Setup Cyrus SASL with LDAP

Intro

Although Dovecot provides it’s own SASL, I opted for Cyrus SASL. It is fairly simple to configure both, but in this post I will demonstrate what worked for me.

/etc/saslauthd.conf

ldap_servers: ldap://ldap.example.net
ldap_version: 3
ldap_search_base: ou=Mail,dc=example,dc=net
ldap_scope: sub
ldap_filter: (&(uid=%u)(mailEnabled=TRUE))
ldap_auth_method: bind
ldap_timeout: 10
ldap_time_limit: 10

For LDAP authentication the above options worked in my environment. To use the mailEnabled attribute make sure postfix-book.schema is loaded into your LDAP implementation like OpenLDAP. With this we’re basically saying users who have Enabled accounts are allowed to authenticate.

/etc/conf.d/saslauthd

SASLAUTHD_OPTS="-a ldap"

/usr/lib/sasl2/smtpd.conf

pwcheck_method: saslauthd
mech_list: plain
log_level: 7

Once everything is in place a simple systemctl restart saslauthd is all that is needed. You should now be able to add your LDAP account credentials to any mail application’s SMTP settings.