Installing and configuring a postfix relay

This has been tested to work completely from a base build of CentOS 6. Copy and change the commands, then run.

I have some old school stuff that can’t use SMTP AUTH to send Email. So I needed to set up an SMTP relay that turns around and sends Email with SMTP AUTH to our externally hosted SMTP server.

Stop sendmail:

service sendmail stop #stop the service neatly
chkconfig --del sendmail #remove the sucker from startup

Install postfix (and just postfix, we don’t care about IMAP services), along with support for PLAIN authentication and TLS encryption:

yum -y install postfix cyrus-sasl-plain ca-certificates mailx

Configure postfix’s main.cf:

postconf -e 'myorigin = externaldomain.com'
postconf -e 'mynetworks = 192.168.100.10/32, 192.168.100.11/32, 127.0.0.0/8'
postconf -e 'relay_domains = $myorigin'
#this will be the only destination domain that this postfix server will relay to relayhost or relay_transport
postconf -e 'relayhost = [external.smtpserver.com]:587'
postconf -e 'sender_canonical_maps = regexp:/etc/postfix/sender_canonical'
postconf -e 'smtp_header_checks = regexp:/etc/postfix/header_checks'
postconf -e 'smtp_sasl_auth_enable = yes'
postconf -e 'smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd'

Create the sender canonical map file so that all addresses are sent from robot@externaldomain.com:

echo '/.*/ robot@externaldomain.com' > /etc/postfix/sender_canonical

Change the From: within the header so that all addresses are From: robot@externaldomain.com

echo '/From:.*/ REPLACE From: robot@externaldomain.com' > /etc/postfix/header_checks

Create the postfix password map file:

echo "[external.smtpserver.com]:587 robot@externaldomain.com:password" > /etc/postfix/sasl_passwd
chown root:root /etc/postfix/sasl_passwd
chmod 600 /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd

Add aliases for ‘root’:
There are a variety of ways to, well, get mail destined for ‘root’ to another mailbox. I’ve seen really convoluted methods, including editing HOSTS and writing re-write rule maps.

There seem to be two “real” ways to do this: “the wrong way,” and the right way. I’ll review both:

The wrong way:
If you want to route mail to an external address while keeping the originally addressed recipient, you can simply do the following:
1) With /etc/postfix/main.cf having been configured using ‘postconf -e’ above, edit /etc/postfix/main.cf and comment out the following two lines:

#myorigin = externaldomain.com
#relay_domains = $myorigin

2) Update the alias for root to point at the external destination address:

vim /etc/aliases
#root: dstaddr@externaldomain.com
#exit vim
newaliases
postfix reload

3) Mail to ‘root’ should then be routed to dstaddr@externaldomain.com, with the To: address in the header being the “fully qualified” user name of the ‘root’ user.

This is not secure, and it probably breaks RFCs.

The right way:
1) Configure a virtual alias map to route mail to an external domain:

postconf -e 'virtual_alias_maps = hash:/etc/postfix/virtual'
echo root dstaddr@externaldomain.com > /etc/postfix/virtual
postmap /etc/postfix/virtual

2) Re-writing the To: header can be done using a canonical map:

postconf -e 'recipient_canonical_maps = regexp:/etc/postfix/recipient_canonical'
echo /\.\*root\.\*/ dstaddr@externaldomain.com > /etc/postfix/recipient_canonical
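As an added check that is not part of the original post: the recipient_canonical pattern above is unanchored (as are the sender_canonical and header_checks patterns earlier), so `/.*root.*/` rewrites any recipient whose address merely contains “root”. Postfix regexp tables use POSIX extended regular expressions and are case-insensitive by default, so the script below emulates the lookup with `grep -Ei` and compares the page’s pattern with an anchored alternative. `ANCHORED_PATTERN`, the helper functions and the sample addresses are mine, not from the page or from Postfix. On a host with Postfix installed, `postmap -q 'groot@externaldomain.com' regexp:/etc/postfix/recipient_canonical` performs the real lookup.

```shell
#!/bin/sh
# Added example (not from the page): show which recipient addresses an
# unanchored regexp: canonical pattern would rewrite. Postfix regexp tables
# use POSIX extended regular expressions and are case-insensitive by default,
# so "grep -Ei" is a close stand-in. Assumption: no Postfix-specific flags.

# Pattern from the page's recipient_canonical entry (without the surrounding slashes).
PAGE_PATTERN='.*root.*'
# Hypothetical tighter pattern: only the bare local part "root", optionally at a domain.
ANCHORED_PATTERN='^root(@[^@]+)?$'

# matches_pattern PATTERN ADDRESS -> exit 0 when ADDRESS would be rewritten.
matches_pattern() {
    printf '%s\n' "$2" | grep -Eiq -- "$1"
}

# count_matches PATTERN ADDRESS... -> prints how many of the addresses match.
count_matches() {
    pat=$1; shift
    n=0
    for addr in "$@"; do
        if matches_pattern "$pat" "$addr"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed sample recipients; none of these come from the page.
SAMPLES='root root@relay.example Root@relay.example groot@externaldomain.com rootkit-alerts@externaldomain.com alice@externaldomain.com'

# Stand-alone demo: compare the two patterns over the samples.
for pat in "$PAGE_PATTERN" "$ANCHORED_PATTERN"; do
    printf '/%s/ rewrites %s of 6 addresses:\n' "$pat" "$(count_matches "$pat" $SAMPLES)"
    for addr in $SAMPLES; do
        if matches_pattern "$pat" "$addr"; then printf '  %s\n' "$addr"; fi
    done
done
```

With the page’s pattern, five of the six constructed addresses (everything except alice@) would be redirected to dstaddr@externaldomain.com; the anchored pattern catches only the three spellings of the bare root user.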

If your relay supports it, enable STARTTLS for delivery:
Generally, if your server only supports PLAIN AUTH for sending your credentials, you should require encryption (otherwise use ‘may’):

postconf -e 'smtp_tls_security_level = encrypt'
postconf -e 'smtp_tls_CApath = /etc/ssl/certs'

You can do tweaking as needed.

Provide some security by restricting by IP:
Right now, you’ve got an open relay. This is sort of what you want, but it’s always good to provide some level of restriction. In addition to using iptables, you can restrict the IP addresses that postfix will accept mail from using the following parameter.

postconf -e 'smtpd_client_restrictions = permit_inet_interfaces, permit_mynetworks, reject'
#clients not matched by the permit_ rules are rejected ('restrict' is not a Postfix restriction name and would be logged as unknown)
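The parameters set so far (mynetworks, relayhost, the SASL settings, smtp_tls_security_level and smtpd_client_restrictions, plus smtp_sasl_security_options from the troubleshooting step further down) are the first things to check when reviewing a relay like this one. The script below is an added example, not from the original post or from Postfix: it reads a `postconf -n`-style key = value file and flags the weak settings, and also checks that the sasl_passwd file has the 0600 mode the post sets. The finding texts, the `cf_get`/`has_word` helpers and the constructed demo configuration are my own.

```shell
#!/bin/sh
# Added example, not from the page: audit a Postfix relay configuration for the
# weak settings discussed in this post. Input is a "key = value" file such as the
# output of "postconf -n" on the relay. Assumption: one parameter per line
# (real main.cf may continue a value on indented lines; postconf -n does not).

# cf_get FILE KEY -> prints the last value set for KEY, empty if unset.
cf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# has_word LIST WORD -> exit 0 when WORD is an element of a comma/space separated LIST.
has_word() {
    printf '%s\n' "$1" | tr ', ' '\n\n' | grep -qx -- "$2"
}

# audit_relay_config FILE -> prints one finding per line; the exit status is the
# number of findings, so 0 means nothing was flagged.
audit_relay_config() {
    f=$1; n=0
    tls=$(cf_get "$f" smtp_tls_security_level)
    case "$tls" in
        encrypt|secure|verify|dane-only) ;;
        *) echo "smtp_tls_security_level='${tls:-unset}': SASL password can go to relayhost in cleartext; use encrypt"
           n=$((n + 1)) ;;
    esac
    opts=$(cf_get "$f" smtp_sasl_security_options)
    if [ -n "$opts" ] && ! has_word "$opts" noanonymous; then
        echo "smtp_sasl_security_options='$opts': keep noanonymous so the client never falls back to ANONYMOUS"
        n=$((n + 1))
    fi
    nets=$(cf_get "$f" mynetworks)
    if has_word "$nets" 0.0.0.0/0; then
        echo "mynetworks='$nets': every client is trusted, i.e. an open relay"
        n=$((n + 1))
    fi
    cr=$(cf_get "$f" smtpd_client_restrictions)
    if [ -z "$cr" ]; then
        echo "smtpd_client_restrictions unset: Postfix itself accepts connections from any client"
        n=$((n + 1))
    else
        if ! has_word "$cr" reject; then
            echo "smtpd_client_restrictions='$cr': no final reject, unlisted clients are permitted"
            n=$((n + 1))
        fi
        for word in $(printf '%s\n' "$cr" | tr ', ' '\n\n'); do
            case "$word" in
                permit*|reject*|defer*|check_*|warn_if_reject|sleep) ;;
                *) echo "smtpd_client_restrictions: '$word' is not a restriction name; Postfix would log it as unknown"
                   n=$((n + 1)) ;;
            esac
        done
    fi
    if [ "$(cf_get "$f" smtp_sasl_auth_enable)" = yes ] && [ -z "$(cf_get "$f" smtp_sasl_password_maps)" ]; then
        echo "smtp_sasl_auth_enable=yes but smtp_sasl_password_maps unset: the relay cannot authenticate"
        n=$((n + 1))
    fi
    return $n
}

# sasl_passwd_mode_ok FILE -> exit 0 when FILE is mode 0600 as the page sets it
# (owner-only; the owner should be root, which the third column of ls -l shows).
sasl_passwd_mode_ok() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Stand-alone demo on a constructed weak configuration (values are made up).
DEMO=$(mktemp)
cat > "$DEMO" <<'EOF'
myorigin = externaldomain.com
mynetworks = 0.0.0.0/0
relayhost = [external.smtpserver.com]:587
smtp_sasl_auth_enable = yes
smtp_tls_security_level = may
smtpd_client_restrictions = permit_inet_interfaces, permit_mynetworks, restrict
EOF
audit_relay_config "$DEMO"; echo "findings: $?"
rm -f "$DEMO"
```

Run it against the live relay with `postconf -n > /tmp/relay.cf && audit_relay_config /tmp/relay.cf`; the demo configuration produces five findings, while the settings from this post (with a final reject) produce none.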

Change the MTA service from sendmail to postfix:

alternatives --config mta
#select/verify postfix

Start postfix and test mail relay:

service postfix restart
echo $(netstat -apn | grep :) | mail -v -s "$(date)" root && tail -f /var/log/maillog

If you see “No worthy mechs found,” the $relayhost wants plaintext passwords and/or anonymous authentication. It is reasonable to assume that with an encrypted channel, plaintext passwords are okay.

To fix that error, allow plaintext mechanisms:

postconf -e 'smtp_sasl_security_options = noanonymous'

The default value (noplaintext, noanonymous) disables them.
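To make sense of what `tail -f /var/log/maillog` shows after the test message, here is an added example (not from the original post) that reads maillog lines and reports, per queue id, whether the relay delivered, whether the relayhost’s certificate was verified over TLS, and whether the “No worthy mechs found” failure is present. The helper functions, the verdict texts and the sample log lines (queue ids, pids and the 203.0.113.25 address are made up) are my own; the line format is standard Postfix syslog output.

```shell
#!/bin/sh
# Added example, not from the page: read /var/log/maillog lines produced by the
# relay test and tell whether delivery worked, over what kind of TLS connection,
# and whether the "No worthy mechs found" problem is present.
# Assumptions: standard Postfix syslog format; every function takes the log path.

# sample_log -> writes constructed maillog lines to a temp file and prints its path.
# Queue ids, pids and the 203.0.113.25 address are made up for this example.
sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Jun 28 00:10:01 relay postfix/smtp[2231]: warning: SASL authentication failure: No worthy mechs found
Jun 28 00:10:01 relay postfix/smtp[2231]: 0E4B5A6C8D: to=<dstaddr@externaldomain.com>, relay=external.smtpserver.com[203.0.113.25]:587, delay=0.4, delays=0.1/0/0.3/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server external.smtpserver.com[203.0.113.25]: no mechanism available)
Jun 28 00:12:30 relay postfix/smtp[2240]: Trusted TLS connection established to external.smtpserver.com[203.0.113.25]:587: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 28 00:12:31 relay postfix/smtp[2240]: 7F3A2B1C9D: to=<dstaddr@externaldomain.com>, relay=external.smtpserver.com[203.0.113.25]:587, delay=0.9, delays=0.1/0/0.6/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
EOF
    echo "$f"
}

# last_status FILE QUEUEID -> prints the last status= value logged for QUEUEID
# (sent, deferred, bounced), or nothing if no delivery attempt was logged.
last_status() {
    grep -- "$2:" "$1" | sed -n 's/.*status=\([a-z]*\).*/\1/p' | tail -n 1
}

# tls_level FILE -> prints the trust word of the last TLS session to the relayhost
# (Trusted, Verified, Untrusted or Anonymous); empty when no TLS was negotiated.
tls_level() {
    sed -n 's/.*: \([A-Za-z]*\) TLS connection established to .*/\1/p' "$1" | tail -n 1
}

# needs_plain_sasl FILE -> exit 0 when the relayhost offered only mechanisms that
# the default smtp_sasl_security_options (noplaintext, noanonymous) disallow.
needs_plain_sasl() {
    grep -q 'No worthy mechs found' "$1"
}

# relay_verdict FILE QUEUEID -> one line a practitioner can act on.
relay_verdict() {
    f=$1; qid=$2
    st=$(last_status "$f" "$qid")
    tls=$(tls_level "$f")
    case "$st" in
        sent)
            case "$tls" in
                Trusted|Verified) echo "delivered; relayhost certificate verified ($tls TLS)" ;;
                Untrusted|Anonymous) echo "delivered, but relayhost certificate not verified ($tls TLS): check smtp_tls_CApath" ;;
                *) echo "delivered without TLS: check smtp_tls_security_level" ;;
            esac ;;
        deferred)
            if needs_plain_sasl "$f"; then
                echo "deferred: relayhost offers only PLAIN/LOGIN; set smtp_sasl_security_options = noanonymous"
            else
                echo "deferred: see the status line for $qid in the log"
            fi ;;
        '') echo "no delivery attempt logged for $qid" ;;
        *) echo "$st: see the status line for $qid in the log" ;;
    esac
}

# Stand-alone demo over the constructed log.
LOG=$(sample_log)
for qid in 0E4B5A6C8D 7F3A2B1C9D; do
    printf '%s: %s\n' "$qid" "$(relay_verdict "$LOG" "$qid")"
done
rm -f "$LOG"
```

On the real relay, take the queue id that `mail -v` prints and run `relay_verdict /var/log/maillog <queue id>`; an “Untrusted” result means the session was encrypted but the relayhost’s certificate did not chain to anything under smtp_tls_CApath.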

References:
Postfix SMTP AUTH (SASL) client example docs
Postfix TLS client example docs
Postfix config docs
HowToForge
Postfix sender address rewriting, changing mails’ “from” field in header on relay server
Thread that led me to a solution for routing mail destined to root in Postfix 2.0+ to an external domain

  1. June 28, 2015 at 12:16 am

    Very helpful and well-explained post. Thank you.

  2. August 21, 2017 at 6:08 pm

    2+ years later, and still very helpful. Thank you. For anyone that stumbles upon this for null clients and relays (or any topic where you need to rewrite), don’t worry about the OS, the postfix commands work perfectly, I’m currently on 3.1
