
postfix the Mail Transfer Agent

Postfix is a popular free mail transfer agent (MTA).

configuration tricks

Relaying mail through a smarthost that requires authentication

One common use case for an MTA is to run on a machine that is only intermittently connected to the global network.

For machines which may need to queue messages during stints of offline operation, having a full-fledged MTA like postfix is a good thing, because processes can inject mail into the local queue and not have to worry about actual transmission (which only happens upon network reconnection).

But for machines which often change IP addresses, sending mail as a full SMTP peer is often not possible. This is due to factors like greylisting, DNS runtime blacklists, etc. If you have a remote host running a solid, statically-configured MTA, you may prefer to have your local Postfix instance hand off ("relay") mail to that MTA, which may itself require some form of authentication. In this configuration, the remote MTA is known as a "smarthost".

On a Debian etch system, connecting to a smarthost (smarthost.example.org) which accepts mail on the submission port (port 587), using TLS and requiring authentication (username: exampleuser, password: examplepass), I needed to do the following:

First off, you can use the Debian utilities to select the smarthost:

dpkg-reconfigure postfix

Set up the authentication credentials:

touch /etc/postfix/sasl_passwd
chgrp postfix /etc/postfix/sasl_passwd
chmod 0640 /etc/postfix/sasl_passwd
echo 'smarthost.example.org exampleuser:examplepass' > /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd

Then tell postfix to use these passwords. For the smarthost I was working with, I needed to tell postfix it was ok to use plaintext authentication (smtp_sasl_security_options defaults to noplaintext, noanonymous):

cat >> /etc/postfix/main.cf <<EOF
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
EOF

Figure out which certificate authority has signed the TLS certificate for the remote mailserver. I did this by connecting to it by hand and seeing who the issuer was:

[0 dkg@squeak ~]$ echo QUIT | openssl s_client -starttls smtp -connect smarthost.example.org:587 2>/dev/null  | grep ^issuer=
issuer=/C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
[0 dkg@squeak ~]$ 

(you might want to remove the 2>/dev/null if you run into problems -- the error output can be useful).

In this case, I found the issuer's certificate in debian's [DebPackage:ca-certificates] package:

[0 dkg@squeak ~]$ dpkg -L ca-certificates | grep Equifax.Secure.Global.eBusiness
/usr/share/ca-certificates/mozilla/Equifax_Secure_Global_eBusiness_CA.crt
[0 dkg@squeak ~]$ 

And then tell postfix to require TLS when connecting to upstream, and to trust that cert:

cat >> /etc/postfix/main.cf <<EOF
smtp_tls_security_level = secure
smtp_tls_mandatory_protocols = TLSv1
smtp_tls_mandatory_ciphers = high
smtp_tls_secure_cert_match = nexthop
smtp_tls_CAfile = /usr/share/ca-certificates/mozilla/Equifax_Secure_Global_eBusiness_CA.crt
EOF

Finally, restart postfix to re-read the configuration:

/etc/init.d/postfix restart

If you have trouble with TLS, you might also want to set smtp_tls_log_level to 1 in /etc/postfix/main.cf to get more debugging info in /var/log/mail.log.
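As an added example that is not part of the original page: a small Python audit that parses a main.cf fragment (comments and Postfix's whitespace-continuation lines included) and reports where a smarthost relay configuration falls short of the settings above, in particular the combination of plaintext SASL with optional TLS, and a "secure" level with no CA to verify against. The sample main.cf is constructed here and deliberately leaves smtp_tls_security_level at "may" so the audit has something to report.

```python
import re

# Constructed sample: the fragment this page appends to main.cf, except that
# smtp_tls_security_level was left at a weaker value to give the audit a hit.
SAMPLE_MAIN_CF = """\
relayhost = smarthost.example.org
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = may
smtp_tls_CAfile =
    /usr/share/ca-certificates/mozilla/Equifax_Secure_Global_eBusiness_CA.crt
"""

def parse_main_cf(text):
    """Return {parameter: value}; honours '#' comments and Postfix's rule
    that a line starting with whitespace continues the previous one."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        m = re.match(r"^(\w+)\s*=\s*(.*)$", raw)
        if m:
            current = m.group(1)
            params[current] = m.group(2).strip()
    return params

def audit_relay(params):
    """List the ways a relay config falls short of the setup above; an empty
    list means it matches. SASL default is postconf(5)'s; an unset TLS
    level is treated as 'none' (a simplification of Postfix's legacy fallback)."""
    findings = []
    sasl_opts = params.get("smtp_sasl_security_options", "noplaintext, noanonymous")
    level = params.get("smtp_tls_security_level", "none")
    if params.get("smtp_sasl_auth_enable", "no") != "yes":
        findings.append("smtp_sasl_auth_enable != yes: client will never authenticate")
    if "noanonymous" not in sasl_opts:
        findings.append("smtp_sasl_security_options lacks noanonymous")
    if level != "secure":
        findings.append(f"smtp_tls_security_level is {level!r}, not secure: "
                        "the smarthost's certificate is not verified")
    elif not (params.get("smtp_tls_CAfile") or params.get("smtp_tls_CApath")):
        findings.append("secure level set but no smtp_tls_CAfile/CApath to verify against")
    if "noplaintext" not in sasl_opts and level not in ("encrypt", "secure"):
        findings.append("plaintext SASL allowed while TLS is optional: "
                        "the relay password could cross the wire in the clear")
    return findings
```

Run it against the real file with `audit_relay(parse_main_cf(open("/etc/postfix/main.cf").read()))`; an empty list is the goal.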

(I got most of the way to this set of config information from Ben Franske's post on the same subject, and some help from friends).

Last modified on Mar 7, 2008, 12:52:58 PM