I have configured my postfix so as users under my server shall send mails through port 587 and port 25 will only be used to receive mails from mail servers.
I am successful to the extent that on connecting to port 25 mails are not allowed outside the mail server and it is being rejected as relay-access denied. whereas on port 587 the clients are able to sent mail to outside mail servers.
To achieve this I have set in my main.cf
smtpd_recipient_restriction=permit_mynetworks, reject_unauth_destination
that is I removed permit_sasl_authenticated.
if I add this condition, the mails are allowed to be sent outside the network and if I am removing the condition, any one can connect to port 25 and since there is no authentication can sent any number of mails to local recipients.
what is way that I can use sasl authenticaton on port 25, yet prevent it from relaying mails outside my nework.
I'm by no means proficient when it comes to administering postfix but I do know that you can always overwrite the restrictions on a per daemon level.
Take a look at postfix's master.cf, specifically the -o smtpd_xxx entries and google for an example.
Postfix allows relaying based on two criteria:
authentication (you removed that!)
network (this is controlled by $mynetworks)
I recommend you set the mynetworks variable to a single IP and localhost, something like:
mynetworks = ip.of_ser.ver, 127.0.0.1
Related
Honestly, I think I have a fundamental gap in understanding how SMTP works. I can't seem to find a good explanation of what is happening behind the scenes and I think this is preventing me from being able to do what I am attempting to do.
To explain, I'm trying to setup an application which sends notifications to users by connecting to an SMTP server. Fair enough. I figure, since I'm using my own domain, I have SPF/DKIM/DMARC configured, I can add an MX record for the host I set the application up on (my SPF record has the mx keyword to authorize any hosts in my MX records to send/receive mails). Then, I can have that same host run a super lightweight SMTP server that can accept mails from the application, and send them on to recipients.
Almost crucially, I want this server to basically just run on localhost so that only this application can connect and send mails through it, but so that it can't really "receive" mails sent to my domain (I have set the MX priority very low (well, a high number) for this app server). I figure since I'm running my own SMTP server, that I don't really need to authenticate against it (it's running on localhost), just take in any mail and send it on to recipient domains.
When sending on to recipient domains... does the SMTP server need to authenticate to say, the gmail SMTP server as a user in order to send mails over there? That seems weird, since it's not a user logging into gmail to send mails, it's an SMTP server that is authorized within SPF sending mail from my domain (From address from my domain as well) to where ever the app server user's email is based (in this example, the user would be e.g., some_user#gmail.com).
I tried using python's aiosmtpd command-line and telnet to send a mail from test#MY_DOMAIN.TLD to test#MY_DOMAIN.TLD and it didn't seem to deliver the message; I figured aiosmtpd would connect to the preferred MX servers for my domain (my "real" MX's) to transfer the message, which would then put it in my inbox. That didn't seem to be the case, and I'm not sure why.
Exact repro steps, where example.com is my domain, and terminals are running on a box with a hostname listed in my MX records.
Terminal A:
$ aiosmtpd -n
Terminal B:
$ telnet localhost 8025
EHLO <example.com>
MAIL FROM: test#example.com
RCPT TO: test#example.com
DATA
FROM: Application Notifications <test#example.com>
TO: User Name <test#example.com>
SUBJECT: App Notify Test
This is a test!
.
QUIT
How do SMTP servers normally send mail between each other? Do they each get some login to each other's SMTP servers to authenticate with, and since I'm not doing that, this is a problem? Can I run a SMTP server on localhost and have it send mail out of the network without receiving mails (a no-reply service)? Is there something obvious that I'm just missing here that solves all my problems?
Thanks
It sounds like you want to run a mail transfer agent (MTA) that relays email to remote SMTP servers. An MTA will typically act as an SMTP server to receive messages, and then it will act as an SMTP client when it relays the messages to remote hosts.
MTAs generally operate in two different modes: (1) They will relay messages from authenticated users to remote hosts, and (2) they will receive messages from remote hosts to its users and store them somehow. The combination of those two modes - where the MTA will accept messages from remote hosts and relay them to different remote hosts - is called an open relay and is sure to attract spammers and place your server on spam blacklists.
aiosmtpd is not an MTA or an email relay out of the box - it is merely an SMTP server that will receive messages and do whatever with the messages you program it to do. By default it will do nothing - that is, it will receive the messages and throw them away. If you want to implement an email relay in aiosmtpd, then you need to implement the SMTP client portion of the MTA, e.g. by implementing an aiosmtpd handler that instantiates smtplib.SMTP to connect to remote hosts.
However, if all you want is an email relay, then you most likely don't need aiosmtpd at all - postfix is probably a better choice.
aiosmtpd can be a good choice if you need to implement mailing list software or perform some automation tasks based on incoming emails from e.g. cameras or scanners.
If you want to implement an email relay in aiosmtpd, then you need to ensure that both the software and your server are configured in a way that you don't relay unauthenticated messages from the outside internet.
See also: Python aiosmtpd - what is missing for an Mail-Transfer-Agent (MTA)?
So, I actually figured out what was missing here.
I need to run an SMTP server, yes, but I also needed to write code to parse the "to" domain (the recipient domain), perform a DNS request for the MX server(s) of the recipient domain, and then use the smtplib client to then send mail over to the recipient domain. Authentication is not needed to relay that message to the recipient server, authentication is only required for reading from a given inbox or authenticating a sender to send on behalf of a domain (I trust myself and myself only to send mail). I can do all this while also only listening for mail on localhost so that only my local server can use the local SMTP server for relaying messages/emails off to recipient domains.
Additionally, I don't need to have my external IP listed as an MX server since it's not accepting mail for the domain, only sending. I do need an SPF record for it though so that it is an authorized relay/sender for email from my domain.
I'm trying to configure hMailServer on my computer to be able to send email out and also receive emails. I'm not sure if I have everything set up correctly as some tests works and some others do not so I am confused.
I have already set up in the DNS of my domain these 3 MX records:
mail.example.com
smtp.example.com
imap.example.com
Each one of those records points to the domain name of my server. I am able to connect to the web server of my domain. In my router, I have forwarded ports 25, 110, 143, 465 and 587 to my local computer running the hMailServer application. When running a port check on the web, it looks like port 25, 110 and 465 are blocked, but the rest are not.
If I open my Mozilla Thunderbird mail client, I set up an account I created in hMailServer for the domain in question.
I have also allowed the hMailServer application through my Windows firewall for both the private and public networks. I did the same for the Thunderbird email client.
I can locally send emails to myself and other local domains set up in hMailServer. However, I cannot send or receive any email to/from external recipients, like to/from Gmail or Hotmail for example. I'm getting this error message:
Error Type: SMTP
Connection to recipients server failed.
Error: Host name: 1.1.1.1 (edited) message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond
Here are the TCP/IP ports summary in hMailServer:
The second part of my question is once I can actually send and receive email to/from external domains, how would I secure the connection (SSL/TSL...)? I already have a SSL certificate for my web server (example.com and www.example.com). Do I just need to generate another one for say mail.example.com or do email servers use a different kind of certificate?
Not sure if this belongs on Stack Overflow or somewhere else but I'll try here first.
I have multiple servers, each with the same setup where nearly everything running on the server is in a docker container. I have two goals I would like to achieve. First, the host machine is setup to send emails for users with uid < 1000 to my external email address. Second, on one server, I have a docker-mailserver container running to handle random, seldom used emails (for log files, etc.).
It seems I can have either the host machine running postfix OR the docker-mailserver running (and bound to port 25). Currently, I have the docker container, running the mail server, full operational and everything can send and receive just fine.
However, now I am unable to start postfix on the host machine so that I can receive emails sent to the root user (things like cron output) since port 25 is --rightfully-- in use by the actual mail server receiving email.
Questions:
1) How can I tell postfix on the host to not bind to port 25? If port 25 is only used for receiving mail, why would my outgoing-only postfix config need to use port 25?
2) I am perfectly comfortable not receiving emails for the root user, if whatever would normally be sent to the root user is logged elsewhere (perhaps, syslog?). Are the emails to root only maintained as emails or are they somewhere else, negating the need for postfix on the host for forwarding to a real account?
Thanks in advance.
Specifically answering your questions first:
You should be able to have postfix listen on any port you specify by editing the main.cf configuration file and changing the smtp listener to a numbered port of your choice. Of course, if it isn't a "known" port, I'm not sure what/who will ever connect to it, but maybe you don't care in this situation as you are only using postfix as a relay?
It may depend some on the Linux distribution or setup of your host, but most systems will leave email in the local delivery "mail spool" if there is no system/daemon set up to move it anywhere else. Back when that was the normal way to handle multi-user mail on UNIX systems, a login user used a mail reader client to read through email in your local "spool", and of course if you don't have that, you can simply vi your mail file and read the raw contents if necessary. These mail files are normally located in /var/spool/mail on most systems.
Stepping away from your questions, I would guess you don't necessarily need postfix running on your host, especially as your containerized mailserver is handling the port 25 SMTP traffic for the host. Local email will stay local, I assume, without postfix, and be available through local means; and you might even find a simpler solution to external forwarding (e.g. a script that can parse mail spools and just connect to an SMTP relay and send it to an external address) if you want that.
How can I email to a domain whose SMTP server does not listen on the standard port 25? I need to email to it through webmail, like GMail.
I thought this would work:
user#domain.com:port
You can't do it with gmail. You need to configure a mail server to do this, and it's hard. The only other option is using a firewall to redirect traffic from 25 to your port.
(And this probably belongs on serverfault).
As I know the email message sending process looks like this:
The message is sent from sender's client to his server (say mail.com).
The mail.com server redirects the message to recipients server (say gmail.com).
Recipient's client connects to gmail.com and recieves new messages.
I'm interested in stage 2.
I thought that the servers use SMTP protocol to make this negotiation. And gmail.com server should listen to 25 port to recieve a connection from mail.com and other servers.
But then I try to connect gmail.com (exactly, Google service) on port 25, the server is not responding...
Why? What's wrong?
You need to delve into MX records a bit: Oversimplified DNS and MX record. The SMTP gateways use the MX records to route emails between each other. So, for a domain X the SMTP gateway might be mail.X : in other words, for gmail.com the mail gateway might be mail.gmail.com (example).
Mail servers do not redirect.
You have to use MX records to find a mail server. You can't just assume that there will be one on the bare domain name.
But then the mail server will either accept or reject your message. In some cases, usually only between very close and trusted friends, the mail server might RELAY your message onward to another mail server.
At one time, in the mid 90's, just about any mail server would accept a message and relay it. Many people relied on this behavior because IP packets would only travel 30 hops, and the edges of the Internet were more than 30 hops apart. For instance, Peru and Ukraine could not contact each other with IP packets, but they could both send mail to a server at aol.com and that mail server would relay it on to its destination.
It is best not to play around with email unless you read some modern up-to-date descriptions of how it works, and perhaps check the white papers at maawg.org. Also, many domains now expect strangers to submit their email via port 587 and authentication is required.