Package: postfix
Version: 3.3.2-1
Severity: normal
Tags: patch

Hi,

Debconf offers a 'satellite system' configuration option, where "All
mail is sent to another machine, called a 'smarthost', for delivery."
but this merely points Postfix toward the smarthost. With real-world,
third-party smarthosts, a number of other steps are required to make
this actually work, which are not explained to the user. I've included
a slightly Debian-centric guide to this configuration for inclusion with
the Postfix package, if deemed appropriate.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages postfix depends on:
ii  adduser                3.118
ii  cpio                   2.12+dfsg-6
ii  debconf [debconf-2.0]  1.5.69
ii  dpkg                   1.19.2
ii  e2fsprogs              1.44.5-1
ii  libc6                  2.28-5
ii  libdb5.3               5.3.28+dfsg1-0.2
ii  libicu63               63.1-5
ii  libsasl2-2             2.1.27~rc8-1
ii  libssl1.1              1.1.1a-1
ii  lsb-base               10.2018112800
ii  netbase                5.5
ii  ssl-cert               1.0.39

Versions of packages postfix recommends:
ii  python3  3.7.1-3

Versions of packages postfix suggests:
pn  dovecot-common           <none>
ii  libsasl2-modules         2.1.27~rc8-1
ii  mailutils [mail-reader]  1:3.5-2
pn  postfix-cdb              <none>
ii  postfix-doc              3.3.2-1
pn  postfix-ldap             <none>
pn  postfix-lmdb             <none>
pn  postfix-mysql            <none>
ii  postfix-pcre             3.3.2-1
pn  postfix-pgsql            <none>
pn  postfix-sqlite           <none>
pn  procmail                 <none>
ii  resolvconf               1.79
ii  sasl2-bin                2.1.27~rc8-1
ii  sylpheed [mail-reader]   3.7.0-4
pn  ufw                      <none>

-- debconf information excluded

Postfix can be configured to relay mail to a 'smarthost' for delivery. In
practice, with real-world smarthosts, considerable configuration is required to
make this work. Some of this configuration can be done via debconf
('dpkg-reconfigure postfix'), but much of it will usually need to be done
manually. This document provides instructions for such configuration.

1. Set the smarthost

This can be set via debconf. To do it manually, add a line like the following
to /etc/postfix/main.cf:

relayhost = [relayhost.example.com]:465

If the port number is omitted, the default is 25. Most smarthosts use TLS/SSL,
and accordingly generally use either port 465 or port 587. Consult the
smarthost's documentation for the port used.

2. Enable TLS/SSL

As above, most smarthosts use TLS/SSL. To configure Postfix to use TLS, add the
following lines to main.cf:

smtp_tls_security_level = verify
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

If 'encrypt' is used instead of 'verify', the second line may be omitted, in
which case TLS will be used but Postfix will not verify the smarthost's
certificate, potentially allowing a man-in-the-middle attack and the stealing
of the smarthost authentication credentials. See postconf(5) for details.

If 'legacy' SMTPS (sometimes called 'SSL', usually used in conjunction with
port 465) is desired, add the following additional line to main.cf:

smtp_tls_wrappermode = yes

For STARTTLS (usually used in conjunction with port 587), omit this line (or
use the value 'no'). Consult the smarthost's documentation for the version of
TLS/SSL used.

3. Configure authentication

Most smarthosts require authentication. To enable it, ensure that the package
'libsasl2-modules' is installed, and add the following lines to main.cf:

smtp_sasl_auth_enable = yes
smtp_sasl_security_options =

[See postconf(5) for more information about 'security options'. The above
version, with no options, is generally fine.]

To specify the authentication credentials, create an arbitrarily named file
(e.g., '/etc/postfix/example-passwd'), with appropriately restrictive
permissions (e.g., 600) containing a single line of the following form:

smtp.example.com usern...@example.com:secret_password

Where 'smtp.example.com' is the name of the smarthost, 'usern...@example.com'
is the login name, and 'secret_password' is the login password.

After creating the file, run the command:

postmap /etc/postfix/example-passwd

and add the following line to main.cf:

smtp_sasl_password_maps = hash:/etc/postfix/example-passwd
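
A quick audit of the settings from steps 1-3, as an added example that is not part of the original guide: it flags a TLS level that skips certificate verification, a port/wrappermode mismatch, SASL enabled without a password map, and a credentials file that is too open or was never compiled with postmap. The function names and the sample config are constructed for illustration, and the map type is assumed to be hash: (compiled to a .db file) as used above.

```shell
#!/bin/sh
# Added example, not from the original guide. Simplification: main.cf
# continuation lines are ignored; the last assignment of a parameter wins.
get_param() {   # get_param FILE NAME -> value of NAME, empty if unset
    awk -F= -v k="$2" '
        $1 ~ ("^" k "[ \t]*$") { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v) }
        END { print v }' "$1"
}

audit_main_cf() {   # prints one finding per line, nothing if clean
    cf=$1
    relay=$(get_param "$cf" relayhost)
    level=$(get_param "$cf" smtp_tls_security_level)
    wrap=$(get_param "$cf" smtp_tls_wrappermode)
    case "$level" in
        ""|none|may|encrypt)
            echo "TLS: smtp_tls_security_level is '${level:-unset}'; step 2 uses 'verify'" ;;
        verify|secure)
            [ -n "$(get_param "$cf" smtp_tls_CAfile)$(get_param "$cf" smtp_tls_CApath)" ] ||
                echo "TLS: level '$level' set but no smtp_tls_CAfile or smtp_tls_CApath" ;;
    esac
    case "$relay" in
        *:465) [ "$wrap" = yes ] || echo "PORT: 465 usually needs smtp_tls_wrappermode = yes" ;;
        *:587) [ "$wrap" != yes ] || echo "PORT: 587 usually means STARTTLS, not wrappermode" ;;
    esac
    if [ "$(get_param "$cf" smtp_sasl_auth_enable)" = yes ] &&
       [ -z "$(get_param "$cf" smtp_sasl_password_maps)" ]; then
        echo "SASL: auth enabled but smtp_sasl_password_maps is unset"
    fi
}

audit_passwd_file() {   # argument: the source file that postmap was run on
    f=$1
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
        echo "PERM: $f is accessible to group or other (want mode 600)"
    if [ ! -f "$f.db" ] || [ "$f" -nt "$f.db" ]; then
        echo "MAP: $f.db is missing or older than its source; run: postmap $f"
    fi
}

# Constructed sample: the weaker variant from step 2 on the SMTPS port.
demo=$(mktemp)
cat > "$demo" <<'EOF'
relayhost = [relayhost.example.com]:465
smtp_tls_security_level = encrypt
smtp_sasl_auth_enable = yes
EOF
audit_main_cf "$demo"
rm -f "$demo"
```

On a configured system, run audit_main_cf /etc/postfix/main.cf and audit_passwd_file on the credentials file; no output means none of these checks fired.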

4. Address rewriting

Most smarthosts require that the sender (envelope FROM and perhaps also the
email From: header) be set to the user's correct mail address with the
smarthost. Postfix therefore needs to be configured to rewrite the sender
address accordingly. There are multiple ways to do this, including canonical
mapping and SMTP generic mapping.

4a. Canonical mapping

With sender canonical mapping, all sender addresses are rewritten upon
Postfix's receipt of the mail. Create an arbitrarily named file (e.g.,
'/etc/postfix/sender_canonical'), containing lines of the form:

local-user1     usern...@example.com
local-user2     usern...@example.com

where 'local-user1' and 'local-user2' are usernames on the system that will be
sending mail via the smarthost.

After creating the file, run the command:

postmap /etc/postfix/sender_canonical

and add the following line to main.cf:

sender_canonical_maps = hash:/etc/postfix/sender_canonical

To use regular expressions to match multiple users, use either 'regexp' or
'pcre' (requires the installation of 'postfix-pcre') tables. See
DATABASE_README, regexp_table(5), PCRE_README, pcre_table(5), and postmap(1).

4b. SMTP generic mapping

With SMTP generic mapping, all matching addresses are rewritten upon Postfix's
delivery of the mail via SMTP. Create an arbitrarily named file (e.g.,
'/etc/postfix/generic_mapping'), containing lines of the form:

@host.domain usern...@example.com

with 'host.domain' taken from '/etc/mailname'.

One advantage to using generic over canonical mapping is that the latter will
be applied to local mail as well. If the system will be configured to send all
mail, even mail addressed to local users, via the smarthost (e.g., via
aliases), then this point is moot.

See the ADDRESS_REWRITING_README for more information.

At this point, restart Postfix:

/etc/init.d/postfix restart

Test:

echo 'test' | sendmail someu...@somehost.com

Some mail services can be quite picky about what form of the email header From:
they accept. It may be necessary to use an additional smtp_header_check rule to
rewrite the header From: (whether created by the original sender, or by Postfix
itself) into a form that the mail provider will accept. See:

https://marc.info/?l=postfix-users&m=154662599103646
https://marc.info/?l=postfix-users&m=154656149717210

5. Aliases

As configured so far, local mail will be delivered locally and not sent via the
smarthost. To redirect local mail through the smarthost, aliases can be used.
In /etc/aliases, add lines like the following:

root:   someu...@somehost.com

Then run:

newaliases

6. CREDITS:

This guide was based (with considerable elaboration) on a number of other
guides on this topic (in addition to the official Postfix documentation),
including:

https://www.eanderalx.org/linux/postfix
http://emanuelesantanche.com/article/85/configuring-postfix-to-relay-email-through-zoho-mail
https://www.dnsexit.com/support/mailrelay/postfix.html
https://www.cyberciti.biz/faq/postfix-smtp-authentication-for-mail-servers/
https://blog.bravi.org/?p=1065
