Lee H. Marzke on 11 Feb 2018 19:36:43 -0800



[PLUG] Help with Postfix SASL auth to smarthost on RedHat distro


I'm having trouble with Postfix SMTP authentication to a smarthost on a new install of RH 7.3.

This is actually the latest FreePBX SNG7 OS based on RH 7.3 but shouldn't matter. 
https://en.wikipedia.org/wiki/FreePBX_Distro

I have Postfix SMTP auth over TLS working on an old Ubuntu release, but for some reason the Red Hat distro is giving me permission issues
with nearly the same setup. Any clues where I should look next?

Basically, SASL authentication strings are in the file /etc/postfix/sasl_passwd, containing two smart hosts:

[smtp.gmail.com]:587      username:password 
[smtp.smarthost2.net]:587 username:password 

and has permissions: 

-rw------- 1 root root 111   Feb 11 18:37 sasl_paswd 
-rw------- 1 root root 12288 Feb 11 19:42 sasl_paswd.db

the hash is updated/created with:
sudo postmap hash:/etc/postfix/sasl_passwd

Notes with CentOS claim that postfix reads the .db map file as root, then drops permissions on startup.

However, when I send email, I keep getting errors where postfix can't read the sasl_passwd.db file.

Feb 11 22:12:42 freepbx postfix/smtp[11208]: Trusted TLS connection established to smtp.gmail.com[209.85.232.108]:587: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Feb 11 22:12:42 freepbx postfix/smtp[11208]: warning: hash:/etc/postfix/sasl_passwd is unavailable. open database /etc/postfix/sasl_passwd.db: No such file or directory
Feb 11 22:12:42 freepbx postfix/smtp[11208]: warning: hash:/etc/postfix/sasl_passwd lookup error for "smtp.gmail.com"
Feb 11 22:12:42 freepbx postfix/smtp[11208]: warning: 89DF211780BB: smtp_sasl_passwd lookup error
Feb 11 22:12:42 freepbx postfix/smtp[11208]: 89DF211780BB: local data error while talking to smtp.gmail.com[209.85.232.108]

Now I know the file is there. And I've tried changing permissions to allow postfix group read, and other combinations,
but they always fail the same way.


The relevant sections of main.cf are:

#Setup TLS, using default self-signed certs

smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.trust.crt
smtp_tls_cert_file = /etc/pki/tls/certs/localhost.crt
smtp_tls_key_file = /etc/pki/tls/private/localhost.key

# Use smarthost
#relayhost = [smtp.protectedservice.net]:587
relayhost = [smtp.gmail.com]:587

# Setup SASL over TLS for smart host ( Gmail require TLS,  others may not )

smtp_use_tls = yes
smtp_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_type = cyrus 
smtp_tls_security_level = encrypt
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

###DEBUG
#debug_peer_list=smtp.gmail.com
#debug_peer_level=3


The policy map tls_policy contains (but this isn't causing issues so far):

[smtp.gmail.com]:587 encrypt
[smtp.othersmarhost.net]:587 encrypt


Regards,


Lee

-- 
"Between subtle shading and the absence of light lies the nuance of iqlusion..."  - Kryptos

Lee Marzke,  lee@marzke.net     http://marzke.net/lee/
IT Consultant, VMware, VCenter, SAN storage, infrastructure, SW CM
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
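
Added example, not part of the original post: a shell check for the condition behind the log warning above (a hash: map named in main.cf whose compiled .db cannot be opened). For each hash: map in main.cf it verifies that the .db exists under exactly that name, is not older than its source and, for smtp_sasl_password_maps, is not group- or world-accessible. The function name and finding labels are assumptions of this example, and each parameter is assumed to sit on one line.

```shell
#!/bin/sh
# Added example, not from the original post. check_hash_maps and its
# MISSING/STALE/EXPOSED labels are hypothetical names chosen here.
# Assumes every main.cf parameter sits on a single line.

check_hash_maps() {
    main_cf=$1
    rc=0
    # Active (non-comment) settings only.
    active=$(grep -v '^[[:space:]]*#' "$main_cf")
    # Sources of maps that hold credentials.
    secret=$(printf '%s\n' "$active" | grep '^smtp_sasl_password_maps' |
        grep -o 'hash:/[^[:space:],]*' | sed 's/^hash://')
    for src in $(printf '%s\n' "$active" |
        grep -o 'hash:/[^[:space:],]*' | sed 's/^hash://' | sort -u); do
        db=$src.db
        if [ ! -f "$db" ]; then
            rc=1
            echo "MISSING $db"
            # List the .db files that do exist there, so a misspelt or
            # misplaced name stands out next to the expected one.
            for near in "$(dirname "$db")"/*.db; do
                if [ -f "$near" ]; then echo "  present: $near"; fi
            done
            continue
        fi
        # postmap must be re-run after every edit of the source file.
        if [ -f "$src" ] && [ "$src" -nt "$db" ]; then
            rc=1
            echo "STALE $db (re-run: postmap hash:$src)"
        fi
        if printf '%s\n' "$secret" | grep -qxF "$src"; then
            # In the ls -ld mode string, characters 5-10 are the group
            # and other permission bits; all must be "-".
            if [ "$(ls -ld "$db" | cut -c5-10)" != "------" ]; then
                rc=1
                echo "EXPOSED $db (chmod 600)"
            fi
        fi
    done
    return $rc
}

# Usage: sh check_maps.sh /etc/postfix/main.cf
if [ "$#" -gt 0 ]; then check_hash_maps "$1"; fi
```

The function returns 0 with no output when every referenced map passes, and 1 with one finding per line otherwise.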