A note about SASL mechs
Whether authentication is performed using DIGEST-MD5, PLAIN, CRAM-MD5, etc. doesn't really matter to this procedure. The only caveat for the type of authentication is that the appropriate SASL plugin has to be installed; for PLAIN you need to "yum install cyrus-sasl-plain". If you get to the end without a SASL plugin for any mechanism the central SMTP server supports you'll see messages like "SASL authentication failure: No worthy mechs found". It is the central SMTP server that determines which authentication mechanisms are acceptable; your client has to support at least one of them. One gotcha here: the Postfix client's default smtp_sasl_security_options is "noplaintext, noanonymous", which rules out PLAIN and LOGIN even inside TLS, so a relay that only offers those produces the same "No worthy mechs found" error. Setting smtp_sasl_tls_security_options to "noanonymous" permits the plaintext mechanisms only over an encrypted connection, which is the right place to permit them.
Step #1 : Point to the central SMTP server
Configure the Postfix instance to only listen to the local interface and to send all mail, regardless of destination, to the central relay.
postconf -e inet_interfaces=localhost
postconf -e relayhost='[smtp.example.com]'
Text 1: Setting the central SMTP server (relayhost)
Step #2 : Enable authentication & encryption
Of course you'll want to encrypt the traffic, and the relay host will probably only permit authentication over an encrypted connection anyway. Be aware that smtp_use_tls=yes is opportunistic: Postfix uses STARTTLS when the relay offers it, falls back to cleartext when it doesn't, and logs (but does not act on) a certificate that fails verification. On Postfix 2.3 and later the same setting is smtp_tls_security_level=may; use "encrypt" to refuse cleartext delivery, or "verify" so that delivery also fails when the relay's certificate can't be validated against the CA configured below.
postconf -e smtp_sasl_auth_enable=yes
postconf -e smtp_use_tls=yes
postconf -e smtp_tls_note_starttls_offer=yes
Text 2: Enable TLS & authentication
If the site is using its own CA certificate to issue SSL certificates then that CA certificate must be available on the host in order to verify the host certificate of the SMTP relay.
postconf -e smtp_tls_CAfile=/path/to/the/cacert.pem
Text 3: Set the path to the CA certificate
Step #3 : Establish the authentication credentials
Now the Postfix client needs some credentials. These are written to a file and then a Postfix map is generated from that file with postmap. The format of the file is the hostname of the relay, whitespace, and then the username and password delimited by a colon. The lookup key must be either the hostname of the relay (the host Postfix actually connects to) or the relayhost value exactly as written, including the [] and any :port; an entry under any other name means the local Postfix instance won't attempt to log in, because it thinks it has no credentials. The file holds the password in clear text (and the echo below also leaves it in your shell history), so the permissions on the sasl_passwd and sasl_passwd.db files should be restricted so that only user root and group mail can read them.
cd /etc/postfix
echo "smtp.example.com username:password" > sasl_passwd
postmap sasl_passwd
postconf -e smtp_sasl_password_maps=hash:/etc/postfix/sasl_passwd
chown root:mail sasl_passwd sasl_passwd.db
chmod 640 sasl_passwd sasl_passwd.db
Text 4: Creating the sasl_passwd map
Optional Extra Paranoia
My personal preference, for a bit of added paranoia, is to also set the immutable flag on the three security-sensitive files.
chattr +i cacert.pem sasl_passwd sasl_passwd.db
Text 5: Making the sensitive files immutable.
A file set immutable cannot be modified, deleted, renamed, or hard-linked to, not even by root, at least not until the flag is explicitly removed with "chattr -i". This protects the files from being modified or deleted unintentionally as well as making them that much more difficult to modify maliciously. The flag is supported on ext2/3/4 and XFS. Remember to remove it before rotating the password, since postmap has to rewrite sasl_passwd.db, and to set it again afterwards.
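The most common way Steps 1 through 3 go wrong is a sasl_passwd key that doesn't match what Postfix looks up, which silently turns into an unauthenticated delivery attempt. The script below is an added example, not part of the original write-up or of Postfix: it checks a sasl_passwd file against the configured relayhost value (Postfix accepts either the relayhost string exactly as written or the bare server hostname as the key), validates the "key username:password" line format, and wraps the postmap/chown/chmod/chattr sequence in the order the steps need. The function names, the /etc/postfix path, the root:mail ownership and the sample sasl_passwd contents are assumptions taken from the steps above; the demo works on a temporary file and never touches the live configuration.

```sh
#!/bin/sh
# Added example, not from the original article: check a sasl_passwd file
# against the configured relayhost before building the map, then install it.
# /etc/postfix paths and root:mail ownership follow the article; the demo
# below works on a temporary copy and never touches the live files.

# Reduce a relayhost value to the bare server name, stripping the optional
# [] (which suppresses the MX lookup) and :port,
# e.g. "[smtp.example.com]:587" -> "smtp.example.com".
relay_hostname() {
    printf '%s\n' "$1" | sed -e 's/^\[\(.*\)\].*$/\1/' -e 's/:[0-9]*$//'
}

# Succeed if the file has a credentials line whose key is either the
# relayhost string exactly as configured or the bare server name. Postfix
# looks the table up under both; an entry under any other name means "no
# credentials" and an unauthenticated delivery attempt.
sasl_key_present() {
    _host=$(relay_hostname "$1")
    awk -v k1="$1" -v k2="$_host" '
        NF == 0 || $1 ~ /^#/ { next }
        $1 == k1 || $1 == k2 { found = 1 }
        END { exit found ? 0 : 1 }' "$2"
}

# Succeed if every non-comment line is "key<whitespace>username:password",
# the single-token form the article uses (a password containing whitespace
# is not handled here).
sasl_file_wellformed() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        NF != 2 || $2 !~ /^[^:]+:.+$/ { bad = 1 }
        END { exit bad ? 1 : 0 }' "$1"
}

# Build the hash map and lock the files down in the order the steps need:
# postmap first (it creates sasl_passwd.db), then ownership and mode, then
# the immutable flag last, because postmap must be able to write the .db.
# Not run by the demo; call it as root on the real directory.
install_sasl_passwd() {
    _dir=$1                                  # e.g. /etc/postfix
    postmap "$_dir/sasl_passwd" &&
    chown root:mail "$_dir/sasl_passwd" "$_dir/sasl_passwd.db" &&
    chmod 640 "$_dir/sasl_passwd" "$_dir/sasl_passwd.db" &&
    chattr +i "$_dir/sasl_passwd" "$_dir/sasl_passwd.db"
}

# Demo on a constructed file: the article's entry (bare hostname) matches a
# relayhost of [smtp.example.com] with or without a port; an entry for a
# different name does not.
demo() {
    _tmp=$(mktemp -d)
    printf 'smtp.example.com username:password\n' > "$_tmp/sasl_passwd"
    for rh in '[smtp.example.com]' '[smtp.example.com]:587' '[mail.example.com]'; do
        if sasl_key_present "$rh" "$_tmp/sasl_passwd"; then
            echo "relayhost=$rh: credentials will be found"
        else
            echo "relayhost=$rh: NO credentials found, Postfix will not authenticate"
        fi
    done
    sasl_file_wellformed "$_tmp/sasl_passwd" && echo "file format ok"
    rm -rf "$_tmp"
}
demo
```

Run sasl_key_present with the exact string you passed to postconf -e relayhost; if it fails, fix the key in sasl_passwd rather than the relayhost, then run install_sasl_passwd /etc/postfix as root to rebuild and lock down the map.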
Step #4: Test
Now you should be able to send some mail; this is most easily accomplished with the mail command [which is provided in the mailx package]. Reload Postfix first so it picks up the new main.cf (a change to inet_interfaces needs a full "postfix stop" and "postfix start", not just a reload). Watch the /var/log/maillog file to see your message go, or to see any errors. If you see messages like "certificate verification failed for ..." then Postfix doesn't accept the validity of the central SMTP relay's certificate: either the CA cert specified in Step #2 is wrong or the permissions are incorrect and Postfix cannot read the file. Note that with the opportunistic TLS setting from Step #2 the message is still delivered after that warning, so a successful delivery on its own does not prove the relay's certificate was verified.
When the mail you've sent arrives in your INBOX, look at the headers: the relay records both the TLS cipher and the authenticated sender, so you should see something very much like:
Received: from client.example.com (client.example.com [192.168.1.70])
        (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
        (No client certificate requested)
        (Authenticated sender: smtpclient)
        by smtp.example.com (Postfix) with ESMTP id 5FD712000C
        for ; Wed, 8 Feb 2012 12:05:19 -0500 (EST)
Text 6: Example header from a secure and authenticated e-mail.
Your server is now securely sending messages.
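Reading maillog by eye works for one host; for a fleet it helps to have the test step scripted. The script below is an added example, not part of the original write-up or of Postfix: it scans maillog lines for the failure messages discussed in this step (the two quoted in this article plus the "SASL authentication failed; server ... said:" message Postfix logs when the relay rejects the credentials) and maps each to the step that fixes it, then checks a Received: header for the two things to look for, a TLS cipher and an authenticated sender. The log lines in demo_log are constructed for the demo (hostnames, PIDs and queue IDs are made up), the function names are my own, and the header is the one shown above.

```sh
#!/bin/sh
# Added example, not from the original article: triage the maillog lines
# from the test send and check the Received: header the relay stamps on the
# delivered message. The log lines in demo_log are constructed for this demo;
# the message texts they carry are the ones Postfix actually logs.

# Read maillog lines (files given as arguments, or stdin) and print one
# diagnosis per failure line, naming the step that fixes it. Returns 0 if no
# failure was seen, 1 otherwise. A status=sent line alone is not proof of a
# verified certificate: at the opportunistic TLS level the article configures,
# Postfix logs the verification failure and delivers anyway.
triage_maillog() {
    awk '
        /certificate verification failed for/ {
            print "TLS: relay certificate not trusted; check smtp_tls_CAfile and its permissions (Step #2)"; bad = 1; next }
        /SASL authentication failure: No worthy mechs found/ {
            print "SASL: no mechanism in common; install the cyrus-sasl plugin for a mechanism the relay offers"; bad = 1; next }
        /SASL authentication failed; server/ {
            print "SASL: relay rejected the credentials; check the sasl_passwd entry and re-run postmap (Step #3)"; bad = 1; next }
        END { exit bad ? 1 : 0 }
    ' "$@"
}

# Succeed only if a Received: header shows both a TLS cipher and an
# authenticated sender, the two things the article says to look for.
received_header_ok() {
    printf '%s\n' "$1" | grep -q 'using TLSv' &&
    printf '%s\n' "$1" | grep -q 'Authenticated sender:'
}

# Constructed sample of /var/log/maillog from a misconfigured client: one
# attempt with no usable SASL mechanism, then one that delivered despite an
# untrusted relay certificate.
demo_log() {
    cat <<'EOF'
Feb  8 12:04:51 client postfix/smtp[2101]: warning: SASL authentication failure: No worthy mechs found
Feb  8 12:05:18 client postfix/smtp[2104]: certificate verification failed for smtp.example.com[192.168.1.10]:25: untrusted issuer /CN=Example Internal CA
Feb  8 12:05:19 client postfix/smtp[2104]: 3A9C81F2D4: to=<user@example.com>, relay=smtp.example.com[192.168.1.10]:25, delay=0.4, delays=0.02/0.01/0.3/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5FD712000C)
EOF
}

if demo_log | triage_maillog; then
    echo "no failures in the sample log"
else
    echo "failures found in the sample log (diagnoses above)"
fi

# The article's example header, folded as it arrives in the mailbox.
sample_header='Received: from client.example.com (client.example.com [192.168.1.70])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	(Authenticated sender: smtpclient)
	by smtp.example.com (Postfix) with ESMTP id 5FD712000C'
received_header_ok "$sample_header" && echo "header shows TLS and an authenticated sender"
```

On a real host run triage_maillog /var/log/maillog after the test send; an empty result with exit status 0, together with a header that passes received_header_ok, is the outcome the article describes.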