Setup Postfix to Login to Your Email Account and Deliver Mail
Unless you're a sysadmin you don't generally have to worry that much about getting email delivered, you just hookup your GUI email client to your external email account and you're done. But what if your system tries to deliver mail, for example from cron? Normally, this just goes to root or perhaps some designated user on your system, but what if you'd like it to get delivered to your external email account?
The obvious answer is you setup your system to forward root's email to your external email account, eg change this line in /etc/aliases:
or you can change root's .forward file to accomplish the same thing.
So, what's the problem? The problem comes when your IP address (or your ISP's IP address) someday gets blacklisted and all of a sudden you're not getting any system mail anymore. This problem can also arise if you have scripts which deliver mail to somebody: at some point their email server may refuse to talk to your system because it thinks you're a spammer or something.
In these cases, assuming your email provider allows you to have SMTP access, one solution is to have your system deliver email to your email provider and let your email provider deliver it to the final destination. Your email provider is probably (hopefully) more likely to stay on top of problems related to their IP addresses and blacklists so your email has a higher probability of getting delivered (in the case of cron it's already at its destination).
Getting your system to deliver mail to an external email account, ie getting your system to relay mail via another server requires a bit of configuration. Few, if any, email providers allow their servers to be used as open relays, an open relay being an email relay that anyone can use. So one of the first things you have to do is tell your system how to login to your email account so that it can relay email. Furthermore you may also have to, or want to, configure your system to use TLS/SSL when it logs in so that your username and password are protected.
In this example, I'll show you how I set up my system to deliver mail to my fastmail account. I use openSUSE and therefore my system uses postfix to deliver email. If you use another Linux distro these steps may require modification, and if you use exim or some other system for email delivery this won't help at all.
First, if it's not already installed and running, install the SASL authentication daemon saslauthd and start it. Next edit the file /etc/postfix/sasl_passwd and add this line to the bottom of the file:
The values in this file determine the username and password that SASL uses when logging in to a particular server. Obviously, change these values for your external email account. You should be able to find the server name on your email provider's web site, although it usually takes some digging.
Now run postmap to convert the text password file to a .db file:
Next edit the file /etc/postfix/master.cf and uncomment the tlsmgr line:
tlsmgr unix - - n 1000? 1 tlsmgr
Now edit the file /etc/postfix/main.cf and add the following lines to the bottom of the file:
smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtp_sasl_type = cyrus smtp_sasl_mechanism_filter = PLAIN, LOGIN smtp_tls_security_level = verify smtp_tls_mandatory_ciphers = high smtp_tls_verify_cert_match = nexthop smtp_sasl_tls_security_options = noanonymous relayhost = [mail.messagingengine.com]:587 #debug_peer_list = mail.messagingengine.com
These options tell postfix to use SASL authentication when doing SMTP (ie delivering mail) and they also tell it to use TLS security when logging in. The relayhost option tells postfix the default server to use when relaying email, the :XXX value is the port number to use (another value you'll have to dig out of your email provider's help pages). The last option, the commented out one, debug_peer_list allows you tell postfix to show TLS related debug information on a per server basis. This is often useful when trying to diagnose TLS connection problems. In this case it turned out to be useful because postfix did not recognize the CA (certificate authority) that issued Fastmail's SSL certificate (Entrust). (Actually, I don't know if postfix recognizes any CA's out of the box.)
After some groping around on the Entrust site my SSL memory came back to me and I did a search for "root certificates" and got to a page where I could download a copy of Entrust's root certificate (you may need to start here).
Once you've downloaded the certificate, save a copy in /etc/postfix and remove group/other read/write access. Then add the following line to /etc/postfix/main.cf:
smtp_tls_CAfile = /etc/postfix/entrust_ssl_ca.cer
$ /etc/init.d/postfix restart
Now send a test email from the command line:
$ mail -s test firstname.lastname@example.org <<<test
And hopefully it will arrive in your external email account.
Mitch Frazier is an Associate Editor for Linux Journal.
Fast/Flexible Linux OS Recovery
On Demand Now
In this live one-hour webinar, learn how to enhance your existing backup strategies for complete disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible full-system recovery solution for UNIX and Linux systems.
Join Linux Journal's Shawn Powers and David Huffman, President/CEO, Storix, Inc.
Free to Linux Journal readers.Register Now!
- The Qt Company's Qt Start-Up
- Devuan Beta Release
- May 2016 Issue of Linux Journal
- EnterpriseDB's EDB Postgres Advanced Server and EDB Postgres Enterprise Manager
- The US Government and Open-Source Software
- Open-Source Project Secretly Funded by CIA
- The Humble Hacker?
- The Death of RoboVM
- BitTorrent Inc.'s Sync
- New Container Image Standard Promises More Portable Apps
In modern computer systems, privacy and security are mandatory. However, connections from the outside over public networks automatically imply risks. One easily available solution to avoid eavesdroppers’ attempts is SSH. But, its wide adoption during the past 21 years has made it a target for attackers, so hardening your system properly is a must.
Additionally, in highly regulated markets, you must comply with specific operational requirements, proving that you conform to standards and even that you have included new mandatory authentication methods, such as two-factor authentication. In this ebook, I discuss SSH and how to configure and manage it to guarantee that your network is safe, your data is secure and that you comply with relevant regulations.Get the Guide