You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+31Lines changed: 31 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -4,6 +4,7 @@
4
4
5
5
This is a postfix socketmap adapter for the [userli](https://github.com/systemli/userli) project.
6
6
It implements the [socketmap protocol](https://www.postfix.org/socketmap_table.5.html) to provide dynamic lookups for aliases, domains, mailboxes, and senders.
7
+
It also provides a Dovecot SASL authentication server, allowing Postfix to authenticate SMTP clients against the Userli API without requiring Dovecot.
7
8
8
9
## Configuration
9
10
@@ -14,6 +15,7 @@ The adapter is configured via environment variables:
14
15
-`POSTFIX_RECIPIENT_DELIMITER`: The recipient delimiter used in Postfix (e.g., `+`). Default: empty.
15
16
-`SOCKETMAP_LISTEN_ADDR`: The address to listen on for socketmap requests. Default: `:10001`.
16
17
-`POLICY_LISTEN_ADDR`: The address to listen on for policy requests (rate limiting). Default: `:10003`.
18
+
-`SASL_LISTEN_ADDR`: The address to listen on for Dovecot SASL authentication. Supports TCP (e.g., `:10006`) and UNIX sockets (e.g., `/var/spool/postfix/private/auth`). Default: empty (disabled).
17
19
-`METRICS_LISTEN_ADDR`: The address to listen on for metrics. Default: `:10002`.
18
20
-`RATE_LIMIT_MESSAGE`: The rejection message returned when a sender exceeds their quota. Default: `Rate limit exceeded, please try again later`.
19
21
-`REDIS_URL`: Connection URL for Redis (required). Format follows [`redis.ParseURL`](https://pkg.go.dev/github.com/redis/go-redis/v9#ParseURL), e.g. `redis://[user:password@]host:port/db`. Rate-limit state is stored in Redis so it survives restarts.
@@ -52,6 +54,28 @@ Where `0` means unlimited. If the API is unreachable, messages are allowed (fail
52
54
53
55
Rate-limit state is persisted to Redis (`REDIS_URL`) so it survives restarts. If Redis is unreachable, messages are also allowed (fail-open) and the `userli_postfix_adapter_ratelimit_backend_errors_total` counter is incremented.
54
56
57
+
### SASL Authentication (Dovecot SASL)
58
+
59
+
The adapter implements the Dovecot SASL authentication protocol, so Postfix can authenticate SMTP clients via `smtpd_sasl_type=dovecot` without requiring Dovecot itself. Authentication is performed against the Userli API (`/api/postfix/auth`). Supported mechanisms: PLAIN and LOGIN.
60
+
61
+
**Important:** SASL authentication is fail-closed. If the API is unreachable, authentication is rejected.
62
+
63
+
Configure in Postfix `main.cf` (TCP):
64
+
65
+
```text
66
+
smtpd_sasl_type = dovecot
67
+
smtpd_sasl_path = inet:localhost:10006
68
+
smtpd_sasl_auth_enable = yes
69
+
```
70
+
71
+
Or using a UNIX socket (set `SASL_LISTEN_ADDR=/var/spool/postfix/private/auth`):
72
+
73
+
```text
74
+
smtpd_sasl_type = dovecot
75
+
smtpd_sasl_path = private/auth
76
+
smtpd_sasl_auth_enable = yes
77
+
```
78
+
55
79
## Docker
56
80
57
81
You can run the adapter using Docker.
@@ -178,6 +202,13 @@ The adapter exposes Prometheus metrics on `/metrics` (port 10002) and provides h
178
202
-`userli_postfix_adapter_quota_checks_total` - Total quota checks performed
179
203
-`userli_postfix_adapter_ratelimit_backend_errors_total` - Total Redis errors hit by the rate limiter, labelled by `operation`
180
204
205
+
**SASL Authentication Metrics:**
206
+
207
+
-`userli_postfix_adapter_sasl_active_connections` - Active SASL connections gauge
208
+
-`userli_postfix_adapter_sasl_auth_total` - Total SASL authentication attempts (by mechanism and result)
0 commit comments