Mail Gateway SASL
Simple Authentication and Security Layer (SASL) is part of the SMTP protocol, and provides a mechanism for user authentication using a username and password. VSP/SPG supports both inbound and outbound authentication.
Authenticating users
Inbound authentication (from external users) is set per mail listener on the Mail Gateway → Domain → Incoming tab. There are two configurable options: "Authentication Flow", which sets the authentication profile, and "Secure Authentication", which, if set to "Require TLS", only allows authentication over TLS. "Secure Authentication" is usually preferred, because the authentication flow requires the password in plain text and we therefore only support the plain-text authentication methods PLAIN and LOGIN.
The Mail Gateway → Flows → Authentication flow provides some basic building blocks for inbound authentication (which should be used instead of custom scripts if possible). If none are suitable, or you require more advanced methods, there is a scripting block available. A few examples are listed below.
Upon successful authentication, the HSL variables $saslauthed (true) and $saslusername (username) will be set in the HSL Mail Recipient and HSL Mail Content flows.
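The following Python sketch is an added example, not part of the original page or the product's own code. It shows that an AUTH PLAIN response is only base64-encoded, and it checks EHLO replies recorded before and after STARTTLS to confirm that a listener offers AUTH only over TLS. The sample replies and password are constructed, and the check assumes that a listener set to "Require TLS" does not advertise AUTH on a cleartext connection, which the page does not state.

```python
import base64

def ehlo_keywords(reply):
    """Map each EHLO keyword to its parameters, e.g. {"AUTH": ["PLAIN", "LOGIN"]}."""
    keywords = {}
    for line in reply.splitlines()[1:]:  # the first line is the server greeting
        words = line[4:].upper().split() if line.startswith("250") else []
        if words:
            keywords[words[0]] = words[1:]
    return keywords

def decode_plain(response):
    """Decode an AUTH PLAIN response: base64(authzid NUL authcid NUL passwd)."""
    authzid, authcid, passwd = base64.b64decode(response).split(b"\0")
    return authcid.decode(), passwd.decode()

def audit_listener(ehlo_clear, ehlo_tls):
    """Return findings for EHLO replies captured before and after STARTTLS."""
    clear, tls = ehlo_keywords(ehlo_clear), ehlo_keywords(ehlo_tls)
    findings = []
    if clear.get("AUTH"):
        findings.append("AUTH offered without TLS: " + " ".join(sorted(clear["AUTH"])))
    if "STARTTLS" not in clear:
        findings.append("STARTTLS not offered")
    if not tls.get("AUTH"):
        findings.append("no AUTH offered after STARTTLS")
    return findings

# Constructed sample data (not captured from a real gateway).
WEAK_CLEAR = "250-mx.example.org\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n"
GOOD_CLEAR = "250-mx.example.org\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
AFTER_TLS = "250-mx.example.org\r\n250 AUTH PLAIN LOGIN\r\n"
SAMPLE_PLAIN = base64.b64encode(b"\0user1\0constructed-password").decode()

if __name__ == "__main__":
    print(audit_listener(WEAK_CLEAR, AFTER_TLS))
    print(audit_listener(GOOD_CLEAR, AFTER_TLS))
    print(decode_plain(SAMPLE_PLAIN))  # base64 is an encoding, not encryption
```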
LDAP Authentication
An authentication request is made by trying to bind (ldap_bind) against an LDAP server.
SMTP Forwarding Authentication
A forwarding SMTP request is made to an SMTP server of your choice. Because SASL authentication is done before MAIL FROM/RCPT TO, it is not possible to use a "Per-domain" selection of SMTP server. If you want users on different domains to authenticate against different servers, a custom script must be used in which you, e.g., append an @domain to each username to support the selection of servers.
File Authentication
It is possible to look up the username and password in a file (uploaded to the FTP). The custom scripting block requires the syntax to be
username1 password1
username2 password2
username3 password3
Custom scripts
Some examples follow.
HTTP Authentication
if (http("http://test.example.org/smtp_authentication.php?username=$1&password=$2", 10, $saslusername, $saslpassword) == "OK") {
  Accept();
}
In-memory Authentication
if ($saslusername == "user1" and $saslpassword == "user2") {
  Accept();
}
Logging in on a server (delivery)
Outbound authentication is set per mail transport; it is sometimes required by ISPs or mail providers in order to submit outbound messages. On the Mail Gateway → Domain → Outgoing tab there are two advanced options, "SASL Username" and "SASL Password". If they are set, an authentication attempt will be made using the SASL methods CRAM-MD5, LOGIN or PLAIN. If it fails, the transmission will be aborted and a permanent failure will be raised.