From Halon, SMTP software for hosting providers
Jump to: navigation, search

Simple Authentication and Security Layer (SASL) is part of the SMTP protocol, and provides a mechanisms for user authentication using a username and password. Halon supports both inbound and outbound authentication.

Outbound (logging in on a server during delivery)

Outbound authentication is set per mail transport, this is sometimes required by ISP's or mail providers in order to submit outbound messages. You can configure this under Mail → Transports and then clicking on the outgoing mail transport. Here you will find the two advanced options "SASL username" and "SASL password", if set an authentication attempt will be done using SASL methods CRAM-MD5, LOGIN or PLAIN. If it fails the transmission will be aborted and a permanent failure will be raised. You can also use the SetSASL() function.

Inbound (authenticating clients)

Inbound authentication (from external users) are set per mail listener which you can find under Mail → Relay table. There are two options that are configurable AUTH script which sets the authentication profile and an option to only allow authentication over TLS. TLS is mostly preferred since due to the fact that the Halon system requires the password in plain-text (PLAIN and LOGIN). The Mail → Flows and scripts → AUTH flow provides some basic building blocks for inbound authentication (which should be used instead of custom scripts if possible). If none are suitable or you require some more advanced methods, there's scripting block available. A few examples are listed below.

Upon successful authentication the $saslauthed (true) and $saslusername (username) HSL variable will be set, which is available in most flows.


An authentication request will be done by trying to ldap_bind() against an LDAP server.

SMTP forwarding

A forwarding SMTP request will be done to a SMTP of your choice. Due to the fact that SASL authentication is done before MAIL FROM/RCPT TO, it's not possible to use a "per-domain" selection of SMTP server. If you want different users on different domain to authentication against different servers a custom script must be used where you eg. append a @domain after each username to support the selection of servers.


Since Halon supports LMTP delivery directly to a email storage server (such as Dovecot), it makes sense that also authentication can be performed directly to Dovecot, without having an MTA doing SASL. Please see the dovecot_lookup_auth() module.


If you have a control panel or API server, it often makes sense to make lookups using for example REST directly to that server, as in the simple example below.

if (http("$1&pass=$2", [], [$saslusername$saslpassword]) == "OK") {