LinuxQuestions.org


Spuddy 01-26-2011 08:06 AM

Postfix help!
 
Hello,

I'm in need of some assistance with Postfix mail server. I'm not great with Linux. I'm trying to set up a null client postfix server (no mailboxes). All I want it to do is act as an SSL SMTP server. But I'm struggling to ever get it to do that.

I can get PHP to sendmail through the postfix server, but I cannot set up SSL SMTP.

Does anyone have any ideas or would anyone be willing to have a look for me?

Thanks,

Noway2 01-26-2011 09:31 AM

Since your mail server is send/relay only, there are two cases where I see that SSL/TLS will be of benefit to you.

The first will be to authenticate your sending clients, assuming you are using it for more than local services such as PHP's mail function. In this case you will want to combine it with SASL. Postfix supports SASL via Dovecot or Cyrus, with Dovecot generally being easier. However, Dovecot is your receiving and delivery server, so this may not be what you want.

The second case is that you can have postfix attempt to connect to the next hop via SSL. The problem is that you can't enforce the use of SSL when the recipient domain doesn't support it. For this reason you will probably want to set your SSL/TLS settings to "may" use, rather than require.

There is another 'half' case and that is if you are accepting mail with the intent to relay. I would hope that you don't do this unless you have authenticated users, which goes back to the first usage case. Consequently, I think overall activating SSL/TLS may be of limited value to you in your application. Having said that, here are some links that should help you out. The first is a link to the postfix documentation. It tends to be complete, but can be difficult to interpret. I think the section on Enabling TLS in the Postfix SMTP server will be of particular interest. The second is a link to a how-to that I think is good for Postfix. It contains more information than you will need, but shows the how-to steps to enable and configure postfix. Between these two documents, there should be enough information to get it working and fine-tune it to your send-only application.

Spuddy 01-26-2011 10:10 AM

Thanks for your response Noway2.

Let me explain a little better. One of our servers (we'll call it server10 for this purpose) has historically had postfix on it, so that our developers can use sendmail in their PHP code to deliver mail. This works fine off the default postfix install, delivers mail to any domain given to it. Perfect.

Now, in addition to this we want remote clients out in the field on the internet to be able to use this same server (server10) to deliver mail to another server (exchange server). I have set up DNS for this postfix server (server10.ourdomain.com), and forwarded port 25 through to it from the firewall. I guess it is a relay rather than a mail server as I don't want the mail to stay locally, I just want it to deliver.

We already have a hosted Microsoft Exchange on the MX20 & MX50 for ourdomain.com. However we would like the postfix server to relay mail from server10.ourdomain.com to mailboxes on our exchange server.

Would be great to hear your response.

Thanks again.

Noway2 01-26-2011 02:57 PM

Your description makes perfect sense. There are a couple of ways that I can think of to handle this situation. The first of course would be to use SASL over TLS to provide a secure SMTP authentication - the SSL approach mentioned in your earlier post, if you will. With this method, remote users can authenticate to this server and it will forward their mail for them as you describe. A second approach would be to change the permit_my_networks to a less restrictive value, which would work if, for example, your clients use a VPN. A third approach would be to configure this server as a backup MX for the desired server. This can be done with a couple of changes to main.cf. The downside to this approach is that it will attempt to pass all mail for the destination domain, but it will only accept it for that domain. If the final recipient is an invalid user, e.g. spam, it will be handled at the final destination.

If you decide to go with secure authentication over SSL/TLS you will need either Cyrus or Dovecot to handle this for postfix. There is nothing that says you can't install Dovecot and not configure it to handle any POP/IMAP accounts, using just the SASL portion. The one how-to document I referenced earlier should show you how to set this up.

Spuddy 01-26-2011 03:02 PM

OK, that makes more sense. So postfix can't handle the SSL/TLS connections (from say Outlook Express) without this Dovecot program you mention?

Noway2 01-26-2011 04:23 PM

Not entirely. Postfix can handle SSL/TLS on the smtp side, but it can't handle it on the user authentication side (without assistance). Postfix supports a few different authentication methods. By default, it will accept and relay messages that come from the "my_networks" parameter. The other methods include pop before smtp and some other methods I can't think of offhand.

So, without this, the SSL will work on the SMTP server-server transactions if both ends support it, but your users can't authenticate. With the addition of the Dovecot or Cyrus components, it can. The (not really a) weak spot in this is that it can only support 'plain' authentication over TLS. Normally, without TLS you want to avoid this as anyone with a packet sniffer can capture your credentials. When used over TLS, it becomes a non-issue.

In doing some digging, I found this article. It might be worth taking a look at. It mentions using PAM and MySQL and a round-about method of authentication for Postfix.

Also, the more I think about it, you may want to look at the Cyrus SASL libraries since you don't want pop-imap. The authentication portion MAY be separate from the POP/IMAP portion which could be more in line with your goals.
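
Added example, not part of the thread: a small Python check that reads `main.cf` text and flags the two risks raised above, SASL credentials offered without TLS and outbound TLS set to mandatory instead of "may". Both sample configs are constructed; the certificate paths and the Dovecot socket path `private/auth` are assumptions.

```python
# Constructed main.cf samples (not from the thread); paths are assumptions.
WEAK = """\
smtpd_sasl_auth_enable = yes
smtp_tls_security_level = encrypt
"""
HARDENED = """\
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/tls/server10.pem
smtpd_tls_key_file = /etc/postfix/tls/server10.key
# advertise AUTH only after STARTTLS, so PLAIN never crosses in clear
smtpd_tls_auth_only = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
# opportunistic TLS to the next hop
smtp_tls_security_level = may
"""

def parse_main_cf(text):
    """Parse 'name = value'; indented lines continue the previous value."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:
            params[last] = (params[last] + " " + line.strip()).strip()
            continue
        name, _, value = line.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params

def audit(text):
    """Return findings; legacy smtpd_use_tls/smtpd_enforce_tls are ignored."""
    p = {k: v.lower() for k, v in parse_main_cf(text).items()}
    findings = []
    level = p.get("smtpd_tls_security_level", "")
    if p.get("smtpd_sasl_auth_enable") == "yes":
        if level not in ("may", "encrypt"):
            findings.append("no-server-tls: AUTH credentials travel in clear")
        elif level == "may" and p.get("smtpd_tls_auth_only") != "yes":
            findings.append("auth-before-tls: set smtpd_tls_auth_only = yes")
    if p.get("smtp_tls_security_level") == "encrypt":
        findings.append("outbound-tls-mandatory: mail to non-TLS hops is deferred")
    return findings
```

On a live server the effective non-default settings can be fed in from `postconf -n` output, which uses the same `name = value` layout.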

