postfix relayhost configuration (SMTPS)

rutgerw · 02-21-2008, 05:01 AM

Hi Everybody,

I'm trying to setup my postfix configuartion to send email via my ISP.

I've understand that you should use the "relayhost=" in postfix.cf
However my ISP uses SMTP-AUTH on port 465 (with SSL)

I've read that i should add the following lines and create the sasl_passwd file:
relayhost = [smtps.isp.com]
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_use_tls = yes

However I've also read that my passwords are send in plain text on port 25.

How do I setup postfix so that my passwords are sent encrypted (SSL/TLS?!) over port 465 (this is the port my ISP uses)?

billymayday · 02-21-2008, 09:59 PM

have a look at smtp_sasl_tls_security_options at http://www.postfix.org/postconf.5.ht...curity_options

rutgerw · 02-22-2008, 04:07 PM

Thnx,

I think the noplaintext option was just what is was looking for.

Milan Knizek · 02-19-2011, 02:02 AM

I know that this thread is a bit old, but it popped up in google while I was trying to setup relaying local email to my external SMTP server (SSL encryption on port 465, plain text authentification).

Postfix version 2.8.0 does not support SMTP client mode on SSL port 465. Instead, one has to use a separate daemon stunnel (refer elsewhere how to set it up and run) to wrap the communication into ssl. Do not forget to check /etc/hosts.allow to allow connections to stunnel ("stunneld: ALL")

Once setup, add this to your stunnel.conf:

Code:

[smtp-tls-wrapper]
 accept = 11125
 client = yes
 connect = your.smtp.server.com:465

and test by running "telnet localhost 11125" - you should be redirected to your.smtp.server.com and get its greetings. Type "quit" to exit.
If you get error with libwrap (check /var/log/...), try adding "libwrap = no" to stunnel.conf and restart stunnel service.

The /etc/postfix/main.cf configuration is similar as above, just the relay host is local:

Code:

relayhost = [127.0.0.1]:11125
smtp_sasl_type = cyrus
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_auth_enable = yes
   # optional: necessary if email provider
   # requires passwords sent in clear text
smtp_sasl_security_options = noanonymous
smtp_sasl_mechanism_filter = plain, login
  # optional: necessary if email provider uses load balancing and
  # forwards emails to another smtp server
  # for delivery (ie: smtp.yahoo.com --&gt; smtp.phx.1.yahoo.com)
smtp_cname_overrides_servername = no

Also do not forget to create the credentials file /etc/postfix/sasl_passwd (set chmod go-rwx to protect it from non-root users):

Code:

# The server info must exactly match the value
# for "relayhost" in /etc/postfix/main.cf
[127.0.0.1]:11125 my_login:my_password

and rebuild the password hash by typing "postmap hash:/etc/postfix/sasl_passwd".

Then restart postfix and try "telnet localhost 25" and type

Code:

EHLO localhost
MAIL FROM: <from-email>
RCPT TO: <recipient-email>
DATA
Type message here.
. <Enter>

=>
The last line leaves DATA mode and email should be relayed by postfix. Watch /var/log files to see if it goes okay.