Saturday, November 23, 2024

Port 25? Nope. Configure Postfix to Send Mail Using an External SMTP Server

There are many reasons why you would want to configure Postfix to send email using an external SMTP provider such as Mandrill, SendGrid, Amazon SES, or any other SMTP server. One reason is to avoid getting your mail flagged as spam if your current server’s IP has been added to a spam list. Another very common reason would be being stuck behind port 25 (other ports included with some hosts) – host restricted, it’s becoming ever so common now due to the vulnerable nature of a mail-server being on such a common port. To name a few restricting hosts – LinodeGoogle Cloud.

In this tutorial, you will learn how to install and configure a Postfix server to send email through Mandrill, or SendGrid.

Prerequisites

Before starting this tutorial, you should have:

  • Your fully qualified domain name (FQDN)
  • All updates installed :sudo apt-get update
  • A valid username and password for the SMTP mail provider, such as Mandrill, or SendGrid
  • Make sure the libsasl2-modules package is installed and up to date:sudo apt-get install libsasl2-modules

(All commands featured in this guide are intended for non-root users)

Installing Postfix

In this section, you will install Postfix and set the domain and hostname.

  1. Install Postfix with the following command:sudo apt-get install postfix
  2. During the installation, a prompt will appear asking for your General type of mail configuration.Select Internet Site.
  3. Enter the fully qualified name of your domain, fqdn.example.com.
  4. Once the installation is finished, open the /etc/postfix/main.cf file with your favorite text editor:sudo nano /etc/postfix/main.cf
  5. Make sure that the myhostname parameter is configured with your server’s FQDN:File: /etc/postfix/main.cf1 myhostname = fqdn.example.com

Configuring SMTP Usernames and Passwords

Usernames and passwords are generally stored in a file called sasl_passwd in the /etc/postfix/ directory. In this section, you’ll add your external mail provider credentials to this file and to Postfix.

Recommended:  500,000+ Android Users Downloaded a New Joker Malware App from Play Store

If you want to use Mandrill, or SendGrid as your SMTP provider, you may want to reference the appropriate example while working on this section. For Google Apps and Gmail-specific settings (Scroll down)

Open or create the /etc/postfix/sasl_passwd file, using your favorite text editor:

sudo nano /etc/postfix/sasl_passwd

Add your destination (SMTP Host), username, and password in the following format:

File: /etc/postfix/sasl_passwd
[mail.isp.example] username:password

If you want to use a port other than the default smtp port use the following format:

[mail.isp.example]:587 username:password

Create the hash db file for Postfix by running the postmap command:

sudo postmap /etc/postfix/sasl_passwd

Securing Your Password and Hash Database Files

The /etc/postfix/sasl_passwd and the /etc/postfix/sasl_passwd.db files created in the previous steps contain your SMTP credentials in plain text.

For security reasons, you should change their permissions so that only the root user can read or write to the file. Run the following commands to change the ownership to root and update the permissions for the two files:

sudo chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
sudo chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db

Configuring the Relay Server

In this section, you will configure the /etc/postfix/main.cf file to use the external SMTP server.

  1. Open the /etc/postfix/main.cf file with your favorite text editor:sudo nano /etc/postfix/main.cf
  2. Update the relayhost parameter to show your external SMTP relay host. Important: If you specified a non-default TCP port in the sasl_passwd file, then you must use the same port when configuring the relayhost parameter.
File: /etc/postfix/main.cf
relayhost = [mail.isp.example]:587

3. At the end of the file, add the following parameters to enable authentication:

File: /etc/postfix/main.cf
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

3. Save your changes

Recommended:  Over 7k SOL ($1.2M) got lost on Solana NFT mint due to a hack

4. Restart the post fix server – “sudo service postfix restart”

Walla. Job done.

OH! But what about configurations with other providers?

This section shows you settings for some popular mail services you can use as external SMTP servers. You may have to do some fine-tuning on your own to avoid Postfix logins being flagged as suspicious.

Settings for Mandrill

Use these settings for Mandrill.

  1. For /etc/postfix/sasl_passwd, use the following configuration with your own credentials:
File: /etc/postfix/sasl_passwd
[smtp.mandrillapp.com]:587 USERNAME:API_KEY

2. For /etc/postfix/main.cf, use the following relayhost:

File: /etc/postfix/main.cf
relayhost = [smtp.mandrillapp.com]:587

3. Create the hash db file for Postfix by running the postmap command:

sudo postmap /etc/postfix/sasl_passwd

4. Restart postfix

sudo service postfix restart

Settings for SendGrid

Use these settings for SendGrid.

  1. For /etc/postfix/sasl_passwd, use the following configuration with your own credentials:
File: /etc/postfix/sasl_passwd
[smtp.sendgrid.net]:587 USERNAME:PASSWORD

2. For /etc/postfix/main.cf, use the following relayhost:

File: /etc/postfix/main.cf
relayhost = [smtp.sendgrid.net]:587

3. Create the hash db file for Postfix by running the postmap command:

sudo postmap /etc/postfix/sasl_passwd

4. Restart Postfix:

sudo service postfix restart

5. Go enjoy.

Bookmark
Please login to bookmarkClose
Just your average information security researcher from Delaware US.
Latest posts by RiSec.Mitch (see all)
Recommended:  How to Perform Threat Modeling & Security Analysis in 5 Steps
Share the word, let's increase Cybersecurity Awareness as we know it
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

RiSec.Mitch
Just your average information security researcher from Delaware US.

more infosec reads

Subscribe for weekly updates

explore

more

security