AK // SYS LOG

A technical blog covering systems administration, IT infrastructure, site reliability engineering, homelab architecture, self-hosting, automation, and practical security workflows.

8 September 2016 · Updated 13 June 2026

Setup Cyrus SASL with LDAP


Although Dovecot can provide SASL for Postfix perfectly well, I went with Cyrus SASL in this stack. At the time I wanted the auth layer decoupled and Cyrus SASL was a familiar path. It worked. It also added one more moving part, which is exactly why I would be much more selective about this choice now.

What this was solving

The goal was simple: allow SMTP authentication against LDAP so users could send mail through Postfix with their directory credentials. In my environment, the same LDAP record that controlled mailbox access also controlled whether SMTP auth should succeed.

That is why the mailEnabled attribute shows up in the LDAP filter. It was a clean access gate.

saslauthd LDAP configuration

The real work happened in /etc/saslauthd.conf:

ldap_servers: ldap://ldap.example.net
ldap_version: 3
ldap_search_base: ou=Mail,dc=example,dc=net
ldap_scope: sub
ldap_filter: (&(uid=%u)(mailEnabled=TRUE))
ldap_auth_method: bind
ldap_timeout: 10
ldap_time_limit: 10

The important part is the filter:

(&(uid=%u)(mailEnabled=TRUE))

That says: find the user by uid, and only allow auth if the mail account is enabled. That matched how I ran the rest of the mail stack. Flip mailEnabled to FALSE and the account effectively stops being useful for mail without deleting the record itself.

To use mailEnabled, the schema backing your LDAP records needs to actually define it. In my case that came from postfix-book.schema.
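As an added illustration (not Cyrus SASL's own code), the following Python model reproduces what the saslauthd.conf above asks for with ldap_auth_method: bind: expand %u into the filter with RFC 4515 escaping, search for exactly one entry under the search base, and then bind as that DN. The directory entries, passwords and the plain-text password comparison are constructed stand-ins so it runs offline; a real DSA would hold hashed userPassword values.

```python
import re

# Values from the saslauthd.conf above
SEARCH_BASE = "ou=Mail,dc=example,dc=net"
FILTER = "(&(uid=%u)(mailEnabled=TRUE))"

# Constructed stand-in for the directory (not real accounts)
DIRECTORY = {
    "uid=alice,ou=Mail,dc=example,dc=net": {"uid": "alice", "mailEnabled": "TRUE", "userPassword": "correct horse"},
    "uid=bob,ou=Mail,dc=example,dc=net": {"uid": "bob", "mailEnabled": "FALSE", "userPassword": "hunter2"},
}

def escape_filter_value(value):
    """Escape a value for use inside an LDAP filter (RFC 4515) so a login name cannot alter the filter."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)

def unescape_filter_value(value):
    """Reverse RFC 4515 escaping when comparing an assertion against stored attributes."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def build_filter(template, username):
    """Expand %u in the saslauthd filter template with the escaped login name."""
    return template.replace("%u", escape_filter_value(username))

def ldap_search(directory, base, filt):
    """Return DNs under base whose attributes satisfy every (attr=value) term of a simple AND filter."""
    terms = [(a, unescape_filter_value(v)) for a, v in re.findall(r"\((\w+)=([^()]*)\)", filt)]
    return [dn for dn, attrs in directory.items()
            if dn.endswith(base) and all(attrs.get(a) == v for a, v in terms)]

def ldap_bind(directory, dn, password):
    """Simulate a simple bind: succeeds only if the DN exists and the password matches."""
    entry = directory.get(dn)
    return entry is not None and entry["userPassword"] == password

def saslauthd_check(directory, username, password):
    """Search-then-bind: require exactly one entry matching the filter, then bind as it."""
    matches = ldap_search(directory, SEARCH_BASE, build_filter(FILTER, username))
    if len(matches) != 1:
        return False  # zero or ambiguous matches never grant access in this model
    return ldap_bind(directory, matches[0], password)

if __name__ == "__main__":
    print(build_filter(FILTER, "alice"))
    print(saslauthd_check(DIRECTORY, "alice", "correct horse"))  # enabled account, right password
    print(saslauthd_check(DIRECTORY, "bob", "hunter2"))          # mailEnabled FALSE, gate closes
```

The bob case is the mailEnabled gate from the text: the bind would succeed, but the search never returns his entry, so auth fails without touching the record.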

Telling saslauthd to use LDAP

On the system side I pointed saslauthd at LDAP with:

SASLAUTHD_OPTS="-a ldap"

Depending on the distro, the file holding this setting may live in a different place now, but the intent is the same: the auth daemon needs to know which backend it should ask.

Telling Postfix to use saslauthd

Then /usr/lib/sasl2/smtpd.conf looked like this:

pwcheck_method: saslauthd
mech_list: plain
log_level: 7

That tells Postfix’s SMTP daemon to hand auth checks off to saslauthd. In other words, Postfix does not talk to LDAP directly here. Cyrus SASL does.

Restart and test

Once everything is in place:

systemctl restart saslauthd
systemctl restart postfix

At that point a mail client should be able to use its LDAP-backed credentials for SMTP auth.

If it does not work, the usual problem is one of these:

This is one of those setups where logs matter more than theory. Watch the auth and mail logs while testing a real client login.

What I would do now

The broad auth pattern is still understandable, but if I were building a Postfix stack now I would think very carefully before adding Cyrus SASL unless there was a specific reason. Dovecot SASL usually makes more sense in a modern self-hosted mail stack because it removes an extra layer and keeps the mailbox auth logic closer to the rest of the mail system.

So yes, this worked. It was valid. It just belongs to a generation of mail stack design where adding another daemon felt normal. These days I would default to fewer moving parts.
