
relaying to an smtps host with postfix and stunnel

by Alaa

last week the brilliant admins at InternetEgypt decided to block smtp traffic without even sending us an email. naturally no one in the office was able to send any email. talking to tech support got me nowhere: the person who takes the support calls thinks ports are things you find in a dslam switch or something. after wasting a whole afternoon shouting at the phone I gave up and decided to find a workaround.

the mail server we use is the standard thing you get with shared hosting accounts. cpanel based shared hosting usually configures the mail server to offer ssl/tls encryption, and there are two ways to do that over smtp: the standard way (RFC 3207) is to open a normal smtp connection on port 25 (or the submission port, 587) and explicitly upgrade it by sending the starttls command; the other, non standard at the time but very common, is to connect to port 465, where the server starts the tls handshake the moment the connection opens (which is why /etc/services lists 465/tcp as smtps). this second variant, "implicit tls", was eventually standardised for mail submission in RFC 8314.

a quick test using telnet revealed that InternetEgypt had not blocked the smtps port. no banner appears here because the server is waiting for a tls handshake, not plain smtp, so the connection simply stays open:

$ telnet cospe-egypt.org smtps
Trying 67.15.52.34...
Connected to cospe-egypt.org (67.15.52.34).
Escape character is '^]'.

so the solution was simple: configure all mail clients to open an encrypted connection on port 465. no problem, the clients were configured to use starttls anyway, so it was just a simple config change in mozilla-mail. problem solved.

but MUAs are not the only software that sends email in the office: we have a server that sends diagnostic emails, a group calendar that sends reminders about meetings and so on, a trouble ticket system, etc.

so our lan server runs postfix, and postfix is configured to relay emails to our hosting smtp server, which means /etc/postfix/main.cf has these lines:

...

#relay setup
relayhost = cospe-egypt.org
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_use_tls = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd

config options that relate to postfix acting as an smtp client are always prefixed with smtp_; options that relate to postfix acting as an smtp server are prefixed with smtpd_.

this was basically telling postfix to relay all emails it receives to cospe-egypt.org, to encrypt using tls, to authenticate the smtp session using sasl auth, and to look for the username and password in /etc/postfix/sasl/passwd. one caveat worth knowing: smtp_use_tls = yes only makes tls opportunistic. if the server does not announce starttls (or someone on the path strips it from the ehlo response), postfix carries on in plaintext, and because smtp_sasl_security_options = noanonymous allows the PLAIN and LOGIN mechanisms (the only ones this server offers), the mailbox password goes out over that plaintext session. the fix is to make tls mandatory for the relay: smtp_enforce_tls = yes on postfix 2.2, or smtp_tls_security_level = encrypt together with smtp_sasl_tls_security_options = noanonymous on postfix 2.3 and later.

the file /etc/postfix/sasl/passwd had one entry. the hash: prefix means postfix actually reads the compiled passwd.db, so run postmap /etc/postfix/sasl/passwd after every edit, and keep both files mode 0600 since they hold the mailbox password in the clear:

cospe-egypt.org [email protected]:PASSWORD

that setup worked fine until the smtp port got blocked. now all I needed was to make postfix connect to the ssl-wrapped port directly instead of using starttls. it turned out not to be so easy: the postfix smtp client of the day had no support for connecting to smtps. (postfix 3.0, released in 2015, added smtp_tls_wrappermode = yes for exactly this case; it requires smtp_tls_security_level = encrypt or stronger, and on a current postfix that one setting replaces the tunnel described below.)

the solution I came up with was to set up an ssl tunnel: postfix acts as if the connection is plain text and the tunnel takes care of the ssl part.

first of all I had to test this. I don't know much about ssl or how smtps is implemented, so instead of reading tons of webpages I decided to do a crude test.

normally one can test communication with an smtp server this way:

$ telnet cospe-egypt.org smtp
Trying 67.15.52.34...
Connected to cospe-egypt.org (67.15.52.34).
Escape character is '^]'.
220-server25.fastbighost.com ESMTP Exim 4.52 #1 Sun, 05 Mar 2006 19:49:35 +0000 
220-We do not authorize the use of this system to transport unsolicited, 
220 and/or bulk e-mail.
ehlo cospe-egypt.org
250-server25.fastbighost.com Hello cospe-egypt.org [62.135.86.144]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
starttls
220 TLS go ahead

but you can't do that with ssl-wrapped connections unless something takes care of the ssl part. openssl provides a nice tool to test and debug ssl connections; just run this instead of the telnet command:

$ /usr/bin/openssl s_client -quiet -connect cospe-egypt.org:smtps
depth=0 /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=server25.fastbighost.com/[email protected]
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=server25.fastbighost.com/[email protected]
verify return:1
220-server25.fastbighost.com ESMTP Exim 4.52 #1 Sun, 05 Mar 2006 19:51:05 +0000 
220-We do not authorize the use of this system to transport unsolicited, 
220 and/or bulk e-mail.
ehlo cospe-egypt.org
250-server25.fastbighost.com Hello cospe-egypt.org [62.135.86.144]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP
quit
221 server25.fastbighost.com closing connection

ok so it worked, which means tunnelling the smtp traffic will also work. notice how the server did not offer starttls this time, since the session is already encrypted. notice also the "verify error: self signed certificate" lines: the hosting server presents a certificate that nobody vouches for, so s_client (and stunnel in its default configuration) encrypts the session without authenticating who is on the other end. anyone who can redirect the connection (a rogue dns answer, a box on the path) can present their own certificate and read the sasl login as it goes by. the way around it is to pin the server's certificate: save it to a file, point stunnel's CAfile at that file and set verify = 2.

great, so now all I needed to do was set up stunnel. stunnel acts as a middle layer between the local postfix and the hosting smtp server: it listens on a local port, postfix connects to that port instead of directly to the shared server, and postfix talks to stunnel in plain text. anything postfix says is encrypted and sent to the hosting server; the hosting server sends encrypted replies, which stunnel decrypts and hands back to postfix.

we configure stunnel by creating /etc/ssl/stunnel/stunnel.conf:

client = yes
foreground = no

[smtps]
accept = 5000
connect = cospe-egypt.org:smtps

stunnel can wrap servers or clients. by default it assumes you're tunnelling incoming connections (it terminates tls in front of a plaintext server); client = yes makes it tunnel outgoing connections instead.

accept specifies the port stunnel listens on and connect specifies where the ssl-wrapped traffic should go. two things worth tightening in a config like this: a bare port number in accept binds to every interface, so accept = 127.0.0.1:5000 keeps the tunnel entrance on loopback, which is the only place postfix needs it; and without verify and CAfile stunnel accepts whatever certificate the remote end presents, exactly the self-signed certificate s_client complained about above.
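the same mechanism written out in python, as an added example that is not code from this post or from the stunnel project: a client-mode wrapper with the two tightenings above applied (listens on loopback only, verifies the upstream certificate chain and hostname, refuses anything older than tls 1.2, and refuses to fall back to plaintext if the tls leg fails). the listen address, the CA file path and the smtp lines used by the offline self-check are assumptions made for the example; the upstream host and port are the ones from this post.

```python
"""client-mode tls wrapper in the spirit of `stunnel client = yes`.

added example, not code from the original post or from the stunnel project.
assumptions (not from the page): listen on 127.0.0.1:5000 (loopback only),
forward to cospe-egypt.org:465, verify the upstream certificate against
UPSTREAM_CAFILE (None = system trust store; for a self-signed server
certificate like this post's, point it at a pinned PEM copy instead).
"""
import select
import socket
import ssl
import threading

LISTEN = ("127.0.0.1", 5000)         # stunnel: accept = 127.0.0.1:5000
UPSTREAM = ("cospe-egypt.org", 465)  # stunnel: connect = cospe-egypt.org:smtps
UPSTREAM_CAFILE = None               # e.g. "/etc/ssl/stunnel/cospe-egypt.pem" (assumed path)


def make_client_context(cafile=None):
    """tls settings for the outgoing leg: chain and hostname are verified
    (create_default_context sets CERT_REQUIRED and check_hostname), unlike
    stunnel's default verify = 0, and anything below tls 1.2 is refused."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def pump(local, remote, idle_timeout=60.0):
    """copy bytes both ways until either side closes or the link idles out.
    returns (bytes local->remote, bytes remote->local); closes both sockets."""
    peer = {local: remote, remote: local}
    moved = {local: 0, remote: 0}
    pair = [local, remote]
    while True:
        # decrypted bytes already buffered inside an SSLSocket never show up
        # in select(), so drain those before blocking
        ready = [s for s in pair if isinstance(s, ssl.SSLSocket) and s.pending()]
        if not ready:
            ready, _, _ = select.select(pair, [], [], idle_timeout)
        if not ready:
            break                                # idle: drop the session
        eof = False
        for s in ready:
            data = s.recv(65536)
            if not data:
                eof = True                       # this side hung up
                continue
            peer[s].sendall(data)
            moved[s] += len(data)
        if eof:
            break
    for s in pair:
        try:
            s.shutdown(socket.SHUT_RDWR)
        except OSError:
            pass
        s.close()
    return moved[local], moved[remote]


def handle_client(plain, ctx):
    """one accepted plaintext connection becomes one tls connection upstream."""
    try:
        raw = socket.create_connection(UPSTREAM, timeout=30)
        tls = ctx.wrap_socket(raw, server_hostname=UPSTREAM[0])  # sni + name check
    except (OSError, ssl.SSLError) as exc:
        # refuse instead of falling back to plaintext: postfix's sasl login
        # must never cross the internet unencrypted
        print(f"upstream tls setup to {UPSTREAM} failed: {exc}")
        plain.close()
        return
    tls.settimeout(None)
    pump(plain, tls)


def serve(ctx, listen=LISTEN):
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(listen)
        srv.listen(16)
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle_client, args=(conn, ctx), daemon=True).start()


def loopback_check(request=b"ehlo cospe-egypt.org\r\n", reply=b"250 HELP\r\n"):
    """exercise pump() offline: two socket pairs stand in for postfix and the
    remote server (constructed data, no tls, no network). returns what the
    fake server saw, what the fake client saw, and pump's byte counts."""
    client_end, wrapper_in = socket.socketpair()
    wrapper_out, server_end = socket.socketpair()
    counts = []
    worker = threading.Thread(target=lambda: counts.append(pump(wrapper_in, wrapper_out)))
    worker.start()
    client_end.sendall(request)
    seen_by_server = server_end.recv(4096)
    server_end.sendall(reply)
    seen_by_client = client_end.recv(4096)
    client_end.close()                           # postfix hangs up; pump must exit
    worker.join(10)
    server_end.close()
    return seen_by_server, seen_by_client, counts[0]


if __name__ == "__main__":
    serve(make_client_context(UPSTREAM_CAFILE))
```

run it as root-less user on the lan server and point relayhost at localhost:5000 exactly as with stunnel. the one behavioural difference from the stunnel.conf above is deliberate: a failed certificate check or handshake closes postfix's connection instead of passing bytes through, so postfix defers the mail rather than leaking credentials.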

and now to test:

# stunnel
$ telnet localhost 5000
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220-server25.fastbighost.com ESMTP Exim 4.52 #1 Sun, 05 Mar 2006 20:03:28 +0000 
220-We do not authorize the use of this system to transport unsolicited, 
220 and/or bulk e-mail.
ehlo cospe-egypt.org
250-server25.fastbighost.com Hello cospe-egypt.org [84.36.31.9]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP
quit
221 server25.fastbighost.com closing connection
Connection closed by foreign host.

our tunnel works: plain text connections to localhost:5000 are tunnelled into ssl connections to cospe-egypt.org:smtps. notice how the starttls option is missing again.

and finally we change the postfix config so it relays to localhost:5000 instead of the hosting server, by making these changes to /etc/postfix/main.cf (smtp_use_tls = no is right here: the hop from postfix to stunnel is plain text on loopback, and the tls happens inside stunnel):

...
#relay setup
relayhost = localhost:5000
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_use_tls = no
smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd

we have to change the password map too, since postfix now connects to localhost, and run postmap /etc/postfix/sasl/passwd again to rebuild the .db. note that the sasl login now crosses the postfix-to-stunnel hop in the clear; that is acceptable only because both ends live on the same host.

/etc/postfix/sasl/passwd now has one entry:

localhost [email protected]:PASSWORD

that's all. restart postfix, and add the command /usr/sbin/stunnel to /etc/rc.d/rc.local to make sure stunnel runs after the next server restart (stunnel looks for its config at a path fixed at compile time; if your build looks somewhere other than /etc/ssl/stunnel/stunnel.conf, pass the path as the argument: /usr/sbin/stunnel /etc/ssl/stunnel/stunnel.conf). problem solved, easier than explaining tcp/ip to tech support over the phone, and it might be useful on other occasions too.

Comments

DarKnesS_WolF

Cool

That's really cool, but why this option "smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd"? I didn't get it. You're not using saslauthd with Unix user accounts? Or what?

and really great howto

peace


Live Free Or Die...

Alaa
focus a little: sasl is the way smtp authentication happens. config options that start with smtp_ control postfix as an smtp client, and when postfix is relaying it is acting as an smtp client.

so the smtp_sasl_password_maps option points at the file that includes the username and password I need to authenticate with the hosting server (cospe-egypt.org), because it will not accept relayed emails without authentication.

saslauthd and unix user accounts and all that jazz are how you configure authentication in postfix as an smtp server (smtpd_ options), not as a client. this howto does not involve server configuration.

Alaa


"context is over-rated. who are you anyway?"
