====== Postfix Authenticated Smarthost ======

See also **[[networking:linux:ssmtp|SSMTP]]**

http://www.mechanicalfish.net/classic-blog/posts/92-configuring-postfix-relay-mail-secure-host/

http://www.stefanolocati.it/blog/?p=737

**Gmail**: http://www.stevemccann.net/2012/12/changing-freepbx-smtp-server-to-gmail.html

**From Address**: http://www.cyberciti.biz/tips/howto-postfix-masquerade-change-email-mail-address.html

There are various reasons that you may want to configure Postfix to relay all mail to a 'smarthost'.

  * Spam filtering
  * Port blocking by your ISP
  * SPF DNS record doesn't permit your IP to send mail
  * Blacklisted IP address
  * Etc.

You need a package installed (CentOS, Ubuntu):

  yum install cyrus-sasl-plain
  apt install libsasl2-modules

You can copy and paste the following into an editor, then adjust the $SMTPHOST and $USERPASS variables for your needs. Then, as root, paste it to the command line:

  FILE=/etc/postfix/password
  SMTPHOST=your.mailserver.domain
  #SMTPHOST=your.mailserver.domain:587
  #SMTPHOST=[123.123.123.123]:587
  USERPASS=user:pass
  # This will overwrite any existing contents
  cat << EOF > $FILE
  #smtp.isp.com username:password
  $SMTPHOST $USERPASS
  EOF
  chown root:root $FILE
  chmod 0600 $FILE
  postmap hash:$FILE
  postconf -e "relayhost = $SMTPHOST"
  postconf -e 'smtp_sasl_auth_enable = yes'
  postconf -e 'smtp_sasl_password_maps = hash:/etc/postfix/password'
  postconf -e 'smtp_sasl_security_options ='
  systemctl restart postfix

===== TLS =====

Additionally, you may be forced to use TLS which may authenticate differently. Here are some additional steps to implement TLS.

==== Prerequisites ====

Debian/Ubuntu:

  apt-get install libsasl2-modules

Redhat/CentOS:

  yum install cyrus-sasl-plain cyrus-sasl-ntlm

==== Postfix Configuration ====

First we configure the authentication credentials for Postfix.

:!: Newer FreePBX machines create and maintain ''/etc/postfix/sasl_passwd'' for you.

Edit ''/etc/postfix/password'' to point to a TLS capable host:port:

  #smtp.isp.com username:password
  :587 :

  postmap hash:/etc/postfix/password

Here we enable TLS in Postfix:

  postconf -e 'smtp_use_tls=yes'
  postfix reload

===== Envelope-From =====

**Envelope-From**: http://serverfault.com/questions/533912/how-do-i-change-the-envelope-from-in-postfix

Some mail servers require the ''envelope-from'' header to be a **valid sender** in order to accept mail via authenticated SMTP. Many servers also require that the **authentication user must match the sender address**.

  vim /etc/postfix/canonical

:!: This is **not a best practice**...it's something you might use on a PBX just to get it to send mail.

Append something like this to force all mail to have the specified ''envelope-from''.

  # Use the empty regex '//' to map *any* address to the desired envelope sender.
  // validsender@yourdomain.tld

  postmap /etc/postfix/canonical
  postconf -e "canonical_classes = envelope_sender"
  postconf -e "canonical_maps = regexp:/etc/postfix/canonical"
  postfix reload

===== FreePBX Distro =====

:!: Includes **SMTP authentication**, **TLS**, **envelope-from** and **trusted CAs**

  - **Copy** to a text editor
  - **Edit** for your needs
  - **Paste** into FreePBX Distro CLI as ''root''

:!: This package must be installed on older FreePBX Distro installations:

  yum install cyrus-sasl-plain

Copy, edit, then paste in the CLI:

  FILE=/etc/postfix/password
  # Your valid mail server - colon and port number optional
  SMTPHOST=yoursmtphost.yourdomain.tld:587
  # SMTP auth credentials - username may have @
  USERPASS=yoursmtpusername:yoursmtpuserpassword
  CANONICAL=/etc/postfix/canonical
  # Must be a valid authorized sender e-mail address in your domain
  SENDER=validsender@yourdomain.tld
  # Trusted CAs aren't configured by default?!
  CAFILE=/etc/ssl/certs/ca-bundle.trust.crt
  # This will overwrite any existing contents
  cat << EOF > $FILE
  #smtp.isp.com username:password
  $SMTPHOST $USERPASS
  EOF
  chown root:root $FILE
  chmod 0600 $FILE
  postmap hash:$FILE
  postconf -e "relayhost = $SMTPHOST"
  postconf -e 'smtp_sasl_auth_enable = yes'
  postconf -e 'smtp_sasl_password_maps = hash:/etc/postfix/password'
  postconf -e 'smtp_sasl_security_options ='
  postconf -e 'smtp_use_tls=yes'
  # This will overwrite any existing contents
  cat << EOF > $CANONICAL
  # Use the empty regex to map *any* address to the desired envelope sender (a valid sender).
  // $SENDER
  EOF
  postmap $CANONICAL
  postconf -e "canonical_classes = envelope_sender"
  postconf -e "canonical_maps = regexp:$CANONICAL"
  # Configure trusted CAs
  postconf -e "smtp_tls_CAfile = $CAFILE"
  postfix reload
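
The scripts above set ''smtp_sasl_security_options ='' (plaintext mechanisms allowed) together with ''smtp_use_tls=yes'', which is opportunistic TLS, so the relay password is only protected when the smarthost actually offers STARTTLS. The following audit is an added example, not part of the original page: the function names and both sample configurations are constructed for illustration, and the input format is the ''key = value'' output of ''postconf -n''.

```shell
# Added example (not from the original page): audit "key = value" lines, as
# printed by `postconf -n`, for the smarthost settings used on this page.
audit_smarthost() {
    awk '
    /^[ \t]*#/ || !/=/ { next }                  # skip comments and non-settings
    {
        key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        conf[key] = val
    }
    END {
        # smtp_tls_security_level overrides the legacy smtp_use_tls / smtp_enforce_tls.
        level = conf["smtp_tls_security_level"]
        if (level == "" && conf["smtp_enforce_tls"] == "yes") level = "encrypt"
        if (level == "" && conf["smtp_use_tls"] == "yes") level = "may"
        if (level == "") level = "none"
        # Postfix default when the parameter is absent: noplaintext, noanonymous.
        opts = ("smtp_sasl_security_options" in conf) ? conf["smtp_sasl_security_options"] : "noplaintext, noanonymous"
        if (conf["smtp_sasl_auth_enable"] != "yes") exit
        if (opts !~ /noanonymous/)
            print "WARN smtp_sasl_security_options lacks noanonymous"
        if (opts !~ /noplaintext/ && (level == "may" || level == "none"))
            print "FAIL plaintext SASL allowed with TLS level " level ": password may be sent unencrypted"
        if (level == "encrypt")
            print "INFO TLS is mandatory but the server certificate is not verified"
        if ((level == "verify" || level == "secure") && conf["smtp_tls_CAfile"] == "" && conf["smtp_tls_CApath"] == "")
            print "WARN certificate verification requested but no smtp_tls_CAfile or smtp_tls_CApath is set"
    }'
}
# Constructed sample: the settings the FreePBX Distro script on this page writes.
page_config() {
    cat << 'EOF'
relayhost = yoursmtphost.yourdomain.tld:587
smtp_sasl_auth_enable = yes
smtp_sasl_security_options =
smtp_use_tls = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.trust.crt
EOF
}
# Constructed sample: same relay, TLS required and verified before AUTH.
hardened_config() {
    cat << 'EOF'
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = verify
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.trust.crt
EOF
}
page_config | audit_smarthost
```

On a live host, run ''postconf -n | audit_smarthost'' after pasting the function into a root shell; no output means none of the checked combinations were found.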