Relaying mail with Postfix and Stunnel through SMTPS with Debian 7

Do you have setup your own Debian 7 VPS and you want to send mail from it to the outside world without running a full-blown mail server? You can install Postfix and use it in satellite mode, relaying email to another mail server.

However, all mail services aren't equal. Ones like Gmail are sophisticated and support the more recent TLS protocol, while many shared and budget hosting services don't. The latter often use an older SSL protocol, and Postfix SMTP client does not support the obsolete “wrappermode” protocol, which uses TCP port 465 on the SMTP server. A solution is to create your own local SSL tunnel between Postfix and the relay server with stunnel.

Stunnel configuration

Install stunnel in Ubuntu or Debian with

apt-get install stunnel

Enable it on startup by editing /etc/default/stunnel4 to


Create a .conf file in etc/stunnel directory with

vim /etc/stunnel/stunnel.conf

and paste the following text inside

client = yes
foreground = no

accept = 11125
connect =

In this case, 11125 is our local port (but could be different) and will be user by Postfix to connect to stunnel. The connect line has the fully qualified domain name ( and port number (465) of the external SMTP server. In this example, we are using the Netsons SMTP server as a smarthost — with the parameters provided by your e-mail or web hosting provider.

Now start stunnel with

service stunnel4 start

and test your SMTPS tunnel with

telnet localhost 11125

If everything is working, you should see the greeting line from your smarthost, something like

Trying ::1...
Connected to localhost.
Escape character is '^]'. ESMTP Exim 4.84 #2 Tue, 25 Nov 2014 11:31:45 +0100 
220-We do not authorize the use of this system to transport unsolicited, 
220 and/or bulk e-mail.

type quit to leave.

Postfix configuration

Install Postfix with

apt-get install postfix

If you weren’t automatically prompted to configure Postfix, run sudo dpkg-reconfigure postfix to access the configuration wizard. Configure Postfix as a Satellite system. You must enter a valid domain name for System mail name, so use if you do not have a real one. For SMTP relay host, enter []:10465.

Now edit /etc/postfix/ and add the following lines, being sure to comment out any smtp (client) settings that compete with them (the stmtpd server settings can be left alone).

relayhost = []:11125
inet_interfaces = loopback-only
# SASL Settings
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_mechanism_filter = login

The SASL settings [1] point to a password file, which we haven't yet created. Let's do that now, using the same email address from which we send messages.

vim /etc/postfix/sasl/sasl_passwd

and add


Beware to keep the SASL client password file within /etc/postfix, and make the file read+write only for root to protect the username/password combinations against other users. The Postfix SMTP client will still be able to read the SASL client passwords: it opens the file as user root. So change owner (chown) and set permissions (chmod) on the file to 600 so that your password can't be read by others with

chown root:root /etc/postfix/sasl/sasl_passwd
chmod 600 /etc/postfix/sasl/sasl_passwd

Finally convert the text-based password file to as hash-based file that Postfix can understand with

postmap /etc/postfix/sasl/sasl_passwd

Restart Postifix server

sudo service postfix reload

Important notes about password file

  • Use the postmap command whenever you change the /etc/postfix/sasl_passwd file.
  • If you specify the ”[” and ”]” in the relayhost destination, then you must use the same form in the smtp_sasl_password_maps file.
  • If you specify a non-default TCP Port (such as ”:submission” or ”:587”) in the relayhost destination, then you must use the same form in the password file.

Address rewriting

Some hosts have no valid Internet domain name, and instead use a name such as localdomain.local or This can be a problem when you want to send mail over the Internet, because many mail servers reject mail addresses with invalid domain names or mark them as spammer. You can specify generic lookup tables that replace local mail addresses by valid Internet addresses when mail leaves the machine via SMTP.

Edit file /etc/postfix/generic and add a mapping, such as    user@mydomain

and hash it with

postmap /etc/postfix/sasl/sasl_passwd

Finally, add

smtp_generic_maps = hash:/etc/postfix/generic

to Postfix configuration file.

For more info about address rewriting in Postfix see [2].

Final testing

At this point, the entire setup should be working. Send a test message from the command line to an external e-mail account (see send-mail-from-cli for more information) and monitor mail.log in another terminal to check if everything is fine.

Install mailutils apt-get install mailutils and run echo This is a test message. | mail -s “Test Message” while running tail -f /var/log/mail.log in a second terminal.

If you see and error like

warning: SASL authentication failure: No worthy mechs found

you neet to install libsasl2-modules with

apt-get install libsasl2-modules


notes/postfix-stunnel-smtps.txt · Last modified: 2014/11/25 06:42 by admin
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 3.0 Unported
Recent changes RSS feed Donate Powered by PHP Valid XHTML 1.0 Valid CSS Run by Debian Driven by DokuWiki