The system described here is:
- a local postfix server
- a remote SMTP server ( smtp.myserver.com) with TLS secure connection and which require authentication (login + password)
All the configuration is done in /etc/postfix/main.cf. To edit this file, use this command:
gksudo gedit /etc/postfix/main.cf
First we will set the relay host. Add the following line and replace www.myserver.com:587 with your server information
relayhost = smtp.myserver.com:587By default, your port may be 25. Set it according to your remote server configuration.
Next, we will set authentication parameters with the following lines:
smtp_sasl_auth_enable = yes/etc/postfix/sasl/sasl_passwd is the path to the hash file containing login and password information. You need to create this file and insure only root will have read and write capability. The edit the file and write:
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp.myserver.com username:passwordReplace smtp.myserver.com, username and password with your SMTP server address, the username and password you want to use to login. Then execute the following command:
sudo postmap /etc/postfix/sasl/sasl_passwd
Now, we have to configure the TLS parameters. Add the following lines to /etc/postfix/main.cf:
smtp_use_tls = yesIn this configuration, we will force TLS use and enforce ssl certificate verification.
smtp_enforce_tls = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
If the ssl key used for your server is valid, you may not require more configuration. However, since postfix may try to connect to myserver.com and not smtp.myserver.com, it may not work correctly. Same thing if you uses a self signed ssl key. To fix that, we will use a fingerprint digest verification. To do that, add the following lines:
smtp_tls_security_level = fingerprintReplace 00:11:22:33:44:55:66:77:88:99:00:11:22:33:44:55:66:77:88:99 with the sha1 fingerprint of your ssl key. You can use md5 instead of sha1, but sha1 is better.
smtp_tls_fingerprint_digest = sha1
smtp_tls_fingerprint_cert_match = 00:11:22:33:44:55:66:77:88:99:00:11:22:33:44:55:66:77:88:99
To find the sha1 or md5 fingerprint, you can connect with firefox on your server (if you uses the same ssl key for the web) and just check ssl certificate information where md5 and sha1 info are displayed.
Now, restart postfix and it should work.
sudo /etc/init.d/postfix restart
Now you can test if everything work by sending email with this command:
echo "test" | mail -s "Test subject" firstname.lastname@example.orgReplace email@example.com with your email address.
You should receive this email.
This configuration allow to relay email, but do not configure your postfix server to allow you to use the SMTP fonctionnality of your local postfix server ton send email outside. It may need more configuration to give the right to relay email outside. By default postfix prevents it to avoid the server to be used for spam. Setting the following parameters may allow you to send email to email addresses hosted on the remote server (myserver.com), but not to all email addresses.
relay_domains = myserver.comTo allow relaying to all addresses, check required configuration in postfix documentation.
smtpd_recipient_restrictions = permit_auth_destination permit_mynetworks reject_unauth_destination