Postfix Smarthost using Auth and SMTPS
Posted by simonw on Tue 15 Jul 2008 at 11:25
My email server uses SMTP AUTH with PLAIN or LOGIN. Thus the password is sent without encryption (base64 doesn't count, honestly). The server also listens on port 465 so that the whole session, password included, can be encrypted with SSL if people prefer not to send their password in plain text (my users generally know not to do that, or at least let me set up their mail clients).
My friend wants to set up his laptop to send emails using his account on my email server. He wants to do this using a traditional MTA, so that cron and other system emails "just work".
Here is a config I worked out for him. But I think there must be simpler smarthost configurations for AUTH over SMTPS in Debian. The configuration is not especially secure, as it does not check the server's certificate and so cannot detect a man-in-the-middle attack!
Mail server: mail.example.com
Username: user@example.com
Password: password
Server accepts SMTP Authentication on ports 25 and 465.
Based on...
http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailservers.html
Set up Postfix as a satellite mail client
apt-get install postfix stunnel
dpkg-reconfigure postfix
Select "Satellite system" and accept the defaults, except for the domain name (I used example.com, but the choice is yours).
Email sent now to mail.example.com is listed as "Greylisted" or rejected as an unknown recipient, because we still need to authenticate.
Set up Postfix to Authenticate as a mail client
echo "mail.example.com user@example.com:password" >>/etc/postfix/sasl_passwd
chown root:root /etc/postfix/sasl_passwd
chmod 600 /etc/postfix/sasl_passwd
cd /etc/postfix/
postmap hash:/etc/postfix/sasl_passwd
echo "smtp_sasl_auth_enable = yes" >>/etc/postfix/main.cf
echo "smtp_sasl_security_options =" >>/etc/postfix/main.cf
Now auth should be working. Test it, if you are brave enough to let your password go over the wire in plain text!
Now use SSL for connections to mail.example.com
Postfix doesn't do SMTPS natively in 2.3 and later (well, see the comments at the end of this article).
http://www.postfix.org/TLS_README.html#client_smtps
vim /etc/default/stunnel
Change "ENABLED=0" to "ENABLED=1".
Append this to /etc/stunnel/stunnel.conf:
[smtp-tls-wrapper]
accept = 11125
client = yes
connect = mail.example.com:465
Add the following line to /etc/hosts.allow:
smtp-tls-wrapper: 127.0.0.1
In /etc/postfix/main.cf make the relay host line read:
relayhost = [127.0.0.1]:11125
In /etc/postfix/sasl_passwd make the credential line read (the lookup key must match the relayhost setting exactly, brackets and port included):
[127.0.0.1]:11125 user@example.com:password
Remake the hashed version of the authentication credentials:
cd /etc/postfix
postmap hash:/etc/postfix/sasl_passwd
Restart everything:
/etc/init.d/postfix restart
/etc/init.d/stunnel restart
Now in one shell window as root...
tcpdump -X -i eth0 host mail.example.com
Then send an email and make sure the traffic to mail.example.com looks encrypted (no readable SMTP commands or base64 credentials in the dump).
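As an added example (not part of the original article), here is a small Python checker that reads copies of the three files configured above and flags the mistakes the walkthrough warns about: a sasl_passwd key that no longer matches relayhost, a relayhost that bypasses the stunnel port (password in the clear), and a stunnel section with no certificate verification (the man-in-the-middle caveat). The file contents below are constructed samples mirroring the article's final configuration.

```python
"""Sanity checks for a Postfix-via-stunnel SMTPS smarthost (added example)."""
import re

# Constructed sample inputs, mirroring the article's final configuration.
MAIN_CF = """relayhost = [127.0.0.1]:11125
smtp_sasl_auth_enable = yes
smtp_sasl_security_options =
"""
SASL_PASSWD = "[127.0.0.1]:11125 user@example.com:password\n"
STUNNEL_CONF = """[smtp-tls-wrapper]
accept = 11125
client = yes
connect = mail.example.com:465
"""


def parse_kv(text):
    """Parse 'key = value' lines (main.cf / stunnel.conf style) into a dict."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue  # skip blanks, comments and stunnel section headers
        key, _, value = line.partition("=")
        out[key.strip()] = value.strip()
    return out


def sasl_keys(text):
    """Lookup keys of a postmap-style sasl_passwd file (first field per line)."""
    return {line.split()[0] for line in text.splitlines() if line.strip()}


def check_smarthost(main_cf, sasl_passwd, stunnel_conf):
    """Return a list of problems; an empty list means the three files agree."""
    cf, st, problems = parse_kv(main_cf), parse_kv(stunnel_conf), []
    relay = cf.get("relayhost", "")
    if relay not in sasl_keys(sasl_passwd):
        problems.append(f"no sasl_passwd entry for relayhost key {relay!r}")
    if cf.get("smtp_sasl_auth_enable") != "yes":
        problems.append("smtp_sasl_auth_enable is not 'yes'")
    # PLAIN/LOGIN only work if plaintext mechanisms are not forbidden
    if "noplaintext" in cf.get("smtp_sasl_security_options", ""):
        problems.append("smtp_sasl_security_options forbids PLAIN/LOGIN")
    # relayhost must target stunnel's accept port, or the password leaves in the clear
    m = re.fullmatch(r"\[127\.0\.0\.1\]:(\d+)", relay)
    if not m or m.group(1) != st.get("accept"):
        problems.append("relayhost does not point at stunnel's accept port")
    if st.get("client") != "yes" or not st.get("connect", "").endswith(":465"):
        problems.append("stunnel section is not a client to port 465")
    # The article's caveat: stunnel's default verify level 0 accepts any certificate;
    # 'verify = 2' plus CAfile/CApath makes it check the server's certificate.
    if st.get("verify", "0") == "0":
        problems.append("stunnel does not verify the server certificate (MITM possible)")
    return problems
```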
I'm not sure the stunnel configuration explained above is complete, but stunnel logs good error messages! Using Thunderbird is a lot less effort ;)
Some discussion on the Internet says you can make Postfix smtpd use TLS in wrapper mode - but I hate editing /etc/postfix/master.cf - it is one of those bits of postfix that makes me nervous!
The nullmailer packager still has AUTH and SMTPS in its to-do list - bored Debian Developers could do worse than add these, as this should be a configuration done by dpkg for some MTA (preferably one simpler than postfix!) by now.
Does msmtp queue messages if the smart host is unreachable? The documentation was a little unclear to me on this point.
The documentation omits an SSMTP example, although I assume it is just adding "tls_starttls off" to the tls example.
http://www.postfix.org/TLS_README.html#server_tls_auth
Instead of echoing to the main.cf file you can use the postfix command postconf.
It's a bit safer.
i.e.
postconf -e "smtp_sasl_auth_enable = yes"
postconf -e "smtp_sasl_security_options ="
I could enable TLS on the server I use, but a lot of folk seem to want to connect to servers using SMTPS still, which Wietse seems to believe is deprecated, but I suspect is more easily scaled (which is probably why Google and Yahoo offer it).
Good point about postconf....
and restart postfix. You also want to set up normal TLS to use STARTTLS.
Also have a look at the TLS_README which comes with postfix. It explains in detail how to set up postfix for all this.
To quote http://tools.ietf.org/html/rfc5068
"Submission Port Availability:
If external submissions are supported -- that is, from outside a site's administrative domain -- then the domain's MSAs MUST support the SUBMISSION port 587 [RFC4409]. Operators MAY standardize on the SUBMISSION port for both external AND LOCAL users; this can significantly simplify submission operations."
The draft is overly dictatorial - but hey I don't have time to correct all of Eric Allman's mistakes ;)
urd 465/tcp URL Rendesvous Directory for SSM
Although I am pretty sure it was assigned to some Cisco tv thingy not so long ago, for over a decade. But maybe my mind is playing tricks. Below it you can find:
# Toerless Eckert <eckert&cisco.com>
digital-vrc 466/tcp digital-vrc
digital-vrc 466/udp digital-vrc