This site is now 100% read-only, and retired.

Postfix Smarthost using Auth and SMTPS

Posted by simonw on Tue 15 Jul 2008 at 11:25

My email server uses SMTP AUTH with PLAIN or LOGIN, so the password is sent without encryption (base64 doesn't count, honestly). The server also listens on port 465 so that the whole session, password included, can be wrapped in SSL if people prefer not to send their password in plain text (my users generally know not to do that, or at least let me set up their mail clients).

My friend wants to set up his laptop to send emails using his account on my email server. He wants to do this using a traditional MTA, so that cron and other system emails "just work".

Here is the config I worked out for him, though I suspect there must be simpler smarthost configurations for AUTH over SMTPS on Debian. Note that this configuration is not especially secure: stunnel as configured below does not verify the server's certificate, so it cannot rule out a man-in-the-middle attack between the laptop and port 465.

Mail server: mail.example.com
Username: user@example.com
Password: password
Server accepts SMTP Authentication on ports 25 and 465.

Based on...
http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailservers.html

Set up Postfix as a satellite mail client

apt-get install postfix stunnel
dpkg-reconfigure postfix

Select "Satellite system" and accept the defaults, except for the domain name (I used example.com, but the choice is yours).

Mail sent to mail.example.com at this point will be greylisted, or rejected as an unknown recipient / relay access denied, because we still need to authenticate.

Set up Postfix to Authenticate as a mail client

echo "mail.example.com user@example.com:password" >>/etc/postfix/sasl_passwd
chown root:root /etc/postfix/sasl_passwd
chmod 600 /etc/postfix/sasl_passwd
cd /etc/postfix/
postmap hash:/etc/postfix/sasl_passwd
echo "smtp_sasl_auth_enable = yes" >>/etc/postfix/main.cf
echo "smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd" >>/etc/postfix/main.cf
echo "smtp_sasl_security_options =" >>/etc/postfix/main.cf

The smtp_sasl_password_maps line tells Postfix where to look the credentials up; without it nothing is ever sent. The key in sasl_passwd must match the relayhost value exactly. The empty smtp_sasl_security_options clears the default "noplaintext, noanonymous", which is what permits the PLAIN and LOGIN mechanisms at all.

Auth should now be working. Test it if you are brave enough to send your password in plain text!

Now use SSL for connections to mail.example.com

The Postfix SMTP client in 2.3 and later does not speak SMTPS (TLS "wrapper mode") natively, so the TLS_README suggests putting stunnel in front of it (but see the comments at the end of this article; a client-side smtp_tls_wrappermode setting only arrived in Postfix 3.0).
http://www.postfix.org/TLS_README.html#client_smtps

vim /etc/default/stunnel (the file is /etc/default/stunnel4 if you installed the stunnel4 package)
Change "ENABLED=0" to "ENABLED=1"

Append this to /etc/stunnel/stunnel.conf

[smtp-tls-wrapper]
accept = 11125
client = yes
connect = mail.example.com:465

Modify /etc/hosts.allow, adding the following so that only the local machine can use the tunnel:

smtp-tls-wrapper: 127.0.0.1

In /etc/postfix/main.cf make the relay host line read:

relayhost = [127.0.0.1]:11125

In /etc/postfix/sasl_passwd make the credential line read

[127.0.0.1]:11125 user@example.com:password

Remake the hashed version of the authentication credentials

cd /etc/postfix
postmap hash:/etc/postfix/sasl_passwd

Restart everything

/etc/init.d/postfix restart
/etc/init.d/stunnel restart

Now in one shell window as root...

tcpdump -X -i eth0 host mail.example.com

Then send an email and check that the capture looks encrypted: no readable AUTH command, MAIL FROM, or message text should appear.
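As an added, complete version of the procedure above (example script, not from the original post): it renders the stunnel section, the sasl_passwd line and the main.cf settings from one set of variables, adds the smtp_sasl_password_maps setting the walkthrough omits, and switches on certificate verification in stunnel so the tunnel cannot be silently intercepted. It assumes the stunnel4 package (config in /etc/stunnel/stunnel.conf, init script stunnel4) and Debian's CA bundle at /etc/ssl/certs/ca-certificates.crt; host, port and credentials are the placeholders from this article.

```shell
#!/bin/sh
# Added example, not from the original post: render the Postfix + stunnel
# smarthost configuration with two things the walkthrough leaves out:
#   * smtp_sasl_password_maps, without which Postfix never offers credentials
#   * certificate verification in stunnel, so a man-in-the-middle on the way
#     to port 465 cannot harvest the PLAIN/LOGIN password
# Assumptions: stunnel4 package (/etc/stunnel/stunnel.conf, init script
# stunnel4) and Debian's CA bundle path. The render_* functions only print;
# apply_config (root, invoked with the argument "apply") writes the files.

SMARTHOST=mail.example.com
SMARTHOST_PORT=465
LOCAL_PORT=11125
SASL_USER=user@example.com
SASL_PASS=password     # placeholder from the article, not a real credential
CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

# stunnel client section. Binding accept to 127.0.0.1 keeps the tunnel off the
# network without relying on hosts.allow. verify = 2 makes stunnel check the
# server certificate against CAfile and drop the connection if that fails;
# stunnel 5.06 and later can additionally pin the name with checkHost.
render_stunnel_conf() {   # args: smarthost remote_port local_port ca_bundle
    cat <<EOF
[smtp-tls-wrapper]
accept = 127.0.0.1:$3
client = yes
connect = $1:$2
verify = 2
CAfile = $4
EOF
}

# Postfix looks the credentials up by the relayhost value, brackets and port
# included, so the key must match relayhost exactly.
render_sasl_passwd() {    # args: local_port user password
    printf '[127.0.0.1]:%s %s:%s\n' "$1" "$2" "$3"
}

# main.cf settings. noanonymous (instead of the article's empty value) still
# permits PLAIN and LOGIN through the tunnel but refuses ANONYMOUS.
postfix_settings() {      # args: local_port
    printf '%s\n' \
        "relayhost = [127.0.0.1]:$1" \
        "smtp_sasl_auth_enable = yes" \
        "smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd" \
        "smtp_sasl_security_options = noanonymous"
}

# 0 if the file is mode 600 (owner read/write only), 1 otherwise.
credentials_locked_down() {   # args: path
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

apply_config() {
    umask 077   # sasl_passwd and its .db are created unreadable to others
    render_sasl_passwd "$LOCAL_PORT" "$SASL_USER" "$SASL_PASS" > /etc/postfix/sasl_passwd
    chown root:root /etc/postfix/sasl_passwd
    postmap hash:/etc/postfix/sasl_passwd
    credentials_locked_down /etc/postfix/sasl_passwd || {
        echo "refusing to continue: /etc/postfix/sasl_passwd is not mode 600" >&2
        exit 1
    }
    # postconf -e replaces an existing key instead of appending a duplicate
    postfix_settings "$LOCAL_PORT" | while IFS= read -r line; do
        postconf -e "$line"
    done
    render_stunnel_conf "$SMARTHOST" "$SMARTHOST_PORT" "$LOCAL_PORT" "$CA_BUNDLE" \
        >> /etc/stunnel/stunnel.conf
    /etc/init.d/stunnel4 restart && /etc/init.d/postfix restart
}

# Only touch the system when explicitly asked:  sh smarthost.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_config
fi
```

After applying, the tcpdump check above still applies; a failed verification shows up in stunnel's log as a certificate error rather than as a silent connection, which is the behaviour you want.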

I'm not sure the stunnel configuration explained above is complete, but stunnel logs good error messages! Using Thunderbird is a lot less effort ;)

Some discussion on the Internet says you can make the Postfix smtpd use TLS in wrapper mode, but I hate editing /etc/postfix/master.cf; it is one of those bits of Postfix that makes me nervous!

The nullmailer packager still has AUTH and SMTPS in its to-do list; bored Debian Developers could do worse than add these, as this should be a configuration done by dpkg for some MTA (preferably one simpler than Postfix!) by now.


Re: Postfix Smarthost using Auth and SMTPS
Posted by bma (81.79.xx.xx) on Tue 15 Jul 2008 at 21:41
msmtp does smtp-auth and tls just fine.

[ Parent ]

Re: Postfix Smarthost using Auth and SMTPS
Posted by simonw (84.45.xx.xx) on Tue 15 Jul 2008 at 22:40
[ View Weblogs ]
Thanks Ben, looks like a useful tool.

Does msmtp queue messages if the smart host is unreachable? The documentation was a little unclear to me on this point.

The documentation omits an SSMTP example, although I assume it is just adding "tls_starttls off" to the tls example.

[ Parent ]

Re: Postfix Smarthost using Auth and SMTPS
Posted by bma (81.79.xx.xx) on Tue 15 Jul 2008 at 23:23
No, it doesn't. There's a pair of scripts to do that, but I could never get them to work properly. I actually don't know of any that do; I tried several (though not all of the ones available) and it seemed that if you're not willing to run a full MTA, you don't get to queue.

[ Parent ]

Re: Postfix Smarthost using Auth and SMTPS
Posted by sphaero (80.100.xx.xx) on Wed 16 Jul 2008 at 09:44
[ View Weblogs ]
Postfix supports TLS so the password is encrypted. If you're that keen on security you shouldn't be using email. IMHO. You can force TLS encryption:
http://www.postfix.org/TLS_README.html#server_tls_auth

Instead of echoing to the main.cf file you can use the postfix command postconf.
It's a bit safer.

i.e.

postconf -e "smtp_sasl_auth_enable = yes"
postconf -e "smtp_sasl_security_options ="

[ Parent ]

Re: Postfix Smarthost using Auth and SMTPS
Posted by simonw (212.24.xx.xx) on Wed 16 Jul 2008 at 13:13
[ View Weblogs ]
Yes postfix supports TLS but not SMTPS, which is the whole essence of the article.

I could enable TLS on the server I use, but a lot of folk seem to want to connect to servers using SMTPS still, which Wietse seems to believe is deprecated, but I suspect is more easily scaled (which is probably why Google and Yahoo offer it).

Good point about postconf....

[ Parent ]

Re: Postfix Smarthost using Auth and SMTPS
Posted by Anonymous (85.179.xx.xx) on Sun 20 Jul 2008 at 15:35
Uhm, there is an smtps service in master.cf; just remove the comment sign
and restart postfix. You also want to set up normal TLS to use STARTTLS.
Also have a look at the TLS_README which comes with postfix. It explains in detail how to setup postfix for all this.

[ Parent ]

Re: Postfix Smarthost using Auth and SMTPS
Posted by kroshka (66.252.xx.xx) on Wed 23 Jul 2008 at 21:14
[ View Weblogs ]
You should enable TLS, on port 587. Which is considered "best current practice". The only excuse for keeping port 465 open, in addition to 587, for email submission is to support older braindead versions of outlook which insist on using 465 for encryption and don't allow you to change that.

To quote http://tools.ietf.org/html/rfc5068

"Submission Port Availability:

If external submissions are supported -- that is, from outside a site's administrative domain -- then the domain's MSAs MUST support the SUBMISSION port 587 [RFC4409]. Operators MAY standardize on the SUBMISSION port for both external AND LOCAL users; this can significantly simplify submission operations."

[ Parent ]

Re: Postfix Smarthost using Auth and SMTPS
Posted by simonw (84.45.xx.xx) on Wed 23 Jul 2008 at 21:23
[ View Weblogs ]
This is a draft, and the RFC4409 is also a draft, and specifies only that submission is usually on 587.

The draft is overly dictatorial - but hey I don't have time to correct all of Eric Allman's mistakes ;)

[ Parent ]

Re: Postfix Smarthost using Auth and SMTPS
Posted by kroshka (66.252.xx.xx) on Wed 23 Jul 2008 at 22:17
[ View Weblogs ]
Sure, but it'd be nice if everyone'd take it to heart so we wouldn't have so much confusion. :-) Port 465 by the way has been assigned to something totally different. Quoting http://www.iana.org/assignments/port-numbers

urd 465/tcp URL Rendesvous Directory for SSM

Although I am pretty sure it was assigned to some Cisco tv thingy not so long ago, for over a decade. But maybe my mind is playing tricks. Below it you can find:

# Toerless Eckert <eckert&cisco.com>
digital-vrc 466/tcp digital-vrc
digital-vrc 466/udp digital-vrc

[ Parent ]

Re: Postfix Smarthost using Auth and SMTPS
Posted by Anonymous (79.112.xx.xx) on Thu 2 Oct 2008 at 13:45
Thanks dude, I spent hours yesterday trying to do this. Some notes:

- you need this line in main.cf:

smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

- if stunnel fails to start, you need to check /etc/stunnel4/mail.pem. It needs to contain both a key and a certificate. This file can be generated with:

openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mail.pem -out mail.pem
chmod 600 mail.pem

I also commented out default services (pop3s, imaps, https).

[ Parent ]

Re: Postfix Smarthost using Auth and SMTPS
Posted by Anonymous (64.81.xx.xx) on Thu 11 Jun 2009 at 01:42
God bless you all. I've been trying to get this working for ever, even without the SSL.

[ Parent ]

Re: Postfix Smarthost using Auth and SMTPS
Posted by Anonymous (84.222.xx.xx) on Tue 5 Jan 2010 at 18:56
missing in main.cf:
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

[ Parent ]

Re: Postfix Smarthost using Auth and SMTPS
Posted by Anonymous (216.86.xx.xx) on Mon 11 Jan 2010 at 21:51
While this method does work, I've not been able to get any logging of the smtp connection between stunnel and the relay host. Stunnel itself does not log the connection, and postfix only shows handing off to the stunnel port, eg:
Jan 10 09:09:27 mail2 postfix/smtp[19748]: 04E34A2933: to=<xxxxxxxx@gmail.com>, relay=127.0.0.1[127.0.0.1]:11125, delay=0.54, delays=0.07/0.03/0.22/0.22, dsn=2.0.0, status=sent (250 OK id=1NU1I7-00023u-B7)

So if I wanted to troubleshoot on the relayhost I only have the message id to search. (OK id=1NU1I7-00023u-B7). This is fine if your relayhost is a single server, but in my case it's a virtual IP behind which a load balancer hands off to one of several smtp hosts.

So, I'm wondering if anyone has been successful in getting stunnel to log the smtps hostname to which it actually connects?

[ Parent ]

Re: Postfix Smarthost using Auth and SMTPS
Posted by simonw (84.45.xx.xx) on Mon 11 Jan 2010 at 22:13
[ View Weblogs ]
Enable mail.debug logging, and put "debug_peer_list = 127.0.0.1" in main.cf, and the mail log will contain the whole conversation, including the remote server greeting and the password in plain text; now all you need is to filter out the 250-[hostnames] lines so you don't log more than you need.

[ Parent ]

Re: Postfix Smarthost using Auth and SMTPS
Posted by Anonymous (41.78.xx.xx) on Wed 16 Mar 2011 at 16:52
Hi, please explain to me how this works. I don't have many tries to get it right because my domain gets blacklisted every time, and then it's a mission to get it unlisted. I always see example.com in tutorials but never know whether they mean local or remote. I have set everything up but want my backup program (amanda) to send notifications to my hosted domain address. ie: my local server is localhost, I want amandabackup@localhost to send notifications to my email chris@remotehost.com using mail.remotehost.com. I've tried using sendmail and then my IP and subsequently my domain name got blacklisted. If this is the wrong place to ask please direct me if you can. Thanks.

[ Parent ]

Re: Postfix Smarthost using Auth and SMTPS
Posted by simonw (84.45.xx.xx) on Wed 16 Mar 2011 at 17:12
[ View Weblogs ]
If you just want a server set up to forward system email to a named email account, I just set it up as a regular Internet email server using the Postfix dpkg configuration. Sometimes I change the domain it sends from if the recipient system doesn't like it for some reason. Typically all I need to do after that is add "root: sys-admin@example.com" to /etc/aliases and run the "newaliases" command. You'd have to add "amandabackup: root" to the same file if the installer doesn't do it for you.

[ Parent ]

Re: Postfix Smarthost using Auth and SMTPS
Posted by Anonymous (41.78.xx.xx) on Thu 17 Mar 2011 at 16:12
Cool, thanks I'll try it. Would I then use the same method in this article to authenticate at mail.example.com for sys-admin@example.com?

[ Parent ]

Re: Postfix Smarthost using Auth and SMTPS
Posted by simonw (84.45.xx.xx) on Thu 17 Mar 2011 at 19:29
[ View Weblogs ]
No, in that case you are just delivering email normally, so no authentication needs to take place.

[ Parent ]

Re: Postfix Smarthost using Auth and SMTPS
Posted by Anonymous (41.78.xx.xx) on Fri 18 Mar 2011 at 16:41
Thanks simonw, works perfect.

[ Parent ]

Re: Postfix Smarthost using Auth and SMTPS
Posted by Anonymous (84.88.xx.xx) on Thu 25 Oct 2012 at 14:08
Hi,

I made a small user-friendly script for no-questions-asked installation of postfix and configuring it to use smtp.gmail.com for sending the mails to the world.
Check out the https://gist.github.com/3952294

P.S. I checked the script on Ubuntu 12.04

[ Parent ]

Re: Postfix Smarthost using Auth and SMTPS
Posted by Anonymous (70.246.xx.xx) on Wed 14 Nov 2012 at 00:38
Your one liner is pure magic.
I have struggled a lot ... going through forums and what not ... I fix one problem and another comes up.
I had postfix already installed and ... it gives a message to remove it. But your one liner still worked for me without removing and reinstalling postfix.
Thanks ... this is what linux should be like. Just make it work ... I do not need to know this and that about it.
Did I say Thank you ... Thank you again.

[ Parent ]