Package: postfix
Version: 3.3.2-1
Severity: normal
Tags: patch

Hi,

Debconf offers a 'satellite system' configuration option, where "All mail is sent to another machine, called a 'smarthost', for delivery." but this merely points Postfix toward the smarthost. With real-world, third-party smarthosts, a number of other steps are required to make this actually work, which are not explained to the user.

I've included a slightly Debian-centric guide to this configuration for inclusion with the Postfix package, if deemed appropriate.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages postfix depends on:
ii  adduser                3.118
ii  cpio                   2.12+dfsg-6
ii  debconf [debconf-2.0]  1.5.69
ii  dpkg                   1.19.2
ii  e2fsprogs              1.44.5-1
ii  libc6                  2.28-5
ii  libdb5.3               5.3.28+dfsg1-0.2
ii  libicu63               63.1-5
ii  libsasl2-2             2.1.27~rc8-1
ii  libssl1.1              1.1.1a-1
ii  lsb-base               10.2018112800
ii  netbase                5.5
ii  ssl-cert               1.0.39

Versions of packages postfix recommends:
ii  python3  3.7.1-3

Versions of packages postfix suggests:
pn  dovecot-common           <none>
ii  libsasl2-modules         2.1.27~rc8-1
ii  mailutils [mail-reader]  1:3.5-2
pn  postfix-cdb              <none>
ii  postfix-doc              3.3.2-1
pn  postfix-ldap             <none>
pn  postfix-lmdb             <none>
pn  postfix-mysql            <none>
ii  postfix-pcre             3.3.2-1
pn  postfix-pgsql            <none>
pn  postfix-sqlite           <none>
pn  procmail                 <none>
ii  resolvconf               1.79
ii  sasl2-bin                2.1.27~rc8-1
ii  sylpheed [mail-reader]   3.7.0-4
pn  ufw                      <none>

-- debconf information excluded

Postfix can be configured to relay mail to a 'smarthost' for delivery. In practice, with real world smarthosts, considerable configuration is required to make this work. Some of this configuration can be done via debconf ('dpkg-reconfigure postfix'), but much of it will usually need to be done manually. This document provides instructions for such configuration.

1. Set the smarthost

This can be set via debconf. To do it manually, add a line like the following to /etc/postfix/main.cf:

    relayhost = [relayhost.example.com]:465

If the port number is omitted, the default is 25. Most smarthosts use TLS/SSL, and accordingly generally use either 465 or 587. Consult the smarthost's documentation for the port used.

2. Enable TLS/SSL

As above, most smarthosts use TLS/SSL. To configure Postfix to use TLS, add the following lines to main.cf:

    smtp_tls_security_level = verify
    smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

If 'encrypt' is used instead of 'verify', the second line may be omitted, in which case TLS will be used but Postfix will not verify the smarthost's certificate, potentially allowing a man-in-the-middle attack and the stealing of the smarthost authentication credentials. See postconf(5) for details.

If 'legacy' SMTPS (sometimes called 'SSL', usually used in conjunction with port 465) is desired, add the following additional line to main.cf:

    smtp_tls_wrappermode = yes

For STARTTLS (usually used in conjunction with port 587), omit this line (or use the value 'no'). Consult the smarthost's documentation for the version of TLS/SSL used.

3. Configure authentication

Most smarthosts require authentication. To enable it, ensure that the package 'libsasl2-modules' is installed, and add the following lines to main.cf:

    smtp_sasl_auth_enable = yes
    smtp_sasl_security_options =

[See postconf(5) for more information about 'security options'. The above version, with no options, is generally fine.]

To specify the authentication credentials, create an arbitrarily named file (e.g., '/etc/postfix/example-passwd'), with appropriately restrictive permissions (e.g., 600), containing a single line of the following form:

    smtp.example.com usern...@example.com:secret_password

where 'smtp.example.com' is the name of the smarthost, 'usern...@example.com' is the login name, and 'secret_password' is the login password.

After creating the file, run the command:

    postmap /etc/postfix/example-passwd

and add the following line to main.cf:

    smtp_sasl_password_maps = hash:/etc/postfix/example-passwd

4. Address rewriting

Most smarthosts require that the sender (envelope FROM and perhaps also the email From: header) be set to the user's correct mail address with the smarthost. Postfix therefore needs to be configured to rewrite the sender address accordingly. There are multiple ways to do this, including canonical mapping and SMTP generic mapping.

4a. Canonical mapping

With sender canonical mapping, all sender addresses are rewritten upon Postfix's receipt of the mail.

Create an arbitrarily named file (e.g., '/etc/postfix/sender_canonical'), containing lines of the form:

    local-user1 usern...@example.com
    local-user2 usern...@example.com

where 'local-user1' and 'local-user2' are usernames on the system that will be sending mail via the smarthost.

After creating the file, run the command:

    postmap /etc/postfix/sender_canonical

and add the following line to main.cf:

    sender_canonical_maps = hash:/etc/postfix/sender_canonical

To use regular expressions to match multiple users, use either 'regexp' or 'pcre' (requires the installation of 'postfix-pcre') tables. See DATABASE_README, regexp_table(5), PCRE_README, pcre_table(5), and postmap(1).

4b. SMTP generic mapping

With SMTP generic mapping, all matching addresses are rewritten upon Postfix's delivery of the mail via SMTP.

Create an arbitrarily named file (e.g., '/etc/postfix/generic_mapping'), containing lines of the form:

    @host.domain usern...@example.com

with 'host.domain' taken from '/etc/mailname'.

One advantage to using generic over canonical mapping is that the latter will be applied to local mail as well. If the system will be configured to send all mail, even mail addressed to local users, via the smarthost (e.g., via aliases), then this point is moot.

See the ADDRESS_REWRITING_README for more information.

At this point, restart Postfix:

    /etc/init.d/postfix restart

Test:

    echo 'test' | sendmail someu...@somehost.com

Some mail services can be quite picky about what form of the email header From: they accept. It may be necessary to use an additional smtp_header_checks rule to rewrite the header From: (whether created by the original sender, or by Postfix itself) into a form that the mail provider will accept. See:

    https://marc.info/?l=postfix-users&m=154662599103646
    https://marc.info/?l=postfix-users&m=154656149717210

5. Aliases

As configured so far, local mail will be delivered locally and not sent via the smarthost. To redirect local mail through the smarthost, aliases can be used. In /etc/aliases, add lines like the following:

    root: someu...@somehost.com

Then run:

    newaliases

6. CREDITS:

This guide was based (with considerable elaboration) on a number of other guides on this topic (in addition to the official Postfix documentation), including:

    https://www.eanderalx.org/linux/postfix
    http://emanuelesantanche.com/article/85/configuring-postfix-to-relay-email-through-zoho-mail
    https://www.dnsexit.com/support/mailrelay/postfix.html
    https://www.cyberciti.biz/faq/postfix-smtp-authentication-for-mail-servers/
    https://blog.bravi.org/?p=1065
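
The settings from steps 1 to 3 of the guide can be checked mechanically before restarting Postfix. The following shell sketch is an added example, not part of the submitted guide or of the Postfix package; the function names, the finding labels and the sample main.cf are constructed for illustration, and it assumes one 'name = value' setting per line.

```shell
# Added example: audit a main.cf-style file for the smarthost settings above.
# Assumes one "name = value" per line (no continuation lines or $name references).
# get_param FILE NAME: print the last value assigned to NAME (empty if unset).
get_param() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]/ || !/=/ { next }
        { k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k) }
        k == key { v = substr($0, index($0, "=") + 1)
                   gsub(/^[ \t]+|[ \t]+$/, "", v); val = v }
        END { print val }' "$1"
}
# audit_smarthost FILE: print space-separated findings, or "ok".
audit_smarthost() {
    cf=$1 out=""
    relay=$(get_param "$cf" relayhost)
    wrap=$(get_param "$cf" smtp_tls_wrappermode)
    maps=$(get_param "$cf" smtp_sasl_password_maps)
    case $relay in
        "") port=""; out="$out no-relayhost" ;;
        *:*) port=${relay##*:} ;;
        *) port=25 ;;
    esac
    case $(get_param "$cf" smtp_tls_security_level) in
        verify) [ -n "$(get_param "$cf" smtp_tls_CAfile)" ] || out="$out verify-without-CAfile" ;;
        encrypt) out="$out certificate-not-verified" ;;
        *) out="$out tls-level-not-verify" ;;   # anything else, including unset
    esac
    # Heuristic from the guide: 465 usually means wrapper mode, 587 STARTTLS.
    [ "$port" = 465 ] && [ "$wrap" != yes ] && out="$out port-465-without-wrappermode"
    [ "$port" = 587 ] && [ "$wrap" = yes ] && out="$out wrappermode-on-port-587"
    [ "$(get_param "$cf" smtp_sasl_auth_enable)" = yes ] || out="$out sasl-disabled"
    file=${maps#hash:}
    [ -n "$file" ] || out="$out no-password-map"
    for f in "$file" "${file:+$file.db}"; do   # source file and its postmap output
        [ -e "$f" ] || continue
        # Characters 5-10 of the ls mode string are the group and other bits.
        [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] || out="$out readable-by-others:$f"
    done
    out=${out# }
    echo "${out:-ok}"
}
# Constructed sample: SMTPS port, 'encrypt' level, no wrapper mode, no password map.
demo() {
    d=$(mktemp -d) && printf '%s\n' 'relayhost = [relayhost.example.com]:465' \
        'smtp_tls_security_level = encrypt' 'smtp_sasl_auth_enable = yes' > "$d/main.cf"
    audit_smarthost "$d/main.cf"; rm -rf "$d"
}
demo
```

On a real system, point audit_smarthost at /etc/postfix/main.cf; a result of 'ok' means the file matches the guide's 'verify' configuration and the credential files are not readable by group or others.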