Postfix, SASL, SMTP AUTH, TLS and Relay
Relaying with Postfix, SASL, Authentication and TLS
Create All The Files!
/etc/postfix/sasl/saslpass
mail.myserver.com relayuser:my password with spaces
/etc/postfix/tls_policy
[mail.myserver.com]:587 encrypt protocols=TLSv1 ciphers=high
[mail.myserver.com]:msa encrypt protocols=TLSv1 ciphers=high
[mail.myserver.com]:submission encrypt protocols=TLSv1 ciphers=high
Set File Permissions on SASL password file
chown root:root /etc/postfix/sasl/saslpass
chmod 600 /etc/postfix/sasl/saslpass
Hash All The Files!
postmap /etc/postfix/sasl/saslpass
postmap /etc/postfix/tls_policy
Configure All The Postfix!
## Since I am using TLS, I will allow plaintext and LOGIN (which are disabled by default)
postconf -e "smtp_sasl_security_options = "
## Enable SASL for outgoing SMTP traffic.
postconf -e "smtp_sasl_auth_enable = yes"
### Add the SASL password map
postconf -e "smtp_sasl_password_maps = hash:/etc/postfix/sasl/saslpass"
### Set the TLS policy map so that my mail server uses TLS with the appropriate policies.
postconf -e "smtp_tls_policy_maps = hash:/etc/postfix/tls_policy"
### Add the relayhost as my upstream mail server; note the format, it's important.
postconf -e "relayhost = [mail.myserver.com]:587"
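A small lint script for the three pieces set up above, added here as an example and not part of the original page. It parses the SASL password map and the TLS policy map, confirms the password file is unreadable by group and other, checks that the relayhost is in [host]:port form with matching entries in both maps (mirroring Postfix's lookup order: the next-hop as written, then the bare hostname), and flags a policy whose protocols= list contains no TLS 1.2 or 1.3, so the recipe's protocols=TLSv1 line would be reported (TLS 1.0 and 1.1 are deprecated by RFC 8996). The map contents and file paths are constructed in a temp directory; on a real box point the functions at /etc/postfix/sasl/saslpass and /etc/postfix/tls_policy.

```python
"""Lint a Postfix SASL relay setup: relayhost, SASL password map, TLS policy map.
Added example; sample map contents below are constructed, not from a real system."""
import os
import re
import stat
import tempfile

# Policy levels that force TLS before any password leaves the box.
STRONG_LEVELS = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}


def parse_map(path):
    """Read a Postfix text map: one 'key value...' per line, '#' lines and blanks skipped.
    The value is everything after the first whitespace, so a password with spaces survives."""
    entries = {}
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = re.split(r"\s+", line, maxsplit=1)
            entries[parts[0]] = parts[1] if len(parts) > 1 else ""
    return entries


def check_permissions(path, require_root=True):
    """The SASL map holds a plaintext password: only its owner may read it, and on a real
    system that owner is root (require_root=False only for files a test created itself)."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if require_root and st.st_uid != 0:
        problems.append("%s is not owned by root" % path)
    if mode & 0o077:
        problems.append("%s is readable by group/other (mode %04o, want 0600)" % (path, mode))
    return problems


def check_relay(relayhost, saslpass_path, tls_policy_path, require_root=True):
    """Cross-check the three pieces; an empty list of findings means they agree."""
    findings = check_permissions(saslpass_path, require_root)
    m = re.match(r"^\[([^\]]+)\]:(\w+)$", relayhost)
    if not m:
        findings.append("relayhost %r should be [host]:port so Postfix skips the MX lookup" % relayhost)
        return findings
    host = m.group(1)
    sasl = parse_map(saslpass_path)
    # Postfix looks the credentials up by the next-hop as written, then by the bare hostname.
    cred = sasl.get(relayhost) or sasl.get(host)
    if not cred:
        findings.append("no SASL credentials for %s" % relayhost)
    elif ":" not in cred:
        findings.append("SASL entry for %s is not in user:password form" % host)
    policy = parse_map(tls_policy_path)
    entry = policy.get(relayhost) or policy.get(host)
    if entry is None:
        findings.append("no TLS policy for %s: the password could go out in clear text" % relayhost)
        return findings
    fields = entry.split()
    level, attrs = (fields[0] if fields else ""), fields[1:]
    if level not in STRONG_LEVELS:
        findings.append("TLS policy for %s is %r, want encrypt or stronger" % (relayhost, level))
    for attr in attrs:
        if attr.startswith("protocols="):
            allowed = {p for p in attr[len("protocols="):].split(":") if not p.startswith("!")}
            if allowed and not allowed & {"TLSv1.2", "TLSv1.3"}:
                findings.append("TLS policy for %s allows only %s; TLS 1.0/1.1 are deprecated (RFC 8996)"
                                % (relayhost, ", ".join(sorted(allowed))))
    return findings


def _write_maps(policy_line):
    """Create the two maps in a temp dir with constructed contents; returns their paths."""
    tmp = tempfile.mkdtemp()
    sasl, pol = os.path.join(tmp, "saslpass"), os.path.join(tmp, "tls_policy")
    with open(sasl, "w") as fh:
        fh.write("mail.myserver.com relayuser:my password with spaces\n")
    with open(pol, "w") as fh:
        fh.write(policy_line + "\n")
    return sasl, pol


def demo_permissions():
    """Lint before and after the recipe's chmod 600; returns (findings_before, findings_after)."""
    sasl, pol = _write_maps("[mail.myserver.com]:587 encrypt protocols=TLSv1.2:TLSv1.3 ciphers=high")
    os.chmod(sasl, 0o644)   # world-readable: the state a careless edit leaves behind
    before = check_relay("[mail.myserver.com]:587", sasl, pol, require_root=False)
    os.chmod(sasl, 0o600)   # the chmod from the recipe
    after = check_relay("[mail.myserver.com]:587", sasl, pol, require_root=False)
    return before, after


def demo_weak_protocols():
    """Lint a policy pinned to TLSv1 only, as the recipe's tls_policy file is."""
    sasl, pol = _write_maps("[mail.myserver.com]:587 encrypt protocols=TLSv1 ciphers=high")
    os.chmod(sasl, 0o600)
    return check_relay("[mail.myserver.com]:587", sasl, pol, require_root=False)
```

Run check_relay() with the real relayhost value and require_root left at its default; the demo functions only drop the root-ownership check because the temp files they create belong to whoever runs them.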
Brief Explanation
I needed to relay from my in-house Linux box, which runs Postfix (on Ubuntu, incidentally), through my colo-hosted mail server. This recipe will work for Comcast, Verizon, Frontier, and Gmail. Those are the only places I have tested it. All of those mailservers have a Submission port (587) which accepts TLS.
This should work for just about any setup.
Props
There are tons of howtos. I owe much to Bens Bits, Patrick Koetter, the Postfix documentation, and of course, Google.
Query Exchange with Postfix
This is a simple, but cool, recipe for querying Exchange from Postfix. This is used with a Windows 2003 Small Business Server, running (s)Exchange 2003.
We don't often use this, because of the obvious problem of being unable to receive mail when Exchange crashes or must be rebooted. It is nice though, and a straightforward solution.
exchange_map.cf
binddn = cn=Spamfilter User,cn=Users,dc=MySBS,dc=org
bindpw = kill$pam
scope = sub
searchbase = dc=MySBS,dc=org
serverhost = ldaps://Server.MySBS.org:636
starttls = no
version = 3
resultattribute = mail
queryfilter = (&(objectClass=user)(|(mail=%s)(proxyAddresses=SMTP:%s)))
test
firewall postfix # postmap -q kelly@MySBS.org ldap:/etc/postfix/exchange_map.cf
kelly@MySBS.org
firewall postfix # postmap -q fakeuser@MySBS.org ldap:/etc/postfix/exchange_map.cf
firewall postfix # postmap -q joshua@imrnet.com ldap:/etc/postfix/exchange_map.cf
main.cf
.....
relay_recipient_maps = ldap:/etc/postfix/exchange_map.cf
.....
So, Kelly exists, but fakeuser, and Joshua are (mysteriously) absent.
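To show what the query filter above actually selects, here is an added example (not from the original page) that emulates the lookup against a handful of constructed directory entries: an object must have objectClass user and either its mail attribute or one of its proxyAddresses (prefixed SMTP:) must equal the recipient, and the result is the mail attribute, which is what postmap -q prints. It also shows the RFC 4515 escaping Postfix applies to %s before the filter is sent, which is what stops a recipient address containing * or ( ) from rewriting the filter; the directory contents, names and addresses are invented for the example.

```python
"""Emulate the Exchange/AD recipient lookup from exchange_map.cf. Added example;
the directory entries are constructed, not real directory data."""

# Constructed sample directory: one mailbox user and one mail-enabled contact.
_DIRECTORY = [
    {"dn": "cn=Kelly,cn=Users,dc=MySBS,dc=org", "objectClass": ["user"],
     "mail": "kelly@MySBS.org",
     "proxyAddresses": ["SMTP:kelly@MySBS.org", "smtp:kelly.s@MySBS.org"]},
    {"dn": "cn=Printer Alerts,cn=Users,dc=MySBS,dc=org", "objectClass": ["contact"],
     "mail": "alerts@MySBS.org", "proxyAddresses": ["SMTP:alerts@MySBS.org"]},
]

QUERY_FILTER = "(&(objectClass=user)(|(mail=%s)(proxyAddresses=SMTP:%s)))"


def ldap_escape(value):
    """RFC 4515 escaping of an assertion value: \\, *, ( ) and NUL become \\xx hex escapes.
    Postfix's ldap table does this to %s itself; without it '*@MySBS.org' would be a wildcard."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_filter(address, template=QUERY_FILTER):
    """Substitute the escaped recipient for every %s, as Postfix does with query_filter."""
    return template.replace("%s", ldap_escape(address))


def exchange_lookup(address, directory=_DIRECTORY):
    """Apply the filter's semantics and return the result_attribute (mail) values.
    AD compares mail and proxyAddresses case-insensitively, so the emulation does too."""
    wanted = address.lower()
    results = []
    for entry in directory:
        if "user" not in [c.lower() for c in entry.get("objectClass", [])]:
            continue   # contacts, groups etc. are excluded by (objectClass=user)
        mail_hit = entry.get("mail", "").lower() == wanted
        proxy_hit = any(p.lower() == "smtp:" + wanted for p in entry.get("proxyAddresses", []))
        if mail_hit or proxy_hit:
            results.append(entry["mail"])
    return results
```

An empty result is the useful outcome for relay_recipient_maps: Postfix rejects the recipient at SMTP time instead of accepting mail it can only bounce later, which is also why the proxyAddresses branch matters, since secondary addresses exist only there.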
Spam - SPF and Blackberry Handhelds
A growing number of small businesses are using Blackberry handhelds. Microsoft's services haven't taken off as strongly, but in a year or two I suspect Microsoft's products will be kings of the market.
For now, we have a wide range of Blackberry services. Most of my clients use the Blackberry Enterprise Server (BES) with Exchange. It's terribly expensive, but the entire operation works nicely and people like it.
Some of my customers use SMTP + POP3, and one in particular uses this with a Postfix based spamfilter.
Postfix uses SPF (policy-spf.pl), which in turn depends on internal SPF records to help reduce address spoofing. Naturally, sending from the Blackberry creates a bounce. We finally figured out how to set this up with SPF. It was a simple change:
Old Record
v=spf1 a mx mx:spamfilter.domain.com mx:gw.domain.com mx:gw1.domain.com ip4:10.1.1.0/24 a:server.otherdomain.com -all
New Record
v=spf1 a mx mx:spamfilter.domain.com mx:gw.domain.com mx:gw1.domain.com ip4:10.1.1.0/24 a:server.otherdomain.com ?ptr:blackberry.com -all
See? Just add the "?ptr:blackberry.com", and boom - all is good.
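To see exactly what that one term changes, here is an added example (not from the original page) that parses both records into qualifier/mechanism/argument terms and evaluates them against a stub resolver with constructed DNS answers (RFC 5737 documentation addresses). The ptr branch does the forward-confirmation RFC 7208 section 5.5 requires, so a host whose reverse name claims blackberry.com but whose forward lookup does not point back at the IP still fails; the same section says ptr SHOULD NOT be published because it is slow and depends on the sender's reverse DNS, and the leading ? at least makes a match neutral rather than pass. Macros, include:, redirect= and the DNS lookup limit are not handled.

```python
"""Parse and evaluate the SPF records above against a stub resolver. Added example;
every DNS answer below is constructed, using RFC 5737 documentation addresses."""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

OLD_RECORD = ("v=spf1 a mx mx:spamfilter.domain.com mx:gw.domain.com mx:gw1.domain.com "
              "ip4:10.1.1.0/24 a:server.otherdomain.com -all")
NEW_RECORD = OLD_RECORD.replace(" -all", " ?ptr:blackberry.com -all")

# Constructed DNS data: (type, name-or-ip) -> list of answers.
RESOLVER = {
    ("A", "domain.com"): ["192.0.2.10"],
    ("MX", "domain.com"): ["mail.domain.com"],
    ("A", "mail.domain.com"): ["192.0.2.25"],
    ("MX", "spamfilter.domain.com"): ["spamfilter.domain.com"],
    ("A", "spamfilter.domain.com"): ["192.0.2.30"],
    ("A", "server.otherdomain.com"): ["198.51.100.7"],
    # A genuine handheld relay: reverse name under blackberry.com, forward lookup confirms the IP.
    ("PTR", "203.0.113.40"): ["relay1.blackberry.com"],
    ("A", "relay1.blackberry.com"): ["203.0.113.40"],
    # A forger who controls their own reverse zone but not blackberry.com's forward zone.
    ("PTR", "203.0.113.41"): ["relay9.blackberry.com"],
    ("A", "relay9.blackberry.com"): ["203.0.113.99"],
}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms; a missing
    qualifier means '+'. Modifiers such as redirect= are not handled here."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for tok in parts[1:]:
        qual = "+"
        if tok[0] in QUALIFIERS:
            qual, tok = tok[0], tok[1:]
        mech, _, arg = tok.partition(":")
        terms.append((qual, mech.lower(), arg.lower()))
    return terms


def check_host(ip, domain, record, resolver=RESOLVER):
    """Return pass/fail/softfail/neutral for a connecting IP, walking the terms in order."""
    ip = ipaddress.ip_address(ip)
    for qual, mech, arg in parse_spf(record):
        target = arg or domain
        if mech == "all":
            hit = True
        elif mech == "ip4":
            hit = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            hit = str(ip) in resolver.get(("A", target), [])
        elif mech == "mx":
            hit = any(str(ip) in resolver.get(("A", mx), [])
                      for mx in resolver.get(("MX", target), []))
        elif mech == "ptr":
            # RFC 7208 s.5.5: take the reverse names, keep only those whose forward A record
            # confirms the IP, then match the target domain or a subdomain of it.
            validated = [n for n in resolver.get(("PTR", str(ip)), [])
                         if str(ip) in resolver.get(("A", n), [])]
            hit = any(n == target or n.endswith("." + target) for n in validated)
        else:
            return "permerror"   # unknown mechanism (RFC 7208 s.4.6.4)
        if hit:
            return QUALIFIERS[qual]
    return "neutral"   # no term matched and no 'all' present: default result
```

With the old record the genuine handheld relay (203.0.113.40) falls through to -all and fails, which is the bounce the post describes; with the new record it stops at ?ptr and gets neutral, while the forger at 203.0.113.41 still fails because its reverse name is never confirmed.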
Postfix: Brewing Drinks With LDAP
Some don't recommend this, and they will want you to use all sorts of bastardized Perl or, God help us, VBS to get entries from LDAP and ship them off to Linux.
Bollocks! I say, use LDAP queries directly, and manage load with proxymap.