http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailservers.html
SMTP AUTH for mail server is a feature that is often required to relay mail through other mail servers. To enable SMTP AUTH for Postfix, acting as mail client in this scenario, you need to do the following steps:
Add credentials to sasl_passwd
Postfix, acting as mail client in this scenario, will need to be able to
Enter credentials
These informations are layed down in /etc/postfix/sasl_passwd:
# less /etc/postfix/sasl_passwd # foo.com [1] username:password [2] # bar.com username:password
The mail server that we want to relay through in this example is mail.my-isp.org; username is test and it's password is testpass. We open /etc/postfix/sasl_passwd and add our credentials. When we are done it looks like this:
# cat /etc/postfix/sasl_passwd # mail.my-isp.org test:testpass
Secure sasl_passwd
As you have noticed, the credentials in sasl_passwd are entered plaintext. That means that anybody who can open the file will be able to read this sensitive information. Therefore we change ownership and permission to root and r/w only.
# chown root:root /etc/postfix/sasl_passwd && chmod 600 /etc/postfix/sasl_passwd
After these commands ownership and permissions read like this:
# ls -all /etc/postfix/sasl_passwd # -rw------- 1 root root 79 Dec 30 23:50 /etc/postfix/sasl_passwd
[Note] You wonder why Postfix running as user postfix can read this file? Postfix will start as user root, read all files that need root permission and switch to user postfix after that.
Create sasl_passwd DB file
Now that we have set correct ownership and permissions there is one more thing to do. A plaintext file can't be read as fast as database. Postfix requires this file to be a database, because it doesn't want to spend a lot of time looking the credentials up when it needs to get it's job done. We create a sasl_passwd.db with the help of postmap:
# postmap hash:/etc/postfix/sasl_passwd
After that there will be a new file sasl_passwd.db in /etc/postfix/.
# ls -all /etc/postfix/sasl_passwd.db # -rw------- 1 root root 12288 Mar 13 23:13 /etc/postfix/sasl_passwd.db
From the onwership and permissions you can see that postmap applied the same as in the source file. That's it for sasl_passwd; you only need to get back when the informations need an update.
[Note] Don't forget to postmap the file, when you change credentials. Postfix will tell you anyway by claiming that sasl_passwd is newer than sasl_passwd.db in the maillog.
Enable SMTP AUTH
There are only three options that you must set to enable SMTP AUTH for mail servers in Postfix.
[Note] You can easily tell that these parameters are settings for the smtp daemon. They all begin with smtp_.
The first thing we do is enabling SMTP AUTH for the smtp daemon. We open main.cf and enter some documentation first and then we set smtp_sasl_auth_enable to yes.
# SASL SUPPORT FOR SERVERS # # The following options set parameters needed by Postfix to enable # Cyrus-SASL support for authentication of mail servers. # smtp_sasl_auth_enable = yes
Set path to sasl_passwd
Then we tell Postfix where to find sasl_passwd by adding smtp_sasl_password_maps = hash:/path/to/sasl_passwd to the configuration.
# smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
Set security options
Finally we set security options. In our scenario we will allow Postfix to use anonymous and plaintext authentication. That's why we set the paramter, but leave it empty:
# smtp_sasl_security_options =
All settings together will give this listing in main.cf.
... # SASL SUPPORT FOR SERVERS # # The following options set parameters needed by Postfix to enable # Cyrus-SASL support for authentication of mail servers. # smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtp_sasl_security_options = ...
Reload Postfix
All that you need to do now is to reload Postfix and you're ready to use your ISPs mail server to relay mail.
# postfix reload # postfix/postfix-script: refreshing the Postfix mail system