diff --git a/target/scripts/helpers/index.sh b/target/scripts/helpers/index.sh
index 027e0e6a..41d1b098 100644
--- a/target/scripts/helpers/index.sh
+++ b/target/scripts/helpers/index.sh
@@ -17,7 +17,6 @@ function _import_scripts
   source "${PATH_TO_SCRIPTS}/network.sh"
   source "${PATH_TO_SCRIPTS}/postfix.sh"
   source "${PATH_TO_SCRIPTS}/relay.sh"
-  source "${PATH_TO_SCRIPTS}/sasl.sh"
   source "${PATH_TO_SCRIPTS}/ssl.sh"
   source "${PATH_TO_SCRIPTS}/utils.sh"
 }
diff --git a/target/scripts/helpers/relay.sh b/target/scripts/helpers/relay.sh
index d1ae382e..8852bd44 100644
--- a/target/scripts/helpers/relay.sh
+++ b/target/scripts/helpers/relay.sh
@@ -64,16 +64,36 @@ function _env_relay_host
 # `/etc/postfix/sasl_passwd` example at end of file.
 function _relayhost_sasl
 {
-  if [[ ! -f /tmp/docker-mailserver/postfix-sasl-password.cf ]] && [[ -z ${RELAY_USER} || -z ${RELAY_PASSWORD} ]]
+  if [[ ! -f /tmp/docker-mailserver/postfix-sasl-password.cf ]] \
+    && [[ -z ${RELAY_USER} || -z ${RELAY_PASSWORD} ]] \
+    && [[ -z ${SASL_PASSWD} ]]
   then
-    _log 'warn' "No relay auth file found and no default set"
+    _log 'warn' "Missing relay-host mapped credentials provided via ENV, or from postfix-sasl-password.cf"
     return 1
   fi
 
+  _log 'trace' "Adding relay-host credential mappings to Postfix"
+
+  # Start from a new `/etc/postfix/sasl_passwd`:
+  : >/etc/postfix/sasl_passwd
+  chown root:root /etc/postfix/sasl_passwd
+  chmod 0600 /etc/postfix/sasl_passwd
+
+  # SASL_PASSWD is a legacy ENV, not likely in use by any users.
+  #
+  # Single ENV for specifying `<DEFAULT_RELAY_HOST>    <RELAY_USER>:<RELAY_PASSWORD>`,
+  # Where `<DEFAULT_RELAY_HOST>` must match the equivalent ENV,
+  # while the other two have no dependency to their equivalent ENV.
+  # SASL_PASSWD requires `smtp_sasl_password_maps` to be enabled - but that has only
+  # ever been via this function which relies upon RELAY_HOST. Hence redundant.
+  # TODO: Deprecate. Remove on next major version?
+  if [[ -n ${SASL_PASSWD} ]]
+  then
+    echo "${SASL_PASSWD}" >> /etc/postfix/sasl_passwd
+  fi
+
   if [[ -f /tmp/docker-mailserver/postfix-sasl-password.cf ]]
   then
-    _log 'trace' "Adding relay authentication from postfix-sasl-password.cf"
-
     # Add domain-specific auth from config file:
     while read -r LINE
     do
@@ -93,8 +113,6 @@ function _relayhost_sasl
     echo "$(_env_relay_host)    ${RELAY_USER}:${RELAY_PASSWORD}" >> /etc/postfix/sasl_passwd
   fi
 
-  _sasl_set_passwd_permissions
-
   # Technically if only a single relay host is configured, a `static` lookup table could be used instead?:
   # postconf "smtp_sasl_password_maps = static:${RELAY_USER}:${RELAY_PASSWORD}"
   postconf 'smtp_sasl_password_maps = texthash:/etc/postfix/sasl_passwd'
@@ -196,7 +214,6 @@ function _setup_relayhost
   then
     _log 'trace' "Setting up relay hosts (default: ${RELAY_HOST})"
 
-    # Expects `_sasl_passwd_create` was called prior in `setup-stack.sh`
     _relayhost_sasl
     _populate_relayhost_map
 
@@ -208,9 +225,6 @@ function _rebuild_relayhost
 {
   if [[ -n ${RELAY_HOST} ]]
   then
-    # Start from a new `/etc/postfix/sasl_passwd` state:
-    _sasl_passwd_create
-
     _relayhost_sasl
     _populate_relayhost_map
   fi
diff --git a/target/scripts/helpers/sasl.sh b/target/scripts/helpers/sasl.sh
deleted file mode 100644
index e5fb7a16..00000000
--- a/target/scripts/helpers/sasl.sh
+++ /dev/null
@@ -1,22 +0,0 @@
-#! /bin/bash
-
-function _sasl_passwd_create
-{
-  if [[ -n ${SASL_PASSWD} ]]
-  then
-    # create SASL password
-    echo "${SASL_PASSWD}" > /etc/postfix/sasl_passwd
-    _sasl_set_passwd_permissions
-  else
-    rm -f /etc/postfix/sasl_passwd
-  fi
-}
-
-function _sasl_set_passwd_permissions
-{
-  if [[ -f /etc/postfix/sasl_passwd ]]
-  then
-    chown root:root /etc/postfix/sasl_passwd
-    chmod 0600 /etc/postfix/sasl_passwd
-  fi
-}
diff --git a/target/scripts/start-mailserver.sh b/target/scripts/start-mailserver.sh
index fc189772..5a46490e 100755
--- a/target/scripts/start-mailserver.sh
+++ b/target/scripts/start-mailserver.sh
@@ -215,7 +215,6 @@ function _register_functions
   _register_setup_function '_setup_dovecot_hostname'
   _register_setup_function '_setup_postfix_smtputf8'
   _register_setup_function '_setup_postfix_sasl'
-  _register_setup_function '_setup_postfix_sasl_password'
   _register_setup_function '_setup_security_stack'
   _register_setup_function '_setup_postfix_aliases'
   _register_setup_function '_setup_postfix_vhost'
diff --git a/target/scripts/startup/setup-stack.sh b/target/scripts/startup/setup-stack.sh
index 0d8293f5..6043509c 100644
--- a/target/scripts/startup/setup-stack.sh
+++ b/target/scripts/startup/setup-stack.sh
@@ -764,21 +764,6 @@ function _setup_postfix_override_configuration
   fi
 }
 
-function _setup_postfix_sasl_password
-{
-  _log 'debug' 'Setting up Postfix SASL Password'
-
-  # support general SASL password
-  _sasl_passwd_create
-
-  if [[ -f /etc/postfix/sasl_passwd ]]
-  then
-    _log 'trace' 'Loaded SASL_PASSWD'
-  else
-    _log 'debug' "SASL_PASSWD was not provided - '/etc/postfix/sasl_passwd' not created"
-  fi
-}
-
 function _setup_postfix_relay_hosts
 {
   _setup_relayhost
diff --git a/test/mail_privacy.bats b/test/mail_privacy.bats
index ba489b04..c83d5087 100644
--- a/test/mail_privacy.bats
+++ b/test/mail_privacy.bats
@@ -7,7 +7,6 @@ function setup_file() {
   docker run -d --name mail_privacy \
     -v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
     -v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \
-    -e SASL_PASSWD="external-domain.com username:password" \
     -e ENABLE_MANAGESIEVE=1 \
     --cap-add=SYS_PTRACE \
     -e PERMIT_DOCKER=host \
diff --git a/test/mail_with_relays.bats b/test/mail_with_relays.bats
index 44279849..ecd2112f 100644
--- a/test/mail_with_relays.bats
+++ b/test/mail_with_relays.bats
@@ -64,6 +64,11 @@ function teardown_file() {
   assert_output ''
 }
 
+@test "checking relay hosts: sasl_passwd exists" {
+  run docker exec mail_with_relays [ -f /etc/postfix/sasl_passwd ]
+  assert_success
+}
+
 @test "checking relay hosts: auth entry is added" {
   run docker exec mail_with_relays /bin/sh -c 'cat /etc/postfix/sasl_passwd | grep -e "^@domaintwo.tld\s\+smtp_user_2:smtp_password_2" | wc -l'
   assert_success
diff --git a/test/tests.bats b/test/tests.bats
index 5ace6b09..81743446 100644
--- a/test/tests.bats
+++ b/test/tests.bats
@@ -31,7 +31,6 @@ setup_file() {
     -e SA_SPAM_SUBJECT="SPAM: " \
     -e SA_TAG=-5.0 \
     -e SA_TAG2=2.0 \
-    -e SASL_PASSWD="external-domain.com username:password" \
     -e SPAMASSASSIN_SPAM_TO_INBOX=0 \
     -e SPOOF_PROTECTION=1 \
     -e SSL_TYPE='snakeoil' \
@@ -175,11 +174,6 @@ teardown_file() {
   assert_success
 }
 
-@test "checking sasl: sasl_passwd exists" {
-  run docker exec mail [ -f /etc/postfix/sasl_passwd ]
-  assert_success
-}
-
 #
 # logs
 #