how to set up a mail hub to allow mail relaying for road warriors

recent versions of postfix make smtp over tls (relatively) easy, and postfix is easily installed on bsd, linux, and macosx. tls plus sasl authentication lets remote users relay mail through a mail hub without the hub becoming an open relay, and a listener on an extra port lets them bypass an isp's intercepting mta or blocked port 25.

mail hub configuration

/etc/postfix/master.cf

add this line:

2525 inet n - n - - smtpd

2525 is an alternate port chosen arbitrarily (587, the submission port, is the conventional choice and works the same way). whatever value is used must match the relayhost option in the remote host's main.cf configuration below. with no -o overrides on the line, the new listener inherits the tls and sasl settings from main.cf, which is what we want here.

/etc/postfix/main.cf

to smtpd_recipient_restrictions (and, if authenticated users should also skip the sender checks, to smtpd_sender_restrictions) add:

permit_sasl_authenticated

order matters: in smtpd_recipient_restrictions it must come before reject_unauth_destination, or authenticated users are refused relaying like everyone else. on postfix 2.10 and later relay permission is decided by smtpd_relay_restrictions instead, whose default (permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination) already allows it.

for tls add:

# smtpd_use_tls is the pre-2.3 switch; smtpd_tls_security_level below supersedes it
smtpd_use_tls = yes
# the setting that matters most: AUTH is not announced until the client has
# done STARTTLS, so credentials never cross the wire in the clear
smtpd_tls_auth_only = yes
# "may" offers STARTTLS without requiring it; together with auth_only that is
# enough, because relaying is only possible after authenticating
smtpd_tls_security_level = may
# one pem holding the (self-signed) certificate and its private key. it must be
# root-owned and mode 600 because of the key; postfix reads it before dropping
# privileges, so nothing else needs access
smtpd_tls_CAfile = /etc/ssl/grox.net.pem
smtpd_tls_cert_file = $smtpd_tls_CAfile
smtpd_tls_key_file = $smtpd_tls_CAfile
smtpd_tls_loglevel = 1
smtpd_tls_received_header = no
smtpd_tls_session_cache_timeout = 3600s

for authentication add:

smtpd_sasl_auth_enable = yes
# some old clients (outlook express era) send "AUTH=LOGIN" instead of "AUTH LOGIN"
broken_sasl_auth_clients = yes
# never offer the ANONYMOUS mechanism. plaintext mechanisms (plain, login) are
# acceptable here only because auth_only above confines them to tls sessions
smtpd_sasl_security_options = noanonymous
smtpd_sasl_authenticated_header = no
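to check that the hub really behaves this way from the outside, here is an added example (my own script, not code from this page or from postfix): it connects, confirms that AUTH is absent before STARTTLS and present (without ANONYMOUS) after it, verifies the certificate against a copy of the hub's cert, and optionally tries a login. the host, port, CA file path and credentials are assumptions to be replaced; plain_initial_response is there for repeating the same AUTH by hand inside openssl s_client.

```python
"""Probe a Postfix hub for what the configuration above is meant to guarantee:
no AUTH before STARTTLS (smtpd_tls_auth_only), a certificate that verifies,
AUTH without ANONYMOUS once the session is encrypted, and a login that works.

Added example, not part of the original page.  Host, port, CA file and the
credentials are assumptions; grox.net:2525 only mirrors the page's settings.
Usage:  python3 probe_hub.py grox.net 2525 /path/to/hub-cert.pem [user password]
"""
from __future__ import annotations

import base64
import smtplib
import ssl
import sys


def audit_features(before_tls: dict, after_tls: dict) -> list[str]:
    """Compare the ESMTP keyword dicts (smtplib's SMTP.esmtp_features, keys in
    lower case) seen before and after STARTTLS.  Empty result == hub looks right."""
    findings = []
    if "auth" in before_tls:
        findings.append("AUTH advertised on the cleartext session: "
                        "smtpd_tls_auth_only = yes is not in effect")
    if "starttls" not in before_tls:
        findings.append("STARTTLS not advertised: no usable smtpd_tls_security_level "
                        "on this listener")
        return findings
    if "auth" not in after_tls:
        findings.append("AUTH not advertised after STARTTLS: smtpd_sasl_auth_enable "
                        "is off or the SASL setup is broken")
    elif "ANONYMOUS" in after_tls["auth"].upper().split():
        findings.append("ANONYMOUS offered: smtpd_sasl_security_options lacks noanonymous")
    return findings


def plain_initial_response(user: str, password: str) -> str:
    """AUTH PLAIN initial response per RFC 4616: base64(authzid NUL authcid NUL passwd).
    It is encoding only, not encryption, which is why AUTH must stay inside TLS."""
    return base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode()).decode()


def probe_hub(host: str, port: int, cafile: str,
              user: str | None = None, password: str | None = None) -> list[str]:
    """Talk to the hub, record EHLO keywords before and after STARTTLS, then
    optionally try a SASL login.  cafile is the hub's certificate (self-signed in
    the page's setup), so chain and hostname are verified, not blindly accepted."""
    ctx = ssl.create_default_context(cafile=cafile)
    with smtplib.SMTP(host, port, timeout=15) as s:
        s.ehlo()
        before = dict(s.esmtp_features)
        if "starttls" not in before:
            return audit_features(before, {})
        s.starttls(context=ctx)          # raises ssl.SSLCertVerificationError on a bad cert
        s.ehlo()                         # keywords must be re-read after STARTTLS
        after = dict(s.esmtp_features)
        findings = audit_features(before, after)
        if user and password and "auth" in after:
            try:
                s.login(user, password)  # exercises saslauthd end to end
            except smtplib.SMTPAuthenticationError as exc:
                findings.append(f"login as {user} refused: {exc.smtp_code} {exc.smtp_error!r}")
    return findings


if __name__ == "__main__":
    host, port, cafile = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    creds = sys.argv[4:6] if len(sys.argv) >= 6 else [None, None]
    problems = probe_hub(host, port, cafile, *creds)
    print("\n".join(problems) if problems else "hub OK")
    sys.exit(1 if problems else 0)
```

copy only the certificate to the machine you test from, never the combined pem that also holds the key. to do the same by hand: openssl s_client -starttls smtp -connect grox.net:2525 -CAfile hub-cert.pem, then EHLO wox and AUTH PLAIN followed by the string plain_initial_response returns; if the hub accepts AUTH before you have done STARTTLS, smtpd_tls_auth_only is not in effect.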

remote user configuration

/etc/postfix/main.cf

this example is for my laptop, wox, which should usually appear as a remote member of the grox.net domain. the mail hub is grox.net.

myhostname = wox
myorigin = grox.net
# trust only the loopback network; nothing else may relay through the laptop
mynetworks = 127.0.0.0/8
# don't deliver locally, to the laptop, i'll use imap
mydestination =
# the mail hub listens on port 2525 as well as port 25
# so users can get around port 25 blockages.
# note: without [] around the name postfix looks up MX records for grox.net
# instead of connecting to that host; [grox.net]:2525 avoids that (and the
# smtp.auth lookup key then has to be spelled the same way)
relayhost = grox.net:2525
relay_domains = grox.net
#
# the smtpd_* lines only affect the loopback listener (inet_interfaces below)
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
#
# smtp_use_tls = yes is the pre-2.3 spelling of smtp_tls_security_level = may:
# tls is used if the hub offers it but is not required, and the certificate is
# not checked. on untrusted networks prefer smtp_tls_security_level = encrypt,
# or secure with smtp_tls_CAfile pointing at a copy of the hub's certificate
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
# a client certificate is not needed for sasl authentication; harmless here
smtp_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtp_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_sasl_auth_enable = yes
# see below
smtp_sasl_password_maps = hash:/etc/postfix/smtp.auth
# important: the default is "noplaintext, noanonymous". dropping noplaintext is
# what lets the client use PLAIN/LOGIN, the only mechanisms the hub offers, but
# it also permits them on an unencrypted session. either require tls above, or
# keep noplaintext here and set smtp_sasl_tls_security_options = noanonymous so
# plaintext mechanisms are used only inside tls
smtp_sasl_security_options = noanonymous
#
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
inet_interfaces = loopback-only

/etc/postfix/smtp.auth

grox.net:2525 dave:mypasswordgoeshere

the lookup key must be spelled exactly as relayhost is in main.cf. the file holds a cleartext password, so it should be owned and readable only by root, and because it is a hash: map it has to be rebuilt with postmap after every edit (check that the generated smtp.auth.db is root-only as well):

chown root:root /etc/postfix/smtp.auth
chmod 600 /etc/postfix/smtp.auth
postmap /etc/postfix/smtp.auth
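the two smtp_* settings that matter most for a laptop on hotel wifi are smtp_tls_security_level and smtp_sasl_security_options. the added example below (mine, not the page author's and not anything shipped with postfix) parses a main.cf fragment and flags the weak combinations, using the client configuration above as the weak sample next to a hardened fragment i would use instead. /etc/postfix/grox.net-cert.pem is an assumed path for a copy of the hub's certificate (without its key).

```python
"""Audit a road-warrior main.cf for the settings that decide whether the SASL
password can leak in transit: the Postfix SMTP client has to *require* TLS to
the relayhost, and PLAIN/LOGIN must not be offered on a cleartext session.

Added example, not part of the original page.  WEAK_MAIN_CF is the page's own
client settings reduced to the relevant lines (constructed sample);
HARDENED_MAIN_CF is this editor's suggested replacement, and the CAfile path
is an assumption: a copy of the hub's certificate, never the key.
"""
from __future__ import annotations

import re

WEAK_MAIN_CF = """\
relayhost = grox.net:2525
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/smtp.auth
smtp_sasl_security_options = noanonymous
"""

HARDENED_MAIN_CF = """\
# [] skips the MX lookup; the smtp.auth key must then read [grox.net]:2525 too
relayhost = [grox.net]:2525
# secure = TLS is mandatory AND the hub's cert must verify against the CAfile
# and match the relayhost name; a self-signed hub cert is its own trust anchor
smtp_tls_security_level = secure
smtp_tls_CAfile = /etc/postfix/grox.net-cert.pem
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/smtp.auth
# cleartext session: no plaintext mechanisms at all
smtp_sasl_security_options = noplaintext, noanonymous
# TLS session: PLAIN/LOGIN are fine (and are all the hub's mech_list offers)
smtp_sasl_tls_security_options = noanonymous
"""

MANDATORY_TLS = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}


def parse_main_cf(text: str) -> dict[str, str]:
    """main.cf syntax: 'name = value', '#' comment lines, and continuation lines
    that begin with whitespace.  A later assignment overrides an earlier one."""
    params: dict[str, str] = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params


def _options(value: str) -> set[str]:
    """Postfix option lists may be separated by commas and/or whitespace."""
    return {o.lower() for o in re.split(r"[,\s]+", value.strip()) if o}


def audit_client(cf: dict[str, str]) -> list[str]:
    """Findings for the SMTP-client side of a relaying laptop; [] means fine."""
    findings = []
    level = cf.get("smtp_tls_security_level")
    if level is None:  # legacy switch: smtp_use_tls = yes equals level "may"
        level = "may" if cf.get("smtp_use_tls", "no").lower() == "yes" else "none"
    tls_required = level in MANDATORY_TLS
    if not tls_required:
        findings.append(f"smtp_tls_security_level is '{level}': TLS to the relayhost is "
                        "optional, so a STARTTLS-stripping MITM gets a cleartext session")
    elif level == "encrypt":
        findings.append("smtp_tls_security_level = encrypt does not verify the hub's "
                        "certificate; use 'secure' plus smtp_tls_CAfile")
    elif level in {"verify", "secure"} and not (cf.get("smtp_tls_CAfile") or cf.get("smtp_tls_CApath")):
        findings.append(f"smtp_tls_security_level = {level} needs smtp_tls_CAfile or smtp_tls_CApath")
    if cf.get("smtp_sasl_auth_enable", "no").lower() == "yes":
        opts = _options(cf.get("smtp_sasl_security_options", "noplaintext, noanonymous"))
        # default for the TLS variant is $smtp_sasl_security_options
        tls_opts = _options(cf["smtp_sasl_tls_security_options"]) \
            if "smtp_sasl_tls_security_options" in cf else opts
        if "noanonymous" not in opts or "noanonymous" not in tls_opts:
            findings.append("ANONYMOUS not excluded: add noanonymous to the SASL security options")
        if "noplaintext" not in opts and not tls_required:
            findings.append("PLAIN/LOGIN allowed on a cleartext session: smtp_sasl_security_options "
                            "lacks noplaintext and TLS is not required; keep noplaintext there and "
                            "put noanonymous alone in smtp_sasl_tls_security_options")
        if "noplaintext" in tls_opts:
            findings.append("noplaintext applies even over TLS; the hub only offers plain and "
                            "login, so authentication will fail")
    relayhost = cf.get("relayhost", "")
    if relayhost and not relayhost.startswith("["):
        findings.append(f"relayhost '{relayhost}' has no []: Postfix will look up MX records "
                        "for it rather than connect to that host")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_MAIN_CF
    for finding in audit_client(parse_main_cf(text)) or ["no findings"]:
        print("-", finding)
```

run it as python3 audit_main_cf.py /etc/postfix/main.cf on the laptop; with no argument it audits the page's own settings and reports three findings. if you switch to the hardened fragment, the smtp.auth line has to become [grox.net]:2525 dave:mypasswordgoeshere (and postmap rerun), because the lookup key is spelled exactly like relayhost.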

SASL

/usr/lib/sasl2/smtpd.conf

pwcheck_method: saslauthd
mech_list: plain login

the location of smtpd.conf depends on how cyrus sasl was built: /usr/lib/sasl2/smtpd.conf, /etc/sasl2/smtpd.conf, or /etc/postfix/sasl/smtpd.conf on debian and ubuntu, where smtpd runs chrooted and saslauthd's socket has to live under /var/spool/postfix. mech_list is deliberately limited to plain and login, which is safe only because the hub's smtpd_tls_auth_only confines them to tls sessions. don't forget to set saslauthd to start automatically at boot, and test it on its own before blaming postfix: testsaslauthd -u dave -p mypasswordgoeshere -s smtp should answer 0: OK "Success."