How To Setup Postfix To Relay Outbound Mail Using SASL

By Angsuman Chakraborty, Gaea News Network
Tuesday, October 23, 2007

Postfix is an excellent and powerful mail transfer agent (MTA), like sendmail. You can configure Postfix to send outbound mail directly (the default) or to relay it to another MTA, which could be Postfix or sendmail. However, you don't want just anyone to be able to relay mail through the server, so MTAs are normally configured to relay mail only from trusted and/or authenticated networks (this is configurable). Another option is available when your local MTA has a fixed IP address. For all other cases, SASL is a very secure and easily configurable option, as detailed below.

A typical configuration on the server which receives email for relaying to remote hosts looks like:
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination

The permit_sasl_authenticated entry ensures that SASL authenticated clients are permitted to relay emails through this server.

However you have to configure your local postfix server to relay outbound mails to this server and also to use SASL while relaying. You need to first set your relayhost parameter to relay outbound mails to your specified server. The relayhost parameter specifies the default host to send mail to when no entry is matched in the optional transport table. When no relayhost is given, mail is routed directly to the destination.
My relayhost setting is:
relayhost =
This ensures relaying of emails. Now, to configure sending mail with SASL, you need to set at least the following:

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_mechanism_filter = plain, login
smtp_sasl_security_options = noanonymous

The file /etc/postfix/sasl_passwd must contain the login and password that your local Postfix will use to authenticate itself. It looks like: username:secret_password

Replace with the domain of your receiving postfix server (MTA). Replace username with a valid user name and secret_password with a valid password.

You should create the hash of the map by using:
postmap /etc/postfix/sasl_passwd

Restart Postfix as follows and you will be ready to go:
service postfix restart

Note: You can debug both the postfix servers by checking /var/log/maillog (use tail -f).
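
A quick audit of the client-side setup described above, as an added example that is not part of the original article: it checks the smtp_sasl_* settings, the permissions on sasl_passwd and its .db, and the entry format. The smtp_tls_security_level check is an assumption added here (the article does not configure TLS), and the function names and the relay.example.com entry are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article. Parses main.cf naively (one
# "name = value" per line); on a live host use `postconf -h NAME` instead.
cf_get() {  # cf_get FILE NAME -> last value assigned to NAME
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

audit_sasl_relay() {  # audit_sasl_relay MAIN_CF SASL_PASSWD; rc 1 on findings
    cf=$1; pw=$2; bad=0
    [ -f "$pw" ] || { echo "$pw is missing"; return 1; }
    [ "$(cf_get "$cf" smtp_sasl_auth_enable)" = yes ] ||
        { echo "smtp_sasl_auth_enable is not yes"; bad=1; }
    case "$(cf_get "$cf" smtp_sasl_security_options)" in
        *noanonymous*) ;;
        *) echo "smtp_sasl_security_options lacks noanonymous"; bad=1 ;;
    esac
    # PLAIN and LOGIN send the password merely base64-encoded, so they need
    # mandatory TLS (assumption of this example). An empty filter allows them too.
    case "$(cf_get "$cf" smtp_sasl_mechanism_filter)" in ''|*plain*|*login*)
        case "$(cf_get "$cf" smtp_tls_security_level)" in
            encrypt|dane-only|fingerprint|verify|secure) ;;
            *) echo "plain/login allowed without mandatory TLS"; bad=1 ;;
        esac ;;
    esac
    # The map and its postmap-built .db hold the password in clear text.
    for f in "$pw" "$pw.db"; do
        [ -e "$f" ] || continue
        [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
            { echo "$f is accessible to group or other"; bad=1; }
    done
    # Every entry must read "host user:password".
    awk 'NF && $1 !~ /^#/ && (NF < 2 || $2 !~ /^[^:]+:./) { exit 1 }' "$pw" ||
        { echo "$pw has an entry that is not \"host user:password\""; bad=1; }
    return "$bad"
}

# Constructed sample: the article's four settings and a world-readable map.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'smtp_sasl_auth_enable = yes' \
        'smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd' \
        'smtp_sasl_mechanism_filter = plain, login' \
        'smtp_sasl_security_options = noanonymous' > "$d/main.cf"
    echo '[relay.example.com]:587 username:secret_password' > "$d/sasl_passwd"
    chmod 644 "$d/sasl_passwd"
    audit_sasl_relay "$d/main.cf" "$d/sasl_passwd"; rc=$?
    rm -rf "$d"; return "$rc"
}
demo || true
```

On the constructed sample the audit reports two findings: plain/login without mandatory TLS, and a map file readable by group or other. Setting `smtp_tls_security_level = encrypt` and running `chmod 600` on the map clears both.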
