Configuring SASL for SMTP authentication in Ciphermail 6.2

I am migrating from Ciphermail 5.5 to 6.2. We send outgoing mail via an external relay host with SASL authentication.

In 5.5 the credentials were configured in the Web UI under Admin / MTA / SASL. In 6.2 I cannot find this setting. The documentation says that the credentials must be in

/etc/postfix/maps.d/hash-smtp-sasl-password_maps.map

Format:

mailserver.domain.org:587 user@domain:plaintextpassword

I refreshed the corresponding db with:

postmap /etc/postfix/maps.d/hash-smtp-sasl-password_maps.map

No error was given and the map.db file was modified.

Unfortunately, postfix still sends to the relay host without authentication and the mail is rejected. The log says:

postfix/smtp 4fVYkR00Ktz2Ty1g: to=foo@bar, relay=xxxxx[x.x.x.x]:587, delay=20, delays=0.06/0.05/10/10, dsn=5.0.0, status=bounced (host xxxxx[x.x.x.x] said: 550 relay not permitted. authentication required (in reply to RCPT TO command))
postfix/smtp Trusted TLS connection established to xxxxx[x.x.x.x]:587: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
postfix/smtp warning: run-time library vs. compile-time header version mismatch: OpenSSL 3.5.0 may not be compatible with OpenSSL 3.2.0
postfix/smtp _sasl_plugin_load failed on sasl_canonuser_init
postfix/smtp ldapdb

Do I have to hash the password?

You can edit the MAP file directly from the UI: Admin → MTA → Maps, then select the smtp-sasl-password_maps file.

In most cases you need to embed the hostname between square brackets:

[mailserver.domain.org]:587    user@domain:plaintextpassword

Make sure that the port is configured outside the brackets.

I did not recognize that “Maps” item because of the German translation “Karten”.

Because I manually edited the file, the authentication entry was already in the map:

[mail.XXXXXX.de]:587 cipher@XX:plaintext_pwd

I contacted the mailserver admin. Ciphermail wants to send without authentication. We have a 5.5 production system with the same config, which works.

I believe it has something to do with that log message:

_sasl_plugin_load failed on sasl_canonuser_init

Okay, I solved it now. I removed the brackets from the hostname. The documentation says that the hostname must be equal to the relay_host setting concerning the brackets.

So either both with brackets or both without.

_sasl_plugin_load failed on sasl_canonuser_init

comes from the SASL ldap plugin which is not used/configured. One can ignore this message.

The square brackets tell Postfix whether to perform an MX lookup (without brackets) or an A record lookup (with brackets).

If it did not work with the brackets, you probably require MX lookup.
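
An offline check for the matching rule this thread arrives at (the map key must have the same form, brackets and port included, as the relay host setting), added here as an example and not taken from any post or from Ciphermail. The function name `check_sasl_key`, the sample hostname and the placeholder credentials are assumptions.

```shell
#!/bin/sh
# Added example: report whether a relay host value has an exactly matching
# key in a Postfix smtp_sasl_password_maps source file.
# Prints one of: match | bracket-mismatch | missing
check_sasl_key() {
    relayhost=$1
    mapfile=$2
    awk -v want="$relayhost" '
        # Remove square brackets so "[host]:587" and "host:587" compare equal.
        function strip(s) { gsub(/\[/, "", s); gsub(/\]/, "", s); return s }
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        {
            if ($1 == want) exact = 1      # same form: Postfix finds the entry
            else if (strip($1) == strip(want)) loose = 1
        }
        END {
            if (exact) print "match"
            else if (loose) print "bracket-mismatch"
            else print "missing"
        }' "$mapfile"
}

# Constructed sample map (hostname and credentials are placeholders).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# next-hop key            username:password
[mail.example.org]:587    user@example.org:PLACEHOLDER
EOF

check_sasl_key '[mail.example.org]:587' "$sample"   # relay host written with brackets
check_sasl_key 'mail.example.org:587'   "$sample"   # relay host written without brackets
```

On a live system the first argument would be the output of `postconf -h relayhost` and the second the map source file named in the question.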