Ryan (tekman) wrote,

SMTP forwarding based on sender with postfix on Ubuntu 7.10

OK, so I went ahead and played around with postfix to see if I could get it to forward mail the way I wanted. This seems like a really bad idea on a true multi-user system, since I'm pretty sure it would let anybody on my box send mail as me simply by putting my email address in the SMTP envelope sender.

There's an article on setting up two postfix instances to do SMTP forwarding where the assumption is that each account on your box should be magically transformed into a single outgoing SMTP account. I was able to glean a lot of info from it, but it wasn't quite what I wanted.

I've got postfix 2.4.5-3ubuntu1. Docs suggest that I would have had less trouble with the TLS configuration in 2.5, but I didn't really feel like recompiling it.

Set up sender-dependent relaying

Create sender_dependent_relayhost, which maps sender addresses to outgoing servers (don't forget to run postmap afterwards).

# cat > /etc/postfix/sender_dependent_relayhost
ryandjohnson@gmail.com  [smtp.gmail.com]:25
ryan@innerfence.com     [server1.gambitdesign.com]:25
# postmap sender_dependent_relayhost

Require TLS for the relays

Create smtp_tls_policy, which requires TLS with valid certs for our relay hosts. In part this is necessary to guarantee that our passwords aren't sent in the clear, since gmail doesn't support any authentication mechanism other than plaintext.

# cat > /etc/postfix/smtp_tls_policy
[smtp.gmail.com]:25             secure
[server1.gambitdesign.com]:25   secure
# postmap smtp_tls_policy

Set up passwords

Create sasl_password, which holds your username/password for each relay host.

# cat > /etc/postfix/sasl_password
[smtp.gmail.com]:25 ryandjohnson@gmail.com:nopaste
[server1.gambitdesign.com]:25 ryan@innerfence.com:nopaste
# chmod 600 sasl_password
# postmap sasl_password

Fix TLS certificate validation

We need to link in the OpenSSL root certificates and take the smtp client process out of the chroot, since a chrooted client can't reach anything outside the Postfix queue directory, the /etc/ssl/certs symlink target included. This kind of sucks, but I didn't really see any other way to do it.

# ln -s /etc/ssl/certs /etc/postfix/certs
# $EDITOR /etc/postfix/master.cf
-smtp      unix  -       -       -       -       -       smtp
+smtp      unix  -       -       n       -       -       smtp

Hook it all up in main.cf

# $EDITOR /etc/postfix/main.cf
+
+# Relay according to the sender address
+sender_dependent_relayhost_maps = hash:/etc/postfix/sender_dependent_relayhost
+
+# Turn on TLS for the smtp *client* (for relaying)
+smtp_tls_CApath = /etc/postfix/certs
+smtp_tls_policy_maps = hash:/etc/postfix/smtp_tls_policy
 smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
 
+# Use SASL authentication over smtp *client* (for relaying)
+smtp_sasl_auth_enable = yes
+smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
+# allow plaintext (over TLS)
+smtp_sasl_security_options = noanonymous
+
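Before reloading, it is worth checking that the three tables agree with each other: every relay a sender is mapped to needs a certificate-verifying TLS policy and a credential, and sasl_password must stay mode 600. The shell check below is an added example and not from the original post; it assumes the plain-text table sources live together in one directory (the /etc/postfix files above, or a copy of them), and it builds a constructed copy of the post's tables with placeholder passwords to run against.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the three lookup
# tables behind sender-dependent relaying before running postmap. It assumes
# the plain-text table sources live together in one directory ($1):
#   sender_dependent_relayhost   sender address -> [relay]:port
#   smtp_tls_policy              [relay]:port   -> TLS policy level
#   sasl_password                [relay]:port   -> user:password
# Every relay a sender is mapped to must have a certificate-verifying TLS
# policy and a credential, and the password table must be owner-readable
# only. Each problem is printed; the return status is non-zero if any.

# Print a lookup-table source without comment and blank lines.
table_entries() {
    sed -e '/^#/d' -e '/^[[:space:]]*$/d' "$1"
}

# Print the value (second column) stored under KEY in table FILE.
table_lookup() {
    table_entries "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

check_relay_maps() {
    dir=$1
    status=0

    # sasl_password holds plaintext passwords: owner-only access.
    perms=$(ls -ld "$dir/sasl_password" | cut -c2-10)
    case "$perms" in
        rw-------|r--------) ;;
        *) echo "sasl_password: mode is $perms, expected rw------- (chmod 600)"
           status=1 ;;
    esac

    # Every distinct relay named in the second column of the relayhost map.
    relays=$(table_entries "$dir/sender_dependent_relayhost" | awk '{ print $2 }' | sort -u)
    while read -r relay; do
        [ -n "$relay" ] || continue

        # "secure" and "verify" are the levels that authenticate the
        # server certificate; "may" and "encrypt" do not.
        policy=$(table_lookup "$dir/smtp_tls_policy" "$relay")
        case "$policy" in
            secure|verify) ;;
            "") echo "$relay: no entry in smtp_tls_policy"; status=1 ;;
            *)  echo "$relay: TLS level '$policy' does not verify the server certificate"
                status=1 ;;
        esac

        cred=$(table_lookup "$dir/sasl_password" "$relay")
        case "$cred" in
            "")  echo "$relay: no credential in sasl_password"; status=1 ;;
            *:*) ;;
            *)   echo "$relay: credential '$cred' is not user:password"; status=1 ;;
        esac
    done <<EOF
$relays
EOF
    return $status
}

# Write a constructed copy of the post's three tables (placeholder
# passwords) into directory $1 so the check can be exercised offline.
make_sample_tables() {
    cat > "$1/sender_dependent_relayhost" <<'EOF'
ryandjohnson@gmail.com  [smtp.gmail.com]:25
ryan@innerfence.com     [server1.gambitdesign.com]:25
EOF
    cat > "$1/smtp_tls_policy" <<'EOF'
[smtp.gmail.com]:25             secure
[server1.gambitdesign.com]:25   secure
EOF
    cat > "$1/sasl_password" <<'EOF'
# constructed placeholder credentials
[smtp.gmail.com]:25 ryandjohnson@gmail.com:PLACEHOLDER
[server1.gambitdesign.com]:25 ryan@innerfence.com:PLACEHOLDER
EOF
    chmod 600 "$1/sasl_password"
}

sample=$(mktemp -d)
make_sample_tables "$sample"
if check_relay_maps "$sample"; then
    echo "relay tables in $sample are consistent"
fi
```

Run it as `check_relay_maps /etc/postfix` before `postmap` and `postfix reload`. Because it insists on a `secure` or `verify` policy for every relay, the plaintext SASL mechanism permitted by `smtp_sasl_security_options = noanonymous` above is only ever negotiated over a verified TLS connection. A tighter way to express the same intent in main.cf is to leave `smtp_sasl_security_options` at its default of `noplaintext, noanonymous` and set `smtp_sasl_tls_security_options = noanonymous` instead, so plaintext is allowed only when TLS is actually in use.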

Fire it up, test it out

# postfix reload
# sendmail -f ryandjohnson@gmail.com -t ryan@innerfence.com
From: ryandjohnson@gmail.com
To: ryan@innerfence.com
Subject: test message

The quick brown fox jumps over the lazy dog.
# tail /var/log/mail.log

When testing, be sure to view all the headers on the mail you receive, to check that you get DomainKeys signatures, SPF passes, and all the other modern goodness, which is really why you want to do this.

Next steps

Well, now it's time to figure out how to get mutt to do the right thing. I'm pretty sure that account_hook + envelope_from will save the day.
