Postfix Authenticated Smarthost

See also SSMTP

http://www.mechanicalfish.net/classic-blog/posts/92-configuring-postfix-relay-mail-secure-host/

http://www.stefanolocati.it/blog/?p=737

Gmail: http://www.stevemccann.net/2012/12/changing-freepbx-smtp-server-to-gmail.html

From Address: http://www.cyberciti.biz/tips/howto-postfix-masquerade-change-email-mail-address.html

There are various reasons that you may want to configure Postfix to relay all mail to a 'smarthost'.

  • Spam filtering
  • Port blocking by your ISP
  • SPF DNS record doesn't permit your IP to send mail
  • Blacklisted IP address
  • Etc.

Install the SASL plain-authentication package first (CentOS, then Ubuntu):

yum install cyrus-sasl-plain
apt install libsasl2-modules

You can copy and paste the following into an editor, then adjust the $SMTPHOST and $USERPASS variables for your needs. Then, as root, paste it to the command line:

FILE=/etc/postfix/password
SMTPHOST=your.mailserver.domain
#SMTPHOST=your.mailserver.domain:587
#SMTPHOST=[123.123.123.123]:587
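# Single quotes keep shell metacharacters in the password literal
USERPASS='user:pass'

# Create the file with mode 0600 before any credentials are written to it
install -m 0600 -o root -g root /dev/null "$FILE"

# This will overwrite any existing contents
cat << EOF > "$FILE"
#smtp.isp.com       username:password
$SMTPHOST  $USERPASS
EOF

chown root:root "$FILE"
chmod 0600 "$FILE"
postmap "hash:$FILE"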

postconf -e "relayhost = $SMTPHOST"
postconf -e 'smtp_sasl_auth_enable = yes'
postconf -e 'smtp_sasl_password_maps = hash:/etc/postfix/password'
postconf -e 'smtp_sasl_security_options ='

systemctl restart postfix

TLS

Additionally, your relay may require TLS, which can change how authentication is offered. The additional steps below enable TLS.

Prerequisites

Debian/Ubuntu:

apt-get install libsasl2-modules

Redhat/CentOS:

yum install cyrus-sasl-plain cyrus-sasl-ntlm

Postfix Configuration

First we configure the authentication credentials for Postfix.

:!: Newer FreePBX machines create and maintain /etc/postfix/sasl_passwd for you.

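Edit /etc/postfix/password to point to a TLS-capable host:port. Use the same form here as in the relayhost setting (including the port and any square brackets):

#smtp.isp.com       username:password
<fqdn_of_mail_svr>:587  <username>:<password>

Then rebuild the lookup table:

postmap hash:/etc/postfix/password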

Here we enable TLS in Postfix:

postconf -e 'smtp_use_tls=yes'
postfix reload
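
The settings on this page leave two things worth checking: smtp_use_tls=yes is the legacy form of opportunistic TLS (smtp_tls_security_level = may), and an empty smtp_sasl_security_options permits PLAIN/LOGIN on a session that never upgraded to TLS. The audit function below is an added example, not part of the original page; its function names and the sample settings are constructed for illustration, and it only reads text in the format `postconf -n` prints.

```shell
#!/bin/sh
# Added example: audit Postfix SMTP client settings for cleartext credential exposure.
# Input: "name = value" lines on stdin (the format `postconf -n` prints).
# Output: one finding per line; exit status 1 if any FAIL is reported.
audit_smarthost() {
    awk '
    {
        i = index($0, "=")
        if (i == 0) next
        k = substr($0, 1, i - 1); val = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", val)
        v[k] = val; seen[k] = 1
    }
    END {
        if (v["smtp_sasl_auth_enable"] != "yes") { print "OK: SASL client auth is off"; exit 0 }
        # smtp_tls_security_level, when set, overrides the legacy yes/no switches.
        lvl = v["smtp_tls_security_level"]
        if (lvl == "") lvl = (v["smtp_enforce_tls"] == "yes") ? "encrypt" : ((v["smtp_use_tls"] == "yes") ? "may" : "none")
        # An unset smtp_sasl_security_options means the built-in default applies.
        clear = ("smtp_sasl_security_options" in seen) ? v["smtp_sasl_security_options"] : "noplaintext, noanonymous"
        # Options for TLS sessions default to the cleartext-session options.
        tls = ("smtp_sasl_tls_security_options" in seen) ? v["smtp_sasl_tls_security_options"] : clear
        fail = 0
        if ((lvl == "none" || lvl == "may") && clear !~ /noplaintext/) {
            print "FAIL: tls level " lvl " with plaintext SASL allowed on unencrypted sessions"
            fail = 1
        }
        if (lvl == "may" || lvl == "encrypt")
            print "WARN: tls level " lvl " does not verify the relay certificate"
        if (clear !~ /noanonymous/ || tls !~ /noanonymous/)
            print "WARN: noanonymous is not set; anonymous SASL mechanisms are permitted"
        if (!fail) print "OK: PLAIN/LOGIN is only offered after TLS or not at all"
        exit fail
    }'
}

# Constructed sample: the settings written by this page (postconf -n form).
page_settings() {
    printf "%s\n" "relayhost = yoursmtphost.yourdomain.tld:587" \
        "smtp_sasl_auth_enable = yes" \
        "smtp_sasl_password_maps = hash:/etc/postfix/password" \
        "smtp_sasl_security_options =" \
        "smtp_use_tls = yes"
}

page_settings | audit_smarthost || true
```

On a live host, run it as postconf -n | audit_smarthost. A configuration that passes sets smtp_tls_security_level = encrypt (or verify/secure where the relay's certificate can be validated), leaves smtp_sasl_security_options at its default, and sets smtp_sasl_tls_security_options = noanonymous.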

Envelope-From

Envelope-From: http://serverfault.com/questions/533912/how-do-i-change-the-envelope-from-in-postfix

Some mail servers require the envelope-from address (the SMTP MAIL FROM sender) to be a valid sender in order to accept mail via authenticated SMTP. Many servers also require that the authenticated user match the sender address.

vim /etc/postfix/canonical

:!: This is not a best practice…it's something you might use on a PBX just to get it to send mail.

Append something like this to force all mail to have the specified envelope-from.

# Use the empty regex '//' to map *any* address to the desired envelope sender.
// validsender@yourdomain.tld

Then build the map, point Postfix at it and reload:

postmap /etc/postfix/canonical
postconf -e "canonical_classes = envelope_sender"
postconf -e "canonical_maps = regexp:/etc/postfix/canonical"
postfix reload

FreePBX Distro

:!: Includes SMTP authentication, TLS, envelope-from and trusted CAs

  1. Copy to a text editor
  2. Edit for your needs
  3. Paste into FreePBX Distro CLI as root

:!: This package must be installed on older FreePBX Distro installations:

yum install cyrus-sasl-plain

Copy, edit, then paste in the CLI:

FILE=/etc/postfix/password
# Your valid mail server - colon and port number optional 
SMTPHOST=yoursmtphost.yourdomain.tld:587
# SMTP auth credentials - username may have @; single quotes keep shell metacharacters literal
USERPASS='yoursmtpusername:yoursmtpuserpassword'
CANONICAL=/etc/postfix/canonical
# Must be a valid authorized sender e-mail address in your domain 
SENDER=validsender@yourdomain.tld
# Trusted CAs aren't configured by default?!
CAFILE=/etc/ssl/certs/ca-bundle.trust.crt

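# Create the file with mode 0600 before any credentials are written to it
install -m 0600 -o root -g root /dev/null "$FILE"

# This will overwrite any existing contents
cat << EOF > "$FILE"
#smtp.isp.com       username:password
$SMTPHOST  $USERPASS
EOF

chown root:root "$FILE"
chmod 0600 "$FILE"
postmap "hash:$FILE"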

postconf -e "relayhost = $SMTPHOST"
postconf -e 'smtp_sasl_auth_enable = yes'
postconf -e 'smtp_sasl_password_maps = hash:/etc/postfix/password'
postconf -e 'smtp_sasl_security_options ='
postconf -e 'smtp_use_tls=yes'

# This will overwrite any existing contents
cat << EOF > $CANONICAL
# Use the empty regex to map *any* address to the desired envelope sender (a valid sender).
// $SENDER
EOF

postmap $CANONICAL
postconf -e "canonical_classes = envelope_sender"
postconf -e "canonical_maps = regexp:$CANONICAL"

# Configure trusted CAs
postconf -e "smtp_tls_CAfile = $CAFILE"

postfix reload
networking/linux/postfix_smarthost.txt · Last modified: 2021/11/30 08:01 by gcooper