SMTP Client Authentication

You may want your Postfix server to relay through other servers that require SMTP authentication. In addition to requiring passwords on your own server, you can configure Postfix to provide login names and passwords when relaying mail through other SMTP servers.

You have to provide Postfix with a password file that contains the credentials it should use when authenticating to other servers. Entries in the password file contain a domain or hostname, username, and password in the form: domain username:password. For the domain or hostname, Postfix first checks for the destination domain from the recipient address. If it doesn't find the domain, it then checks for the hostname it is connecting to. This allows Postfix to work easily with sites that have multiple MX hosts that share the same user database. Use smtp_sasl_password_maps parameter to specify where your password file is.

The client smtp_sasl_security_options parameter works just like server smtpd_sasl_security_options (discussed earlier in the chapter) for the SMTP servers. If you don't specify any options, the default allows all available mechanisms including plaintext but not anonymous logins.

12.5.1 Procedure to Enable SMTP Client Authentication

Use the following steps to configure Postfix to provide a login and password when relaying mail. In this example, you'll set up two different passwords for Postfix to authenticate when relaying through any server for the domain ora.com and through a host called mail.postfix.org:

1. Create a file called /etc/postfix/sasl_passwd with entries for each host, login, and password combination you need. Your file should resemble the following:

   ora.com kdent:Rumpelstiltskin
   mail.postfix.org kyle:quixote

2. Execute postmap on the file:

   # postmap /etc/postfix/sasl_passwd

3. Edit main.cf to turn on client authentication. Notice that you are now setting smtp_sasl_auth_enable instead of smtpd_sasl_auth_enable as you did to turn on authentication at the server. You must also set smtp_sasl_password_maps to point to the password file you created:

   smtp_sasl_auth_enable = yes
   smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

4. Reload Postfix so that it recognizes the changes in its main.cf configuration file:

   # postfix reload

Now, when the Postfix SMTP client attempts to relay messages through any of the domains or hosts listed in /etc/postfix/sasl_passwd, it will offer the corresponding authentication credentials. For example, if your Postfix smtp client connects to the server mail.ora.com, it authenticates with the username kdent and the password Rumpelstiltskin.