Friday, April 15, 2011

Set a simple SMTP relay with TLS and authentication

The goal of this post is to show how to configure quickly a SMTP relay for a postfix server. This may allow for example a local postfix server to use a remote SMTP to send emails. It is very useful if your ISP block port 25 and you want to use secure SMTP connection to send email from your local server using a remote server.

The system described here is:
  • a local postfix server
  • a remote SMTP server ( with TLS secure connection and which require authentication (login + password)

All the configuration is done in  /etc/postfix/ To edit this file, use this command:
gksudo gedit /etc/postfix/

First we will set the relay host. Add the following line and replace with your server information
relayhost =
By default, your port may be 25. Set it according to your remote server configuration.

Next, we will set authentication parameters with the following lines:
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
smtp_sasl_security_options = noanonymous
 /etc/postfix/sasl/sasl_passwd is the path to the hash file containing login and password information. You need to create this file and insure only root will have read and write capability. The edit the file and write: username:password
Replace, username and password with your SMTP server address, the username and password you want to use to login. Then execute the following command:
sudo postmap /etc/postfix/sasl/sasl_passwd

Now, we have to configure the TLS parameters. Add the following lines to /etc/postfix/
smtp_use_tls = yes
smtp_enforce_tls = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
In this configuration, we will force TLS use and enforce ssl certificate verification.
If the ssl key used for your server is valid, you may not require more configuration. However, since postfix may try to connect to and not, it may not work correctly. Same thing if you uses a self signed ssl key. To fix that, we will use a fingerprint digest verification. To do that, add the following lines:
smtp_tls_security_level = fingerprint
smtp_tls_fingerprint_digest = sha1
smtp_tls_fingerprint_cert_match = 00:11:22:33:44:55:66:77:88:99:00:11:22:33:44:55:66:77:88:99
 Replace 00:11:22:33:44:55:66:77:88:99:00:11:22:33:44:55:66:77:88:99 with the sha1 fingerprint of your ssl key. You can use md5 instead of sha1, but sha1 is better.
To find the sha1 or md5 fingerprint, you can connect with firefox on your server (if you uses the same ssl key for the web) and just check ssl certificate information where md5 and sha1 info are displayed.

Now, restart postfix and it should work.
sudo /etc/init.d/postfix restart

Now you can test if everything work by sending email with this command:
echo "test" | mail -s "Test subject"
Replace with your email address.

You should receive this email.

This configuration allow to relay email, but do not configure your postfix server to allow you to  use the SMTP fonctionnality of your local postfix server ton send email outside. It may need more configuration to give the right to relay email outside. By default postfix prevents it to avoid the server to be used for spam. Setting the following parameters may allow you to send email to email addresses hosted on the remote server (, but not to all email addresses.
relay_domains =
local_recipient_maps =
smtpd_recipient_restrictions = permit_auth_destination permit_mynetworks reject_unauth_destination
To allow relaying to all addresses, check required configuration in postfix documentation.

No comments: