Difference between revisions of "Setting up postfix for authenticated relay"
(Created page with '<u>Work in progress, not finnished yet.</u> This howto should work on both Bubba|TWO and Excito B3. But note that you should most likely only use this howto when your Bubba a...') |
|||
| Line 1: | Line 1: | ||
<u>Work in progress, not finnished yet.</u> | <u>Work in progress, not finnished yet.</u> | ||
<br> | |||
This howto should work on both Bubba|TWO and Excito B3. But note that you should most likely only use this howto when your Bubba act as a Router in your lan. Security might be compromised otherwise. '''You have been warned'''. | |||
<br> | |||
This howto is a short description on howto configure Postfix to accept email for relay when the user authenticates himself. The usecase for this is to be able to use Bubba as an always available mailserver for sending emails when not at home. I myself use this setup and have all my laptops etc configured to send mail via my Bubba at home wherever i am in the world.<br> | |||
This howto is a short description on howto configure Postfix to accept email for relay when the user authenticates himself. The usecase for this is to be able to use Bubba as an always available mailserver for sending emails when not at home. I myself use this setup and have all my laptops etc configured to send mail via my Bubba at home wherever i am in the world.<br> | |||
Start by logging into Bubba via ssh and become root.<br> | Start by logging into Bubba via ssh and become root.<br> | ||
| Line 13: | Line 13: | ||
== Postfix configuration == | == Postfix configuration == | ||
Edit the file ''/etc/postfix/main.cf'' | Edit the file ''/etc/postfix/main.cf'' | ||
Locate the lines with: | |||
<pre>smtpd_recipient_restrictions = | |||
permit_mynetworks | |||
</pre> | |||
And add the line: | |||
<pre> permit_sasl_authenticated | |||
</pre> | |||
So the end result looks something like: | |||
<pre>smtpd_recipient_restrictions = | |||
permit_mynetworks | |||
permit_sasl_authenticated | |||
reject_unauth_destination | |||
reject_unauth_pipelining | |||
reject_invalid_hostname | |||
reject_non_fqdn_sender | |||
reject_unknown_sender_domain | |||
reject_non_fqdn_recipient | |||
reject_unknown_recipient_domain | |||
reject_rbl_client dnsbl.njabl.org | |||
reject_rbl_client dnsbl.sorbs.net | |||
reject_rbl_client bl.spamcop.net | |||
permit | |||
</pre> | |||
Then at the end of the file append: | |||
<pre>smtpd_sasl_auth_enable = yes | <pre>smtpd_sasl_auth_enable = yes | ||
smtpd_sasl_type = dovecot | smtpd_sasl_type = dovecot | ||
| Line 63: | Line 88: | ||
*Log in to the web based admin UI as admin. | *Log in to the web based admin UI as admin. | ||
*Select ''Administration '' | *Select ''Administration '' | ||
*Select''Network'' | *Select''Network'' | ||
*Select ''Firewall'' | *Select ''Firewall'' | ||
If you only use the standard port make sure that ''"Email server (Port 25)" ''is On. If not click the checkbox and then click update. | If you only use the standard port make sure that ''"Email server (Port 25)" ''is On. If not click the checkbox and then click update. | ||
If you decided to also use the extra port above you need to set this up manually. | If you decided to also use the extra port above you need to set this up manually. | ||
Revision as of 20:36, 5 December 2010
Work in progress, not finnished yet.
This howto should work on both Bubba|TWO and Excito B3. But note that you should most likely only use this howto when your Bubba act as a Router in your lan. Security might be compromised otherwise. You have been warned.
This howto is a short description on howto configure Postfix to accept email for relay when the user authenticates himself. The usecase for this is to be able to use Bubba as an always available mailserver for sending emails when not at home. I myself use this setup and have all my laptops etc configured to send mail via my Bubba at home wherever i am in the world.
Start by logging into Bubba via ssh and become root.
Postfix configuration
Edit the file /etc/postfix/main.cf
Locate the lines with:
smtpd_recipient_restrictions = permit_mynetworks
And add the line:
permit_sasl_authenticated
So the end result looks something like:
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination reject_unauth_pipelining reject_invalid_hostname reject_non_fqdn_sender reject_unknown_sender_domain reject_non_fqdn_recipient reject_unknown_recipient_domain reject_rbl_client dnsbl.njabl.org reject_rbl_client dnsbl.sorbs.net reject_rbl_client bl.spamcop.net permit
Then at the end of the file append:
smtpd_sasl_auth_enable = yes smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth smtpd_tls_auth_only = yes
Dovecot configuration
Edit the config file /etc/dovecot/dovecot.conf
Locate the section that starts with:
auth default {
and there append the following:
socket listen {
client {
path = /var/spool/postfix/private/auth
mode = 0660
user = postfix
group = postfix
}
}
Optional, let Postfix listen on another port than the default one
A big problem for most home users is that their ISP blocks all traffic on the default mailserver port (25) and thus our solution won't work. A workaround for this is to let Postfix, our mailserver, listen on an additional non standard port for connections.
To do this edit the file /etc/postfix/master.cf
Locate the line that says
smtp inet n - - - - smtpd
and add the additional line below
20025 inet n - - - - smtpd
This tells Postfix to listen on both the standard smtp port (25) and also on 20025
Restart services
To finnish this up restart Dovecot and Postfix
/etc/init.d/dovecot restart /etc/init.d/postfix restart
Open ports in the firewall
Finally to be able to use this solution outside your Lan you will have to open upp the corresponding ports in Bubbas firewall.
- Log in to the web based admin UI as admin.
- Select Administration
- SelectNetwork
- Select Firewall
If you only use the standard port make sure that "Email server (Port 25)" is On. If not click the checkbox and then click update.
If you decided to also use the extra port above you need to set this up manually.