at work i have to use an outbound mail server that requires smtp auth. that's fine, except postfix expects that you save the password in a file for sasl. my paranoia level disagrees with passwords ending up on disk unencrypted, so i decided to improve matters by convincing postfix to use the kernel keystore for accessing passwords.
i like the keystore a lot because it lets me enter passwords on demand and keep them in memory only. i dislike most userland "keyring" systems as too big and complicated; i'd rather trust the kernel (which i have to anyway).
fortunately postfix (and sendmail) support the same "socket" (tcp or unix domain) protocol for interacting with external services. in postfix it's called a "socketmap table".
so i cooked up a small socketmap server in perl which listens on a local unix domain socket (somewhere in postfix's chrooted runtime area), and which requests a 'key' (= my smtp password) from the kernel keystore when queried.
you can download keysockmap here. in my environment postfix is configured with smtp_sasl_password_maps = socketmap:unix:/tmp/mysockmap:allmine and when i start my work day i fire up a keysockmap instance: keysockmap -g postfix -o allmine -p mysmtpusername -s /var/spool/postfix/tmp/mysockmap.
when postfix needs to send emails out it queries the socketmap for the outbound smtp.server.name, keysockmap asks the kernel keystore for a password for that smtp.server.name and returns it prefixed with mysmtpusername and a colon.
this prefixing is required because postfix's sasl setup wants username:password combos, and i don't want the kernel key store to hold my smtp username, just the password.
pretty simple, and i think better than saving your password in a file.
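to show what keysockmap has to do on the wire, here is an added python sketch of the same idea (not the perl script from this post). it speaks the postfix socketmap protocol (netstring-wrapped "table key" requests, "OK data" / "NOTFOUND " / "PERM reason" replies), serves only the configured table name, and prefixes hits with the username exactly as described above. the keyring access is an assumption: it shells out to the keyutils `keyctl` command and expects a 'user' key named after the smtp server to already sit in the session keyring.

```python
import os
import socket
import subprocess

def read_netstring(buf):
    """Parse one netstring '<len>:<payload>,'; return (payload, rest) or None if incomplete."""
    colon = buf.find(b":")
    if colon < 0:
        return None
    end = colon + 1 + int(buf[:colon])
    if len(buf) < end + 1:
        return None
    if buf[end:end + 1] != b",":
        raise ValueError("malformed netstring")
    return buf[colon + 1:end], buf[end + 1:]

def netstring(payload):
    return b"%d:%s," % (len(payload), payload)

def handle_request(payload, table, username, lookup):
    """Answer 'table key'; a hit becomes 'username:password' as smtp_sasl_password_maps wants."""
    try:
        name, key = payload.decode().split(" ", 1)
    except ValueError:
        return netstring(b"PERM malformed request")
    if name != table or (password := lookup(key)) is None:
        return netstring(b"NOTFOUND ")
    return netstring(b"OK " + f"{username}:{password}".encode())

def keyring_lookup(server):
    """Assumed helper: read the 'user' key named <server> from the session keyring via keyctl."""
    found = subprocess.run(["keyctl", "search", "@s", "user", server], capture_output=True, text=True)
    if found.returncode != 0:
        return None  # no such key: postfix gets NOTFOUND, nothing is ever written to disk
    return subprocess.run(["keyctl", "print", found.stdout.strip()],
                          capture_output=True, text=True, check=True).stdout.rstrip("\n")

def serve(path, table, username, lookup=keyring_lookup):
    """Listen on a unix socket under postfix's chroot, mode 0660 so only its group can query."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    os.chmod(path, 0o660)
    srv.listen(1)
    while True:
        with srv.accept()[0] as conn:
            buf = b""
            while chunk := conn.recv(4096):
                buf += chunk
                while (parsed := read_netstring(buf)) is not None:
                    request, buf = parsed
                    conn.sendall(handle_request(request, table, username, lookup))
```

run it as e.g. serve("/var/spool/postfix/tmp/mysockmap", "allmine", "mysmtpusername") after chowning the socket to the postfix group; the key has to be added to the session keyring beforehand (keyctl add user smtp.server.name - @s, typed interactively).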