notes:postfix-stunnel-smtps
notes:postfix-stunnel-smtps [2014/11/23 13:10] – admin | notes:postfix-stunnel-smtps [2014/11/25 11:42] (current) – [Postfix configuration] admin | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Relaying mail with Postfix and Stunnel through | + | ====== Relaying mail with Postfix and Stunnel through SMTPS with Debian 7 ====== |
- | + | Have you set up your own Debian 7 VPS and want to send mail from it to the outside world without running a full-blown mail server? You can install Postfix in satellite mode, so that it relays all outgoing e-mail to another mail server (the "smarthost"). | |
- | Have you set up your own VPS and want to send mail from it to the outside world without running a full-blown mail server? You can install Postfix in satellite mode, so that it relays all outgoing e-mail to another mail server (the "smarthost"). | + | |
However, not all mail services are equal. Large providers such as Gmail support STARTTLS, where TLS is negotiated inside an ordinary SMTP session on port 25 or 587, while many shared and budget hosting services only offer SMTPS, that is SMTP wrapped in an SSL/TLS connection on port 465, and the Postfix SMTP client shipped with Debian 7 does not support the obsolete " | However, not all mail services are equal. Large providers such as Gmail support STARTTLS, where TLS is negotiated inside an ordinary SMTP session on port 25 or 587, while many shared and budget hosting services only offer SMTPS, that is SMTP wrapped in an SSL/TLS connection on port 465, and the Postfix SMTP client shipped with Debian 7 does not support the obsolete " | ||
- | ===== Stunnel ===== | + | ===== Stunnel |
- | + | ||
- | Install stunnel with | + | |
- | sudo apt-get install stunnel | + | |
Install stunnel in Ubuntu or Debian with | Install stunnel in Ubuntu or Debian with | ||
- | | + | apt-get install stunnel |
Enable it on startup by editing / | Enable it on startup by editing / | ||
#ENABLED=0 | #ENABLED=0 | ||
Line 19: | Line 15: | ||
Create a .conf file in the /etc/stunnel directory with | Create a .conf file in the /etc/stunnel directory with | ||
- | vim / | + | vim / |
and paste the following text inside | and paste the following text inside | ||
+ | |||
+ | client = yes | ||
+ | foreground = no | ||
+ | | ||
[smtp-tls-wrapper] | [smtp-tls-wrapper] | ||
accept = 11125 | accept = 11125 | ||
- | | + | connect = srv-hp12.netsons.net:465 |
- | | + | |
- | In this case, 11125 is our local port (but could be different). The connect line has the fully qualified domain name and port number | + | In this case, 11125 is our local port (but could be different) |
- | Test your SMTPS tunnel | + | Now start stunnel |
+ | service stunnel4 start | ||
+ | and test your SMTPS tunnel with | ||
+ | telnet localhost 11125 | ||
| | ||
+ | If everything is working, you should see the greeting line from your smarthost, something like | ||
+ | Trying ::1... | ||
+ | Trying 127.0.0.1... | ||
+ | Connected to localhost. | ||
+ | Escape character is ' | ||
+ | 220-srv-hp12.netsons.net ESMTP Exim 4.84 #2 Tue, 25 Nov 2014 11:31:45 +0100 | ||
+ | 220-We do not authorize the use of this system to transport unsolicited, | ||
+ | 220 and/or bulk e-mail. | ||
+ | type '' | ||
| | ||
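The telnet banner above proves that the tunnel is up, not that it is talking to the right server: the configuration as written leaves stunnel at its default of no certificate verification (verify = 0), so anyone who can redirect traffic for port 465 can terminate the TLS session and read the credentials Postfix will later send through the tunnel. The script below is an added example, not code from the wiki page or from the stunnel project. It writes a client config equivalent to the one above with peer verification enabled and the listener bound to loopback, and it audits an existing config for that setting. The smarthost name smarthost.example.net, the CA bundle path /etc/ssl/certs/ca-certificates.crt and the pid file path are assumptions.

```shell
#!/bin/sh
# Added example, not part of the wiki page: generate a hardened stunnel client
# config for an SMTPS smarthost and audit a config for peer verification.
# smarthost.example.net, the CA bundle path and the pid path are assumptions.

# write_stunnel_smtps_conf FILE SMARTHOST PORT LOCALPORT
# The page's config only sets client/accept/connect. stunnel then defaults to
# no verification, so it encrypts the hop but accepts ANY certificate: whoever
# can redirect 465/tcp (DNS, routing, a hostile network) can terminate the TLS
# session and read the SASL LOGIN credentials that Postfix sends in clear
# through the tunnel. verify = 2 plus a CA bundle closes that hole.
write_stunnel_smtps_conf() {
    cat > "$1" <<EOF
client = yes
foreground = no
pid = /var/run/stunnel4.pid
; require a certificate chain for the smarthost that validates against
; the system CA bundle (Debian path assumed)
verify = 2
CAfile = /etc/ssl/certs/ca-certificates.crt

[smtp-tls-wrapper]
; bind the tunnel to loopback only; a bare "accept = $4" listens on all interfaces
accept = 127.0.0.1:$4
connect = $2:$3
EOF
}

# audit_stunnel_conf FILE
# Returns 0 if FILE verifies the peer (verify >= 2 and a CAfile or CApath),
# 1 otherwise. stunnel comment lines start with ';' and are ignored here.
audit_stunnel_conf() {
    level=$(sed -n 's/^[[:space:]]*verify[[:space:]]*=[[:space:]]*\([0-9]\).*/\1/p' "$1" | head -n 1)
    [ -n "$level" ] || return 1
    [ "$level" -ge 2 ] || return 1
    grep -Eq '^[[:space:]]*CA(file|path)[[:space:]]*=' "$1"
}

# Demonstration on a scratch directory; nothing below touches /etc/stunnel.
demo=$(mktemp -d)
# the page's minimal config, reproduced here as the weak case (constructed)
printf '%s\n' 'client = yes' 'foreground = no' '' '[smtp-tls-wrapper]' \
    'accept = 11125' 'connect = smarthost.example.net:465' > "$demo/weak.conf"
write_stunnel_smtps_conf "$demo/hardened.conf" smarthost.example.net 465 11125
for f in weak hardened; do
    if audit_stunnel_conf "$demo/$f.conf"; then
        echo "$f.conf: verifies the smarthost certificate"
    else
        echo "$f.conf: does NOT verify the smarthost certificate"
    fi
done
```

Drop the generated file into /etc/stunnel/ with a .conf suffix and restart stunnel4 as above. If the smarthost's certificate does not chain to the bundle, the TLS handshake fails, stunnel logs the verification error and telnet localhost 11125 is closed without a banner, which is the intended failure. With verify = 2, stunnel 4.x (Debian 7 ships 4.53) checks that the chain is trusted but not that the certificate names the connect host; stunnel 5.x adds checkHost for that, and on 4.x verify = 3 with the smarthost's own certificate in CAfile pins it instead.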
+ | ===== Postfix configuration ===== | ||
+ | Install Postfix with | ||
+ | apt-get install postfix | ||
- | | + | If you weren’t automatically prompted to configure Postfix, run sudo '' |
- | + | Now edit ''/ | |
- | With the smtp_sasl_password_maps parameter, we configure the Postfix SMTP client to send username and password information to the mail gateway server. As discussed in the next section, the Postfix SMTP client supports multiple ISP accounts. For this reason the username and password are stored in a table that contains one username/ | + | |
- | + | ||
- | / | + | |
- | # destination | + | |
- | [mail.isp.example] | + | |
- | # Alternative form: | + | |
- | # [mail.isp.example]: | + | |
- | + | ||
- | Important | + | |
- | + | ||
- | Keep the SASL client password file in / | + | |
- | + | ||
- | * Use the postmap command whenever you change the / | + | |
- | + | ||
- | * If you specify the " | + | |
- | + | ||
- | * If you specify a non-default TCP Port (such as ": | + | |
- | + | ||
- | + | ||
- | In this example, I’m using the Comcast SMTP server as my smarthost — replace smtp.comcast.net: | + | |
- | + | ||
- | Install stunnel and Postfix with sudo apt-get install stunnel mailutils postfix | + | |
- | + | ||
- | If you weren’t automatically prompted to configure Postfix, run sudo dpkg-reconfigure postfix to access the configuration wizard. Configure Postfix as a “Satellite system”. You must enter a valid domain name for “System mail name”, so use example.com. For “SMTP relay host”, enter [127.0.0.1]: | + | |
- | + | ||
- | + | ||
- | warning: SASL authentication failure: No worthy mechs found | + | |
- | + | ||
- | + | ||
- | sudo apt-get install libsasl2-modules | + | |
- | + | ||
- | ===== Stunnel configuration ===== | + | |
- | + | ||
- | + | ||
- | Install stunnel in Ubuntu or Debian with... | + | |
- | + | ||
- | sudo apt-get install stunnel | + | |
- | + | ||
- | Enable it on startup by editing / | + | |
- | + | ||
- | # | + | |
- | ENABLED=1 | + | |
- | + | ||
- | Create a .conf file in etc/stunnel directory. I named this one / | + | |
- | + | ||
- | [smtp-tls-wrapper] | + | |
- | accept = 11125 | + | |
- | client = yes | + | |
- | connect: MY_SMTP_HOSTNAME: | + | |
- | + | ||
- | + | ||
- | Test your SMTPS tunnel with telnet localhost 10465. If everything is working, you should see the greeting line from your smarthost, something like “220 omta14.emeryville.ca.mail.comcast.net comcast ESMTP server ready”; type quit to disconnect. | + | |
- | + | ||
- | ===== Postfix configuration ===== | + | |
- | + | ||
- | + | ||
- | Put these lines in / | + | |
relayhost = [127.0.0.1]: | relayhost = [127.0.0.1]: | ||
Line 101: | Line 58: | ||
smtp_sasl_auth_enable = yes | smtp_sasl_auth_enable = yes | ||
smtp_sasl_password_maps = hash:/ | smtp_sasl_password_maps = hash:/ | ||
- | smtp_sasl_security_options = | + | smtp_sasl_security_options = noanonymous |
+ | smtp_sasl_mechanism_filter = login | ||
- | The SASL settings point to a password file, which we haven' | + | The SASL settings |
+ | vim / | ||
+ | and add | ||
+ | [127.0.0.1]: | ||
- | The last step is to provide Postfix with your username and password for the smarthost. Without authentication, | + | Beware |
+ | So make the file owned by root (chown) and set its permissions (chmod) to 600, so that nobody but root can read your password: | ||
+ | chown root: | ||
+ | chmod 600 / | ||
- | [127.0.0.1]: | + | Finally convert the text-based password |
+ | postmap / | ||
- | Convert the text-based password file to a hash-based file that Postfix can understand with | + | Reload the Postfix configuration so that it picks up the changes, with |
+ | sudo service postfix reload | ||
- | sudo postmap / | + | ==== Important notes about the password file ==== |
+ | * Use the postmap command whenever you change the / | ||
+ | * If you specify the " | ||
+ | * If you specify a non-default TCP Port (such as ": | ||
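The checks below are an added example, not code from the wiki page or from Postfix. They create the sasl_passwd table for the relayhost with owner-only permissions from the start and then test the two conditions the notes above describe: the lookup key must be spelled exactly like relayhost, brackets and port included, and the table (and the .db that postmap produces from it) must not be readable by others. The main.cf contents, the relay credentials and the scratch paths are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the wiki page: create the SASL password table for
# the smarthost, lock it down, and check the two things that most often break
# this setup. Paths under a scratch directory and the credentials are made up.

# write_sasl_passwd FILE RELAYHOST USER PASSWORD
# The umask runs in a subshell, so the file is born 0600 instead of being
# world-readable for a moment before a later chmod.
write_sasl_passwd() {
    ( umask 077; printf '%s %s:%s\n' "$2" "$3" "$4" > "$1" )
}

# relayhost_value MAINCF
# Prints the relayhost setting; the last definition wins, as in Postfix.
relayhost_value() {
    sed -n 's/^[[:space:]]*relayhost[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | sed 's/[[:space:]]*$//'
}

# sasl_key_matches_relayhost MAINCF SASLFILE
# Postfix looks the relayhost up in smtp_sasl_password_maps exactly as it is
# written in main.cf, brackets and port included: a table keyed "[127.0.0.1]"
# never matches "relayhost = [127.0.0.1]:11125", and Postfix then sends
# without AUTH at all.
sasl_key_matches_relayhost() {
    key=$(relayhost_value "$1")
    [ -n "$key" ] || return 1
    awk -v k="$key" '$1 == k { found = 1 } END { exit found ? 0 : 1 }' "$2"
}

# sasl_passwd_mode_ok FILE
# 0 if FILE (and FILE.db, once postmap has produced it) is readable by its
# owner only. postmap only restricts the .db to the owner when the source
# table already is, so a table chmod'ed after postmap leaves a readable .db.
sasl_passwd_mode_ok() {
    for f in "$1" "$1.db"; do
        [ -e "$f" ] || continue
        [ "$(ls -ld "$f" | cut -c1-10)" = "-rw-------" ] || return 1
    done
    return 0
}

# Demonstration on a scratch directory; nothing below touches /etc/postfix.
demo=$(mktemp -d)
cat > "$demo/main.cf" <<'EOF'
relayhost = [127.0.0.1]:11125
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_mechanism_filter = login
EOF
# common mistake: the port is left off the key
write_sasl_passwd "$demo/sasl_passwd" '[127.0.0.1]' user@example.net s3cret
if sasl_key_matches_relayhost "$demo/main.cf" "$demo/sasl_passwd"; then
    echo "key matches relayhost"
else
    echo "key does NOT match relayhost: Postfix will not authenticate"
fi
write_sasl_passwd "$demo/sasl_passwd" '[127.0.0.1]:11125' user@example.net s3cret
if sasl_key_matches_relayhost "$demo/main.cf" "$demo/sasl_passwd"; then
    echo "key matches relayhost"
fi
if sasl_passwd_mode_ok "$demo/sasl_passwd"; then
    echo "sasl_passwd is readable by root only"
fi
# on a real host, finish with: postmap /etc/postfix/sasl_passwd && service postfix reload
```

One point the page's settings rely on: smtp_sasl_security_options = noanonymous drops noplaintext from the Postfix default (noplaintext, noanonymous). That is necessary here, because Postfix itself talks plain SMTP to 127.0.0.1:11125 and LOGIN sends the password base64-encoded, not encrypted; the tunnel, not Postfix, is what protects the credential, which is why the stunnel side must verify the smarthost's certificate.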
- | Restart both servers: | + | ==== Address rewriting ==== |
- | sudo service stunnel4 restart | + | Some hosts have no valid Internet domain name and instead use a name such as localdomain.local or example.com. This is a problem when you send mail over the Internet, because many mail servers reject addresses with invalid domain names or flag the sender as a spammer. |
- | | + | You can specify generic lookup tables that replace local mail addresses with valid Internet addresses when mail leaves the machine via SMTP. |
+ | |||
+ | Edit file ''/ | ||
+ | | ||
+ | and hash it with | ||
+ | postmap /etc/postfix/ | ||
+ | Finally, add | ||
+ | smtp_generic_maps = hash:/ | ||
+ | to '' | ||
+ | |||
+ | For more info about address rewriting in Postfix see [2]. | ||
+ | |||
+ | ===== Final testing ===== | ||
+ | |||
+ | At this point, the entire setup should be working. Send a test message from the command line to an external e-mail account (see [[notes: | ||
- | Send a test message | + | Install mailutils |
+ | | ||
+ | and run | ||
+ | echo This is a test message. | mail -s "Test Message" | ||
+ | while running | ||
+ | tail -f /var/log/mail.log | ||
+ | in a second terminal. | ||
- | At this point, the entire setup should be working. Try to send yourself a test message using echo This is a test message. | mail -s "Test Message" | + | If you see an error like |
+ | warning: SASL authentication failure: No worthy mechs found | ||
+ | you need to install libsasl2-modules, which provides the LOGIN and PLAIN plugins that Postfix uses with this smarthost, with | ||
+ | apt-get install libsasl2-modules | ||
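Watching mail.log, as described above, shows more than the one SASL warning: the same relay setup logs distinct lines when stunnel is not listening, when the credentials are wrong, and when the message is accepted. The script below is an added example, not code from the wiki page or from Postfix; it classifies Postfix smtp client log lines into those cases and counts them. The sample log is constructed here in Postfix's log format, with made-up host names, queue IDs and timestamps.

```shell
#!/bin/sh
# Added example, not part of the wiki page: a small triage of Postfix smtp
# client log lines for this relay setup. The sample lines are constructed in
# Postfix's log format; host names, queue IDs and timestamps are made up.

# write_sample_log FILE: write the constructed sample mail.log to FILE
write_sample_log() {
    cat > "$1" <<'EOF'
Nov 25 11:40:01 vps postfix/pickup[2001]: 3A1F2C0F1: uid=1000 from=<user>
Nov 25 11:40:02 vps postfix/smtp[2010]: 3A1F2C0F1: to=<me@example.com>, relay=127.0.0.1[127.0.0.1]:11125, delay=1.3, delays=0.05/0.01/0.9/0.3, dsn=2.0.0, status=sent (250 OK id=1XtUHz-0004Fo-Az)
Nov 25 11:41:10 vps postfix/smtp[2015]: warning: SASL authentication failure: No worthy mechs found
Nov 25 11:41:10 vps postfix/smtp[2015]: 4B2E3D1A2: to=<me@example.com>, relay=127.0.0.1[127.0.0.1]:11125, delay=0.4, delays=0.1/0/0.3/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server 127.0.0.1[127.0.0.1]: no mechanism available)
Nov 25 11:42:05 vps postfix/smtp[2020]: connect to 127.0.0.1[127.0.0.1]:11125: Connection refused
Nov 25 11:42:05 vps postfix/smtp[2020]: 5C3F4E2B3: to=<me@example.com>, relay=none, delay=0.01, delays=0.01/0/0/0, dsn=4.4.1, status=deferred (connect to 127.0.0.1[127.0.0.1]:11125: Connection refused)
Nov 25 11:43:30 vps postfix/smtp[2025]: 6D4A5F3C4: to=<me@example.com>, relay=127.0.0.1[127.0.0.1]:11125, delay=0.9, delays=0.1/0/0.6/0.2, dsn=5.7.8, status=bounced (host 127.0.0.1[127.0.0.1] said: 535 Incorrect authentication data (in reply to AUTH command))
EOF
}

# classify_smtp_line LINE
# Prints one of: sent, no-mechs, tunnel-down, auth-failed, other.
# Patterns are checked in order; the "no mechanism available" deferral is the
# same fault as the "No worthy mechs found" warning logged just before it.
classify_smtp_line() {
    case $1 in
        *"No worthy mechs found"*|*"no mechanism available"*)
            echo no-mechs ;;      # libsasl2-modules (LOGIN/PLAIN plugins) not installed
        *"status=sent"*)
            echo sent ;;          # relayed through the tunnel and accepted by the smarthost
        *"Connection refused"*)
            echo tunnel-down ;;   # nothing listening on the stunnel accept port
        *"SASL authentication failed"*|*" 535 "*)
            echo auth-failed ;;   # wrong credentials, or sasl_passwd key not matching relayhost
        *)
            echo other ;;
    esac
}

# count_status FILE CATEGORY: number of lines in FILE classified as CATEGORY
count_status() {
    n=0
    while IFS= read -r line; do
        if [ "$(classify_smtp_line "$line")" = "$2" ]; then
            n=$((n + 1))
        fi
    done < "$1"
    echo "$n"
}

# Demonstration: summarise the constructed sample the way a real
# /var/log/mail.log would be read after the test message is sent.
demo=$(mktemp -d)
write_sample_log "$demo/mail.log"
for c in sent no-mechs tunnel-down auth-failed other; do
    printf '%-12s %s\n' "$c" "$(count_status "$demo/mail.log" "$c")"
done
```

Run it against the real log with count_status /var/log/mail.log sent and so on. A tunnel-down count means stunnel is not running or is bound to a different port than relayhost names; auth-failed with a 535 from the smarthost means the credentials or the sasl_passwd key are wrong; no-mechs is the missing libsasl2-modules case shown above.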
- | http:// | + | [1] http:// |
- | http:// | + | [2] http:// |
- | http:// | + | [3] http:// |
+ | [4] http:// |
notes/postfix-stunnel-smtps.1416748210.txt.gz · Last modified: 2014/11/23 13:10 by admin