diff --git a/Dockerfile b/Dockerfile index 81becc40..04643c6e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,10 +1,12 @@ -FROM golang:1.12.7-alpine3.10 AS builder +FROM golang:1.13.14-alpine3.11 AS builder RUN mkdir -p /go/src/github.com/mailgun/kafka-pixy COPY . /go/src/github.com/mailgun/kafka-pixy WORKDIR /go/src/github.com/mailgun/kafka-pixy +RUN apk add build-base +RUN go mod download RUN go build -v -o /go/bin/kafka-pixy -FROM alpine:3.10 +FROM alpine:3.11 LABEL maintainer="Maxim Vladimirskiy " COPY --from=builder /go/bin/kafka-pixy /usr/bin/kafka-pixy EXPOSE 19091 19092 diff --git a/config/config.go b/config/config.go index 8b297bfe..1de100ae 100644 --- a/config/config.go +++ b/config/config.go @@ -139,6 +139,24 @@ type Proxy struct { // How long to wait for a transmit. WriteTimeout time.Duration `yaml:"write_timeout"` + + // SASL support for SASL PLAIN + SASL struct { + // Whether or not to use SASL authentication when connecting to the broker (defaults to false). + Enable bool `yaml:"enable"` + + // Whether or not to send the Kafka SASL handshake first if enabled + // (defaults to true). You should only set this to false if you're using + // a non-Kafka SASL proxy. + Handshake bool `yaml:"handshake"` + + // User is the authentication identity (authcid) to present for + // SASL/PLAIN + User string `yaml:"user"` + + // Password for SASL/PLAIN authentication + Password string `yaml:"password"` + } `yaml:"sasl"` } `yaml:"net"` Producer struct { 
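Review bot: The comment on `Handshake` in the new `SASL` struct says it defaults to true, but a Go `bool` is false when the YAML key is omitted, and nothing visible in this diff sets it in the defaults. Since `SaramaProducerCfg` and `SaramaClientCfg` copy the field verbatim, a config with only `enable: true` would switch the Kafka SASL handshake off and override Sarama's own default of true. Either set `Net.SASL.Handshake = true` where the default `Proxy` is built (outside this hunk) or correct the comment. `Password` is held as a plain string, so I would add `// Secret: do not log or dump this value; restrict read access to the config file.` above it and confirm that no code path prints the `Proxy` config.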
@@ -350,6 +368,13 @@ func (p *Proxy) SaramaProducerCfg() *sarama.Config { saramaCfg.Net.ReadTimeout = p.Net.ReadTimeout saramaCfg.Net.WriteTimeout = p.Net.WriteTimeout + if p.Net.SASL.Enable { + saramaCfg.Net.SASL.Enable = p.Net.SASL.Enable + saramaCfg.Net.SASL.Handshake = p.Net.SASL.Handshake + saramaCfg.Net.SASL.User = p.Net.SASL.User + saramaCfg.Net.SASL.Password = p.Net.SASL.Password + } + saramaCfg.Producer.MaxMessageBytes = p.Producer.MaxMessageBytes saramaCfg.Producer.Compression = sarama.CompressionCodec(p.Producer.Compression) saramaCfg.Producer.Flush.Frequency = p.Producer.FlushFrequency @@ -379,6 +404,13 @@ func (p *Proxy) SaramaClientCfg() *sarama.Config { saramaCfg.Net.ReadTimeout = p.Net.ReadTimeout saramaCfg.Net.WriteTimeout = p.Net.WriteTimeout + if p.Net.SASL.Enable { + saramaCfg.Net.SASL.Enable = p.Net.SASL.Enable + saramaCfg.Net.SASL.Handshake = p.Net.SASL.Handshake + saramaCfg.Net.SASL.User = p.Net.SASL.User + saramaCfg.Net.SASL.Password = p.Net.SASL.Password + } + if p.Kafka.TLSEnabled { saramaCfg.Net.TLS.Enable = true tlsCfg, _ := p.newTLSConfig() // Ok to ignore err since we validated
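Review bot: The new block in `SaramaProducerCfg` enables SASL/PLAIN independently of `p.Kafka.TLSEnabled`, so with TLS off the user name and password reach the broker unencrypted; the identical block added to `SaramaClientCfg` in the next hunk has the same gap. Config validation is outside this diff, but it should reject, or at least warn on, `p.Net.SASL.Enable && !p.Kafka.TLSEnabled`. The two seven-line blocks are copies of each other and would be safer as one helper, e.g. `p.applySASL(saramaCfg)`, so the producer and client settings cannot drift apart. Both function bodies start and end outside the hunks.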