Thanks for your incredibly useful advice, Victor... May I ask some follow-up questions?

On 7/09/2010 10:06 PM, Victor Duchovni wrote:
On Tue, Sep 07, 2010 at 12:53:13PM +0800, Richard Chapman wrote:

I am running postfix 2.3.3 as part of Centos 5.5.

I am trying to set up a hybrid mail system which involves postfix, dovecot
and Google Apps.
Ideally - I would like the email clients to use an authenticated TLS
connection to postfix (which is working fine) and then postfix to relay
the mail through smtp.google.com also through an authenticated TLS
connection using the same credentials as the "Client-Postfix" connection.
You cannot clone and should not attempt to clone authentication credentials
from an incoming Postfix SMTP server session to an outgoing Postfix SMTP
client session.

Understood and agreed.

AFAIK smtp.google.com requires an authenticated TLS connection.
If you have a Google Apps hosted domain, you use fixed MTA credentials,
(possibly just an IP whitelist) negotiated with Google and send to
alternate servers (not smtp.gmail.com 587). No per-user credentials
required.

Not sure I fully understand this...
I AM using a google apps hosted domain - and I think I need to use per user credentials because that is what would happen if the users connected directly to smtp.google.com as described in the google apps setup instructions. If I don't use per user credentials - I think google apps will change the sender address to a "fixed" sender address. It seems that you don't agree with me here? Also - part of the rationale of sending via smtp.google.com with user credentials - is to ensure that the google apps users' "sent email folders" are maintained correctly.

Perhaps you are describing an alternative method for google apps smtp which I am unaware of. If so - can you point me to a description of this alternative option?

Otherwise, Postfix can make use of per-sender stored passwords, as
described in SASL_README and SOHO_README.

     http://www.postfix.org/SOHO_README.html#client_sasl_sender
     http://www.postfix.org/SASL_README.html#client_sasl_sender

This looks fine - and looks like it will do what I need. I only have a small and stable number of users - so this method looks manageable.

What is less clear to me is how to enable/enforce TLS to keep smtp.google.com happy. I saw a possibly related posting today discussing "Relay to another internal server using TLS" - with these instructions referred to in that thread:
http://www.postfix.org/TLS_README.html#client_tls

Based on both these threads - I am proposing to add the following to main.cf, and build the sasl_passwd file:

smtp_tls_security_level = may
smtp_sender_dependent_authentication = yes
# sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
relayhost = smtp.gmail.com:587

Can you confirm that the ":587" is the correct syntax? The help file appears to suggest that the word "submission" is a keyword that should be used rather than a port number. I am assuming that the port number is the correct parameter here.

Do you know whether it is permissible to have a username of the form "u...@domain.com" in the sasl_passwd file? This will be required for google apps credentials.

Thanks again for your expertise...

Richard.
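As an added worked example (not the poster's final configuration and not text from the Postfix documentation), here is how the main.cf stanza and the matching sasl_passwd map fit together once the per-sender method from SOHO_README/SASL_README is combined with the client TLS settings from TLS_README. The domain, account names and passwords are placeholders. Two points the example makes that the thread only asks about: "[smtp.gmail.com]:587" and "[smtp.gmail.com]:submission" are both accepted relayhost forms (the brackets suppress the MX lookup), and "smtp_tls_security_level = encrypt" makes STARTTLS mandatory, so a session to the relay fails rather than silently downgrading to cleartext when TLS is unavailable. Postfix main.cf does not allow trailing comments on a value line, so every comment sits on its own line.

```conf
# /etc/postfix/main.cf (added example; every value below is a placeholder)

# Relay everything through Google's submission port. "[host]:587" and
# "[host]:submission" mean the same thing; the brackets skip the MX lookup.
relayhost = [smtp.gmail.com]:587

# Client-side SASL: the map is consulted by sender address first (because
# smtp_sender_dependent_authentication = yes), then by the relayhost key.
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sender_dependent_authentication = yes
# Never fall back to anonymous or plaintext-less mechanisms that leak nothing useful.
smtp_sasl_security_options = noanonymous

# Mandatory STARTTLS towards the relay. "may" would allow a cleartext session
# (and thus cleartext credentials) if the server ever stops offering TLS.
smtp_tls_security_level = encrypt
# CA bundle (CentOS 5 path); only consulted if the level is raised to
# "verify" or "secure", which additionally checks the relay's certificate.
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
```

The companion map, also an added example, is keyed on the full sender address for the per-user entries and on the relayhost string for the fallback entry. Because it holds credentials, keep the source file and the generated .db owned by root with mode 0600, then build it with "postmap hash:/etc/postfix/sasl_passwd" and reload Postfix:

```conf
# /etc/postfix/sasl_passwd (added example; placeholder accounts and passwords)
# Format: lookup-key <whitespace> username:password
#
# Per-sender entries: looked up first when smtp_sender_dependent_authentication = yes.
# The username may contain "@" because the whole "user:password" string is the value.
alice@example.com        alice@example.com:ALICE_PLACEHOLDER_PASSWORD
bob@example.com          bob@example.com:BOB_PLACEHOLDER_PASSWORD
#
# Fallback entry keyed on the relayhost, used for any sender without an entry above.
# The key must match the relayhost setting exactly, brackets and port included.
[smtp.gmail.com]:587     relay@example.com:RELAY_PLACEHOLDER_PASSWORD
```

With the fallback entry present, mail from a sender who has no row of their own is still authenticated as the shared relay account; remove that row if the intent is that unknown senders must not be relayed at all, in which case such mail stays deferred with an authentication failure in the log.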