diff --git a/pica-mail-mta/local_mailbox_ldap_sasl/Dockerfile b/pica-mail-mta/local_mailbox_ldap_sasl/Dockerfile
index 1fe03e5d84bde7707b09d02c315e8bd11216c9b0..03b1fc72177610b269966f48ee0fbf2ac9479661 100644
--- a/pica-mail-mta/local_mailbox_ldap_sasl/Dockerfile
+++ b/pica-mail-mta/local_mailbox_ldap_sasl/Dockerfile
@@ -15,5 +15,6 @@ ENV LDAP_SERVER_HOSTNAME ldap.test.picasoft.net
 ENV LDAP_PORT 389
 
 COPY local_users /
+COPY saslauthd-postfix /etc/default/
 COPY entrypoint2.sh /
 ENTRYPOINT ["/entrypoint2.sh"]
diff --git a/pica-mail-mta/local_mailbox_ldap_sasl/entrypoint2.sh b/pica-mail-mta/local_mailbox_ldap_sasl/entrypoint2.sh
old mode 100755
new mode 100644
index 86061ab507c904f9d705af927de7d7d85443578c..95950c06a56c0a18461387e72ebe7143268960da
--- a/pica-mail-mta/local_mailbox_ldap_sasl/entrypoint2.sh
+++ b/pica-mail-mta/local_mailbox_ldap_sasl/entrypoint2.sh
@@ -10,10 +10,11 @@ postconf -e "virtual_mailbox_maps = hash:/local_users"
 
 #on modifie temporairement les restrictions pour permettre à tout le monde d'envoyer du mail par notre serveur tant que la destination est autorisée (par les autres règles) et que celui qui tente de se servir du serveur est sur un réseau autorisé (typiquement l'hôte et le subnet)
 postconf -e "mynetworks = 127.0.0.0/8"
-postconf -e "smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination"
+#voir en dessous pour la config sasl
+postconf -e "smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination"
+
+postconf -e "smtpd_client_restrictions = "
 
-#désactivation de la blacklist de clients à des fins de debug (elle rejette les clients en local)
-postconf -e "smtpd_client_restrictions = permit_mynetworks"
 #désactivation des restrictions sur le helo
 postconf -e "smtpd_helo_restrictions = "
 
@@ -22,17 +23,28 @@ postconf -e "virtual_transport = lmtp:inet:${LMTP_LAN_HOSTNAME}:${LMTP_PORT}"
 #:private/dovecot-lmtp
 
 #utiliser le démon saslauthd. Il est contacté par des appels de fonction à une lib et retourne la validité des login.
+postconf -e "smtpd_sasl_path = smtpd"
 cat <<EOF >> /etc/postfix/sasl/smtpd.conf
 pwcheck_method: saslauthd
 mech_list: PLAIN LOGIN
-ldap_servers: ldap://${LDAP_SERVER_HOSTNAME}:${LDAP_PORT}
-ldap_search_base: dc=picasoft, dc=net
-ldap_filter: objectClass=posixAccount
 EOF
-#configuration de saslauthd: utiliser le mécanisme ldap (on remplace pam par ldap dans la config par défaut de debian)
-sed -i -e 's/MECHANISMS="pam"/MECHANISMS="ldap"/g' /etc/default/saslauthd
-
 
+#fichiers de config et socket utilisés par le démon de saslauthd créé pour postfix (voir fichier copié dans le Dockerfile)
+dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd
+adduser postfix sasl
+service saslauthd  restart
+
+#on utilise les comptes unix de l'hôte
+postconf -e 'smtpd_sasl_local_domain = $myhostname'
+postconf -e 'smtpd_sasl_auth_enable = yes'
+postconf -e 'smtpd_sasl_security_options = noanonymous'
+#autorise l'auth depuis des clients connus comme sécurisés mais utilisant des syntaxes obsolètes/non standard (=outlook)
+postconf -e 'broken_sasl_auth_clients = yes'
+
+useradd toto
+useradd bobo
+echo "toto:toutou"|chpasswd
+echo "bobo:boubou"|chpasswd
 
 postfix start
 postfix reload
diff --git a/pica-mail-mta/local_mailbox_ldap_sasl/saslauthd-postfix b/pica-mail-mta/local_mailbox_ldap_sasl/saslauthd-postfix
new file mode 100644
index 0000000000000000000000000000000000000000..bca39c2b1af416966a048baf87d9f49a783c57eb
--- /dev/null
+++ b/pica-mail-mta/local_mailbox_ldap_sasl/saslauthd-postfix
@@ -0,0 +1,64 @@
+#
+# Settings for saslauthd daemon
+# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
+#
+
+# Should saslauthd run automatically on startup? (default: no)
+START=yes
+
+# Description of this saslauthd instance. Recommended.
+# (suggestion: SASL Authentication Daemon)
+DESC="SASL Auth. Daemon for Postfix"
+
+# Short name of this saslauthd instance. Strongly recommended.
+# (suggestion: saslauthd)
+NAME="saslauthd-postf"
+
+# Which authentication mechanisms should saslauthd use? (default: pam)
+#
+# Available options in this Debian package:
+# getpwent  -- use the getpwent() library function
+# kerberos5 -- use Kerberos 5
+# pam       -- use PAM
+# rimap     -- use a remote IMAP server
+# shadow    -- use the local shadow password file
+# sasldb    -- use the local sasldb database file
+# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
+#
+# Only one option may be used at a time. See the saslauthd man page
+# for more information.
+#
+# Example: MECHANISMS="pam"
+MECHANISMS="pam"
+
+# Additional options for this mechanism. (default: none)
+# See the saslauthd man page for information about mech-specific options.
+MECH_OPTIONS=""
+
+# How many saslauthd processes should we run? (default: 5)
+# A value of 0 will fork a new process for each connection.
+THREADS=5
+
+# Other options (default: -c -m /var/run/saslauthd)
+# Note: You MUST specify the -m option or saslauthd won't run!
+#
+# WARNING: DO NOT SPECIFY THE -d OPTION.
+# The -d option will cause saslauthd to run in the foreground instead of as
+# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
+# to run saslauthd in debug mode, please run it by hand to be safe.
+#
+# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
+# See the saslauthd man page and the output of 'saslauthd -h' for general
+# information about these options.
+#
+# Example for chroot Postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
+# Example for non-chroot Postfix users: "-c -m /var/run/saslauthd"
+#
+# To know if your Postfix is running chroot, check /etc/postfix/master.cf.
+# If it has the line "smtp inet n - y - - smtpd" or "smtp inet n - - - - smtpd"
+# then your Postfix is running in a chroot.
+# If it has the line "smtp inet n - n - - smtpd" then your Postfix is NOT
+# running in a chroot.
+
+# Option -m sets working dir for saslauthd (contains socket)
+OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd" # postfix/smtp in chroot()