Postfix, SASL, SMTPAUTH, TLS and Relay

Sat 01 October 2011

Relaying with Postfix, SASL, Authentication and TLS

Create All The Files!

/etc/postfix/sasl/saslpass

relayuser:my password with spaces

/etc/postfix/tls_policy

[]:587 encrypt protocols=TLSv1 ciphers=high
[]:msa encrypt protocols=TLSv1 ciphers=high
[]:submission encrypt protocols=TLSv1 ciphers=high

Set File Permissions on SASL password file

chown root:root /etc/postfix/sasl/saslpass
chmod 600 /etc/postfix/sasl/saslpass

Hash All The Files!

postmap /etc/postfix/sasl/saslpass
postmap /etc/postfix/tls_policy

Configure All The Postfix!

## Since I am using TLS, I will allow plain text and LOGIN (which are disabled by default).
postconf -e "smtp_sasl_security_options = "

## Enable SASL for outgoing SMTP traffic.
postconf -e "smtp_sasl_auth_enable = yes"

### Add the SASL password map
postconf -e "smtp_sasl_password_maps = hash:/etc/postfix/sasl/saslpass"

### Set the TLS Policy map so that my mail server uses TLS w/ the appropriate policies.
postconf -e "smtp_tls_policy_maps = hash:/etc/postfix/tls_policy"

### Add the relayhost as my upstream mail server, note the format, it's important.
postconf -e "relayhost = []:587"
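
A pre-flight check for the files created above, added here as an example and not part of the original post: it confirms the password file mode, that both maps carry an entry keyed by the relayhost string in the same bracketed form, and that the TLS level does not permit cleartext. The host mail.example.com, the temporary paths and the function name check_relay_maps are constructed for illustration; GNU stat (as on Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU stat.

# check_relay_maps RELAYHOST SASLPASS TLS_POLICY
# Prints one finding per line; returns 0 when clean, 1 otherwise.
check_relay_maps() {
    relay=$1; sasl=$2; policy=$3; bad=0

    # The password file holds a cleartext credential: owner-only access.
    mode=$(stat -c '%a' "$sasl")
    case $mode in
        600|400) ;;
        *) echo "PERM $sasl mode=$mode (want 600)"; bad=1 ;;
    esac

    # The recipe keys both maps by the relayhost string, so the first
    # field must equal it in the same form, brackets and port included.
    for f in "$sasl" "$policy"; do
        if ! awk -v k="$relay" '$1 == k { hit = 1 } END { exit !hit }' "$f"; then
            echo "KEY  no entry for $relay in $f"; bad=1
        fi
    done

    # With plaintext mechanisms allowed, a level that permits cleartext
    # delivery (none, may) would send the password unencrypted.
    level=$(awk -v k="$relay" '$1 == k { print $2; exit }' "$policy")
    case $level in
        none|may) echo "TLS  level '$level' for $relay permits cleartext"; bad=1 ;;
    esac
    return "$bad"
}

# Constructed sample files; mail.example.com is a placeholder host.
demo=$(mktemp -d)
relay='[mail.example.com]:587'
printf '%s relayuser:my password with spaces\n' "$relay" > "$demo/saslpass"
printf '%s encrypt protocols=TLSv1 ciphers=high\n' "$relay" > "$demo/tls_policy"
chmod 600 "$demo/saslpass"
# Same host written without brackets: a key that no longer matches relayhost.
printf 'mail.example.com:587 may\n' > "$demo/tls_policy_bad"

check_relay_maps "$relay" "$demo/saslpass" "$demo/tls_policy" && echo "recipe files: OK"
check_relay_maps "$relay" "$demo/saslpass" "$demo/tls_policy_bad" || echo "mismatch detected"
```

The `encrypt` level makes TLS mandatory but does not verify the server certificate; `verify` or `secure` in the policy map add that check.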

Brief Explanation

I needed to relay from my in-house Linux box, which runs Postfix (on Ubuntu, incidentally), through my colo-hosted mail server. This recipe will work for Comcast, Verizon, Frontier, and Gmail. Those are the only places I have tested it. All of those mailservers have a Submission port (587) which accepts TLS.

This should work for just about any setup.


There are tons of howto's. I owe much to Bens Bits, Patrick Koetter, Postfix Documentation, and of course, Google.


Up To Something © Joshua M Schmidlkofer