely on the senders’ email addresses as identification. In this chapter, we look at using the Simple Authentication and Security Layer (SASL) as a means to control mail relaying and generally to identify who is using your mail server.
You might want to provide access to individuals using your mail server as their SMTP server, or to other MTAs that relay through your system. We’ll also look at configuring Postfix to provide its own credentials to other MTAs that may require authentication before permitting email delivery or relaying. Chapter 4 discusses the mail relay problem in general, and some other solutions to consider.
Because you lock down your mail servers to prevent unauthorized relaying, some of your users might have trouble sending email when they are not on your network. If you have users that travel with laptops, for example, they will likely connect through a nearby ISP and get an IP address from its dial-up pool. Or perhaps you have users that work from home. In any case, whenever you don’t know what users’ IP addresses will be, SASL can provide the means to reliably identify them.