Postfix SMTP AUTH support for relayhost

Tonight I changed my relayhost for my outgoing home mail server to one that requires me to use SMTP AUTH, so I needed to modify my main.cf on the outgoing server as follows.

Added the following settings to /etc/postfix/main.cf:
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =

Create /etc/postfix/sasl_passwd as follows:
my.mail.relay.net username:password

Because the password is in cleartext, make it root only:
# chown root:root /etc/postfix/sasl_passwd && chmod 600 /etc/postfix/sasl_passwd

Create the hash file:
# postmap /etc/postfix/sasl_passwd

Make the hash file world readable:
# chmod 644 /etc/postfix/sasl_passwd

Reload the Postfix config:
# /etc/init.d/postfix reload

5 Comments.

  1. You say:

    Make the hash file world readable:
    # chmod 644 /etc/postfix/sasl_passwd

    But shouldn’t that be:
    chmod 644 /etc/postfix/sasl_passwd.db

    ???
    When I do the postmap command you show it doesn’t alter the mother file, but it makes a .db file.

  2. Hmm. Now that I look at it I think you’re right, but if you were going to do it that way I think you would change smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd to smtp_sasl_password_maps = /etc/postfix/sasl_passwd.db or something similar. I think that my original method hashes the file on demand instead of accessing a pre-hashed file.

  3. First of all, if you specify hash:/etc/postfix/sasl_passwd, then postfix accesses /etc/postfix/sasl_passwd.db and not /etc/postfix/sasl_passwd.
    Secondly, you have to chmod the sasl_passwd.db, and not sasl_passwd (I’m talking about the second chmod).
    And, if you chmod 644, then you’ll have security problems, because the .db file IS NOT encrypted, and anyone can read the file with a simple editor.
    So, the solution would be to chown it to postfix:postfix and chmod 600 the sasl_passwd.db.

  4. Oh, and here’s a link to a proof of concept:

    http://p.data.lt/67

  5. @sysmonk, all

    You need to have the sasl_passwd file owned by root:root or root:wheel (depending on the OS), with 0600 permissions. Otherwise you could potentially expose your server. Postfix will still be able to read the file, because it gets started with root privileges.

    To sum it up, Ben is right, and these are the right commands to issue:

    # chown root:root /etc/postfix/sasl_passwd && chmod 600 /etc/postfix/sasl_passwd

    #### or, on BSD-like boxes ####

    # chown root:wheel /etc/postfix/sasl_passwd && chmod 600 /etc/postfix/sasl_passwd

    Also, remember to run (as root):
    # postmap /etc/postfix/sasl_passwd
    whenever you change the sasl_passwd file.

    Cheers,
    Matt
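
The permission question raised in the post and comments can be checked mechanically. The script below is an added example, not part of the original post or any comment: it audits both the cleartext sasl_passwd and the sasl_passwd.db that a hash: map reads, and flags a .db left stale after an edit. The function names are hypothetical, and the expected owner defaults to uid 0 (root) with no group/other access, which is an assumption you can override with a second argument.

```shell
#!/bin/sh
# Added example: audit a Postfix SASL password map and its postmap output.
# Reports findings only; changes nothing on disk.

# check_secret_file FILE EXPECTED_UID
# Prints one finding per problem; returns 0 if clean, 1 otherwise.
check_secret_file() {
    file=$1 want_uid=$2 rc=0
    if [ ! -f "$file" ]; then
        echo "MISSING   $file"
        return 1
    fi
    # ls -lnL: numeric owner, follow symlinks. Field 1 = mode, field 3 = uid.
    set -- $(ls -lnL "$file" | awk '{print $1, $3}')
    mode=$1 uid=$2
    # Characters 5-10 of the mode string are the group and other bits.
    group_other=$(printf '%s' "$mode" | cut -c5-10)
    if [ "$group_other" != "------" ]; then
        echo "EXPOSED   $file mode $mode (group/other access to cleartext credentials)"
        rc=1
    fi
    if [ "$uid" != "$want_uid" ]; then
        echo "OWNER     $file owned by uid $uid, expected $want_uid"
        rc=1
    fi
    return $rc
}

# audit_sasl_map SOURCE [EXPECTED_UID]
# Checks SOURCE and SOURCE.db (the file a hash: map actually reads).
audit_sasl_map() {
    src=$1 want_uid=${2:-0} status=0
    check_secret_file "$src" "$want_uid" || status=1
    check_secret_file "$src.db" "$want_uid" || status=1
    # A source newer than its .db means postmap was not re-run after an edit.
    if [ -f "$src" ] && [ -f "$src.db" ] && [ "$src" -nt "$src.db" ]; then
        echo "STALE     $src.db is older than $src; re-run postmap"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK        $src and $src.db"
    return $status
}

# Run against a path given on the command line, e.g. /etc/postfix/sasl_passwd.
if [ "$#" -gt 0 ]; then audit_sasl_map "$@"; fi
```

postmap gives the .db file the same group and other read permissions as its source, so tightening sasl_passwd before running postmap keeps the two files consistent.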