Friday, April 15, 2011

Set a simple SMTP relay with TLS and authentication

The goal of this post is to show how to quickly configure an SMTP relay for a postfix server. This allows, for example, a local postfix server to use a remote SMTP server to send email. It is very useful if your ISP blocks port 25 and you want to send email from your local server through a remote server over a secure SMTP connection.

The system described here is:
  • a local postfix server
  • a remote SMTP server (smtp.myserver.com) with a TLS-secured connection which requires authentication (login + password)

All the configuration is done in /etc/postfix/main.cf. To edit this file, use this command:
gksudo gedit /etc/postfix/main.cf

First we will set the relay host. Add the following line and replace smtp.myserver.com:587 with your server information:
relayhost = smtp.myserver.com:587
By default, the port may be 25. Set it according to your remote server's configuration.

Next, we will set authentication parameters with the following lines:
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
smtp_sasl_security_options = noanonymous
/etc/postfix/sasl/sasl_passwd is the path to the hash file containing the login and password information. You need to create this file and ensure that only root has read and write access to it. Then edit the file and write:
smtp.myserver.com username:password
Replace smtp.myserver.com, username and password with your SMTP server address and the username and password you want to use to log in. Then execute the following command:
sudo postmap /etc/postfix/sasl/sasl_passwd

Now, we have to configure the TLS parameters. Add the following lines to /etc/postfix/main.cf:
smtp_use_tls = yes
smtp_enforce_tls = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
In this configuration, we force the use of TLS and enforce SSL certificate verification.
If the SSL certificate used by your server is valid, you may not need more configuration. However, since postfix may try to connect to myserver.com and not smtp.myserver.com, it may not work correctly. The same applies if you use a self-signed SSL certificate. To fix that, we will use fingerprint digest verification. To do that, add the following lines:
smtp_tls_security_level = fingerprint
smtp_tls_fingerprint_digest = sha1
smtp_tls_fingerprint_cert_match = 00:11:22:33:44:55:66:77:88:99:00:11:22:33:44:55:66:77:88:99
Replace 00:11:22:33:44:55:66:77:88:99:00:11:22:33:44:55:66:77:88:99 with the sha1 fingerprint of your SSL certificate. You can use md5 instead of sha1, but sha1 is better.
To find the sha1 or md5 fingerprint, you can connect with Firefox to your server (if you use the same SSL certificate for the web) and check the SSL certificate information, where the md5 and sha1 values are displayed.
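If the relay does not serve the same certificate over HTTPS, the fingerprint can be taken directly from the SMTP port with openssl. The functions below are an added example, not part of the original post: they compute the colon-separated digest in the form main.cf expects and print the three fingerprint lines. They assume openssl(1) is installed; smtp.myserver.com:587 is the placeholder relay from the post, and the self-signed certificate is constructed only so the helpers can run offline.

```shell
#!/bin/sh
# Added example: derive the Postfix fingerprint lines from a certificate.

# Print the digest of a PEM certificate in Postfix's AA:BB:... form.
# $1 = path to the PEM certificate, $2 = digest name (sha1 or md5, as in the post)
cert_fingerprint() {
    openssl x509 -noout -fingerprint -"$2" -in "$1" | sed 's/^.*=//'
}

# Emit the three main.cf lines described in the post for this certificate.
fingerprint_config() {
    fp=$(cert_fingerprint "$1" "$2") || return 1
    printf 'smtp_tls_security_level = fingerprint\n'
    printf 'smtp_tls_fingerprint_digest = %s\n' "$2"
    printf 'smtp_tls_fingerprint_cert_match = %s\n' "$fp"
}

# Fetch the relay's certificate through STARTTLS on the submission port.
# Needs network access, so it is not exercised here:
#   fetch_smtp_cert smtp.myserver.com 587 > relay.pem
#   fingerprint_config relay.pem sha1 >> /etc/postfix/main.cf
fetch_smtp_cert() {
    openssl s_client -starttls smtp -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509
}

# Constructed input: a throwaway self-signed certificate standing in for the relay's.
make_test_cert() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=smtp.myserver.com' \
        -keyout "$d/key.pem" -out "$d/cert.pem" >/dev/null 2>&1
    echo "$d/cert.pem"
}
```

Compare the printed fingerprint with the one shown by the relay's operator (or by Firefox, as above) before pasting it into main.cf, since a fingerprint pinned from an intercepted connection would pin the wrong certificate.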

Now, restart postfix and it should work.
sudo /etc/init.d/postfix restart

Now you can test that everything works by sending an email with this command:
echo "test" | mail -s "Test subject" youremail@youremail.com
Replace youremail@youremail.com with your email address.

You should receive this email.

This configuration allows relaying email, but does not configure your postfix server to let you use the SMTP functionality of your local postfix server to send email outside. More configuration may be needed to grant the right to relay email outside. By default postfix prevents it, to avoid the server being used for spam. Setting the following parameters may allow you to send email to addresses hosted on the remote server (myserver.com), but not to all email addresses.
relay_domains = myserver.com
local_recipient_maps =
smtpd_recipient_restrictions = permit_auth_destination permit_mynetworks reject_unauth_destination
To allow relaying to all addresses, check the required configuration in the postfix documentation.

Thursday, March 24, 2011

Linux conspiracy against Microsoft Windows and against you

Everybody knows now that Linux and the open source community are at war with Microsoft and its operating system Windows.
What is impressive is to see the amount of energy and ingenuity spent by Linux fans to hurt Microsoft Windows. Recently, the Linux community has found a way nobody thought possible to prevent Windows 7 Service Pack 1 from installing and, in this way, hurt Microsoft Windows 7's security and credibility.
Indeed, they were able to prevent Win 7 SP1 from installing as soon as a hard drive with a Linux partition is present in the computer.
Since the reason for the installation error is not understandable for standard humans like you and me, everybody will think that Win 7 SP1 can't install because of a bug in Windows 7, when the source of the issue is in fact Linux.

This is cheap, but this is the way Linux tries to discredit Microsoft Windows.

So, be warned, the Linux community is here and is fighting against you....





Ok, I confess, I should have enclosed this post in <troll></troll> or <sarcasm></sarcasm> tags. However, you must agree that with such a nice, well documented and well thought out article I should have been published on slate.com.


Last thing: the issue reported here with the Win 7 SP1 installation is real. Crazy, stupid, unbelievable,... but real. This is a very bad issue in Windows 7, not Linux's fault.

Sunday, November 7, 2010

Ubuntu logo used to sell Windows 7

We know that Ubuntu, and Linux in general, is more and more widely used.
So much so that we can see the Ubuntu logo on the screen of a laptop advertised by a major electronics shop brand (The Source), both on the flyers and on the home page of the web site.
You can see below pictures of the flyer and the web site advertisement. But wait, this computer is sold with Windows 7, not Ubuntu.

Is Ubuntu so good that they use it to trick customers into buying Windows 7?

Flyer:

Web Site Advertisement:

Friday, October 22, 2010

Mac AppStore revolutionizes software installation???????

Have I missed something, or is this the way it has worked on all Linux distributions for years now?

Saturday, July 3, 2010

Prevent mythtv from shutting down while you are connected to it

This is a simple python script I use to prevent my mythtv backend from stopping while I'm connected to it with samba, http, ssh or other streaming systems...

Just replace 192.168.0.3 or 192.168.0 with the IP numbers of your mythtv backend.
#!/usr/bin/env python
# coding: utf-8

import subprocess  # replaces the Python 2 only 'commands' module
import sys

# List ESTABLISHED connections, dropping the ones that are not real clients:
#  - the backend (192.168.0.3) talking to itself,
#  - the backend's own Samba (microsoft-ds) sessions to hosts on 192.168.0.*
res = subprocess.getoutput(
    'netstat | grep ESTABLISHED'
    ' | grep -v -e ".*192.168.0.3.*192.168.0.3.*"'
    ' -e ".*192.168.0.3.*192.168.0.:microsoft-ds.*"')

# Anything left means somebody is still connected: exit 1 so the
# mythtv backend refuses to shut down; exit 0 lets it shut down.
if len(res) > 10:
    sys.exit(1)
sys.exit(0)
I know that it is possible to do that with only a shell script, without python, but I do not master shell script, so feel free to modify it to use only shell.

Use this script as the command the mythtv backend runs before shutting down, to verify that it can really shut down.
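A shell-only version of the same pre-shutdown check, as the post says is possible. This is an added example, not the post's script: it assumes `netstat -tn` style input (numeric addresses, Local and Foreign address in columns 4 and 5, State in column 6) and takes the backend address and subnet prefix as arguments instead of hard-coding 192.168.0.3 and 192.168.0.

```shell
#!/bin/sh
# Added example: shell-only "may the mythtv backend shut down?" check.

# Exit 0 when no client is connected (backend may shut down), 1 otherwise.
# $1 = the backend's own IP, $2 = its subnet prefix (e.g. 192.168.0.)
# stdin = output of `netstat -tn`
clients_connected() {
    awk -v me="$1" -v net="$2" '
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
            split($4, l, ":"); lip = l[1]
            split($5, f, ":"); fip = f[1]; fport = f[2]
            # both ends are the backend itself: ignore (first pattern in the post)
            if (lip == me && fip == me) next
            # backend mounting a Samba share from a host on its own subnet:
            # ignore (second pattern in the post, microsoft-ds is port 445)
            if (lip == me && index(fip, net) == 1 &&
                (fport == "microsoft-ds" || fport == "445")) next
            found = 1
        }
        END { exit found ? 1 : 0 }'
}

# Hook for the mythtv backend pre-shutdown command; replace the placeholder
# address and subnet with yours.
check_backend() {
    netstat -tn | clients_connected "${1:-192.168.0.3}" "${2:-192.168.0.}"
}
```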

Sunday, February 21, 2010

Do not buy a Linksys WRT610N


UPDATE 2
Since I use dd-wrt, my random disconnections on irc are gone... Everything works perfectly!
Do not hesitate, switch to dd-wrt.

UPDATE
After playing a bit with the v2 (switched to 5GHz wifi N), things went wrong. Wireless G stopped working correctly, like before. Connection drops, SSID disappeared, etc.. Tried factory default configuration, flashed the firmware again, hard 30-30-30 reset... Nothing saved my router. This router is really a shame. It is clearly defective by design! Finally, I decided to install dd-wrt on it, and since then, everything works perfectly. To find the latest versions of dd-wrt, it's here (just write wrt610n in the field and choose your version of the router). For instructions on how to flash the router, it's here for v1 and here for v2. Follow all instructions very carefully; this manipulation is risky for your router. Be informed that you may brick your expensive router. When the tutorial says do a "hard reset", this means pressing the reset button for several seconds until the lights on the router blink.

Last but not least: with dd-wrt you will be able to do many more things with your router than you could with the original firmware.
END OF THE UPDATE


Here is my experience with one.... in fact two Linksys WRT610N routers.
Basically, on paper this router is really good:
  • Dual b,g,n wifi card with 2.4 and 5GHz support
  • 4 Gigabit ethernet connectors
  • 1 USB connector for mass storage disks or anything you want with a specific linux distribution like dd-wrt.
When I received my first WRT610N v1, everything was fine. The 5GHz wifi N worked perfectly with 10MB/s (100Mb/s) bandwidth.

Then, I bought an old generation PS3. And things started to go wrong. I switched the router to 2.4GHz mixed b,g,n and tried to connect. The result: a very bad or impossible connection from the PS3. It seems that there is an incompatibility with the PS3. I changed my PS3 for a new slim version. The wifi started working correctly, except that regularly the wifi crashed and the router needed to be rebooted. This was not a PS3 issue since my whole wifi system stopped working.

Since this was not an acceptable behavior, I returned my router to the shop and got a new WRT610N v2 for free, as a replacement.

I expected major improvements with this new release. Unfortunately, things were as bad as before. The wifi regularly stopped working. It was even impossible to see the wifi (no ssid broadcast) from any of my computers. The ultimate solution I found was to set only the wifi G. With only G and no mixed mode, everything started working well.

When I say well... I don't talk about my normal connections using ethernet cable. Indeed, since I replaced this router, I am randomly disconnected from irc. This is something I never had before.

So basically, this router is really a shame, and should have been removed from the market a long time ago.

It seems that most of the problems are hardware, since I tested the v1 of the router with the standard firmware and with dd-wrt and I had the same issues in both cases.