diff --git a/build-scripts/postfix-install.sh b/build-scripts/postfix-install.sh
index 32c3c7c..f10da5b 100644
--- a/build-scripts/postfix-install.sh
+++ b/build-scripts/postfix-install.sh
@@ -17,7 +17,7 @@ do_ubuntu() {
 apt-get install -y libsasl2-modules
 apt-get install -y postfix
 apt-get install -y opendkim
- apt-get install -y ca-certificates tzdata supervisor rsyslog bash opendkim-tools curl libcurl4 libjsoncpp1 postfix-lmdb netcat
+ apt-get install -y ca-certificates tzdata supervisor rsyslog bash opendkim-tools curl libcurl4 libjsoncpp1 sasl2-bin postfix-lmdb netcat
 }
 if [ -f /etc/alpine-release ]; then
diff --git a/scripts/common-run.sh b/scripts/common-run.sh
index a63dfb6..80e19a8 100755
--- a/scripts/common-run.sh
+++ b/scripts/common-run.sh
@@ -306,6 +306,33 @@ postfix_setup_xoauth2_post_setup() {
 fi
 }
+postfix_setup_smtpd_sasl_auth() {
+ if [ ! -z "$SMTPD_SASL_USERS" ]; then
+ info "Enable smtpd sasl auth."
+ do_postconf -e "smtpd_sasl_auth_enable=yes"
+ do_postconf -e "broken_sasl_auth_clients=yes"
+
+ [ ! -d /etc/postfix/sasl ] && mkdir /etc/postfix/sasl
+ cat >> /etc/postfix/sasl/smtpd.conf < /tmp/passwd
+ while IFS=':' read -r _user _pwd; do
+ echo $_pwd | saslpasswd2 -p -c $_user
+ done < /tmp/passwd
+
+ rm -f /tmp/passwd
+
+ chown postfix:postfix /etc/sasldb2
+ fi
+}
+
 postfix_setup_networks() {
 if [ ! -z "$MYNETWORKS" ]; then
 deprecated "${emphasis}MYNETWORKS${reset} variable is deprecated. Please use ${emphasis}POSTFIX_mynetworks${reset} instead."
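Review bot: `sasl2-bin` is added only to the `do_ubuntu` package list, while the new `postfix_setup_smtpd_sasl_auth` in scripts/common-run.sh calls `saslpasswd2` whatever the base image is. The Alpine branch that begins at `if [ -f /etc/alpine-release ]; then` lies outside this hunk, so I cannot tell whether it already installs an equivalent package. If it does not, setting SMTPD_SASL_USERS on that image would enable `smtpd_sasl_auth_enable=yes` and then fail to create any account. Either add the matching package there, or have the setup function check first, e.g. `command -v saslpasswd2 >/dev/null 2>&1 || { echo "saslpasswd2 not installed" >&2; return 1; }`.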
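Review bot: The user:password list is staged in the fixed path `/tmp/passwd` and each pair is passed through the unquoted `echo $_pwd | saslpasswd2 -p -c $_user`. The plaintext credentials therefore sit in a predictable file whose mode depends on the umask, and a password containing whitespace, glob characters or a leading `-n` is stored as something other than what the operator configured. I would stage the list in a `mktemp` file and feed the password with `printf` and quoted expansions, as in the excerpt below. The heredoc body and the command that writes the list are garbled on this page, so the excerpt only marks where they sit. Separately, `cat >> /etc/postfix/sasl/smtpd.conf` appends, so if this function runs again against the same filesystem the settings are duplicated; `cat >` would make it idempotent.

```shell
# … unchanged: postconf settings and smtpd.conf generation …
_sasl_list="$(mktemp)" || return 1
# … unchanged: the command that writes the user:password list, redirected to "$_sasl_list" …
while IFS=':' read -r _user _pwd; do
  printf '%s\n' "$_pwd" | saslpasswd2 -p -c "$_user"
done < "$_sasl_list"
rm -f -- "$_sasl_list"
# … unchanged: chown of /etc/sasldb2 …
```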
@@ -352,7 +379,11 @@ postfix_setup_sender_domains() {
 echo
 postmap lmdb:$allowed_senders
- do_postconf -e "smtpd_recipient_restrictions=reject_non_fqdn_recipient, reject_unknown_recipient_domain, check_sender_access lmdb:$allowed_senders, reject"
+ if [ ! -z "$SMTPD_SASL_USERS" ]; then
+ smtpd_sasl="permit_sasl_authenticated,"
+ fi
+
+ do_postconf -e "smtpd_recipient_restrictions=reject_non_fqdn_recipient, reject_unknown_recipient_domain, check_sender_access lmdb:$allowed_senders, $smtpd_sasl reject"
 # Since we are behind closed doors, let's just permit all relays.
 do_postconf -e "smtpd_relay_restrictions=permit"
@@ -579,4 +610,5 @@ unset_sensible_variables() {
 unset XOAUTH2_SECRET
 unset XOAUTH2_INITIAL_ACCESS_TOKEN
 unset XOAUTH2_INITIAL_REFRESH_TOKEN
+ unset SMTPD_SASL_USERS
 }
diff --git a/scripts/run.sh b/scripts/run.sh
index 0ba79d0..c4fc0f3 100755
--- a/scripts/run.sh
+++ b/scripts/run.sh
@@ -29,6 +29,7 @@ postfix_setup_sender_domains # Configure allowed sender domains
 postfix_setup_masquarading # Setup masquaraded domains
 postfix_setup_header_checks # Enable SMTP header checks, if defined
 postfix_setup_dkim # Configure DKIM, if enabled
+postfix_setup_smtpd_sasl_auth # Enable sender sasl auth, if defined
 postfix_custom_commands # Apply custom postfix settings
 opendkim_custom_commands # Apply custom OpenDKIM settings
 postfix_open_submission_port # Enable the submission port
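Review bot: Adding `permit_sasl_authenticated,` after `check_sender_access lmdb:$allowed_senders` does not make authentication mandatory; it only gives authenticated clients a second way past `smtpd_recipient_restrictions`. Assuming the lmdb table returns OK for listed domains (its contents are not visible here), a client that presents an allowed sender is still accepted without logging in, and the unchanged context line `smtpd_relay_restrictions=permit` leaves relaying open as before. An operator who sets SMTPD_SASL_USERS may expect the opposite, so I would state it above the new `if`, e.g. `# SASL login widens access (any sender for authenticated users); it does not require login for allowed sender domains`. Also, `smtpd_sasl` is never initialised, so a value inherited from the environment would be spliced into the restriction list; add `smtpd_sasl=""` before the `if`. The function starts and ends outside this hunk, so a branch for an empty allowed-senders list may need the same treatment.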