at work i have to use an outbound mail server that requires smtp auth. that's fine, except postfix expects that you save the password in a file for sasl. my paranoia level disagrees with passwords ending up on disk unencrypted, so i decided to improve matters by convincing postfix to use the kernel keystore for accessing passwords.

i like the keystore a lot because it lets me enter passwords on demand and keep them in memory only. i dislike most userland "keyring" systems as too big and complicated; i'd rather trust the kernel (which i have to anyway).

fortunately postfix (and sendmail) support the same "socket" (tcp or unix domain) protocol for interacting with external services. in postfix it's called a "socketmap table".

so i cooked up a small socketmap server in perl which listens on a local unix domain socket (somewhere in postfix's changerooted runtime area), and which requests a 'key' (=my smtp password) from the kernel keystore when queried.

you can download keysockmap here. in my environment postfix is configured with smtp_sasl_password_maps = socketmap:unix:/tmp/mysockmap:allmine and when i start my work day i fire up a keysockmap instance: keysockmap -g postfix -o allmine -p mysmtpusername -s /var/spool/postfix/tmp/mysockmap.

when postfix needs to send emails out it queries the socketmap for the outbound, keysockmap asks the kernel keystore for a password for that and returns it prefixed with mysmtpusername and a colon.

this prefixing is required because postfix' sasl setup wants username:password combos, and i don't want the kernel key store to hold my smtp username, just the password.

pretty simple, and i think better than saving your password in a file.

[ published on Sat 12.09.2015 15:31 | filed in interests/crypto | ]
Debian Silver Server
© Alexander Zangerl