Installing and configuring a postfix relay
This has been tested to work completely from a base build of CentOS 6. Copy and change the commands, then run.
I have some old school stuff that can’t use SMTP AUTH to send Email. So I needed to set up an SMTP relay that turns around and sends Email with SMTP AUTH to our externally hosted SMTP server.
Remove sendmail:

service sendmail stop       # stop the service neatly
chkconfig --del sendmail    # remove the sucker from startup

and install just postfix (we don't care about IMAP services), with support for PLAIN authentication and TLS encryption:
yum -y install postfix cyrus-sasl-plain ca-certificates mailx
Configure postfix's main.cf. Note that the stock CentOS main.cf sets inet_interfaces = localhost; set it to all (or to the relay's own address) as well, otherwise the hosts in mynetworks will never be able to reach the relay.

postconf -e 'myorigin = externaldomain.com'
postconf -e 'mynetworks = 192.168.100.10/32, 192.168.100.11/32, 127.0.0.0/8'
postconf -e 'relay_domains = $myorigin'    # the only destination domain this server will accept from clients outside $mynetworks (hosts in $mynetworks can relay anywhere)
postconf -e 'relayhost = [external.smtpserver.com]:587'    # the brackets mean "connect to this host, skip the MX lookup"
postconf -e 'sender_canonical_maps = regexp:/etc/postfix/sender_canonical'
postconf -e 'smtp_header_checks = regexp:/etc/postfix/header_checks'
postconf -e 'smtp_sasl_auth_enable = yes'
postconf -e 'smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd'
Create the sender canonical map file so that every sender address (envelope and header) is rewritten to email@example.com. A regexp table holds one "/pattern/ result" rule per line; the file must end up containing the single line "/.*/ email@example.com":

echo '/.*/ email@example.com' > /etc/postfix/sender_canonical
Change the From: header so that every message goes out From: email@example.com. header_checks patterns are matched against the whole header line, case-insensitively and unanchored, so anchor the pattern with ^ or it will also rewrite any header that merely contains "From:", such as Resent-From:

echo '/^From:.*/ REPLACE From: email@example.com' > /etc/postfix/header_checks
Create the postfix password map file. The lookup key must match the relayhost value exactly, brackets and port included. postmap writes a second file, sasl_passwd.db, which holds the same credentials, so lock down both (the Postfix SMTP client opens them as root before it drops privileges). Bear in mind that the echo also leaves the password in your shell history; clear it, or write the file with an editor instead:

echo "[external.smtpserver.com]:587 firstname.lastname@example.org:password" > /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd
chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
chmod 600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
Add aliases for ‘root’:
There are a variety of ways to, well, get mail destined for ‘root’ to another mailbox. I’ve seen really convoluted methods, including editing HOSTS and writing re-write rule maps.
There seem to be two “real” ways to do this: “the wrong way,” and the right way. I’ll review both:
The wrong way:
If you want to route mail to an external address, while maintaining originally destined address you can simply do the following:
1) With /etc/postfix/main.cf having been configured using ‘postconf -e’ above, edit /etc/postfix/main.cf and comment out the following two lines:
#myorigin = externaldomain.com
#relay_domains = $myorigin
2) Update the alias for root to your externally destined address:

vim /etc/aliases    # add the line: root: email@example.com
newaliases
postfix reload

3) Mail to 'root' should then be routed to the external address, with the To: address in the header being the "fully qualified" local name of the 'root' user (root@hostname, since myorigin now falls back to $myhostname).
This is not secure, and it probably breaks RFCs.
The right way:
1) Configure a virtual alias map to route mail to an external domain:

postconf -e 'virtual_alias_maps = hash:/etc/postfix/virtual'
echo 'root email@example.com' > /etc/postfix/virtual
postmap /etc/postfix/virtual
2) Re-writing the To: header can be done with a recipient canonical map (canonical mapping rewrites both the envelope recipient and the header recipient by default). Anchor the pattern: an unanchored /.*root.*/ would also rewrite mail for anyone whose address merely contains "root", such as groot@ or rootbeer@:

postconf -e 'recipient_canonical_maps = regexp:/etc/postfix/recipient_canonical'
echo '/^root(@.*)?$/ firstname.lastname@example.org' > /etc/postfix/recipient_canonical
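It is worth checking what these regexp maps actually do to addresses and headers before trusting them with production mail. Below is a small Python emulation of Postfix regexp-table lookups; it is an added example, not code from this post or from Postfix, and it implements only the subset used here: "/pattern/ result" rules, case-insensitive matching by default, first match wins, $N back-references, and the full address as the lookup key. The map contents mirror the ones above and the sample message headers are constructed. It shows the sender rewrite, the difference between the anchored and unanchored From: rule, and why the recipient pattern has to be anchored.

```python
import re

# Simplified emulation of Postfix regexp_table(5) lookups (example code).
# Supported: "/pattern/flags result" lines, '#' comments, blank lines,
# case-insensitive matching unless the 'i' flag toggles it off, first
# matching rule wins, $1..$9 expand to capture groups.
# Not supported: "!/pattern/" negation, if/endif blocks, other delimiters.
RULE_RE = re.compile(r'^/((?:\\.|[^/\\])*)/([a-z]*)\s+(.*)$')


def parse_regexp_table(text):
    """Return a list of (compiled_regex, result_template) pairs."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError('line %d: not a /pattern/ result rule: %r' % (lineno, raw))
        pattern, flags, result = m.groups()
        # Postfix matches case-insensitively by default; 'i' toggles that off.
        re_flags = 0 if 'i' in flags else re.IGNORECASE
        rules.append((re.compile(pattern, re_flags), result))
    return rules


def lookup(rules, key):
    """First-match lookup; returns the expanded result, or None if nothing matched."""
    for regex, result in rules:
        m = regex.search(key)
        if m:
            return re.sub(r'\$(\d)', lambda g: m.group(int(g.group(1))) or '', result)
    return None


def rewrite_address(table_text, address):
    """Canonical-map style rewrite: an unmatched address is left unchanged."""
    hit = lookup(parse_regexp_table(table_text), address)
    return address if hit is None else hit


def apply_header_checks(table_text, headers):
    """header_checks style: REPLACE swaps the header, IGNORE drops it,
    anything else (OK, DUNNO, no match) keeps it unchanged."""
    rules = parse_regexp_table(table_text)
    out = []
    for header in headers:
        action = lookup(rules, header)
        if action is None or action.upper() in ('OK', 'DUNNO'):
            out.append(header)
        elif action.upper().startswith('REPLACE '):
            out.append(action[len('REPLACE '):])
        elif action.upper() == 'IGNORE':
            continue
        else:
            out.append(header)  # REJECT, WARN, etc. are not modelled here
    return out


# Constructed map contents mirroring the post's configuration.
SENDER_CANONICAL = '/.*/ email@example.com\n'
HEADER_CHECKS_ANCHORED = '/^From:.*/ REPLACE From: email@example.com\n'
HEADER_CHECKS_LOOSE = '/From:.*/ REPLACE From: email@example.com\n'
RECIPIENT_CANONICAL_LOOSE = '/.*root.*/ firstname.lastname@example.org\n'
RECIPIENT_CANONICAL_ANCHORED = '/^root(@.*)?$/ firstname.lastname@example.org\n'

# Constructed headers from a legacy box; oldbox.internal is a made-up hostname.
SAMPLE_HEADERS = [
    'From: root <root@oldbox.internal>',
    'Resent-From: backup@oldbox.internal',
    'To: root@oldbox.internal',
]

if __name__ == '__main__':
    print(rewrite_address(SENDER_CANONICAL, 'cron@oldbox.internal'))
    print('loose   :', apply_header_checks(HEADER_CHECKS_LOOSE, SAMPLE_HEADERS))
    print('anchored:', apply_header_checks(HEADER_CHECKS_ANCHORED, SAMPLE_HEADERS))
    for addr in ('root', 'root@oldbox.internal', 'groot@oldbox.internal'):
        print(addr, '-> loose:', rewrite_address(RECIPIENT_CANONICAL_LOOSE, addr),
              '| anchored:', rewrite_address(RECIPIENT_CANONICAL_ANCHORED, addr))
```

The loose From: rule turns the Resent-From: header into a second From:, and the loose recipient rule sends groot's mail to the external mailbox; the anchored versions touch only what was intended. On the real box, the equivalent check is postmap -q "groot@oldbox.internal" regexp:/etc/postfix/recipient_canonical.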
If your relay supports it, enable STARTTLS for delivery:

If the relay only offers PLAIN or LOGIN authentication, require encryption ('encrypt'). Only fall back to 'may' if the relay cannot do TLS at all: 'may' is opportunistic, and anything on the path that strips the STARTTLS offer gets your password in the clear. Be aware that 'encrypt' enforces TLS but does not check the relay's certificate, so a man-in-the-middle presenting any certificate can still harvest the credentials; if the relay's certificate is valid for the name in relayhost, use 'secure' instead. On CentOS the CA bundle is /etc/pki/tls/certs/ca-bundle.crt (point smtp_tls_CAfile at it); /etc/ssl/certs is a symlink to that directory, and a CApath only works if the directory contains hashed certificate links. Setting smtp_tls_loglevel to 1 shows the handshake in maillog so you can confirm TLS is actually being used.

postconf -e 'smtp_tls_security_level = encrypt'
postconf -e 'smtp_tls_CApath = /etc/ssl/certs'
You can do tweaking as needed.
Provide some security by restricting by IP

Right now, any host that can reach port 25 can send mail through this box to $relay_domains, and anything in $mynetworks can relay anywhere. This is roughly what you want, but it's always good to add some level of restriction. In addition to using iptables, you can restrict which client IPs postfix will accept mail from at all with the following parameter. The last item is the generic 'reject' (there is no 'restrict' restriction): any client not matched by an earlier permit is refused.

postconf -e 'smtpd_client_restrictions = permit_inet_interfaces, permit_mynetworks, reject'
Change the MTA service from sendmail to postfix:

alternatives --config mta    # select/verify postfix
Start postfix and test mail relay:

service postfix restart
echo "$(netstat -apn | grep :)" | mail -v -s "$(date)" root && tail -f /var/log/maillog
If you see "No worthy mechs found", the $relayhost only offers authentication mechanisms that your smtp_sasl_security_options forbid. The default is "noplaintext, noanonymous", and both PLAIN and LOGIN count as plaintext. Over an encrypted channel (smtp_tls_security_level = encrypt or stronger) sending a plaintext password is acceptable; with 'may' or 'none' it is not.

To fix the error, allow plaintext mechanisms. Dropping noplaintext from smtp_sasl_security_options, as below, allows them on every connection. The tighter alternative is to leave that parameter at its default and relax only smtp_sasl_tls_security_options, which applies just to TLS sessions, so the password can never go out over an unencrypted link:

postconf -e 'smtp_sasl_security_options = noanonymous'
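The dangerous combinations in this section and the TLS section are easy to reach by accident: plaintext mechanisms allowed while TLS is only opportunistic, or TLS forced but the certificate never verified. The following Python audit, an added example that is not code from this post or from Postfix, parses "postconf -n" style output and flags those combinations. It relies only on the documented Postfix parameter names and defaults (smtp_sasl_security_options defaults to "noplaintext, noanonymous", smtp_tls_security_level to "none", and smtp_sasl_tls_security_options to the value of smtp_sasl_security_options); the two configurations it checks are constructed, one matching the settings given in this post and one hardened as described above.

```python
import sys

# Audit the Postfix SMTP-client SASL/TLS settings for the "relay password
# in the clear" combinations (example code, not part of Postfix).
# Input is the text printed by "postconf -n", or the constructed samples below.

DEFAULT_SASL_OPTS = 'noplaintext, noanonymous'   # documented Postfix default


def parse_postconf(text):
    """Parse 'name = value' lines as printed by postconf -n."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        name, value = line.split('=', 1)
        conf[name.strip()] = value.strip()
    return conf


def _opts(value):
    """Split a comma-separated option list into a lower-case set."""
    return {o.strip().lower() for o in value.split(',') if o.strip()}


def audit_relay_auth(conf):
    """Return a list of (code, message) findings; an empty list means no complaint."""
    findings = []
    if conf.get('smtp_sasl_auth_enable', 'no').lower() != 'yes':
        return findings   # no client credentials configured, nothing to leak
    level = conf.get('smtp_tls_security_level', 'none').lower()
    plain_opts = _opts(conf.get('smtp_sasl_security_options', DEFAULT_SASL_OPTS))
    # Options used once TLS is up; they default to the non-TLS options.
    tls_opts = _opts(conf.get('smtp_sasl_tls_security_options',
                              conf.get('smtp_sasl_security_options', DEFAULT_SASL_OPTS)))
    if level in ('none', 'may') and 'noplaintext' not in plain_opts:
        findings.append(('CLEARTEXT_CREDS',
                         'plaintext SASL mechanisms are allowed on unencrypted sessions and '
                         'smtp_tls_security_level=%s does not force TLS: the relay password '
                         'can cross the wire in the clear' % level))
    if level == 'encrypt':
        findings.append(('TLS_NO_VERIFY',
                         'encrypt forces TLS but does not verify the relay certificate; an '
                         'active attacker with any certificate can harvest the password. '
                         'Use secure (or verify) with smtp_tls_CAfile or smtp_tls_CApath'))
    if level in ('verify', 'secure') and not (
            conf.get('smtp_tls_CAfile') or conf.get('smtp_tls_CApath')):
        findings.append(('NO_TRUST_ANCHORS',
                         'certificate verification requested but neither smtp_tls_CAfile '
                         'nor smtp_tls_CApath is set; verification will fail on every delivery'))
    if level in ('encrypt', 'verify', 'secure') and 'noplaintext' in tls_opts:
        findings.append(('NO_WORTHY_MECHS',
                         'TLS is required but plaintext mechanisms are still forbidden on TLS '
                         'sessions; a relay offering only PLAIN/LOGIN will produce '
                         '"No worthy mechs found"'))
    return findings


def finding_codes(text):
    """Convenience wrapper: just the finding codes for a postconf -n dump."""
    return [code for code, _ in audit_relay_auth(parse_postconf(text))]


# Constructed sample: the settings from this post.
POST_CONFIG = """\
relayhost = [external.smtpserver.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_security_level = encrypt
"""

# Constructed sample: verified TLS, plaintext allowed only inside TLS.
HARDENED_CONFIG = """\
relayhost = [external.smtpserver.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_tls_security_options = noanonymous
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_security_level = secure
"""

if __name__ == '__main__':
    # Usage: postconf -n | python audit_relay.py   (falls back to the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else POST_CONFIG
    for code, message in audit_relay_auth(parse_postconf(text)) or [('OK', 'no findings')]:
        print('%-17s %s' % (code, message))
```

Against the settings in this post the audit reports only TLS_NO_VERIFY; switching the level to 'may' while keeping noanonymous alone produces CLEARTEXT_CREDS, and the hardened sample comes back clean.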
Postfix SMTP AUTH (SASL) client example docs
Postfix TLS client example docs.
Postfix config docs
Postfix sender address rewriting, changing mails “from” field in header on relay server
Thread that led me to a solution for routing mail destined to root in Postfix 2.0+ to an external domain