Postfix Smarthost using Auth and SMTPS
Posted by simonw on Tue 15 Jul 2008 at 11:25
My email server uses SMTP AUTH with PLAIN or LOGIN. Thus the password is send without encryption (base64 doesn't count honest). The server listens on port 465 so that the password can be encrypted using SSL, if people prefer not to send their password in plain text (my users generally know not to do that, or at least let me set up their mail clients).
My friend wants to set up his laptop to send emails using his account on my email server. He wants to do this using a traditional MTA, so that cron and other system emails "just work".
Here is a config I worked out for him. But I think there must be simpler smarthost configurations for AUTH over SMTPS in Debian. The configuration is not especially secure, as it doesn't validate that there is no man in the middle attack!
Mail server: mail.example.com
Server accepts SMTP Authentication on ports 25 and 465.
Set up Postfix as a satellite mail client
apt-get install postfix stunnel dpkg-reconfigure postfix
Select - Satellite system - accept defaults except for domain name (made example.com but choice yours).
Email sent now to mail.example.com listed as "Greylisted", or rejected as wrong recipient because we still need to authenticate.
Set up Postfix to Authenticate as a mail client
echo "mail.example.com firstname.lastname@example.org:password" >>/etc/postfix/sasl_passwd chown root:root /etc/postfix/sasl_passwd chmod 600 /etc/postfix/sasl_passwd cd /etc/postfix/ postmap hash:/etc/postfix/sasl_passwd echo "smtp_sasl_auth_enable = yes" >>/etc/postfix/main.cf echo "smtp_sasl_security_options =" >>/etc/postfix/main.cf
Now we have auth working? Test if you brave your password going in plain text!
Now use SSL for connections to mail.example.com
Postfix doesn't do SMTPS natively in 2.3 and later (well see comments at end of this article).
vim /etc/default/stunnel Change "ENABLED=0" to "ENABLED=1"
Append this to /etc/stunnel/stunnel.conf
[smtp-tls-wrapper] accept = 11125 client = yes connect = mail.example.com:465
Modify "/etc/hosts.allow" adding.
In /etc/postfix/main.cf make the relay host line read:
relayhost = [127.0.0.1]:11125
In /etc/postfix/sasl_passwd make the credential line read
Remake the hashed version of the authentication credentials
cd /etc/postfix postmap hash:/etc/postfix/sasl_passwd
/etc/init.d/postfix restart /etc/init.d/stunnel restart
Now in one shell window as root...
tcpdump -X -i eth0 host mail.example.com
And send an email, and make sure it looks encrypted.
I'm not sure the stunnel configuration explained above is complete, but stunnel logs good error messages! Using Thunderbird is a lot less effort ;)
Some discussion on the Internet says you can make Postfix smtpd use TLS in wrapper mode - but I hate editing /etc/postfix/master.cf - it is one of those bits of postfix that makes me nervous!
The nullmailer packager still has AUTH and SMTPS in its to-do list - bored Debian Developers could do worse than add these, as this should be a configuration done by dpkg for some MTA (preferably one simpler than postfix!) by now.