When setting up Postfix to relay emails through an external SMTP server, many admins encounter this frustrating error during the postmap step. The core issue stems from incorrect file permissions and ownership in the Postfix working directory.
# Typical error output
postmap: fatal: open database /etc/postfix/sasl_passwd.db: Permission denied
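Postfix requires two key files for SMTP authentication:
- /etc/postfix/sasl_passwd (plaintext credentials)
- /etc/postfix/sasl_passwd.db (lookup database built by postmap; "hash" is the index format, and the credentials inside are stored unencrypted, so this file needs the same protection as the plaintext one)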
First, ensure proper file creation and permissions:
# Create the sasl_passwd file
sudo nano /etc/postfix/sasl_passwd
# File content (replace with your actual SMTP credentials):
# [SMTP_SERVER] username:password
# Set correct permissions
sudo chmod 600 /etc/postfix/sasl_passwd
sudo chown root:root /etc/postfix/sasl_passwd
The critical step most tutorials miss - pre-creating the .db file with correct permissions:
# Create empty database file
sudo touch /etc/postfix/sasl_passwd.db
# Set strict permissions
sudo chmod 640 /etc/postfix/sasl_passwd.db
sudo chown postfix:root /etc/postfix/sasl_passwd.db
Now run postmap with elevated privileges:
sudo postmap hash:/etc/postfix/sasl_passwd
Confirm the database was created properly:
sudo ls -l /etc/postfix/sasl_passwd.db
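# The hash: map type appends .db itself, so pass the path without the extension.
# Quote the key so the shell does not treat the brackets as a glob pattern.
sudo postmap -q "[SMTP_SERVER]" hash:/etc/postfix/sasl_passwd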
If the error persists, also check:
- SELinux contexts on Fedora/RHEL systems (use restorecon -v /etc/postfix/sasl_passwd*)
- AppArmor profiles on Ubuntu/Debian
- Incorrect Postfix master process permissions
Add these lines to /etc/postfix/main.cf:
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
Remember to restart Postfix after configuration changes:
sudo systemctl restart postfix
When configuring Postfix to use external SMTP with SASL authentication, many administrators encounter this permission error during the postmap operation. The error occurs when trying to create or access the hashed credential database.
postmap: fatal: open database /etc/postfix/sasl_passwd.db: Permission denied
The authentication workflow involves these key files:
- /etc/postfix/sasl_passwd - Plaintext credentials file (format: [server]:port username:password)
- /etc/postfix/sasl_passwd.db - Hash-format lookup database generated by postmap (the credentials in it are not encrypted)
Here's the correct way to set up these files:
# Create the credentials file
sudo nano /etc/postfix/sasl_passwd
# Example content:
# [smtp.example.com]:587 username@example.com:yourpassword
# Set proper permissions
sudo chmod 600 /etc/postfix/sasl_passwd
sudo chown root:root /etc/postfix/sasl_passwd
# Generate the hash database
sudo postmap hash:/etc/postfix/sasl_passwd
Case 1: When the .db file doesn't exist yet
sudo touch /etc/postfix/sasl_passwd.db
sudo chmod 600 /etc/postfix/sasl_passwd.db
sudo chown postfix:postfix /etc/postfix/sasl_passwd.db
Case 2: SELinux contexts on Fedora/RHEL systems
# Register the file-context rule first, then relabel so the rule is applied
sudo semanage fcontext -a -t postfix_etc_t "/etc/postfix(/.*)?"
sudo restorecon -Rv /etc/postfix
After fixing permissions, verify with:
# The lookup key must match the left-hand side of the sasl_passwd entry exactly
sudo -u postfix postmap -q "[smtp.example.com]:587" hash:/etc/postfix/sasl_passwd
This should return your credentials without errors.
Ensure these settings are in main.cf:
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
- Check Postfix logs: tail -f /var/log/maillog
- Verify AppArmor/SELinux isn't blocking access
- Test SMTP connection: telnet smtp.example.com 587
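Both walkthroughs above depend on sasl_passwd and sasl_passwd.db staying unreadable to other local users. The script below audits that; it is an added example, not part of the original page. The function names and the allowed-owner lists (root for sasl_passwd; root or postfix for the .db, matching the chown commands above) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): audit the SASL credential files.
# Function names and the allowed-owner lists are assumptions for illustration.

# Print a file's owner name (third field of `ls -ld` output).
file_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# audit_cred_file FILE "owner1 owner2 ..."
# Succeeds only if FILE is a regular file, owned by an allowed owner,
# not group-writable, and has no permissions at all for "other".
audit_cred_file() {
    f=$1; allowed=$2
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "FAIL $f: missing or not a regular file"; return 1
    fi
    owner=$(file_owner "$f")
    case " $allowed " in
        *" $owner "*) ;;
        *) echo "FAIL $f: owner '$owner' not in: $allowed"; return 1 ;;
    esac
    perms=$(ls -ld "$f" | cut -c1-10)
    case $perms in
        -????-?---*) ;;   # e.g. -rw------- (600) or -rw-r----- (640)
        *) echo "FAIL $f: mode $perms exposes credentials"; return 1 ;;
    esac
    echo "OK   $f ($perms $owner)"
}

# Audit both files in DIR (default /etc/postfix); non-zero if either fails.
audit_postfix_sasl() {
    dir=${1:-/etc/postfix}; rc=0
    audit_cred_file "$dir/sasl_passwd" "root" || rc=1
    audit_cred_file "$dir/sasl_passwd.db" "root postfix" || rc=1
    return $rc
}
```

Source the file and run audit_postfix_sasl as root after every postmap run; a non-zero exit status means at least one of the two files is missing, has an unexpected owner, or is accessible beyond its owner and group.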