Let’s say you’ve just installed your own virtual server running Postfix. Now you want to send mail from it to the outside world. You don’t want the work of running a full-blown mail server. That would be like delivering a letter in person, instead of letting the United States Postal Service pick it up. You want an easier way, one where you can hand off (relay) the mail, using a single e-mail account you already own.

Problem is, not all mail services are equal. Ones like Gmail are sophisticated and support the more recent TLS protocol. Many shared and budget hosting services don’t. They use an older SSL protocol, and Postfix isn’t designed to handle it. The solution is to create your own local SSL tunnel between Postfix and the relay server.

Stunnel configuration

Install stunnel in Ubuntu or Debian with…

sudo apt-get install stunnel

Enable it on startup by editing /etc/default/stunnel4:

#ENABLED=0
ENABLED=1

Create a .conf file in the /etc/stunnel directory. I named this one /etc/stunnel/stunnel.conf. 11125 is our local port. The connect line has the fully qualified domain name and port number of the external relay host (SMTP server). Check with your e-mail or web hosting provider if you’re unsure. cPanel has this information under “Email Accounts” in a “Configure Email Client” option:

[smtp-tls-wrapper]
accept = 11125
client = yes
connect = MY_SMTP_HOSTNAME:465

Optionally, if your tunnel doesn’t work, consider adding this line to /etc/hosts.allow:

smtp-tls-wrapper: 127.0.0.1

Postfix configuration

Put these lines in /etc/postfix/main.cf and be sure to comment out any earlier ones that compete with them. The relayhost is localhost (127.0.0.1), not the external relay server, because we will be creating a local tunnel for the SSL. Only smtp (client) settings need to be tweaked; the smtpd (server) settings can be left alone, including the TLS configuration.

relayhost = [127.0.0.1]:11125
inet_interfaces = loopback-only
# SASL Settings
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
smtp_sasl_security_options =

The SASL settings point to a password file, which we haven’t yet created. Let’s do that now, using the same email address from which we send messages. Change permissions (chmod) on the file to 600 so that your password can’t be read by others:

[127.0.0.1]:11125     MY_USER_NAME@MY_EMAIL_DOMAIN:MY_PASSWORD

Finishing up

Restart both servers:

sudo service stunnel4 restart
sudo service postfix restart

Send a test message to an external e-mail account. I prefer the mutt mail client; you might use the mail command instead:

echo "This is the body of a test message" | mutt -s "Test message" username@domain_name

Check the mail logs (tail -f /var/log/messages) or your local mailbox (mutt) for errors.
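
A check for the places this setup can quietly go wrong (tunnel listening beyond loopback, relay certificate not verified, password file readable or its lookup table not built), as an added example that is not part of the original article. It assumes stunnel 5.x option names (verifyChain, verifyPeer, checkHost) and GNU stat; the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the article); function names are hypothetical.
# Assumes stunnel 5.x option names and GNU stat; global-section options are ignored.

# Print the value of KEY in [SECTION] of a stunnel config (last one wins).
stunnel_opt() {  # usage: stunnel_opt FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); insec = (s == sec); next }
        insec && !/^[ \t]*[;#]/ && (i = index($0, "=")) {
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) val = v
        }
        END { print val }' "$1"
}

# Print one WARN line per finding; the exit status is the number of findings.
audit_relay() {  # usage: audit_relay STUNNEL_CONF SERVICE SASL_PASSWD
    conf=$1 svc=$2 pw=$3 n=0
    opt() { stunnel_opt "$conf" "$svc" "$1"; }
    warn() { echo "WARN: $*"; n=$((n + 1)); }
    case $(opt accept) in
        127.0.0.1:*|localhost:*|::1:*) ;;
        *) warn "[$svc] accept is not bound to loopback; use accept = 127.0.0.1:PORT" ;;
    esac
    case "$(opt verifyChain)/$(opt verifyPeer)/$(opt verify)" in
        */yes/*|*/[34]) ;;                       # pinned peer certificate
        yes/*|*/2) [ -n "$(opt checkHost)" ] ||
            warn "[$svc] checkHost is unset: a valid certificate for any host name is accepted" ;;
        *) warn "[$svc] relay certificate is not verified; set verifyChain, CAfile, checkHost" ;;
    esac
    [ "$(stat -c %a "$pw" 2>/dev/null)" = 600 ] || warn "$pw is not mode 600"
    # hash: tables are read from the .db file that postmap builds from the text file.
    if [ ! -f "$pw.db" ] || [ "$pw" -nt "$pw.db" ]; then
        warn "$pw.db is missing or stale; rebuild it with: postmap $pw"
    fi
    return "$n"
}

# Constructed sample mirroring the article's tunnel settings and a 644 password file.
demo() {
    d=$(mktemp -d)
    printf '[smtp-tls-wrapper]\naccept = 11125\nclient = yes\nconnect = MY_SMTP_HOSTNAME:465\n' > "$d/stunnel.conf"
    ( umask 022; echo '[127.0.0.1]:11125 user@example.com:constructed' > "$d/sasl_passwd" )
    audit_relay "$d/stunnel.conf" smtp-tls-wrapper "$d/sasl_passwd"; rc=$?
    rm -rf "$d"; return "$rc"
}
# With three arguments audit real files; with none, audit the constructed sample.
if [ $# -eq 3 ]; then audit_relay "$@"; else demo || true; fi
```

To check the files from this article, run the script as root with the arguments /etc/stunnel/stunnel.conf smtp-tls-wrapper /etc/postfix/sasl/sasl_passwd.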