In this configuration the Postfix service uses the SASL server to provide authentication. The SASL service then uses the PAM configuration and the System Security Services Daemon (SSSD) to provide authentication and authorization. SSSD uses the OS authentication and authorization database (files) and connections to an RFC 2307 LDAP service.
If you need an SMTP server with user accounts that are provided by an LDAP Directory using the system PAM stack with SSSD:
Ensure the following packages are installed:
cyrus-sasl cyrus-sasl-lib cyrus-sasl-plain postfix
The following settings are required in the Postfix main.cf file for SASL authentication to function:
smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
smtpd_sasl_security_options = noanonymous
smtpd_sasl_auth_enable = yes
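As an added check, not part of the original page, the following Python parses a main.cf fragment (the same settings as above, embedded as a constructed sample) and verifies that SASL is enabled, anonymous mechanisms are refused, and the recipient restrictions let authenticated clients relay while still rejecting unauthenticated relaying; the function and parameter names are my own.

```python
import re

# Constructed sample main.cf fragment (not a real server's file): the page's
# settings, with one value spread over a continuation line as main.cf allows.
SAMPLE_MAIN_CF = """\
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
smtpd_sasl_security_options = noanonymous
smtpd_sasl_auth_enable = yes
"""

def parse_main_cf(text):
    """Parse main.cf logical lines: 'name = value'; a line starting with
    whitespace continues the previous value; '#' in column 1 is a comment;
    a later assignment overrides an earlier one."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params

def split_list(value):
    """Postfix list parameters accept commas and/or whitespace as separators."""
    return [item for item in re.split(r"[,\s]+", value) if item]

def check_sasl_config(params):
    """Return findings on the SASL settings; an empty list means authenticated
    clients can relay and unauthenticated clients cannot."""
    findings = []
    if params.get("smtpd_sasl_auth_enable", "no").lower() != "yes":
        findings.append("smtpd_sasl_auth_enable is not yes")
    if "noanonymous" not in split_list(params.get("smtpd_sasl_security_options", "")):
        findings.append("smtpd_sasl_security_options lacks noanonymous")
    rr = split_list(params.get("smtpd_recipient_restrictions", ""))
    if "reject_unauth_destination" not in rr:
        findings.append("smtpd_recipient_restrictions lacks reject_unauth_destination (open relay)")
    elif "permit_sasl_authenticated" not in rr:
        findings.append("smtpd_recipient_restrictions lacks permit_sasl_authenticated")
    elif rr.index("permit_sasl_authenticated") > rr.index("reject_unauth_destination"):
        findings.append("permit_sasl_authenticated comes after reject_unauth_destination, "
                        "so authenticated clients cannot relay")
    return findings
```

Run it against the output of `postconf -n` on a real server to check the live configuration rather than the sample.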
In the master.cf file you will need the following (the -o lines must be indented, because master.cf treats a line that starts with whitespace as a continuation of the previous entry); you may want to change this depending on your use case:
submission inet n - n - - smtpd
#  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
The permit_sasl_authenticated entry in the lines above allows Postfix to use the SASL service.
You will need to configure the SASL service, then enable and start it.
In /etc/sasl2/smtpd.conf (Red Hat example):
pwcheck_method: saslauthd
mech_list: plain login
log_level: 7
Then run:
systemctl enable saslauthd
systemctl start saslauthd
You will need a PAM stack file for the Postfix smtp service. Here is an example /etc/pam.d/password-auth-ac.smtp file:
auth required pam_env.so
auth sufficient pam_sss.so retry=5
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet_success
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so gid = 13800 quiet
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
account required pam_access.so
password requisite pam_pwquality.so minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 difok=5 retry=3
password required pam_pwhistory.so remember=5 use_authtok
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session required pam_tty_audit.so disable=* enable=root
session optional pam_sss.so
The above PAM stack uses the pam_access module to control which accounts or groups have access. By default the /etc/security/access.conf file is used to control which accounts or groups are permitted access. I recommend using account group membership to control access, and listing that group in the local group file of the mail server. Sometimes the SSSD LDAP lookup is too slow and mail connections are refused, so keeping the gid number of the LDAP group local fixes this issue.
You will need to list the group name in the access.conf file. Note that pam_access grants access when no line matches, so end the file with a deny line (for example -:ALL:ALL) if all other accounts should be refused.
+:mailgroup:SMTP