Linux Admin Zone » mail

quickly setup relay/smarthost with smtp auth in postfix mail server

jagbir — Tue, 16 Nov 2010 11:20:03 +0000

When we decided to host our mail with some other provider, the question of configuring our web servers to use that provider to send mail arise. Having CentOS and postfix as mail service in our hosts, we followed these steps to tell local postfix to use other smtp service to send mails.

1. Suppose you have example.com domain, create one separate mail account to be used in your scripts residing on web server for sending mails. As an example, let’s assume we have mailer@example.com with password mailer123 and mail server address as mail.example.com. Here mail.example.com points to provider mail server which is managing our mail infrastructure. Create a password map file which will contain this information:

# vi /etc/postfix/relaypwd
mail.example.com     mailer:mailer123

2. Check that permissions are ok for that file, or you can set them quickly:

# chown root:root /etc/postfix/relaypwd; chmod 600 /etc/postfix/relaypwd

3. Create hash from this password file:

# postmap /etc/postfix/relaypwd

4. Change/add following configs in your main.cf file, remember that these config may exist already so update them with your values or uncomment them:

# vi /etc/postfix/main.cf

relayhost = [mail.example.com]
 
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
smtp_sasl_auth_enable = yes
smtp_sasl_security_options =
smtp_sasl_password_maps = hash:/etc/postfix/relaypwd
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
mailbox_size_limit = 256000000
myorigin = example.com

5. Restart the postfix service to apply changes:

# service postfix restart

6. Your server now should use the configured mail service to send mails, I’ve already posted one article here to test your mail service completely. Please get confirmed before marking it as done.

quickly check your mail server using telnet, mail or mutt

jagbir — Sun, 31 Oct 2010 13:03:00 +0000

There are of course various ways to check whether your mail server is now configured ok or not but what I found is that checking through telnet is quick and easy.

let’s check our mail server now, it may be mail.youdomain.com or localhost depending on what you are using right now, here’s the full process:

# telnet localhost smtp
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mail.example.com ESMTP Postfix
mail from: me@example.com
250 2.1.0 Ok
rcpt to: other@example.com
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject: Just a test. 
This is test mail using telnet.  
.
250 2.0.0 Ok: queued as 6846838401D6
quit
221 2.0.0 Bye
Connection closed by foreign host.
#_

here,

# telnet localhost smtp

We are trying connecting localhost on port 25 (smtp). It should get connected and ready to accept your next command

mail from: me@example.com

here you are specifying the sender mail id, it should be a valid mail account otherwise mail server can reject the sender address.

rcpt to: other@example.com

This is the recipient mail address.
then write ‘data’ and then in new line write ‘Subject: your subject’, press Enter and start writing contents of your mail. when you want to close, write a dot (.) and press Enter. message should be sent/queued in mail queue.
Check the recipient mail address, if mail server is working ok, you should get this mail there.

Other than this method where you can quickly use mail command also, like this:

# echo "This is a test mail to check mail server." | mail - s "This is test subject" other@example.com

This is a single line command but alas! we didn’t supply sender here which may trigger rejection from mail server.

You can also use mutt tool to facilitate this, if its there in your machine, like this:

# mutt -s "Test mail" other@example.com < message.txt

here message.txt contains mail message.

QuickTip use exim for normal mail but stop for secure smtp server

jagbir — Fri, 05 Feb 2010 07:38:57 +0000

Isn’t this weird? most people ask how to configure a mail server for secure smtp but one of my friend told me that he has a server which running Exim mail server on both port 25 (normal) and port 465 (secure smtp) now he is facing difficulties because the SSL certificates which Exim uses are expired. He wanted to close port 465 without affecting port 25 used by their scripts.

Here’s what I did and worked but if you have better idea or something to add, I’ll be glad to hear.

1. Check that Exim is listening on which ports or which ports are open:

# netstat -ant | grep LIST
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:587                 0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:10000               0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:465                 0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN      
tcp        0      0 :::587                      :::*                        LISTEN      
tcp        0      0 :::80                       :::*                        LISTEN      
tcp        0      0 :::465                      :::*                        LISTEN      
tcp        0      0 :::22                       :::*                        LISTEN      
tcp        0      0 :::25                       :::*                        LISTEN      
tcp        0      0 :::443                      :::*                        LISTEN

here port 25, 465 and 587 are used by exim (mail server). how to know which ports are used by which program?

simple, use lsof command. like we want to know which program is listening on port 25:

# lsof -i :25
COMMAND   PID USER   FD   TYPE  DEVICE SIZE NODE NAME
exim    11290 exim    3u  IPv6 7144552       TCP *:smtp (LISTEN)
exim    11290 exim    4u  IPv4 7144553       TCP *:smtp (LISTEN)

so its Exim.

2. Open config file for exim (/etc/exim/exim.conf on redhat based distros) and search and comment out following lines:

$ vi /etc/exim/exim.conf
  tls_advertise_hosts = * ## comment this line to prevent clients connecting for tls
 
  tls_certificate = /etc/pki/tls/certs/exim.pem  ## comment, we dont need to specify ssl certificates
  tls_privatekey = /etc/pki/tls/private/exim.pem ## comment
 
  daemon_smtp_ports = 25 : 465 : 587  ## comment this line, copy and paste in next line but with only 25 as port number
  tls_on_connect_ports = 465  ## comment, we dont need tls on port 465

so after commenting/updating, the above lines should look line below in /etc/exim/exim.conf file:

 
  # tls_advertise_hosts = *
 
  # tls_certificate = /etc/pki/tls/certs/exim.pem  ## comment, we dont need to specify ssl certificates
  # tls_privatekey = /etc/pki/tls/private/exim.pem ## comment
 
  # daemon_smtp_ports = 25 : 465 : 587  ## comment this line, copy and paste in next line but with only 25 as port number
  # tls_on_connect_ports = 465  ## comment, we dont need tls on port 465
 
  daemon_smtp_ports = 25  ## dont comment this.

3. Restart exim server and check open ports again:

# /etc/init.d/exim restart
Shutting down exim:                                        [  OK  ]
Starting exim:                                             [  OK  ]
 
[root@ds-29142 ~]# netstat -ant | grep LIST
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:10000               0.0.0.0:*                   LISTEN      
tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN      
tcp        0      0 :::80                       :::*                        LISTEN      
tcp        0      0 :::22                       :::*                        LISTEN      
tcp        0      0 :::25                       :::*                        LISTEN      
tcp        0      0 :::443                      :::*                        LISTEN

Port 465 is not there now, so we have stopped secure stmp service in this host.