>Wakefield, Robin:
> Hello,
>
> My company requires that the passwords for all technical accounts
> be recycled regularly.
>
> Our implementation of SMTP authentication uses the nslcd service
> - we regularly rotate between 2 binddn accounts, so that we can
> perform the password updates on the inactive account, and then
> replace the active account in the conf file, etc.
>
> A new requirement is to now integrate this into the HashiCorp/EVA
> password management system.  At present, this is being engineered
> using scripts to extract the password from the HashiCorp vault,
> and then update the nslcd.conf file automatically.
>
> The question has been asked:
>
>   *   Are there any plans to fully integrate SMTP Authentication
>   with this password management system such that the mail operations
>   team don't even know what the password is?
>
> Has anyone any experience of this, or can suggest a way of achieving
> this?

If this is for receiving email, then the passwords are looked up
by Cyrus SASL or Dovecot. The Postfix SMTP server does not look up
passwords.

If this is for sending email, then the Postfix SMTP client looks
up passwords specified with smtp_sasl_password_maps. This can be a
local file, a database (LDAP, SQL) client, or a client for a service
that speaks the socketmap_table or tcp_table protocol.

        Wietse
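The socketmap_table option mentioned in the reply above, sketched as an added example (not code from this thread or from Postfix): the request-handling core of a lookup service that Postfix could query for smtp_sasl_password_maps, so the credential is fetched per lookup instead of being written to a file. Assumptions: the map name `sasl`, the `demo_fetch` stand-in for a vault read, the sample destination and credential, and the socket path in the comment are all constructed.

```python
# Added example: request handling for a socketmap_table service behind
# smtp_sasl_password_maps, e.g. (assumed main.cf line, placeholder path):
#   smtp_sasl_password_maps = socketmap:unix:/path/to/socket:sasl
MAX_LEN = 100000  # constructed upper bound on request size

# Constructed sample data: relay destination -> "username:password".
DEMO_SECRETS = {"[smtp.example.com]:587": "relayuser:constructed-secret"}

def demo_fetch(key):
    """Hypothetical stand-in for a read from the secret store."""
    return DEMO_SECRETS.get(key)

def encode_netstring(payload: bytes) -> bytes:
    return str(len(payload)).encode() + b":" + payload + b","

def decode_netstring(data: bytes) -> bytes:
    """Return the payload of exactly one netstring, or raise ValueError."""
    head, sep, rest = data.partition(b":")
    if not sep or not head.isdigit() or (len(head) > 1 and head[:1] == b"0"):
        raise ValueError("bad length prefix")
    n = int(head)
    if n > MAX_LEN or len(rest) != n + 1 or rest[n:] != b",":
        raise ValueError("bad netstring framing")
    return rest[:n]

def handle_request(raw: bytes, fetch, map_name: bytes = b"sasl") -> bytes:
    """Answer one socketmap request ('<map> <key>') with a status reply."""
    try:
        name, sep, key = decode_netstring(raw).partition(b" ")
        key_text = key.decode("utf-8")  # UnicodeDecodeError is a ValueError
    except ValueError:
        return encode_netstring(b"PERM malformed request")
    if not sep or name != map_name:
        return encode_netstring(b"PERM unknown map")
    try:
        cred = fetch(key_text)
    except Exception:
        # Keep backend details out of the reply; TEMP reports a
        # temporary lookup failure rather than "no such entry".
        return encode_netstring(b"TEMP secret backend unavailable")
    if cred is None:
        return encode_netstring(b"NOTFOUND ")
    return encode_netstring(b"OK " + cred.encode("utf-8"))

if __name__ == "__main__":
    print(handle_request(encode_netstring(b"sasl [smtp.example.com]:587"), demo_fetch))
```
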
