Table of Contents
Relaying mail with Postfix and Stunnel through SMTPS with Debian 7
Do you have setup your own Debian 7 VPS and you want to send mail from it to the outside world without running a full-blown mail server? You can install Postfix and use it in satellite mode, relaying email to another mail server.
However, all mail services aren't equal. Ones like Gmail are sophisticated and support the more recent TLS protocol, while many shared and budget hosting services don't. The latter often use an older SSL protocol, and Postfix SMTP client does not support the obsolete “wrappermode” protocol, which uses TCP port 465 on the SMTP server. A solution is to create your own local SSL tunnel between Postfix and the relay server with
Install stunnel in Ubuntu or Debian with
apt-get install stunnel
Enable it on startup by editing /etc/default/stunnel4 to
Create a .conf file in etc/stunnel directory with
and paste the following text inside
client = yes foreground = no [smtp-tls-wrapper] accept = 11125 connect = srv-hp12.netsons.net:465
In this case, 11125 is our local port (but could be different) and will be user by Postfix to connect to stunnel. The connect line has the fully qualified domain name (srv-hp12.netsons.net) and port number (465) of the external SMTP server. In this example, we are using the Netsons SMTP server as a smarthost — srv-hp12.netsons.net:465 with the parameters provided by your e-mail or web hosting provider.
Now start stunnel with
service stunnel4 start
and test your SMTPS tunnel with
telnet localhost 11125
If everything is working, you should see the greeting line from your smarthost, something like
Trying ::1... Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 220-srv-hp12.netsons.net ESMTP Exim 4.84 #2 Tue, 25 Nov 2014 11:31:45 +0100 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
quit to leave.
Install Postfix with
apt-get install postfix
If you weren’t automatically prompted to configure Postfix, run sudo
dpkg-reconfigure postfix to access the configuration wizard. Configure Postfix as a Satellite system. You must enter a valid domain name for System mail name, so use example.com if you do not have a real one. For SMTP relay host, enter [127.0.0.1]:10465.
/etc/postfix/main.cf and add the following lines, being sure to comment out any smtp (client) settings that compete with them (the stmtpd server settings can be left alone).
relayhost = [127.0.0.1]:11125 inet_interfaces = loopback-only # SASL Settings smtp_use_tls = yes smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd smtp_sasl_security_options = noanonymous smtp_sasl_mechanism_filter = login
The SASL settings  point to a password file, which we haven't yet created. Let's do that now, using the same email address from which we send messages.
Beware to keep the SASL client password file within /etc/postfix, and make the file read+write only for root to protect the username/password combinations against other users. The Postfix SMTP client will still be able to read the SASL client passwords: it opens the file as user root. So change owner (chown) and set permissions (chmod) on the file to 600 so that your password can't be read by others with
chown root:root /etc/postfix/sasl/sasl_passwd chmod 600 /etc/postfix/sasl/sasl_passwd
Finally convert the text-based password file to as hash-based file that Postfix can understand with
Restart Postifix server
sudo service postfix reload
Important notes about password file
- Use the postmap command whenever you change the /etc/postfix/sasl_passwd file.
- If you specify the “[” and “]” in the relayhost destination, then you must use the same form in the smtp_sasl_password_maps file.
- If you specify a non-default TCP Port (such as “:submission” or “:587”) in the relayhost destination, then you must use the same form in the password file.
Some hosts have no valid Internet domain name, and instead use a name such as localdomain.local or example.com. This can be a problem when you want to send mail over the Internet, because many mail servers reject mail addresses with invalid domain names or mark them as spammer. You can specify generic lookup tables that replace local mail addresses by valid Internet addresses when mail leaves the machine via SMTP.
/etc/postfix/generic and add a mapping, such as
and hash it with
smtp_generic_maps = hash:/etc/postfix/generic
main.cf Postfix configuration file.
For more info about address rewriting in Postfix see .
At this point, the entire setup should be working. Send a test message from the command line to an external e-mail account (see send-mail-from-cli for more information) and monitor
mail.log in another terminal to check if everything is fine.
Install mailutils apt-get install mailutils and run echo This is a test message. | mail -s “Test Message” firstname.lastname@example.org while running tail -f /var/log/mail.log in a second terminal.
If you see and error like
warning: SASL authentication failure: No worthy mechs found
you neet to install libsasl2-modules with
apt-get install libsasl2-modules