====== Postfix Authenticated Smarthost ======
See also **[[networking:linux:ssmtp|SSMTP]]**
http://www.mechanicalfish.net/classic-blog/posts/92-configuring-postfix-relay-mail-secure-host/
http://www.stefanolocati.it/blog/?p=737
**Gmail**: http://www.stevemccann.net/2012/12/changing-freepbx-smtp-server-to-gmail.html
**From Address**: http://www.cyberciti.biz/tips/howto-postfix-masquerade-change-email-mail-address.html
There are various reasons that you may want to configure Postfix to relay all mail to a 'smarthost'.
* Spam filtering
* Port blocking by your ISP
* SPF DNS record doesn't permit your IP to send mail
* Blacklisted IP address
* Etc.
Install the SASL plain-authentication modules first (CentOS, then Ubuntu):
<code bash>
# CentOS
yum install cyrus-sasl-plain
# Ubuntu
apt install libsasl2-modules
</code>
You can copy and paste the following into an editor, then adjust the $SMTPHOST and $USERPASS variables for your needs. Then, as root, paste it to the command line:
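<code bash>
FILE=/etc/postfix/password
# Write the host in the same form (brackets, port) that relayhost will use
SMTPHOST=your.mailserver.domain
#SMTPHOST=your.mailserver.domain:587
#SMTPHOST=[123.123.123.123]:587
# Single-quoted so shell metacharacters in the password are kept literally
USERPASS='user:pass'
# This will overwrite any existing contents
# (the subshell umask keeps a newly created file private from the start)
(umask 077; cat > "$FILE") << EOF
#smtp.isp.com username:password
$SMTPHOST $USERPASS
EOF
chown root:root "$FILE"
chmod 0600 "$FILE"
# Build the lookup table (password.db) from the text file
postmap "hash:$FILE"
postconf -e "relayhost = $SMTPHOST"
postconf -e 'smtp_sasl_auth_enable = yes'
postconf -e "smtp_sasl_password_maps = hash:$FILE"
# An empty value lifts the default "noplaintext, noanonymous" restrictions
postconf -e 'smtp_sasl_security_options ='
systemctl restart postfix
</code>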
===== TLS =====
Additionally, the smarthost may force you to use TLS, and it may authenticate differently once TLS is in use. The additional steps below enable TLS.
==== Prerequisites ====
Debian/Ubuntu:
<code bash>
apt-get install libsasl2-modules
</code>
Redhat/CentOS:
<code bash>
yum install cyrus-sasl-plain cyrus-sasl-ntlm
</code>
==== Postfix Configuration ====
First we configure the authentication credentials for Postfix.
:!: Newer FreePBX machines create and maintain ''/etc/postfix/sasl_passwd'' for you.
Edit ''/etc/postfix/password'' to point to a TLS capable host:port:
<code>
#smtp.isp.com username:password
your.mailserver.domain:587 user:pass
</code>
Then rebuild the lookup table:
<code bash>
postmap hash:/etc/postfix/password
</code>
Here we enable TLS in Postfix:
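<code bash>
# Legacy parameter, equivalent to smtp_tls_security_level = may (opportunistic TLS)
postconf -e 'smtp_use_tls=yes'
postfix reload
</code>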
===== Envelope-From =====
**Envelope-From**: http://serverfault.com/questions/533912/how-do-i-change-the-envelope-from-in-postfix
Some mail servers require the ''envelope-from'' address to be a **valid sender** in order to accept mail via authenticated SMTP. Many servers also require that the **authentication user must match the sender address**.
<code bash>
vim /etc/postfix/canonical
</code>
:!: This is **not a best practice**; it's something you might use on a PBX just to get it to send mail.
Append something like this to force all mail to have the specified ''envelope-from''.
<code>
# Use the empty regex '//' to map *any* address to the desired envelope sender.
// validsender@yourdomain.tld
</code>
Then activate the map:
<code bash>
# regexp: tables are read as plain text, so this postmap step is not strictly needed
postmap /etc/postfix/canonical
postconf -e "canonical_classes = envelope_sender"
postconf -e "canonical_maps = regexp:/etc/postfix/canonical"
postfix reload
</code>
===== FreePBX Distro =====
:!: Includes **SMTP authentication**, **TLS**, **envelope-from** and **trusted CAs**
- **Copy** to a text editor
- **Edit** for your needs
- **Paste** into FreePBX Distro CLI as ''root''
:!: This package must be installed on older FreePBX Distro installations:
<code bash>
yum install cyrus-sasl-plain
</code>
Copy, edit, then paste in the CLI:
<code bash>
FILE=/etc/postfix/password
# Your valid mail server - colon and port number optional
SMTPHOST=yoursmtphost.yourdomain.tld:587
# SMTP auth credentials - username may have @
# Single-quoted so shell metacharacters in the password are kept literally
USERPASS='yoursmtpusername:yoursmtpuserpassword'
CANONICAL=/etc/postfix/canonical
# Must be a valid authorized sender e-mail address in your domain
SENDER=validsender@yourdomain.tld
# Trusted CAs aren't configured by default?!
CAFILE=/etc/ssl/certs/ca-bundle.trust.crt
# This will overwrite any existing contents
# (the subshell umask keeps a newly created file private from the start)
(umask 077; cat > "$FILE") << EOF
#smtp.isp.com username:password
$SMTPHOST $USERPASS
EOF
chown root:root "$FILE"
chmod 0600 "$FILE"
# Build the lookup table (password.db) from the text file
postmap "hash:$FILE"
postconf -e "relayhost = $SMTPHOST"
postconf -e 'smtp_sasl_auth_enable = yes'
postconf -e "smtp_sasl_password_maps = hash:$FILE"
# An empty value lifts the default "noplaintext, noanonymous" restrictions
postconf -e 'smtp_sasl_security_options ='
# Legacy parameter, equivalent to smtp_tls_security_level = may (opportunistic TLS)
postconf -e 'smtp_use_tls=yes'
# This will overwrite any existing contents
cat << EOF > "$CANONICAL"
# Use the empty regex to map *any* address to the desired envelope sender (a valid sender).
// $SENDER
EOF
postmap "$CANONICAL"
postconf -e "canonical_classes = envelope_sender"
postconf -e "canonical_maps = regexp:$CANONICAL"
# Configure trusted CAs
postconf -e "smtp_tls_CAfile = $CAFILE"
postfix reload
</code>
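The TLS and FreePBX Distro sections above leave TLS opportunistic (''smtp_use_tls=yes'') and the SASL mechanism restrictions empty. The script below is an added example, not part of the original page or of Postfix: it reads ''postconf -n'' style text and reports those conditions. The function names, the finding codes and the sample input are constructed for illustration.

```shell
# Added example, not from the original page. Real use: postconf -n | audit_smarthost
# Print the last value of parameter $1 found in config text $2.
param() {
    printf '%s\n' "$2" | sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" | tail -n 1
}
# Succeed if parameter $1 is set explicitly (even to an empty value) in $2.
is_set() {
    printf '%s\n' "$2" | grep -q "^$1[[:space:]]*="
}

# Read "name = value" lines on stdin; print one finding code per line.
audit_smarthost() {
    conf=$(cat)
    [ "$(param smtp_sasl_auth_enable "$conf")" = "yes" ] || return 0
    level=$(param smtp_tls_security_level "$conf")
    # The legacy parameters only count when smtp_tls_security_level is unset.
    if [ -z "$level" ]; then
        if [ "$(param smtp_enforce_tls "$conf")" = "yes" ]; then level=encrypt
        elif [ "$(param smtp_use_tls "$conf")" = "yes" ]; then level=may
        else level=none
        fi
    fi
    # none/may/dane can deliver without TLS, exposing the SASL credentials.
    case "$level" in
        encrypt|verify|secure|fingerprint|dane-only) ;;
        *) echo "TLS_NOT_MANDATORY" ;;
    esac
    # The CA file only decides delivery when the level is verify or secure.
    if is_set smtp_tls_CAfile "$conf"; then
        case "$level" in
            verify|secure) ;;
            *) echo "CAFILE_NOT_ENFORCED" ;;
        esac
    fi
    # An explicit value replaces the default "noplaintext, noanonymous".
    if is_set smtp_sasl_security_options "$conf"; then
        case "$(param smtp_sasl_security_options "$conf")" in
            *noanonymous*) ;;
            *) echo "ANONYMOUS_AUTH_ALLOWED" ;;
        esac
    fi
}

# Constructed sample: settings left by the FreePBX Distro script on this page.
SAMPLE='smtp_sasl_auth_enable = yes
smtp_sasl_security_options =
smtp_use_tls = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.trust.crt'
printf '%s\n' "$SAMPLE" | audit_smarthost
```

A ''smtp_tls_security_level'' of ''verify'' or ''secure'' together with the CA file, plus ''smtp_sasl_security_options = noanonymous'', clears all three findings.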