Postfix as mail relay/edge server
Hey Folks,
I am a super newb at linux (probably know just enough to be dangerous and break things) and am really just doing this because linux servers are super cheap to host in the cloud, otherwise I would use a Windows box to serve this purpose. Here's the scenario I need solved: my ISP blocks incoming and outgoing port 25 (as you would expect). I have an internal mail server listening on port 26 for incoming mail. Currently I use rollernet as an incoming mail relay. However, I also need to be able to send mail out. Previously I was using gmail to relay, but then I realized that all of my mail was going out as my gmail account. Obviously not satisfactory. What I would like is a linux box that will accept incoming mail for my domains (I manage 6) and forward them to my in-house mail server on port 26. I also need this same box to accept incoming mail from my mail server (preferably encrypted and authenticated) to send out to the internet, wherever it needs to go, but deny relay if it's not coming from my mail server (which is on a dynamic IP). I've google searched my heart out and could not find docs to set this up, or at least docs I could understand how to piece together to make it work the way I need. Any assistance would be helpful, and I appreciate the time anyone takes to read/reply to this. Thanks!
Hmmm.
Too cheap to pay MS to do it for you. Too lazy to learn to do it yourself. So ask LQ'ers to do it for you ...
http://www.postfix.org/docs.html
If you are running a mail server, you should at least learn enough to do it safely and responsibly.
I'm asking because I've never done this before. I've set up postfix in a regular configuration, however this steps out of the bounds of my knowledge so I thought I would ask, you know, on a site dedicated to answering questions about linux.
I am more familiar with exchange and windows based servers like hMailServer, and know how to easily do this in Windows. I am sure if someone can point me to more than just a product doc I am capable, but I think the terms I was looking for may not have been appropriate for my scenario. Descendent_Command, your answer is insulting and useless... If you don't want to answer questions related to linux, you probably shouldn't be frequenting linuxquestions.org. Anyway, a constructive answer would be appreciated. I couldn't find a doc that outlined a configuration near what I'm looking for, so even a hint of the terminology would be appreciated.
What have you already tried? How does it not work as you want? I'd also point out that there's a reason your ISP blocks port 25...have you contacted them to see if you could relay mail through their mail servers? That's what most home users have to do. Many ISPs will allow you to "fudge" the domain name part of such mail, as long as you authenticate with their server first. Where are your domains hosted? Are they also on your home-based dynamic IP hosted server? If not, set up your mail server(s) under those domain(s) and use them. I'm going to repeat this one point:
I thought the official postfix documentation would be the obvious place, and assuming you had been there already, I linked you to their page full of 'further reading' including many (endorsed) howto's and examples.
http://www.postfix.org/STANDARD_CONF...ME.html#backup
Looks pretty close to what you want, yes?
PS Have requested thread to be moved to "Server" subforum.
Setting up a mail server using Postfix can be overwhelming. This is a good guide: https://workaround.org/ispmail. It uses Debian, and the tutorials are pretty much focused towards apt-based distros. So if you decide to follow the tutorial, choose the appropriate distro.
I stopped doing this completely manually a few years ago, as it really became complicated. Mail servers have to be configured quite precisely in order to be recognized as clean. I install and use VirtualMin now, which makes setting up a mail server real easy.
jlinkels
Well after lots more googling and reviewing the docs that were posted here I think I've got 90% of this figured out and working. The last part is trying to figure out why my internal mail server fails to authenticate with postfix. I do have a dynamic IP with a dns alias that gets updated every time it changes, but it looks like from the logs it is trying to reconcile my comcast issued hostname in my sasl_passwd file? I would rather not have to update postfix every time my IP changes, and I can't afford to buy a static IP. So if anyone has any suggestions as to how I can permit maybe a connection from anywhere as long as the username/password is correct? That'd be close enough I think.... I am trying to keep my configuration as simple as possible.
I've tried the following formats in my sasl_passwd file (of course doing postmap /etc/postfix/sasl_passwd after each change), however none of this seems to work. Maybe I'm not setting up the auth correctly?
Code:
[arecord.mydomain.com] user:pass
arecord.mydomain.com user:pass
myipaddress user:pass
Here's my files and the log data.

Postfix main.cf
Code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# General Settings
myorigin = /etc/mailname
myhostname = mta.my.domain
smtpd_banner = $myhostname
biff = no
readme_directory = no
compatibility_level = 2
mydestination =
mynetworks = [my.hostname.alias]
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

# appending .domain is the MUA's job.
append_dot_mydomain = yes

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_security_level = encrypt

# Relay Settings
relay_domains = serveral.relay domains.are here.to relay.mail
relayhost = [my.relay.domain]:26
smtpd_relay_restrictions = permit_sasl_authenticated reject_unauth_destination
#local_recipient_maps =
local_header_rewrite_clients = static:all
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
#smtp_sasl_auth_enable = yes
#smtp_sasl_security_options =

Postfix master.cf
Code:
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp      inet  n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=no
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#628       inet  n       -       y       -       -       qmqpd
pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n      n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}

Failure log
Code:
Feb 23 12:41:15 mta postfix/submission/smtpd[10441]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
Feb 23 12:41:15 mta postfix/submission/smtpd[10441]: connect from my.crappy.comcast.net.dns.name[12.23.45.67]
Feb 23 12:41:16 mta postfix/submission/smtpd[10441]: warning: my.crappy.comcast.net.dns.name[12.23.45.67]: SASL LOGIN authentication failed: authentication failure
Feb 23 12:41:16 mta postfix/submission/smtpd[10441]: disconnect from my.crappy.comcast.net.dns.name[12.23.45.67] ehlo=2 starttls=1 auth=0/1 quit=1 commands=4/5
OK, so to clarify what you are setting up, you have postfix as an inbound MX for 6 domains, forwarding inbound mail to your "internal" mail server (what?) behind your comcast "home" connection.
You also want to use your "external" postfix as an outbound smtp relay. The sasl settings you are using above are for postfix's SMTP client, so for connections postfix makes to send mail, and to authenticate on that server (i.e. another relay). If you want to use smtpd_sasl_auth_enable so you can authenticate on your postfix, to relay outbound mail from your "comcast" connection, you need to set it up as per http://www.postfix.org/SASL_README.html using either the dovecot or cyrus sasl method. As you probably only need a single user, probably the cyrus / saslauthd / /etc/shadow method and just make a system user for the job.
Hey Folks,
Sorry I haven't updated this thread in a few days, I've been crazy busy! Anyway, I think I have this about 99% resolved. I am now able to send mail from gmail to my mail server via the Linux mail proxy. However, I am unable to return the message as I get an authentication failure. See below: when I run testsaslauthd from the terminal, it works fine. Only when I attempt to send mail do I get the auth failure. I have reviewed several tutorials for setting up saslauthd and postfix but cannot seem to resolve the issue. I've verified that the link is in place, the files are all correct, and post reboot I am still able to auth in the terminal.
Terminal Command: testsaslauthd -u user -p pass (also works with the -s pam switch)
Terminal Response: 0: OK "Success."
mail.log entry on send: SASL LOGIN authentication failed: authentication failure
NDR Report from the MTA: Remote server replied: 535 5.7.8 Error: authentication failed: authentication failure
Here are the latest versions of my files (etc/postfix/main.cf):
A generic postfix tutorial may not fit with the configuration implemented by different distros.
Code:
testsaslauthd -u user -p password -f /var/spool/postfix/var/run/saslauthd/mux
Code:
smtpd_sasl_path = smtpd
Also, do you need the 'realm' switch (-r)? You probably don't with system users. Also, in etc/postfix/main.cf:
Code:
relayhost = [homestead.tsquared.us]:26
It relays ALL OUTBOUND (from postfix) MAIL via your home server. Probably you want to use the 'transport_maps' directive, with a transport_maps file pointing your relay domains to the above destination, so your incoming is properly relayed, and your outgoing is sent via regular MX lookups.
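To show what the transport_maps approach in the reply above looks like in practice, here is an added example script (not the poster's configuration or Postfix's own code): it writes a transport(5) table for the relay domains, emits the matching main.cf lines with relayhost left empty, and models the lookup order Postfix uses to pick a transport for a recipient domain. Every hostname and domain in it is a placeholder, and the lookup function is a simplified model of Postfix's documented behaviour (exact domain, then ".parent" entries, then "*"), not Postfix itself.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): build the transport(5) table that the
# reply above recommends instead of a global relayhost, and model how Postfix
# picks a transport for a recipient domain. Hostnames below are placeholders.
set -eu

# Constructed inputs: the six domains this edge MTA accepts mail for, and the
# home server they are forwarded to (port 26, as in the thread). Brackets
# tell Postfix to skip the MX lookup and connect to that host directly.
RELAY_DOMAINS="example.com example.net example.org mail-a.test mail-b.test mail-c.test"
HOME_NEXTHOP="smtp:[home.example-placeholder.net]:26"

# Write a transport map: one line per relay domain, plus a leading-dot entry
# so subdomains follow the same route. Domains NOT listed fall through to
# normal MX delivery, which is what outbound mail from the home server needs.
render_transport_map() {
    local out="$1" d
    : > "$out"
    for d in $RELAY_DOMAINS; do
        printf '%s\t%s\n' "$d" "$HOME_NEXTHOP" >> "$out"
        printf '.%s\t%s\n' "$d" "$HOME_NEXTHOP" >> "$out"
    done
}

# Simplified model of the transport_maps lookup order documented in
# transport(5): exact domain first, then each parent domain as ".parent",
# then the "*" catch-all if present. Prints the transport, or nothing when
# no entry matches (Postfix then uses the default transport and an MX lookup).
transport_lookup() {
    local map="$1" domain="$2" key hit
    key="$domain"
    hit=$(awk -v k="$key" '$1 == k { print $2; exit }' "$map")
    while [ -z "$hit" ] && [ "${key#*.}" != "$key" ]; do
        key="${key#*.}"
        hit=$(awk -v k=".$key" '$1 == k { print $2; exit }' "$map")
    done
    [ -n "$hit" ] || hit=$(awk '$1 == "*" { print $2; exit }' "$map")
    printf '%s\n' "$hit"
}

# main.cf fragment that goes with the map. relayhost is deliberately empty so
# outbound mail is delivered by MX lookup; relay_domains names the domains we
# accept for, and reject_unauth_destination refuses relaying for anything
# else unless the client authenticated (SASL) first.
render_main_cf_fragment() {
    cat <<EOF
relayhost =
relay_domains = $RELAY_DOMAINS
transport_maps = hash:/etc/postfix/transport
smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination
EOF
}

# Demo: show the map, a few lookups, and the main.cf lines.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    render_transport_map "$tmp"
    cat "$tmp"
    for d in example.com lists.example.com gmail.com; do
        printf '%-22s -> %s\n' "$d" "$(transport_lookup "$tmp" "$d")"
    done
    render_main_cf_fragment
    rm -f "$tmp"
fi
```

On a real system the generated file is installed as /etc/postfix/transport, followed by "postmap /etc/postfix/transport" and "postfix reload"; the lookups in the demo show that only the listed domains (and their subdomains) are routed to the home server on port 26, while an unlisted domain such as gmail.com gets no entry and is delivered by MX lookup.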
Hey Descendant, to answer your questions in order:
I am using this Ubuntu release
Code:
Distributor ID: Ubuntu
When I changed smtpd_sasl_path in main.cf to your suggestion, I got file not found again in the mail log; when I restored the full path it worked (still with an auth failure, but not with file not found). The postfix user IS in the sasl group, I verified by trying to add it again; should I add my user that I am using to authenticate with? I removed the -r from the Options section of saslauthd config (after restoring it from "PARAMS", and replaced PARAMS with OPTIONS); these changes did not seem to have an impact, although I do not believe I need -r, as I am simply authing using a local user. I was under the impression that relayhost was a setting that only applied to relay_domains. I will test this further once we get the rest going. Hope this helps, let me know if you need more detail or spot something I didn't. Thanks! ~Rick
Check the documentation in /usr/share/doc/sasl2-bin/ for any Ubuntu-specific info. I normally use dovecot auth, but saslauthd is now working too.
Post the output of:
Code:
ps aux | grep -e 'sasl\|postfix'; groups postfix; ls -laR /var/spool/postfix/var/run/saslauthd/ ; dpkg-statoverride --list | grep sasl
Code:
# service saslauthd stop
(ctrl-c to stop the debug version then restart the normal service to get back where you were)
Hey Descended, so after all this troubleshooting I've finally got it working. I want to do some more testing before I say it's 100% solid; once I'm done I will post all the things I needed to do to get it working the way I intended.
Thanks for all your help!
Yes, the final piece was setting MECHANISMS="shadow" in /etc/default/saslauthd.
For some reason, I was reading the documentation as shadow and pam were interchangeable, but after reading that over and over again (lol) I THINK I realized that shadow is local users, and pam is for when you are using something like dovecot to provide authentication via saslauthd. Also, I think another piece I was missing was also adding my relay user (incoming) to the sasl group, which I didn't think I had to do but apparently I did. I am going to do some more testing, then tear it down and rebuild it from scratch and doc the whole thing which I will post in a separate how-to thread (should that go anywhere in specific?) so if people need direction on this kind of need they have something to actually follow instead of piecing together several docs like I ended up doing (with help here of course).
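The server-side SASL pieces described in the earlier reply (smtpd_* settings rather than the smtp_* client settings, saslauthd checking local accounts) and the fix in this post (MECHANISMS="shadow") are collected in the following added example script, which is not the poster's actual files or anything from the Postfix or Cyrus SASL projects. It renders the three fragments and lints an /etc/default/saslauthd file for the problems hit in this thread. Paths assume the Debian/Ubuntu packaging with a chrooted smtpd; the smtpd_tls_auth_only line is a hardening added here beyond what the thread mentions.

```shell
#!/usr/bin/env bash
# Added example (not the poster's files): the saslauthd/Postfix pieces the
# thread converged on, written out as fragments, plus a small lint that
# catches the mistakes discussed above. Paths follow the Debian/Ubuntu
# packaging; adjust for other distributions.
set -eu

# /etc/default/saslauthd: MECHANISMS=shadow checks local accounts in
# /etc/shadow; the -m path puts the socket inside the Postfix chroot, since
# the chrooted smtpd cannot reach /var/run/saslauthd.
render_saslauthd_defaults() {
    cat <<'EOF'
START=yes
MECHANISMS="shadow"
MECH_OPTIONS=""
THREADS=5
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
EOF
}

# /etc/postfix/sasl/smtpd.conf: tell the Cyrus SASL library inside smtpd to
# hand credentials to saslauthd. Only PLAIN/LOGIN work with saslauthd.
render_smtpd_sasl_conf() {
    cat <<'EOF'
pwcheck_method: saslauthd
mech_list: plain login
EOF
}

# main.cf fragment: enable server-side SASL (smtpd_*, not the smtp_* client
# settings), forbid anonymous logins, and refuse AUTH before STARTTLS so the
# home server's password never crosses the Internet in the clear.
render_main_cf_sasl() {
    cat <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
EOF
}

# Lint an /etc/default/saslauthd file. Prints one line per problem and
# returns 1 if any were found, 0 if the file looks usable with a chrooted
# Postfix authenticating local system users.
check_saslauthd_defaults() {
    local file="$1" problems=0 start mech opts
    start=$(sed -n 's/^START=\(.*\)$/\1/p' "$file" | tr -d '"')
    mech=$(sed -n 's/^MECHANISMS=\(.*\)$/\1/p' "$file" | tr -d '"')
    opts=$(sed -n 's/^OPTIONS=\(.*\)$/\1/p' "$file" | tr -d '"')
    if [ "$start" != "yes" ]; then
        echo "START is '$start': the daemon will not be started"; problems=1
    fi
    if [ "$mech" != "shadow" ]; then
        echo "MECHANISMS is '$mech': use shadow for local system users"; problems=1
    fi
    case " $opts " in
        *" -m /var/spool/postfix/var/run/saslauthd "*) ;;
        *) echo "OPTIONS lacks -m /var/spool/postfix/var/run/saslauthd: chrooted smtpd cannot reach the socket"; problems=1 ;;
    esac
    return "$problems"
}

# Demo: print the fragments and lint the rendered defaults file.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    render_saslauthd_defaults | tee "$tmp"
    render_smtpd_sasl_conf
    render_main_cf_sasl
    check_saslauthd_defaults "$tmp" && echo "saslauthd defaults look OK"
    rm -f "$tmp"
fi
```

Running the script with --demo prints the fragments and lints the rendered defaults; pointing check_saslauthd_defaults at a real /etc/default/saslauthd flags a pam mechanism or a socket outside the chroot, the two things that made testsaslauthd succeed on the command line while smtpd still logged "authentication failure".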