Skip to main content

Relay Mail With Postfix and Stunnel

server apps mail sysadmin

Let’s say you’ve just installed your own virtual server running Postfix. Now you want to send mail from it to the outside world. You don’t want the work of running a full-blown mail server. That would be like delivering a letter in person, instead of letting the United States Postal Service pick it up. You want an easier way, one where you can hand off (relay) the mail, using a single e-mail account you already own.

Problem is, all mail services aren’t equal. Ones like Gmail are sophisticated and support the more recent TLS protocol. Many shared and budget hosting services don’t. They use an older SSL protocol, and Postfix isn’t designed to handle it. The solution is to create your own local SSL tunnel between Postfix and the relay server.

Stunnel configuration
#

Install stunnel in Ubuntu or Debian with…

sudo apt-get install stunnel

Enable it on startup by editing /etc/default/stunnel4:

#ENABLED=0
ENABLED=1

Create a .conf file in etc/stunnel directory. I named this one /etc/stunnel/stunnel.conf. 11125 is our local port. The connect line has the fully qualified domain name and port number at the external relay host (SMTP server). Check with your e-mail or web hosting provider if you’re unsure. Cpanel has this information under “Email Accounts” in a “Configure Email Client” option:

[smtp-tls-wrapper]
accept = 11125
client = yes
connect: MY_SMTP_HOSTNAME:465

Optionally, if your tunnel doesn’t work, consider ading this line to /etc/hosts.allow:

smtp-tls-wrapper: 127.0.0.1

Postfix configuration
#

Put these lines in /etc/postfix/main.cf and be sure to comment out any earlier ones that compete with them. The relayhost is localhost (127.0.0.1), not the external relay server, because we will be creating a local tunnel for the SSL. Only smtp (client) settings need to be tweaked; the stmtpd (server) settings can be left alone, including the TLS configuration.

relayhost = [127.0.0.1]:11125
inet_interfaces = loopback-only
# SASL Settings
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
smtp_sasl_security_options =

The SASL settings point to a password file, which we haven’t yet created. Let’s do that now, using the same email address from which we send messages. Change permissions (chmod) on the file to 600 so that your password can’t be read by others:

[127.0.0.1]:11125     MY_USER_NAME@MY_EMAIL_DOMAIN

Finishing up
#

Restart both servers:

sudo service stunnel4 restart
sudo service postfix reload

Send a test message to an external e-mail account. I prefer mutt mail client; you might use the mail command instead:

echo "This is the body of a test message" | mutt -s "Test message" username@domain_name

Check the mail logs (tail -f /var/log/messages/) or your local mailbox (mutt) for errors.

Related

Installing a Local DNS Server Behind a Hardware Router
networking router dns hardware sysadmin
There’s not much work to installing and using a typical hardware router.
Tracks: a To-Do List for Getting Things Done
server apps task management
David Allen’s Getting Things Done struck a chord with compulsive organizers as well as people struggling to bring order to their lives.
JIRA Installation with Postgresql
server apps issue tracking sql
Jira is a mature issue tracking system with advanced workflow features.