Postfix sasl_password file and MX resolution

Thanks to @AlexD idea, we'll implement the following transport table in order to simulate a IP failover using the DNS MX resolution (postfix 3.3)

Relay for 2 domains, exemple[12].com

exemple1.com   relay:mx.myhost.com:587
exemple2.com   relay:mx.myhost.com:587

In DNS

A    ip1.myhost.com      1.2.3.4
A    ip2.myhost.com      11.12.13.14

MX   mx.myhost.com   10  ip1.myhost.com
MX   mx.myhost.com   50  ip2.myhost.com

The postfix relay should first use ip1 (priority 10) and ip2 (50) if ip1 fails.

Provided that this is correct, next step is the SMTP authentication. The same set of username/password is available for both the ip1 and ip2 connections.

user:pass

Question: in the sasl_passwd map, since both ip1 and ip2 use the same user:pass set, can we / should we use the to-be-mx-resolved host (one entry) or do we have to use two identical user/pass entries one for [ip1] and one for [ip2]? (Does the SASL authentication indirectly accepts a host to be MX resolved and then apply the authentication to the resolved entry?)

a) Is this sasl_passwd file ok

 mx.myhost.com:587   user:pass

b) or this one

 [ip1.myhost.com]:587   user:pass
 [ip2.myhost.com]:587   user:pass

c) and by the way is this the same as using directly the IPs?

 [1.2.3.4]:587       user:pass
 [11.12.13.14]:587   user:pass

(provided the A record does not change)


man 5 postconf says following:

smtp_sasl_password_maps (default: empty) Optional Postfix SMTP client lookup tables with one username:password entry per sender, remote hostname or next-hop domain.

SASL_README has the following:

Important

If you specify the "[" and "]" in the relayhost destination, then you must use the same form in the smtp_sasl_password_maps file.

If you specify a non-default TCP Port (such as ":submission" or ":587") in the relayhost destination, then you must use the same form in the smtp_sasl_password_maps file.

Example configuration:

/etc/postfix/sasl_passwd:
    # destination                   credentials
    [mail.isp.example]              username:password
    # Alternative form:
    # [mail.isp.example]:submission username:password

So according to the documentation quoted above, you need to write your destination the same way as it used in your transport table. If you have mx.myhost.com:587 then you need to use

mx.myhost.com:587 user:pass