notes:postfix-stunnel-smtps

notes:postfix-stunnel-smtps [2014/11/22 18:30] – [Relaying mail with Postfix and Stunnel through an SMTPS smarthost on port 465] adminnotes:postfix-stunnel-smtps [2014/11/25 11:42] (current) – [Postfix configuration] admin
Line 1: Line 1:
-====== Relaying mail with Postfix and Stunnel through an SMTPS smarthost on port 465 ======+====== Relaying mail with Postfix and Stunnel through SMTPS with Debian 7======
  
-The Postfix SMTP client does not support the obsolete "wrappermode" protocol, which uses TCP port 465 on the SMTP server. A solution is to use the stunnel command.+Do you have setup your own Debian 7 VPS and you want to send mail from it to the outside world without running a full-blown mail server? You can install Postfix and use it in satellite mode, relaying email to another mail server.
  
-alled your own virtual server running Postfix. Now you want to send mail from it to the outside world. You don't want the work of running a full-blown mail server. +However, all mail services aren't equal. Ones like Gmail are sophisticated and support the more recent TLS protocol, while many shared and budget hosting services don't. The latter often use an older SSL protocol, and Postfix SMTP client does not support the obsolete "wrappermode" protocol, which uses TCP port 465 on the SMTP serversolution is to create your own local SSL tunnel between Postfix and the relay server with ''stunnel''.
- +
-Problem is, all mail services aren't equal. Ones like Gmail are sophisticated and support the more recent TLS protocol. Many shared and budget hosting services don't. They use an older SSL protocol, and Postfix isn't designed to handle itThe solution is to create your own local SSL tunnel between Postfix and the relay server+
- +
-With the smtp_sasl_password_maps parameter, we configure the Postfix SMTP client to send username and password information to the mail gateway server. As discussed in the next section, the Postfix SMTP client supports multiple ISP accounts. For this reason the username and password are stored in a table that contains one username/password combination for each mail gateway server. +
- +
-  /etc/postfix/sasl_passwd: +
-  # destination                   credentials +
-  [mail.isp.example]              username:password +
-  # Alternative form: +
-  # [mail.isp.example]:submission username:password +
- +
-Important +
- +
-Keep the SASL client password file in /etc/postfix, and make the file read+write only for root to protect the username/password combinations against other users. The Postfix SMTP client will still be able to read the SASL client passwords. It opens the file as user root before it drops privileges, and before entering an optional chroot jail. +
- +
-  * Use the postmap command whenever you change the /etc/postfix/sasl_passwd file. +
- +
-  * If you specify the "[" and "]" in the relayhost destination, then you must use the same form in the smtp_sasl_password_maps file. +
- +
-  * If you specify a non-default TCP Port (such as ":submission" or ":587") in the relayhost destination, then you must use the same form in the smtp_sasl_password_maps file. +
- +
- +
-In this example, I’m using the Comcast SMTP server as my smarthost — replace smtp.comcast.net:465 with the mail server you wish to use as a smarthost. +
- +
-Install stunnel and Postfix with sudo apt-get install stunnel mailutils postfix +
- +
-If you weren’t automatically prompted to configure Postfix, run sudo dpkg-reconfigure postfix to access the configuration wizard. Configure Postfix as a “Satellite system”. You must enter a valid domain name for “System mail name”, so use example.com. For “SMTP relay host”, enter [127.0.0.1]:10465 +
- +
- +
-warning: SASL authentication failure: No worthy mechs found +
- +
- +
-  sudo apt-get install libsasl2-modules+
  
 ===== Stunnel configuration ===== ===== Stunnel configuration =====
  
  
-Install stunnel in Ubuntu or Debian with... +Install stunnel in Ubuntu or Debian with 
- +  apt-get install stunnel 
-  sudo apt-get install stunnel +Enable it on startup by editing /etc/default/stunnel4 to
- +
-Enable it on startup by editing /etc/default/stunnel4+
   #ENABLED=0   #ENABLED=0
   ENABLED=1   ENABLED=1
  
-Create a .conf file in etc/stunnel directory. I named this one /etc/stunnel/stunnel.conf. 11125 is our local port. The connect line has the fully qualified domain name and port number at the external relay host (SMTP server). Check with your e-mail or web hosting provider if you're unsure. Cpanel has this information under "Email Accounts" in a "Configure Email Client" option:+Create a .conf file in etc/stunnel directory with 
 +  vim /etc/stunnel/stunnel.conf 
 +and paste the following text inside 
  
 +  client = yes
 +  foreground = no
 +  
   [smtp-tls-wrapper]   [smtp-tls-wrapper]
   accept = 11125   accept = 11125
-  client = yes +  connect = srv-hp12.netsons.net:465
-  connect: MY_SMTP_HOSTNAME:465+
  
 +In this case, 11125 is our local port (but could be different) and will be user by Postfix to connect to stunnel. The connect line has the fully qualified domain name (srv-hp12.netsons.net) and port number (465) of the external SMTP server. In this example, we are using the Netsons SMTP server as a smarthost — srv-hp12.netsons.net:465 with the parameters provided by your e-mail or web hosting provider.
  
-Test your SMTPS tunnel with telnet localhost 10465. If everything is working, you should see the greeting line from your smarthost, something like “220 omta14.emeryville.ca.mail.comcast.net comcast ESMTP server ready”; type quit to disconnect.+Now start stunnel with 
 +  service stunnel4 start
  
 +and test your SMTPS tunnel with
 +  telnet localhost 11125
 +  
 +If everything is working, you should see the greeting line from your smarthost, something like 
 +  Trying ::1...
 +  Trying 127.0.0.1...
 +  Connected to localhost.
 +  Escape character is '^]'.
 +  220-srv-hp12.netsons.net ESMTP Exim 4.84 #2 Tue, 25 Nov 2014 11:31:45 +0100 
 +  220-We do not authorize the use of this system to transport unsolicited, 
 +  220 and/or bulk e-mail.
 +type ''quit'' to leave.
 +  
 ===== Postfix configuration ===== ===== Postfix configuration =====
  
 +Install Postfix with
 +  apt-get install postfix
  
-Put these lines in /etc/postfix/main.cf and be sure to comment out any earlier ones that compete with them. The relayhost is localhost (127.0.0.1), not the external relay server, because we will be creating a local tunnel for the SSL. Only smtp (client) settings need to be tweaked; the stmtpd (serversettings can be left alone, including the TLS configuration.+If you weren’t automatically prompted to configure Postfix, run sudo ''dpkg-reconfigure postfix'' to access the configuration wizard. Configure Postfix as a //Satellite system//. You must enter a valid domain name for //System mail name//, so use example.com if you do not have a real one. For //SMTP relay host//, enter [127.0.0.1]:10465. 
 + 
 +Now edit ''/etc/postfix/main.cf'' and add the following lines, being sure to comment out any smtp (client) settings that compete with them (the stmtpd server settings can be left alone).
  
   relayhost = [127.0.0.1]:11125   relayhost = [127.0.0.1]:11125
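Review bot: the rewritten Postfix wizard paragraph still tells the reader to enter ''[127.0.0.1]:10465'' as the SMTP relay host, while the stunnel section in the same hunk now listens on ''accept = 11125'' and the unchanged main.cf line is ''relayhost = [127.0.0.1]:11125''; the wizard value should be ''[127.0.0.1]:11125'' as well, otherwise Postfix is pointed at a port nothing listens on until the relayhost line is corrected by hand. The new stunnel.conf has no ''verify'' or ''CAfile'' directive, and stunnel does not check the peer certificate unless told to, so the client will hand the SASL login to whatever answers on srv-hp12.netsons.net:465; since the tunnel is the only thing protecting those credentials, suggest adding ''verify = 2'' and ''CAfile = /etc/ssl/certs/ca-certificates.crt'' (the bundle shipped by the ca-certificates package) to the config shown. Wording in the added lines: "on the SMTP serversolution is to" lost its sentence break ("server. A solution is to"), "will be user by Postfix" should read "used", and "stmtpd" should be "smtpd".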
Line 71: Line 58:
   smtp_sasl_auth_enable = yes   smtp_sasl_auth_enable = yes
   smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd   smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
-  smtp_sasl_security_options =+  smtp_sasl_security_options = noanonymous 
 +  smtp_sasl_mechanism_filter = login
  
-The SASL settings point to a password file, which we haven't yet created. Let's do that now, using the same email address from which we send messages. Change permissions (chmod) on the file to 600 so that your password can't be read by others:+The SASL settings [1] point to a password file, which we haven't yet created. Let's do that now, using the same email address from which we send messages. 
 +  vim /etc/postfix/sasl/sasl_passwd 
 +and add 
 +  [127.0.0.1]:11125       user@maydomain.com:password
  
-The last step is to provide Postfix with your username and password for the smarthostWithout authentication,your smarthost mail server is not going to allow you to relay mailRun sudo vim /etc/postfix/saslpass and add a line to the file:+Beware to keep the SASL client password file within /etc/postfix, and make the file read+write only for root to protect the username/password combinations against other usersThe Postfix SMTP client will still be able to read the SASL client passwords: it opens the file as user root. 
 +So change owner (chown) and set permissions (chmod) on the file to 600 so that your password can't be read by others with 
 +  chown root:root /etc/postfix/sasl/sasl_passwd 
 +  chmod 600 /etc/postfix/sasl/sasl_passwd
  
-  [127.0.0.1]:10465 your-username@comcast.net:your-password+Finally convert the text-based password file to as hash-based file that Postfix can understand with 
 +  postmap /etc/postfix/sasl/sasl_passwd
  
-Convert the text-based password file to as hash-based file that Postfix can understand with +Restart Postifix server 
 +  sudo service postfix reload
  
-  sudo postmap /etc/postfix/sasl/sasl_passwd+==== Important notes about password file ====
  
 +  * Use the postmap command whenever you change the /etc/postfix/sasl_passwd file.
 +  * If you specify the "[" and "]" in the relayhost destination, then you must use the same form in the smtp_sasl_password_maps file.
 +  * If you specify a non-default TCP Port (such as ":submission" or ":587") in the relayhost destination, then you must use the same form in the password file.
  
-Restart both servers:+==== Address rewriting ====
  
-  sudo service stunnel4 restart +Some hosts have no valid Internet domain name, and instead use a name such as localdomain.local or example.com. This can be a problem when you want to send mail over the Internet, because many mail servers reject mail addresses with invalid domain names or mark them as spammer. 
-  sudo service postfix reload+You can specify generic lookup tables that replace local mail addresses by valid Internet addresses when mail leaves the machine via SMTP. 
 + 
 +Edit file ''/etc/postfix/generic'' and add a mapping, such as 
 +  localuser@example.com    user@mydomain 
 +and hash it with 
 +  postmap /etc/postfix/sasl/sasl_passwd 
 +Finally, add  
 +  smtp_generic_maps = hash:/etc/postfix/generic 
 +to ''main.cf'' Postfix configuration file. 
 + 
 +For more info about address rewriting in Postfix see [2]. 
 + 
 +===== Final testing ===== 
 + 
 +At this point, the entire setup should be working. Send a test message from the command line to an external e-mail account (see [[notes:send-mail-from-cli|send-mail-from-cli]] for more information) and monitor ''mail.log'' in another terminal to check if everything is fine.
  
-Send a test message to an external e-mail accountI prefer mutt mail client; you might use the mail command instead:+Install mailutils 
 + apt-get install mailutils 
 +and run 
 + echo This is a test message. | mail -s "Test Message" your-email-address@example.com 
 +while running  
 + tail -f /var/log/mail.log 
 +in a second terminal.
  
-At this point, the entire setup should be working. Try to send yourself a test message using echo This is a test message. | mail -s "Test Message" your-email-address@example.com and, optionally, monitor the Postfix mail log with tail -F /var/log/mail.log+If you see and error like 
 +  warning: SASL authentication failure: No worthy mechs found 
 +you neet to install libsasl2-modules with 
 +  apt-get install libsasl2-modules
  
  
  
-http://www.postfix.org/SASL_README.html +[1] http://www.postfix.org/SASL_README.html\\ 
-http://quietmint.com/linux/postfix-relaying-mail-through-an-smtps-smarthost-on-port-465/ +[2] http://www.postfix.org/ADDRESS_REWRITING_README.html#generic\\ 
-http://tech.surveypoint.com/posts/relay-mail-with-postfix-and-stunnel/+[3] http://quietmint.com/linux/postfix-relaying-mail-through-an-smtps-smarthost-on-port-465/\\ 
 +[4] http://tech.surveypoint.com/posts/relay-mail-with-postfix-and-stunnel/\\
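Review bot: the new address-rewriting step hashes the wrong file: after editing ''/etc/postfix/generic'' the text says to run ''postmap /etc/postfix/sasl/sasl_passwd'', which only rebuilds the password map and never creates ''/etc/postfix/generic.db'', so the ''smtp_generic_maps = hash:/etc/postfix/generic'' line added just below it will make Postfix fail to open the map when the smtp client runs; it should be ''postmap /etc/postfix/generic''. The "Important notes about password file" bullets still name ''/etc/postfix/sasl_passwd'', while every other line in this revision uses ''/etc/postfix/sasl/sasl_passwd''; use the same path in the bullet so the reader runs postmap on the file Postfix actually reads. The new ''smtp_sasl_mechanism_filter = login'' line deserves a sentence: LOGIN carries the password as base64 plaintext inside the SASL exchange, which is acceptable here only because the stunnel tunnel to port 465 wraps it, so the tunnel endpoint must really be the intended smarthost; the chown/chmod 600 step in the same hunk is the right other half of that. Minor: the mailutils, mail and tail command lines are indented with one space instead of the two spaces used for every other code line on the page, so DokuWiki will render them as prose; "user@maydomain.com" looks like a typo for "mydomain"; "Restart Postifix server", "If you see and error" and "you neet" need spelling fixes; references [3] and [4] are listed but nothing in the text cites them.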
notes/postfix-stunnel-smtps.1416681000.txt.gz · Last modified: 2014/11/22 18:30 by admin