Postfix configuration guides

Here you can find a few guides that can help you configure more advanced Postfix features. Some of these can and are implemented as separate Ansible roles, here you can see the configuration specific to debops.postfix role.

Postfix SMTP client with SASL authentication

This configuration is based on the SMTP client SASL authentication HOWTO.

We will configure Postfix to act as an SMTP client and send all mail to a remote relay which requires SMTP authentication. This guide assumes that you already have an e-mail account set up elsewhere and you know the password.

For SASL authentication to work, Postfix requires libsasl2-modules package (there are some custom ones for LDAP, OTP, SQL). You need to tell debops.postfix role to install one for you, via Ansible inventory:

postfix__packages: [ 'libsasl2-modules' ]

It's best to keep the authentication details out of the Ansible inventory, therefore you should create a separate text file in the ansible/secret/ directory of the project directory (see debops.secret for details).

Create the file ansible/secret/postfix/smtp-auth.key. In it, put the e-mail account username and password in the form:


You now need to create a lookup table with the authentication credentials for Postfix to consume. You can do this using Ansible inventory:


  - name: ''
    mode: '0600'

      - name: '[]'
        value: '{{ lookup("file", secret + "/postfix/smtp-auth.key") }}'

The .in filename suffix tells Postfix to generate a hash table with the file contents. The files should be secured with the 0600 permissions, so only root will be able to read it.

The last piece of the puzzle is the Postfix configuration in the /etc/postfix/ You can set it via Ansible inventory:


  - name: 'smtp_sasl_auth_enable'
    value: True
    state: present

  - name: 'smtp_tls_security_level'
    value: 'encrypt'
    state: present

  - name: 'smtp_sasl_tls_security_options'
    value: 'noanonymous'
    state: present

  - name: 'relayhost'
    value: '[]'
    state: present

  - name: 'smtp_sasl_password_maps'
    value: [ 'hash:${config_directory}/smtp_sasl_password_maps' ]
    state: present

When you run the debops.postfix role with the above configuration, Postfix should now send all e-mails to the relayhost with SMTP client authentication. You can send an e-mail and check the logs in /var/log/mail.log to see if they are relayed correctly.