Linux: Postfix with a remote SMTP relay host

From Luky-Wiki

This is a short guide on how to set up Postfix to use another server as an email relay. Most dynamic IP addresses assigned to broadband (home) networks are blacklisted. This is desired behavior, as users should use an email service instead of direct email delivery. If you are using a server or Linux box to send notifications from local services, you may find it hard to deliver such notifications. Postfix configuration is flexible, and it is possible to configure it to act as a "user" which uses a username/password for authentication. Once Postfix is authenticated on the relay host, it is possible to send emails through it. Here is an example of how to configure Postfix in this way:

You should have Postfix running. It should be installed with the sasl and ssl options enabled. I don't cover the installation itself here.

To configure Postfix, set the following options in /etc/postfix/main.cf, either by editing the configuration file or with postconf:

  • by editing:
relayhost = mail.example.com:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
  • via command:
postconf -e 'relayhost = mail.example.com:587'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtp_sasl_auth_enable = yes'
postconf -e 'smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd'
postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt'

Description of configuration:

  • relayhost - DNS name (or IP address) and port of the remote server that Postfix connects to as a client
  • smtp_use_tls - enable TLS/SSL for connections to remote servers
  • smtp_sasl_auth_enable - enable SASL authentication to the remote SMTP server (i.e. a client login)
  • smtp_sasl_password_maps - map file containing the credentials
  • smtp_tls_CAfile - list of CAs to trust

The syntax of the password file (/etc/postfix/sasl_passwd) is:

mail.example.com:587 user:password

Once this file is in place, access to it should be restricted. I recommend root:root ownership and 600 permissions.

chown root:root /etc/postfix/sasl_passwd
chmod 600 /etc/postfix/sasl_passwd

Postfix reads its lookup tables in binary form, so before restarting it is necessary to convert the password file:

postmap /etc/postfix/sasl_passwd

The last step is to restart or reload Postfix:

/etc/init.d/postfix restart
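The steps above, collected into one script as an added example (this is not code from the wiki page): the function writes the main.cf settings, creates the credential file with the recommended ownership and mode, builds the hash map and reloads Postfix. The Postfix directory is a parameter so the script can be tried against a scratch directory first; the relay host, account name and password used in the demonstration are constructed values.

```shell
#!/bin/sh
# Added example (not from the wiki page): apply the relay-host setup from
# this guide in one go. Assumptions: the Postfix directory is passed as an
# argument so the function can be dry-run against a scratch directory;
# postconf/postmap/postfix are only invoked when they are installed.

# configure_relay DIR RELAYHOST USER PASSWORD
configure_relay() {
    dir=$1 relay=$2 user=$3 pass=$4

    # 1. main.cf settings from the guide. On a real host (DIR=/etc/postfix)
    #    use postconf -e; elsewhere append the lines to DIR/main.cf.
    for kv in "relayhost = $relay" \
              "smtp_use_tls = yes" \
              "smtp_sasl_auth_enable = yes" \
              "smtp_sasl_password_maps = hash:$dir/sasl_passwd" \
              "smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt"; do
        if [ "$dir" = /etc/postfix ] && command -v postconf >/dev/null 2>&1; then
            postconf -e "$kv"
        else
            printf '%s\n' "$kv" >> "$dir/main.cf"
        fi
    done

    # 2. Credential file "relayhost user:password". The umask in the subshell
    #    makes sure the file is never created world-readable, even briefly.
    ( umask 077; printf '%s %s:%s\n' "$relay" "$user" "$pass" > "$dir/sasl_passwd" )
    chmod 600 "$dir/sasl_passwd"
    chown root:root "$dir/sasl_passwd" 2>/dev/null || true   # no-op when not running as root

    # 3. Build the hash map and reload Postfix, only where it is installed.
    if command -v postmap >/dev/null 2>&1; then
        postmap "$dir/sasl_passwd"
    fi
    if [ "$dir" = /etc/postfix ] && command -v postfix >/dev/null 2>&1; then
        postfix reload
    fi
}

# check_relay_setup DIR: succeed only if main.cf carries the relay settings
# and sasl_passwd is readable/writable by its owner only (mode 600).
check_relay_setup() {
    dir=$1
    grep -q '^relayhost = ' "$dir/main.cf" || return 1
    grep -q '^smtp_sasl_auth_enable = yes$' "$dir/main.cf" || return 1
    grep -q '^smtp_sasl_password_maps = hash:' "$dir/main.cf" || return 1
    [ "$(ls -l "$dir/sasl_passwd" | cut -c1-10)" = '-rw-------' ] || return 1
    return 0
}

# Demonstration against a scratch directory (all values constructed). For a
# real host run, as root: configure_relay /etc/postfix mail.example.com:587 USER PASSWORD
DEMO=$(mktemp -d)
configure_relay "$DEMO" mail.example.com:587 name.surname@example.com 'example-password'
check_relay_setup "$DEMO" && echo "relay configuration written to $DEMO"
```

On a real host run configure_relay as root with /etc/postfix, and prefer reading the password from a root-only file or a prompt rather than typing it on the command line, where it ends up in shell history and process listings. Note that smtp_use_tls = yes only enables opportunistic TLS: if the relay must never be contacted in plaintext, set smtp_tls_security_level = encrypt (a standard Postfix parameter not used on this page, which supersedes smtp_use_tls in Postfix 2.3 and later).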

Sender email rewrite

If the relay host is configured properly and you are using client connection credentials, there is one remaining problem. The email service provider should refuse to relay emails whose user details and envelope information do not match the account. For example, if your email account is name.surname@example.com, then an email from root@home.net should be rejected. The reason is simple: clients should use their own email address, not the address of someone else.

Rewriting the sender/recipient address is really simple with Postfix, but there is one catch. If you rewrite all source addresses, the postmaster address is rewritten too. In case of a delivery error, Postfix tries to return the email to its source, which is the rewritten address. Since the error message is handled the same way, its origin is rewritten as well and the email is stuck in a bounce loop. There are two ways to prevent this.

Static rewrite of sender and recipient

sender_canonical_maps    = static:sender@example.com
recipient_canonical_maps = static:recipient@example.com

Each message is rewritten to come from one "source" address and is delivered to one specific recipient. This is a good option if there is one recipient for all emails generated on the system. For example, I am using this configuration on my media PC: if there is some kind of problem, I would like to see it in my mailbox. Note that this also disables local delivery. If you would like to deliver notifications to several recipients depending on some condition, check the second option.

Regular expression rewrite rule

The sender and the recipient can also be rewritten using regular expressions or by a simple key:value combination. During mail delivery, Postfix examines the file line by line, and if a match is found, the address from that line is used. Tables of type regexp are read by Postfix directly, so it is not necessary to create a binary representation with postmap.

sender_canonical_maps = regexp:/etc/postfix/sender_map

The content of the file is in the format:

/regular_expression/ rewrite_target

Note: I don't recommend the following configuration.

/.*/ user@example.com

or

/.+/ user@example.com

Both of them also rewrite postmaster and the "empty" source address used for bounce messages. If you would like to use such a configuration, make sure that the system accounts (postmaster, double-bounce, root, etc.) are handled in the configuration so you do not end up with a bounce loop.
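To make the first-match behaviour and the bounce-loop caveat concrete, here is an added example (not from the wiki page) that emulates how Postfix walks a regexp: map from top to bottom, applied once to the discouraged catch-all map and once to a map that lists the system accounts first. The map contents, the home.net host name and the user@example.com target are constructed; the lookup only handles the "/pattern/ target" line form used on this page (no $1 substitutions or per-line flags).

```shell
#!/bin/sh
# Added example (not from the wiki page): emulate how Postfix walks a
# regexp: canonical map top to bottom and uses the first matching line,
# to show why a bare catch-all rewrites postmaster too. Assumption: each
# map line has the form "/pattern/ target" (the only syntax this page uses);
# $1-style substitutions and flags are not handled here.

# canonical_lookup ADDRESS MAPFILE: print the rewritten address, or the
# address unchanged when no line matches (what Postfix does on a miss).
canonical_lookup() {
    addr=$1 map=$2
    while read -r pattern target; do
        case $pattern in ''|'#'*) continue ;; esac   # skip blanks and comments
        pattern=${pattern#/}; pattern=${pattern%/}   # strip the enclosing slashes
        # regexp: tables are case-insensitive by default, hence -i
        if printf '%s\n' "$addr" | grep -qiE -- "$pattern"; then
            printf '%s\n' "$target"
            return 0
        fi
    done < "$map"
    printf '%s\n' "$addr"
}

MAPS=$(mktemp -d)

# The configuration the guide warns against: a single catch-all line.
cat > "$MAPS/sender_map.catchall" <<'EOF'
/.*/ user@example.com
EOF

# The safer layout: lines for system accounts come first and map them to
# themselves, so only the remaining senders fall through to the catch-all.
# (home.net and user@example.com are constructed values)
cat > "$MAPS/sender_map.safe" <<'EOF'
# keep bounce-related system accounts untouched (first match wins)
/^postmaster@home\.net$/    postmaster@home.net
/^double-bounce@home\.net$/ double-bounce@home.net
# everything else, e.g. root@home.net, is sent as the relay account
/.*/                        user@example.com
EOF

echo "catch-all: postmaster -> $(canonical_lookup postmaster@home.net "$MAPS/sender_map.catchall")"
echo "safe map:  postmaster -> $(canonical_lookup postmaster@home.net "$MAPS/sender_map.safe")"
echo "safe map:  root       -> $(canonical_lookup root@home.net "$MAPS/sender_map.safe")"
```

The order of the lines is the whole point: with the catch-all alone, postmaster@home.net becomes user@example.com and a bounce addressed to it is rewritten again on its way out; with the system-account lines ahead of the catch-all, those addresses come back unchanged while ordinary senders such as root@home.net are still rewritten.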

Secure postfix

To ensure that the Postfix server is not misused, it is necessary to restrict access. A simple way to restrict access to local use only is to set the following options:

inet_interfaces = localhost
mynetworks_style = host