how to set up a mail hub to allow mail relaying for road warriors

recent versions of postfix make secure smtp via tls (relatively) easy. fortunately, it’s easily installed on bsd, linux, and macosx. with the setup below, remote users can relay their mail through a mail hub, which also lets them get around an isp’s intercepting mta or a blocked port 25.

mail hub configuration


add this line:

2525 inet n - n - - smtpd

2525 is an alternate port chosen arbitrarily. whatever value is used must also be configured on the remote hosts; see the relayhost option in the remote user configuration below.


to smtpd_recipient_restrictions and smtpd_sender_restrictions add:

  • permit_sasl_authenticated

for tls add:

smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
smtpd_tls_CAfile = /etc/ssl/
smtpd_tls_cert_file = $smtpd_tls_CAfile
smtpd_tls_key_file = $smtpd_tls_CAfile
smtpd_tls_loglevel = 1
smtpd_tls_received_header = no
smtpd_tls_session_cache_timeout = 3600s

for authentication add:

smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_authenticated_header = no

remote user configuration


this example is for my laptop, wox, that should usually appear as a remote member of the domain. the mail hub is

myhostname = wox
myorigin =
# don't allow remote connections
mynetworks =
# don't deliver locally, to the laptop, i'll use imap
mydestination =
# the mail hub listens on port 2525 as well as port 25
# so users can get around port 25 blockages.
relayhost =
relay_domains =
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_sasl_auth_enable = yes
# see below
smtp_sasl_password_maps = hash:/etc/postfix/smtp.auth
# important
smtp_sasl_security_options = noanonymous
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
inet_interfaces = loopback-only


dave:mypasswordgoeshere

this file should be owned and readable only by root:

chown root:root /etc/postfix/smtp.auth
chmod 600 /etc/postfix/smtp.auth



pwcheck_method: saslauthd
mech_list: plain login

don’t forget to set saslauthd to start automatically at boot.
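
a quick check of the settings above, as an added example that is not part of the original page: it reads a copy of the hub's main.cf and the laptop's smtp.auth and reports anything that differs from what is listed here (tls-only auth, noanonymous, permit_sasl_authenticated, mode 600). the function names and the small parser are assumptions made for this example; on a live host `postconf -h` reports the effective values.

```shell
#!/bin/sh
# added example, not from the original page.
# usage: audit_hub path/to/main.cf ; audit_authfile /etc/postfix/smtp.auth

# cf_get FILE NAME: print NAME's value as a space-separated list,
# joining continuation lines (lines that start with whitespace)
cf_get() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }                       # comment or blank
        /^[ \t]/ { if (hit) val = val " " $0; next }  # continuation line
        { hit = 0 }
        index($0, key) == 1 {
            rest = substr($0, length(key) + 1)
            if (rest ~ /^[ \t]*=/) { sub(/^[ \t]*=/, "", rest); val = rest; hit = 1 }
        }
        END { gsub(/[ \t,]+/, " ", val); gsub(/^ | $/, "", val); print val }
    ' "$1"
}

# audit_hub FILE: print each problem, return the number of problems
audit_hub() {
    bad=0
    [ "$(cf_get "$1" smtpd_tls_auth_only)" = yes ] ||
        { echo "smtpd_tls_auth_only != yes: plain/login offered without tls"; bad=$((bad + 1)); }
    case " $(cf_get "$1" smtpd_sasl_security_options) " in
        *" noanonymous "*) ;;
        *) echo "smtpd_sasl_security_options lacks noanonymous"; bad=$((bad + 1)) ;;
    esac
    for name in smtpd_recipient_restrictions smtpd_sender_restrictions; do
        case " $(cf_get "$1" "$name") " in
            *" permit_sasl_authenticated "*) ;;
            *) echo "$name lacks permit_sasl_authenticated"; bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}

# audit_authfile FILE [UID]: mode must be 600, owner UID (default 0, root)
audit_authfile() {
    perms=$(ls -ln "$1" | awk '{ print $1 }')
    uid=$(ls -ln "$1" | awk '{ print $3 }')
    case "$perms" in
        -rw-------*) ;;
        *) echo "$1: mode is $perms, want -rw-------"; return 1 ;;
    esac
    [ "$uid" = "${2:-0}" ] || { echo "$1: owner uid is $uid, want ${2:-0}"; return 1; }
}
```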