Configuring Postfix as a relayEdit
This section gives configuration sections for Postfix in order to allow it to relay email through Fastmail's servers. This requires Postfix to know a username/password, but allows sending mail to any destination (not only to domains hosted at Fastmail).
This mode is appropriate for personal installations, where Postfix-via-Fastmail replaces the classical use of an ISP's outgoing mail servers.
Before You StartEdit
- These instructions have been prepared using Linux Fordoa Core 10, however they should apply to all versions of Linux that have Postfix. The location of the configuration files may be different.
- Postfix should already be installed. These instructions assume Postfix has SASL authentication and OpenSSL installed.
- In order to get Postfix to be able to relay email through Fastmail's servers using the Postfix client mode, the lines should be added to the main Postfix configuration.
- On Ubuntu and Fedora this is /etc/postfix/main.cf. These lines tell Postfix to use SASL authentication and STARTTLS encryption (both required by Fastmail) and point it to the file that contains the username and password to use when sending email. The square brackets around the host name are required
- Note: postfix doesn't support pure SSL/TLS over port 465 for sending but it does support STARTTLS on port 587, which Fastmail also supports
relayhost = [mail.messagingengine.com]:587 smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtp_sasl_security_options = smtp_tls_security_level = encrypt
- Next, create the password map file using your favourite text editor (vi, gedit, emacs) at /etc/postfix/sasl_passwd, and put the following in the file:
- Don't forget to replace <username> with your Fastmail username and <domain> with the domain of your Fastmail account (eg fastmail.fm, eml.cc, etc), and <password> with your Fastmail password. The '#' seems to be important, using the regular '@' symbol caused authentication errors.
- Now we need to hash the file so Postfix will actually use it. Execute the following at a command prompt. This will create the sasl_passwd.db file that is used by Postfix.
PROMPT> postmap hash:/etc/postfix/sasl_passwd
- At this point, you can restart Postfix and verify you can use it to send email through Fastmail's servers. Keep reading for some security tweaks.
- UPDATE: it would seem that the steps below for enabling TLS are mandatory now.
- The password map file (/etc/postfix/sasl_passwd) contains your Fastmail password in plain text. It is probably a good idea to restrict access to this file so only root can read it. Run the following as root at a command prompt:
PROMPT> chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db PROMPT> chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
Configuring Postfix at a remote SMTP serverEdit
This section assumes you're running your own MSA --- that is, that you administer a Postfix instance that delivers mail by connecting directly to the destination's MX servers. While this case typically requires zero special configuration, there exist various knobs that may be useful for some better-than-average behaviour.
This mode is appropriate for server installations.
The following settings will cause Postfix to use Transport Layer Security (TLS) with Fastmail.
It has been tested on a Linux Fedora Core 10 system. A similar configuration should work on any Unix-like system.
The directives below assume that the SSL certificates are installed in a folder at /etc/postfix/ssl. SSL certificates issues for securing web servers will work. The certificates could be located in the Postfix folder or another folder of your choice. The Postfix documentation mentions that certificates should be in PEM format. The internal format of the *.crt file is the same as the .pem file. The file extension is merely a convention is this case. There is no need to convert a *.crt file into a *.pem file.
The Postfix documentation also mentions that the TLS directives are in the format of smtpd_tls. The smtp_tls form shown below does indeed work.
You can obtain a certificate from a public certificate authority. The process to obtain a certificate is beyond the scope of this topic but the process is described at: http://www.cyberciti.biz/tips/postfix-smtp-ssl-certificate-csr-installation-guide.html
If you do not want the expense of a certificate from a public certificate authority you can generate a self-issued certificate using OpenSSL. The difference between a self issued certificate and a pubic certificate is that the authenticity of the self issued certificate cannot be verified by a 3rd party certificate authority. However in both types of certificates, the messages can be encrypted. Open a command shell or terminal and issue the following commands to create the self issued certificates that you will need. In the examples below the "your.domain.com" would typically be the common name (a.k.a. web address or DNS address) of your server. However, this file name is merely a convention and the file names of the certificates can be any legal file name.
#Become root su root #Make a folder to hold the certificates mkdir /etc/postfix/ssl #Generate your Private Key (*.key) openssl genrsa -out /etc/postfix/ssl/your.domain.com.key 2048 #Generate your Certificate Signing Request (CSR) openssl req -new -key /etc/postfix/ssl/your.domain.com.key -out your.domain.com.csr #Generate self Signed Public Key (*.crt) openssl x509 -req -days 1825 -in /etc/postfix/ssl/your.domain.com.csr -signkey /etc/postfix/ssl/your.domain.com.key -out /etc/postfix/ssl/your.domain.com.crt
In the case of your public certificate, the file that contains your certificate (*.crt) can also contain a chain of intermediate certificates leading back to the root certificate. The intermediate certificates are appended to the end of your certificate in the *.crt file.
# TLS (aka SSL) CONFIGURATION DIRECTIVES smtp_tls_security_level = may smtp_tls_key_file = /etc/postfix/ssl/your.domain.com.key smtp_tls_cert_file = /etc/postfix/ssl/your.domain.com.crt smtp_tls_CAfile = /etc/postfix/ssl/intermediate.crt smtp_tls_loglevel = 1 tls_append_default_CA = yes
- From a command prompt enter the command to cause Postfix to reload the main.cf:
At the TLS log level 1, entries such as the following will be logged to /var/logs/mail:
Jun 30 12:07:52 localhost postfix/postfix-script: refreshing the Postfix mail system Jun 30 12:07:52 localhost postfix/master: reload configuration /etc/postfix Jun 30 12:08:15 localhost postfix/smtpd: connect from localhost.localdomain[127.0.0.1] Jun 30 12:08:15 localhost postfix/smtpd: 16EA9582057: client=localhost.localdomain[127.0.0.1] Jun 30 12:08:15 localhost postfix/cleanup: 16EA9582057: message-id=<email@example.com> Jun 30 12:08:15 localhost postfix/qmgr: 16EA9582057: from=<firstname.lastname@example.org>, size=618, nrcpt=1 (queue active) Jun 30 12:08:15 localhost postfix/smtpd: disconnect from localhost.localdomain[127.0.0.1] Jun 30 12:08:15 localhost postfix/smtp: setting up TLS connection to mail.messagingengine.com[18.104.22.168]:587 Jun 30 12:08:15 localhost postfix/smtp: Trusted TLS connection established to mail.messagingengine.com[22.214.171.124]:587: TLSv1 with cipher AES256-SHA (256/256 bits) Jun 30 12:08:15 localhost postfix/smtp: 16EA9582057: to=<email@example.com>, relay=mail.messagingengine.com[126.96.36.199]:587, delay=0.74, delays=0.05/0.04/0.5/0.15, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as ACEF68E01D8) Jun 30 12:08:15 localhost postfix/qmgr: 16EA9582057: removed
Note that the configuration shown above is for causing Postfix to use TLS in the relay to FastMail (MTA to MTA relay). The configuration is not adequate if you want Postfix to use TLS between the email client and Postfix. For example this might be the case if you are using Postfix as an smtp relay for email clients on you local area network.
See http://www.postfix.org/TLS_README.html for background on configuring TLS in Postfix
Errors and warningsEdit
If you get an error/warning like the one below in your Postfix logs:
Untrusted TLS connection established to mail.messagingengine.com[188.8.131.52]
This is a known problem with postfix on Ubuntu/debian, where its not being able to lookup the certificate files.
More details here:
A summary of the solution copied from the above link:
The part that drove me nuts the last time I briefly looked into this, is that the CA cert it was complaining about was there, in "/etc/ssl/certs", along with many others, symlinked to "/usr/share/ca-certificates", but there just the same. All provided by the package ever so aptly named "ca-certificates". After scouring the web for a bit and coming across solutions that just seemed wrong, it finally dawned on me -- Postfix on Debian (and Ubuntu) runs chrooted by default. So of course it can't access the certs in "/etc"!
My first instinct was to just disable the chroot, which is done easily enough in master.cf, and be done with it. But that felt like a surrender, so kept digging, then after a few more minutes, a perfect solution emerged.
The certs are actually already inside the chroot, all in one big file "/var/spool/postfix/etc/ssl/certs/ca-certificates.crt", all we have to do is tell Postfix to look there, which can be done by adding the following to "/etc/postfix/main.cf":
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
Restart Postfix and problem is solved. Yay.