
Comments (15)

lpalgarvio avatar lpalgarvio commented on June 12, 2024 6

Final configuration for a non-chrooted saslauthd and (optional) chrooted Postfix follows in this comment.
The setup will work whether postfix is chrooted or not -- when chrooted, just apply the additional optional config, which should make postfix safer to use.

from here on, mandatory for both chrooted and non-chrooted postfix

saslauthd non-chrooted:

Reminder: saslauthd should be non-chrooted for the setup to be simple and work.

Set parameters for saslauthd in /etc/default/saslauthd:
Before (Incorrect):

OPTIONS="-c -m /var/run/saslauthd"
(or)
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

After (Correct):

OPTIONS="-c -m /var/run/saslauthd -r"

Standard Postfix configuration:

Create a pam file for smtp/postfix, equal to dovecot. The missing file will result in login failure of postfix in pam if the others' file is hardened (/etc/pam.d/smtp):

#
# /etc/pam.d/smtp - PAM behavior for postfix
#
#%PAM-1.0

@include common-auth
@include common-account
@include common-session

This probably should be a separate issue but I'll include it here as it's related.

Add postfix user to the sasl group:
adduser postfix sasl

from here on, optional...(chrooted postfix)

Add binding for saslauthd in Postfix chroot:

Add a permanent mount point to /etc/fstab:
/var/run/saslauthd /var/spool/postfix/var/run/saslauthd bind defaults,nodev,noauto,bind 0 0
Note: noauto = no attempt to mount what can't be mounted on early boot = no error/hang

Create directory for new mount point:
mkdir -p /var/spool/postfix/var/run/saslauthd

Set ownership and permissions:

chown -R root:sasl /var/spool/postfix/var/
dpkg-statoverride --add root sasl 710 /var/spool/postfix/var

Then mount it:
mount /var/spool/postfix/var/run/saslauthd

Add mount command /etc/rc.local to be run at boot (after all daemons):

# Mount saslauthd bind point at postfix chroot
mount /var/spool/postfix/var/run/saslauthd

https://wiki.debian.org/PostfixAndSASL
http://blog.brachium-system.net/archives/16-Postfix-with-SASL-Authentication-in-Debian.html

Finish Postfix chrooted configuration:

Configure sasl binding for postfix (/etc/postfix/sasl/smtpd.conf):
Incorrect:
saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux
or nothing
Correct:
saslauthd_path: /var/run/saslauthd/mux

Configure postfix to work in chrooted environment (/etc/postfix/master.cf):

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================

Debian stock configuration (unsecure):

smtp      inet  n       -       -       -       -       smtpd

Virtualmin configuration (sasl only):

smtp    inet    n   -   -   -   -   smtpd -o smtpd_sasl_auth_enable=yes
submission  inet    n   -   -   -   -   smtpd -o smtpd_sasl_auth_enable=yes

New configuration (also added TLS):

#
# Custom configuration
# See /etc/services
#

# SMTP (25/TCP)
smtp       inet n       -       y       -       -       smtpd -o smtpd_sasl_auth_enable=yes
# Submission (587/TCP+UDP)
submission inet n       -       y       -       -       smtpd -o smtpd_sasl_auth_enable=yes
# SMTPS/SSMTP (465/TCP) (deprecated, disabled)
#smtps      inet n       -       y       -       -       smtpd -o smtpd_sasl_auth_enable=yes -o smtpd_tls_wrappermode=yes

Notes:

  • The y flag in the 5th column denotes chroot=yes.
  • Services were taken from /etc/services.
  • TLS forced on SMTPS/465, as expected.

EDIT: fixed some settings

END

from webmin.

curiousercreative avatar curiousercreative commented on June 12, 2024 2

FWIW, on a fresh install of Ubuntu 18.04 and Webmin/Virtualmin (latest), Postfix is not running in chroot and this simplified subset sufficed:

  1. Replace any references to /var/spool/postfix/var/run/saslauthd with /var/run/saslauthd in /etc/default/saslauthd
  2. systemctl restart saslauthd

from webmin.

ekseiw avatar ekseiw commented on June 12, 2024 1

This post really helped me out. But when using Debian, there is no rc.local anymore, but there are workarounds.

I created a service for this as follows:

nano /etc/systemd/system/saslauthd_mount_bind.service

[Unit]
Description=Bind Mount for SASL Auth Daemon Socket
After=saslauthd.service
[Service]
Type=oneshot
RemainAfterExit=true
ExecStart=/usr/bin/mount -o bind /var/run/saslauthd /var/spool/postfix/var/run/saslauthd
[Install]
WantedBy=multi-user.target

systemctl enable saslauthd_mount_bind.service

systemctl start saslauthd_mount_bind.service

from webmin.

darkpixel avatar darkpixel commented on June 12, 2024 1

Always weird when you get a notification on a bug from over a decade ago that's still open.

from webmin.

lpalgarvio avatar lpalgarvio commented on June 12, 2024

Update,

Found a fix for chrooted saslauthd.

Seems that in /etc/postfix/sasl/smtpd.conf the option saslauthd_path is relative to the postfix chroot. It won't accept full paths -- http://www.lxtreme.nl/index.pl/docs/linux/dovecot_postfix_pam

I'm figuring the mount bind probably should still be needed for one thing or another.
ie, testsaslauthd complains about not finding the path unless you specify it:
testsaslauthd -u username -p password -f /var/run/saslauthd/mux -s smtp

btw, tested the symlink method and it didn't work as I thought -- the chroot does not let postfix go up in the path.

However, since one may use saslauthd for other services other than Postfix, such as Memcached (login yay!), LDAP, IRC and XMPP implementations:
http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer

I think it should be left non-chrooted, just as it is suggested in Debian Wiki:
https://wiki.debian.org/PostfixAndSASL

That way it can be accessed by other services without requiring major reconfiguration.

from webmin.

lpalgarvio avatar lpalgarvio commented on June 12, 2024

solving the mount problem at boot...

from webmin.

twiz718 avatar twiz718 commented on June 12, 2024

Thanks man... this helped.

from webmin.

kropcik avatar kropcik commented on June 12, 2024

Finally..... Thank you

from webmin.

MariciusZero avatar MariciusZero commented on June 12, 2024

Thanks a lot for this, even 5 years later this guide still works, and so detailed. I just had this exact issue, and this worked flawlessly.

from webmin.

chris001 avatar chris001 commented on June 12, 2024

When you switch postfix between chroot and non chroot mode, webmin should apply any changes so saslauthd would continue to work.

Note Ubuntu postfix installs with chroot active, while the Debian postfix package installs as non chroot mode.

webmin should set postfix as chroot by default for security as it's exposed to the internet.

from webmin.

jcameron avatar jcameron commented on June 12, 2024

When you switch postfix between chroot and non chroot mode, webmin should apply any changes so saslauthd would continue to work.

I think this is out of the scope of what Webmin should manage - it feels like something Postfix or saslauthd should manage.

from webmin.

chris001 avatar chris001 commented on June 12, 2024

I think this is out of the scope of what Webmin should manage - it feels like something Postfix or saslauthd should manage.

I agree. From reading the docs and mailing lists, the way to have saslauthd work with postfix and be properly secure: saslauthd runs as root, which is required to authenticate users against /etc/shadow. postfix runs in a chroot jail for security because it's exposed to the internet all the time. The only config is for chroot'ed postfix to see and communicate with saslauthd to authenticate smtp clients trying to send email from the internet, through the outgoing postfix mail server for their domain, which requires authentication as a system user; the solution is a bind mount and a service to start saslauthd after reboots so it would be persistent. Without the saslauthd PAM authentication, either postfix has to run as root to check system user passwords, or a database like mysql/mariadb/ldap should be configured to hold email user passwords and postfix would contact it through localhost on any host through networking, or users are stuck using more resources with a webmail app on the virtualmin postfix server, which sends their email from the localhost which postfix accepts without authentication and sends it out. Because a chroot'ed postfix cannot directly authenticate users against the user's system login password, neither can postfix communicate with saslauthd unless a communication pathway has been established prior and maintained, from the chroot jail, to saslauthd running as root.

from webmin.

chris001 avatar chris001 commented on June 12, 2024

From the postfix docs: Postfix in chroot does not manage the connection to saslauthd. Sys admin (webmin) should run scripts (examples for many OS are provided with postfix) to get postfix SMTP fully working, especially SMTP auth against saslauthd running outside the jail:

Postfix Linux chroot script.
Postfix FreeBSD chroot script.

Running Postfix daemon processes chrooted

Postfix daemon processes can be configured (via the master.cf file) to run in a chroot jail. The processes run at a fixed low privilege and with file system access limited to the Postfix queue directories (/var/spool/postfix). This provides a significant barrier against intrusion. The barrier is not impenetrable (chroot limits file system access only), but every little bit helps.

With the exception of Postfix daemons that deliver mail locally and/or that execute non-Postfix commands, every Postfix daemon can run chrooted.

Sites with high security requirements should consider to chroot all daemons that talk to the network: the smtp(8) and smtpd(8) processes, and perhaps also the lmtp(8) client. The (postfix) author's own porcupine.org mail server runs all daemons chrooted that can be chrooted.

[...]

Note that a chrooted daemon resolves all filenames relative to the Postfix queue directory (/var/spool/postfix). For successful use of a chroot jail, most UNIX systems require you to bring in some files or device nodes. The examples/chroot-setup directory in the source code distribution has a collection of scripts that help you set up Postfix chroot environments on different operating systems.

Additionally, you almost certainly need to configure syslogd so that it listens on a socket inside the Postfix queue directory. Examples of syslogd command line options that achieve this for specific systems:

FreeBSD: syslogd -l /var/spool/postfix/var/run/log

Linux, OpenBSD: syslogd -a /var/spool/postfix/dev/log

Enabling SASL auth when postfix is in chroot: https://www.postfix.org/SASL_README.html#server_sasl_enable

from webmin.

iliajie avatar iliajie commented on June 12, 2024

Finish Postfix chrooted configuration:

Configure sasl binding for postfix (/etc/postfix/sasl/smtpd.conf):
Incorrect:
saslauthd_path: /var/spool/postfix/var/run/saslauthd/mux
or nothing
Correct:
saslauthd_path: /var/run/saslauthd/mux

Hmm, I'd personally love to use /var/run/saslauthd/mux with a chrooted Postfix config, though it doesn't seem to work correctly without doing mount binds.

Why is using the /var/spool/postfix/var/run/saslauthd/mux you mentioned to be incorrect?

from webmin.

chris001 avatar chris001 commented on June 12, 2024

Why is using the /var/spool/postfix/var/run/saslauthd/mux you mentioned to be incorrect?

Not sure, I believe it's because postfix is running in chroot, so the path in /etc/postfix/sasl/smtpd.conf setting saslauthd_path, /var/spool/postfix/var/run/saslauthd/mux does not exist, when postfix attempts to access it, from inside the chroot.

Postfix runs in its own chroot environment, and /var/run/saslauthd/mux resides outside the chroot jail. Postfix cannot directly access files outside its restricted environment.

Even if Postfix could access the file, /var/run/saslauthd/mux is usually owned by saslauthd which runs as root. Postfix, running as an unprivileged user, wouldn't have the necessary permissions to interact with the socket.

Mount binds provide a solution by creating a virtual link between the directory outside the chroot (/var/run/saslauthd/mux) and a directory inside the chroot jail (often /var/spool/postfix/var/run/saslauthd). This allows Postfix to access the socket within its restricted environment and communicate with saslauthd for authentication.

from webmin.
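The point made in lpalgarvio's first comment and restated by chris001 just above is that a chrooted smtpd resolves saslauthd_path relative to the queue directory, so the same smtpd.conf value lands on a different absolute path depending on the chroot column in master.cf. The following POSIX sh script is an added example, not code from this thread or from the Webmin project: it reads the chroot flag for the smtpd service from a master.cf, reads saslauthd_path from an smtpd.conf, computes the path the daemon will actually open, and reports whether anything exists there (which, for a chrooted smtpd, is where the bind mount has to land). It assumes the queue directory /var/spool/postfix and the file locations used in the thread; because the compiled-in default for a "-" chroot column differs between Postfix versions, that default is passed in as a parameter rather than guessed. The master.cf and smtpd.conf it processes in the demo are constructed in a temporary directory, with a plain file standing in for the socket.

```shell
#!/bin/sh
# Added example (not from the thread): resolve the saslauthd socket path
# that Postfix smtpd will open, taking the master.cf chroot flag into
# account, and check whether something exists at that path.

# Print the chroot column (5th field) of the first inet service whose
# command is smtpd: "y", "n" or "-" (meaning: use the compiled-in default).
smtpd_chroot_flag() {
    # $1 = path to master.cf
    awk '$1 !~ /^#/ && $2 == "inet" && $8 == "smtpd" { print $5; exit }' "$1"
}

# Print the saslauthd_path value from an smtpd.conf, or nothing if unset.
sasl_mux_setting() {
    # $1 = path to smtpd.conf
    awk -F': *' '$1 == "saslauthd_path" { print $2; exit }' "$1"
}

# Resolve the absolute path the daemon opens.
# $1 = chroot flag (y/n/-), $2 = default used when the flag is "-",
# $3 = queue directory, $4 = saslauthd_path from smtpd.conf.
# A chrooted daemon resolves $4 relative to $3; a non-chrooted one uses $4.
effective_mux_path() {
    flag="$1"
    if [ "$flag" = "-" ]; then flag="$2"; fi
    case "$flag" in
        y) printf '%s/%s\n' "${3%/}" "${4#/}" ;;
        *) printf '%s\n' "$4" ;;
    esac
}

# Classify a configuration. Prints one of:
#   OK <path>       something exists where smtpd will look
#   MISSING <path>  smtpd will look here but nothing is there (bind mount absent?)
#   UNSET           saslauthd_path is not configured at all
check_sasl_socket() {
    # $1 = master.cf, $2 = smtpd.conf, $3 = default chroot flag, $4 = queue dir
    mux=$(sasl_mux_setting "$2")
    if [ -z "$mux" ]; then echo UNSET; return 0; fi
    flag=$(smtpd_chroot_flag "$1")
    path=$(effective_mux_path "${flag:-n}" "$3" "$4" "$mux")
    if [ -e "$path" ]; then echo "OK $path"; else echo "MISSING $path"; fi
}

# Constructed demo: temp files instead of /etc, a plain file instead of the socket.
demo() {
    d=$(mktemp -d)
    printf 'smtp inet n - y - - smtpd -o smtpd_sasl_auth_enable=yes\n' > "$d/master.cf"
    printf 'pwcheck_method: saslauthd\nsaslauthd_path: /var/run/saslauthd/mux\n' > "$d/smtpd.conf"
    echo "before bind mount: $(check_sasl_socket "$d/master.cf" "$d/smtpd.conf" y "$d/spool")"
    mkdir -p "$d/spool/var/run/saslauthd"
    touch "$d/spool/var/run/saslauthd/mux"   # stand-in for the bind-mounted socket
    echo "after bind mount:  $(check_sasl_socket "$d/master.cf" "$d/smtpd.conf" y "$d/spool")"
    rm -rf "$d"
}

demo
```

Run against the real files with `check_sasl_socket /etc/postfix/master.cf /etc/postfix/sasl/smtpd.conf y /var/spool/postfix`; a MISSING result with a path under /var/spool/postfix is the symptom the bind mount in the thread fixes, while an OK result on a non-chrooted smtpd with the /var/spool/postfix/... value shows that the "incorrect" setting only appears to work because the daemon is not actually chrooted.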
