Setup Cyrus SASL with LDAP
Intro
Although Dovecot provides its own SASL, I opted for Cyrus SASL. It is fairly simple to configure both, but in this post I will demonstrate what worked for me.
/etc/saslauthd.conf
ldap_servers: ldap://ldap.example.net
ldap_version: 3
ldap_search_base: ou=Mail,dc=example,dc=net
ldap_scope: sub
ldap_filter: (&(uid=%u)(mailEnabled=TRUE))
ldap_auth_method: bind
ldap_timeout: 10
ldap_time_limit: 10
For LDAP authentication the above options worked in my environment. To use the mailEnabled attribute, make sure postfix-book.schema is loaded into your LDAP server (for example OpenLDAP). With this filter we are saying that only users whose account has mailEnabled set to TRUE are allowed to authenticate; with ldap_auth_method set to bind, saslauthd first searches for the entry matching the filter and then verifies the password by binding as that entry's DN.
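To make the search-then-bind flow concrete, here is an added example (my own code, not part of the original post or of Cyrus SASL): it parses the saslauthd.conf above, expands %u in ldap_filter with the username escaped according to RFC 4515, looks for exactly one matching entry, and only then checks the password the way a bind would. The directory is a constructed in-memory dict standing in for OpenLDAP, and the hypothetical accounts alice (enabled) and bob (disabled) exist only for this demonstration.

```python
import hmac
import re

# Constructed copy of the /etc/saslauthd.conf shown above.
CONFIG_TEXT = """\
ldap_servers: ldap://ldap.example.net
ldap_version: 3
ldap_search_base: ou=Mail,dc=example,dc=net
ldap_scope: sub
ldap_filter: (&(uid=%u)(mailEnabled=TRUE))
ldap_auth_method: bind
ldap_timeout: 10
ldap_time_limit: 10
"""

# Constructed stand-in for the ou=Mail subtree; passwords are plain here only
# because the real verification happens inside the LDAP server during bind.
DIRECTORY = {
    "uid=alice,ou=Mail,dc=example,dc=net": {"uid": "alice", "mailEnabled": "TRUE", "userPassword": "alice-pw"},
    "uid=bob,ou=Mail,dc=example,dc=net": {"uid": "bob", "mailEnabled": "FALSE", "userPassword": "bob-pw"},
}

# Characters that must be escaped inside an LDAP filter value (RFC 4515).
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def parse_config(text):
    """Parse saslauthd's 'key: value' format, ignoring blanks and comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        cfg[key.strip()] = value.strip()
    return cfg


def escape_filter_value(value):
    """Escape a username so it is matched literally inside the filter."""
    return "".join(ESCAPES.get(c, c) for c in value)


def expand_filter(template, username):
    """Substitute %u the way saslauthd does, with the value escaped."""
    return template.replace("%u", escape_filter_value(username))


def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(s, pos=0):
    """Tiny parser for the subset of RFC 4515 used here: AND lists and equality."""
    if s[pos] != "(":
        raise ValueError("expected '(' at %d" % pos)
    pos += 1
    if s[pos] == "&":
        pos += 1
        items = []
        while s[pos] == "(":
            node, pos = parse_filter(s, pos)
            items.append(node)
        if s[pos] != ")":
            raise ValueError("unterminated AND at %d" % pos)
        return ("and", items), pos + 1
    end = s.index(")", pos)  # escaped parens are \28/\29, so this is the real close
    attr, _, value = s[pos:end].partition("=")
    return ("eq", attr, unescape(value)), end + 1


def matches(node, entry):
    if node[0] == "and":
        return all(matches(n, entry) for n in node[1])
    _, attr, value = node
    return entry.get(attr) == value


def authenticate(cfg, username, password, directory=DIRECTORY):
    """Model of saslauthd's 'bind' method: search with the filter, require exactly
    one hit under the search base, then bind as that DN with the password."""
    if cfg.get("ldap_auth_method") != "bind":
        raise ValueError("this example only models ldap_auth_method: bind")
    node, _ = parse_filter(expand_filter(cfg["ldap_filter"], username))
    base = cfg["ldap_search_base"]
    hits = [dn for dn, e in directory.items() if dn.endswith(base) and matches(node, e)]
    if len(hits) != 1:
        return False
    # The bind step: the LDAP server checks the credential; compared in constant time here.
    return hmac.compare_digest(directory[hits[0]]["userPassword"], password)


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    for user, pw in [("alice", "alice-pw"), ("alice", "wrong"), ("bob", "bob-pw"), ("*", "x")]:
        print(user, pw, authenticate(cfg, user, pw))
```

The disabled account bob fails even with the right password because the filter never returns its entry, and a username of `*` is escaped to `\2a` so it cannot widen the search to every uid.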
/etc/conf.d/saslauthd
SASLAUTHD_OPTS="-a ldap"
/usr/lib/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: plain
log_level: 7
Once everything is in place, a simple systemctl restart saslauthd is all that is needed. You should now be able to add your LDAP account credentials to any mail application's SMTP settings.