Postfix SASL relayhost
Contents
Nota Bene: |
|
![/!\](/wiki/modern-CentOS/img/alert.png "/!\"){kind=small}
Notice: This documentation was written for CentOS 5. It may not be accurate for CentOS 6 or subsequent releases.
1. Introduction
This guide is designed to compliment the basic postfix guide. It is written for CentOS 5. Configuration will differ for CentOS 6.
2. What is SASL and do I need it?
SASL (Simple Authentication and Security Layer) provides a mechanism of authenticating users using their username and password. Probably the most well known implementation of SASL is provided by the Cyrus SASL library.
If your ISP blocks port 25 connections and requires you to authenticate to send email, you will need to configure SASL.
3. What about SSL/TLS?
So SASL is able to provide a mechanism to authenticate remote users by username and password who wish to send mail through the mail server. We have a problem in that these mechanisms are sending usernames and passwords in plain text across the Internet (SASL does support various encrypted authentication methods such as DIGEST-MD5 but these aren’t always universally supported by email client software). This poses a security risk as anyone can potentially intercept this information and steal login details so we need to encrypt the connection. SSL (Secure Sockets Layer), and more recently TLS (Transport Layer Security), offer a mechanism to encrypt communications between two hosts, in our case our mail server and our remote client. SSL was renamed TLS by the IETF as of version 3.1.
4. Configuring stunnel for SSL connections
Start by installing and configuring stunnel. In this example we will use outbound.att.net and port 465. Replace these values with your ISP's values.
yum -y install stunnel telnet cat >> /etc/stunnel/stunnel.conf <<EoT [smtps] accept = 10465 client = yes connect = outbound.att.net:465 EoT wget -O /etc/init.d/stunnel https://bugzilla.redhat.com/attachment.cgi?id=325164 chmod 755 /etc/init.d/stunnel chkconfig stunnel on; service stunnel start
Test that the stunnel connection is working with a telnet connection.
$ telnet localhost 10465 Trying 127.0.0.1... Connected to localhost.localdomain (127.0.0.1). Escape character is '^]'. 220 outbound.att.net ESMTP ready $ quit 221 2.0.0 Bye Connection closed by foreign host.
5. Configuring SASL in postfix
The first step is to create the files with your credentials for the ISP.
echo "[127.0.0.1]:10465 MyUserName@att.net:SecretPassword" >> /etc/postfix/relay_creds postmap /etc/postfix/relay_creds chmod go-rwx /etc/postfix/relay_creds*
The second step is to add new setting to the postfix main.cf file.
cat >> /etc/postfix/main.cf <<EoT #added to enable SASL support for relayhost relayhost = [127.0.0.1]:10465 smtp_sasl_type = cyrus smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/relay_creds smtp_sasl_security_options = noanonymous smtp_use_tls = yes smtp_cname_overrides_servername = no smtp_sasl_mechanism_filter = plain, login EoT service postfix reload
6. Test for Delivery
SASL is configured and email should be routed through the relayhost. Check /var/log/maillog if there are errors. If you need to update the credentials, be sure to run "postmap /etc/postfix/relay_creds" and "service postfix reload".
If you get an error about email being sent from an unknown user, you may need to send all email from the email address of your ISP's account. In this example, replace the email address with the one provided by your ISP.
echo '/.*/ MyUserName@att.net' >> /etc/postfix/sender_canonical postmap /etc/postfix/sender_canonical echo 'sender_canonical_maps = regexp:/etc/postfix/sender_canonical' >> /etc/postfix/main.cf service postfix reload
