Postfix SASL relayhost

Nota Bene:

/!\ Notice: This documentation was written for CentOS 5. It may not be accurate for CentOS 6 or subsequent releases.

1. Introduction

This guide is designed to compliment the basic postfix guide. It is written for CentOS 5. Configuration will differ for CentOS 6.

2. What is SASL and do I need it?

SASL (Simple Authentication and Security Layer) provides a mechanism of authenticating users using their username and password. Probably the most well known implementation of SASL is provided by the Cyrus SASL library.

If your ISP blocks port 25 connections and requires you to authenticate to send email, you will need to configure SASL.

3. What about SSL/TLS?

So SASL is able to provide a mechanism to authenticate remote users by username and password who wish to send mail through the mail server. We have a problem in that these mechanisms are sending usernames and passwords in plain text across the Internet (SASL does support various encrypted authentication methods such as DIGEST-MD5 but these aren’t always universally supported by email client software). This poses a security risk as anyone can potentially intercept this information and steal login details so we need to encrypt the connection. SSL (Secure Sockets Layer), and more recently TLS (Transport Layer Security), offer a mechanism to encrypt communications between two hosts, in our case our mail server and our remote client. SSL was renamed TLS by the IETF as of version 3.1.

4. Configuring stunnel for SSL connections

Start by installing and configuring stunnel. In this example we will use and port 465. Replace these values with your ISP's values.

yum -y install stunnel telnet
cat >> /etc/stunnel/stunnel.conf <<EoT
accept  = 10465
client = yes
connect =
wget -O /etc/init.d/stunnel
chmod 755 /etc/init.d/stunnel
chkconfig stunnel on; service stunnel start

Test that the stunnel connection is working with a telnet connection.

$ telnet localhost 10465
Connected to localhost.localdomain (
Escape character is '^]'.
220 ESMTP ready
$ quit
221 2.0.0 Bye
Connection closed by foreign host.

5. Configuring SASL in postfix

The first step is to create the files with your credentials for the ISP.

echo "[]:10465" >> /etc/postfix/relay_creds
postmap /etc/postfix/relay_creds
chmod go-rwx /etc/postfix/relay_creds*

The second step is to add new setting to the postfix file.

cat >> /etc/postfix/ <<EoT

#added to enable SASL support for relayhost
relayhost = []:10465
smtp_sasl_type = cyrus
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/relay_creds
smtp_sasl_security_options = noanonymous
smtp_use_tls = yes
smtp_cname_overrides_servername = no
smtp_sasl_mechanism_filter = plain, login
service postfix reload

6. Test for Delivery

SASL is configured and email should be routed through the relayhost. Check /var/log/maillog if there are errors. If you need to update the credentials, be sure to run "postmap /etc/postfix/relay_creds" and "service postfix reload".

If you get an error about email being sent from an unknown user, you may need to send all email from the email address of your ISP's account. In this example, replace the email address with the one provided by your ISP.

echo '/.*/' >> /etc/postfix/sender_canonical
postmap /etc/postfix/sender_canonical
echo 'sender_canonical_maps = regexp:/etc/postfix/sender_canonical' >> /etc/postfix/
service postfix reload

HowTos/postfix sasl relayhost (last edited 2013-10-29 14:48:09 by carltm)