Postfix SASL relayhost

1. Introduction

This guide is designed to compliment the basic postfix guide. It is written for CentOS 7 and 8. Configuration will differ for CentOS 6.

2. What is SASL and do I need it?

SASL (Simple Authentication and Security Layer) provides a mechanism of authenticating users using their username and password. Probably the most well known implementation of SASL is provided by the Cyrus SASL library.

If your ISP blocks port 25 connections and requires you to authenticate to send email, you will need to configure SASL.

3. What about SSL/TLS?

So SASL is able to provide a mechanism to authenticate remote users by username and password who wish to send mail through the mail server. We have a problem in that these mechanisms are sending usernames and passwords in plain text across the Internet (SASL does support various encrypted authentication methods such as DIGEST-MD5 but these aren’t always universally supported by email client software). This poses a security risk as anyone can potentially intercept this information and steal login details so we need to encrypt the connection. SSL (Secure Sockets Layer), and more recently TLS (Transport Layer Security), offer a mechanism to encrypt communications between two hosts, in our case our mail server and our remote client. SSL was renamed TLS by the IETF as of version 3.1.

4. Research your ISP

You will need to visit your ISP's documentation to find the SMTP server and port for authenticated SMTP. In this example, we are using the fictitious ISP "example.com" which has an SMTP server "smtp.example.com" with the port 587.

5. Configuring SASL in postfix

The first step is to create the files with your credentials for the ISP.

$ echo "smtp.example.com:587  MyUserName@example.com:SecretPassword" | sudo tee /etc/postfix/relay_creds
$ sudo postmap /etc/postfix/relay_creds
$ sudo chmod go-rwx /etc/postfix/relay_creds*

The second step is to add new setting to the postfix main.cf file.

$ sudo tee -a /etc/postfix/main.cf <<EoT

# added to enable SASL support for relayhost
# host to relay all mail through
relayhost = [smtp.example.com]:587
# enable SASL authentication
smtp_sasl_auth_enable = yes
# where to find sasl_passwd
smtp_sasl_password_maps = hash:/etc/postfix/relay_creds
# disallow methods that allow anonymous authentication.
smtp_sasl_security_options = noanonymous
# Enable STARTTLS encryption
smtp_use_tls = yes
EoT


$ sudo systemctl restart postfix.service

Please read the Postfix web site for more details on the above configuration options.

6. Test for Delivery

SASL is configured and email should be routed through the relayhost. Check /var/log/maillog if there are errors. If you need to update the credentials, be sure to run "postmap /etc/postfix/relay_creds" and "systemctl restart postfix.service".

If you get an error about email being sent from an unknown user, you may need to send all email from the email address of your ISP's account. In this example, replace the email address with the one provided by your ISP.

$ echo '/.*/ MyUserName@example.com' | sudo tee -a /etc/postfix/sender_canonical
$ sudo postmap /etc/postfix/sender_canonical
$ echo 'sender_canonical_maps = regexp:/etc/postfix/sender_canonical' | sudo tee -a /etc/postfix/main.cf
$ sudo systemctl restart postfix.service