using a secured relay in Postfix

I have a server on a LAN that needs to send emails. Of course, this server has access to the internet through NAT, but for emails it is a bit more difficult: nowadays, email servers check many things when receiving emails (reverse, ‘from’ field, etc.) and you may not have access to this kind of tuning for the internet IP address used with your NAT. So I needed to configure a relayhost, with direct access to the internet, that would accept my incoming email and relay it through normal channels. But I don’t want this server to be an open relay, so I have to set up authentication between them.

Configuration on Postfix is quite easy:

relayhost =
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_use_tls = yes
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

Now, let’s create the file /etc/postfix/sasl_passwd:

Create the hash for this file:

$ postmap /etc/postfix/sasl_passwd

Then restart Postfix and let’s check whether everything is working:

postfix/qmgr[44536]: 62A2D16012B: from=<root@xxxxx>, size=438, nrcpt=1 (queue active)
postfix/smtp[44689]: warning: SASL authentication failure: No worthy mechs found
postfix/smtp[44689]: 62A2D16012B: to=<>,[X.X.X.X]:587, delay=10, delays=10/0.04/0.04/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server[X.X.X.X]: no mechanism available)

Damn, there is an authentication error, it seems. I double-check my password… No, it is not the issue. Let’s focus on the error message:

no mechanism available

So, it seems Postfix did not find any suitable auth mechanism. I know my relayhost is using PLAIN SASL auth… Maybe I’m missing some libs:

$ rpm -qa |fgrep sasl

Here, I need the cyrus-sasl-plain lib! Let’s install it and retry:

$ yum install -y cyrus-sasl-plain
$ /etc/init.d/postfix restart
$ postqueue -f
postfix/smtp[556]: F297016012E: to=<>,[X.X.X.X]:587, delay=0.35, delays=0.01/0.04/0.28/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as EDF5C449D)

And voilà ! It works !
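
An added example, not part of the original post: a small audit of a relay-client setup like the one above. It flags that `smtp_use_tls = yes` is only opportunistic, so PLAIN credentials are protected only if TLS is made mandatory, and it checks that the password map entry matches `relayhost` and is readable by its owner only. The relay name, user, password and temporary paths are constructed placeholders, and `smtp_tls_security_level` assumes Postfix 2.3 or later.

```shell
# Print the value of single-line parameter $2 from main.cf-style file $1.
conf_get() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        { key = $0; sub(/[ \t]*=.*/, "", key) }
        key == k { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); val = v }
        END { print val }' "$1"
}

# Print one finding per line for main.cf $1 and password map $2.
audit_relay_client() {
    relay=$(conf_get "$1" relayhost)
    [ -n "$relay" ] || echo "relayhost is empty"
    [ "$(conf_get "$1" smtp_sasl_auth_enable)" = yes ] || echo "SASL auth is off"
    # smtp_use_tls = yes is opportunistic: TLS is used if offered, not required.
    case $(conf_get "$1" smtp_tls_security_level) in
        encrypt|dane-only|fingerprint|verify|secure) ;;
        *) echo "TLS is not mandatory for PLAIN auth" ;;
    esac
    # The map key must equal relayhost exactly, brackets and port included.
    if [ -n "$relay" ] && ! awk -v k="$relay" '$1 == k { f = 1 } END { exit !f }' "$2"; then
        echo "no sasl_passwd entry for $relay"
    fi
    for f in "$2" "$2.db"; do
        [ -e "$f" ] || continue
        [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] || echo "$f has group/other permissions"
    done
    return 0
}

# Constructed fixture: the page's client settings with a placeholder relay,
# plus a password map left world-readable.
make_fixture() {
    printf '%s\n' 'relayhost = [relay.example.com]:587' \
        'smtp_sasl_auth_enable = yes' \
        'smtp_sasl_security_options = noanonymous' \
        'smtp_use_tls = yes' > "$1/main.cf"
    printf '%s\n' '[relay.example.com]:587 demo-user:demo-password' > "$1/sasl_passwd"
    chmod 644 "$1/sasl_passwd"
}

# Apply the two corrections the audit asks for.
harden() {
    echo 'smtp_tls_security_level = encrypt' >> "$1/main.cf"
    chmod 600 "$1/sasl_passwd"
}

d=$(mktemp -d); make_fixture "$d"
echo "before:"; audit_relay_client "$d/main.cf" "$d/sasl_passwd"
harden "$d"; echo "after:"; audit_relay_client "$d/main.cf" "$d/sasl_passwd"; rm -rf "$d"
```

On a real host, run `postmap` again after editing `sasl_passwd` so the `.db` file matches, and point the audit at `/etc/postfix/main.cf` and `/etc/postfix/sasl_passwd`.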
