Postfix as mail relay/edge server
 

Hey Folks,

I am a super newb at linux (probably know just enough to be dangerous and break things) and am really just doing this because linux servers are super cheap to host in the cloud, otherwise I would use a Windows box to serve this purpose.

Here's the scenario I need solved

My ISP blocks incoming and outgoing port 25 (as you would expect). I have an internal mail server listening on port 26 for incoming mail. Currently I use rollernet as an incoming mail relay. However, I also need to be able to send mail out. Previously I was using gmail to relay but then I realized that all of my mail was going out as my gmail account. Obviously not satisfactory.

What I would like is a linux box that will accept incoming mail for my domains (i manage 6) and forward them to my in house mail server on port 26. I also need this same box to accept incoming mail from my mail server (preferrably encrypted and authenticated) to send out to the internet, wherever it needs to go, but deny relay if it's not coming from my mail server (which is on a dynamic IP)

I've google searched my heart out and could not find docs to set this up, or at least docs I could understand how to piece together to make it work the way I need.

Any assistance would be helpful, and I appreciate the time anyone takes to read/reply to this

Thanks!

Hmmm.
Too cheap to pay MS to do it for you.
Too lazy to learn to do it yourself.
So ask LQ'ers to do it for you ...

http://www.postfix.org/docs.html

If you are running a mail server, you should at least learn enough to do it safely and responsibly.

I'm asking because I've never done this before. I've setup postfix in a regular configuration, however this steps out of the bounds of my knowledge so I thought I would ask, you know, on a site dedicated to answering questions about linux.

I am more familiar with exchange and windows based servers like hMailServer, and know how to easily do this in Windows. I am sure if someone can point me to more than just a product doc I am capable but I think the terms I was looking for may not have been appropriate for my scenario

Descendent_Command, your answer is insulting and useless... If you don't want to answer questions related to linux, you probably shouldn't be frequenting linuxquestions.org

Anyway, a constructive answer would be appreciated. I couldn't find a doc that outlined a configuration near what I'm looking for so even a hint of the terminology would be appreciated.

IMO, this IS a constructive answer...I don't do postfix, but if I did, this link would be VERY helpful. Did you even look at it?
What have you already tried? How does it not work as you want?

I'd also point out that there's a reason your ISP blocks port 25...have you contacted them to see if you could relay mail through their mail servers? That's what most home users have to do. Many ISPs will allow you to "fudge" the domain name part of such mail, as long as you authenticate with their server first.

Where are your domains hosted? Are they also on your home-based dynamic IP hosted server?
If not, set up your mail server(s) under those domain(s) and use them.

I'm going to repeat this one point:

Postfix is not "linux" - would you expect constructive advice about a custom Exchange setup in a Windows newbie forum?

So, all you need is somewhere to translate your knowlege of how to do it into the configuration to do it in postfix?
I thought the official postfix documentation would be the obvious place, and assuming you had been there already, I linked you to their pagefull of 'further reading' including many (endorsed) howto's and examples.

Thank you for your feedback :)

Maybe you missed this?
http://www.postfix.org/STANDARD_CONF...ME.html#backup

Looks pretty close to what you want, yes?

PS Have requested thread to be moved to "Server" subforum.

Setting up a mail server using Postfix can be overwhelming. This is a good guide: https://workaround.org/ispmail. It uses Debian, and the tutorials are pretty much focused towards apt-based distros. So if you decide to follow the tutorial, choose the appropriate distro.

I stopped doing this completely manually a few years ago, as it really became complicated. Mail servers have to be configured quite precisely in order they are recognized as clean. I install and use VirtualMin now. Which makes setting up a mail server real easy.

jlinkels

Well after lots more googling and reviewing the docs that were posted here I think I've got 90% of this figured out and working. The last part is trying to figure out why my internal mail server fails to authenticate with postfix. I do have a dynamic IP with a dns alias that gets updated every time it changes, but it looks like from the logs it is trying to reconcile my comcast issued hostname in my sasl_passwd file? I would rather not have to update postfix every time my IP changes, and I can't afford to buy a static IP. So if anyone has any suggestions as to how I can permit maybe a connection from anywhere as long as the username/password is correct? That'd be close enough I think.... I am trying to keep my configuration as simple as possible

I've tried the following formats in my sasl_passwd file (ofcourse doing postmap /etc/postfix/sasl_passwd after each change), however none of this seems to work. Maybe i'm not setting up the auth correctly?
[arecord.mydomain.com] user:pass
arecord.mydomain.com user:pass
myipaddress user:pass


Here's my files and the log data

Postfix main.cf
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# General Settings
myorigin = /etc/mailname
myhostname = mta.my.domain
smtpd_banner = $myhostname
biff = no
readme_directory = no
compatibility_level = 2
mydestination =
mynetworks = [my.hostname.alias]
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

# appending .domain is the MUA's job.
append_dot_mydomain = yes

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_security_level = encrypt

# Relay Settings
relay_domains = serveral.relay domains.are here.to relay.mail
relayhost = [my.relay.domain]:26
smtpd_relay_restrictions = permit_sasl_authenticated reject_unauth_destination
#local_recipient_maps =
local_header_rewrite_clients = static:all
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

#smtp_sasl_auth_enable = yes
#smtp_sasl_security_options =


Postfix master.cf
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (no) (never) (100)
# ==========================================================================
smtp inet n - y - - smtpd
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=no
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
submission inet n - y - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes

#628 inet n - y - - qmqpd
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent. See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
maildrop unix - n n - - pipe
flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
# mailbox_transport = lmtp:inet:localhost
# virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus unix - n n - - pipe
# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
# Old example of delivery via Cyrus.
#
#old-cyrus unix - n n - - pipe
# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# Other external delivery methods.
#
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
${nexthop} ${user}


Failure log

Feb 23 12:41:15 mta postfix/submission/smtpd[10441]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
Feb 23 12:41:15 mta postfix/submission/smtpd[10441]: connect from my.crappy.comcast.net.dns.name[12.23.45.67]
Feb 23 12:41:16 mta postfix/submission/smtpd[10441]: warning: my.crappy.comcast.net.dns.name[12.23.45.67]: SASL LOGIN authentication failed: authentication failure
Feb 23 12:41:16 mta postfix/submission/smtpd[10441]: disconnect from my.crappy.comcast.net.dns.name[12.23.45.67] ehlo=2 starttls=1 auth=0/1 quit=1 commands=4/5

OK, so to clarify what you are setting up, you have postfix as an inbound MX for 6 domains, forwarding inbound mail to your "internal" mail server (what?) behind your comcast "home" connection.
You also want to use your "external" postfix as an outbound smtp relay.

The sasl settings you are using above are for postfix's SMTP client, so for connections postfix makes to send mail, and to authenticate on that server (i.e. another relay).

If you want to use smtpd_sasl_auth_enable so you can authenticate on your posftix, to relay outbound mail from your "comcast" connection, you need to set it up as per http://www.postfix.org/SASL_README.html using either the dovecot or cyrus sasl method.

As you probably only need a single user, probably the cyrus / saslauthd / /etc/shadow method and just make a system user for the job.

Hey Folks,

Sorry I haven't updated this thread in a few days I've been crazy busy!

Anyway, I think I have this about 99% resolved. I am now able to send mail from gmail to my mail server via the Linux mail proxy. However, I am unable to return the message as I get an authentication failure. See below, when I run testsaslauth from the terminal, it works fine. Only when I attempt to send mail do I get the auth failure

I have reviewed several tutorials for setting up sasalauthd and postfix but cannot seem to resolve the issue. I've verified that the link is in place, the files are all correct, and post reboot I am still able to auth in the terminal

Termainal Command: testsaslauthd -u user -p pass (also work swith the -s pam switch)
Terminal Response: 0: OK "Success."

mail.log entry on send: SASL LOGIN authentication failed: authentication failure
NDR Report from the MTA: Remote server replied: 535 5.7.8 Error: authentication failed: authentication failure

here are the latest versions of my files

etc/postfix/main.cf
[B]/etc/postfix/master.cf

/etc/postfix/sasl/smtpd.conf

/etc/default/saslauthd

What distro / version are you running?
A generic postfix tutorial may not fit with the configuration implemented by different distro's.
What about This should just beAlso, make sure you have added the postfix user to the sasl group.

Why use "PARAMS" rather than "OPTIONS"?
Also, do you need the 'realm' switch (-r)?
You probably don't with system users.

Also
etc/postfix/main.cf
This isn't what you want.
It relays ALL OUTBOUND (from postfix) MAIL via your home server.
Probably you want to use the 'transport_maps' directive, with a transport_maps file pointing your relay domains to the above destination, so your incoming is properly relayed, and your outgoing is sent via regular MX lookups.

Hey Descendant, to answer your questions in order:

I am using this Ubuntu release
This command: testsaslauthd -u user -p password -f /var/spool/postfix/var/run/saslauthd/mux did not work at first until I added the following
I also removed -r from the Options

When I changed smtpd_sasl_path in main.cf to your suggestion, I got file not found again in the mail log, when I restored the full path it worked (STill with an auth failure, but not with file not found)

The postfix user IS in the sasl group, I verified by trying to add it again, should I add my user that I am using to authenticate with?

I removed the -r from the Options section of saslauthd config (after restoring it from "PARAMS', and replaced PARAMS with OPTIONS, these changes did not seem to have an impact, although I do not believe I need it -r, as I am simply authing using a local user

I was under the impression that relay host was a setting that only applied to relay_domains. I will test this further once we get the rest going.

Hope this helps, let me know if you need more detail or spot something I didn't

Thanks!
~Rick

OK, I'm testing on Debian Wheezy, which should be pretty close to that.
Check the documentation in /usr/share/doc/sasl2-bin/ for any buntu specific info.

I normally use dovecot auth, but saslauthd is now working too.

Odd - I don't have, or appear to need, that.

No.

Post the output of:Also you can see what saslauthd is doing by running it in debug mode.
Then test from another terminal and by sending mail and see if there is any further clues.
(ctrl-c to stop the debug version then restart the normal service to get back where you were)

Hey Descended, so after all this troubleshooting I've finally got it working. I want to do some more testing before I say its 100% solid, once I'm done I will post all the things I needed to do to get it working the way I intended

Thanks for all your help!

Care to share the final pieces of your puzzle, for the next person searching?

Yes, the final piece was setting MECHANISMS="shadow" in /etc/default/saslauthd

For some reason, I was reading the documentation as shadow and pam were interchangable, but after reading that over and over again (lol) I THINK i realized that shadow is local users, and pam is for when you are using something like dovecot to provide authentication via saslauthd.

Also, I think another piece I was missing was also adding my relay user (incoming) to the sasl group, which I didn't think I had to do but apparently I did.

I am going to do some more testing, then tear it down and rebuild it from scratch and doc the whole thing which I will post in a separate how to thread (should that go anywhere in specific?) so if people need direction on this kind of need they have something to actually follow instead of piecing together several docs like I ended up doing (with help here of course)