After messing with hosting my own email server on and off for years (sendmail, qmail, Postfix, etc.), with more off than on, I decided I need the ability to accept mail from my own machines and forward it outbound. I do NOT need to receive email; that is what Gmail is for. This server will not be exposed to the Internet, and any real mail addressed to <user>@jamestimberlake.com is handled by my DNS provider, which relays it to Gmail.
Why the need to relay email? Primarily I have a multi-function printer/copier/scanner/fax and I’d like to be able to scan directly to email from the front panel. Secondly, I have numerous things I’d like to receive alerts from, for example SMART data from a dying hard drive. All of these can be told to send email to an SMTP server. The Postfix MTA comes installed on even a minimal CentOS install, but configuring each VM as its own Postfix forwarder doesn’t scale well. The big kick in the teeth, though, is my ISP.
Like nearly every residential ISP, Verizon Fios blocks outbound mail on port 25. To add insult to injury, Verizon has also chosen not to support TLS (STARTTLS) on port 587, only SSL on port 465. Guess what? Postfix doesn’t support SSL. Stunnel to the rescue: Postfix will connect to stunnel, which will then connect to Verizon over the encrypted session. I will leave Postfix accepting unencrypted connections on SMTP/25 because it is just easier to configure my various clients. I did need to allow port 25 from VLAN10 to VLAN1 in order for my printer to send scans out.
Stunnel
Stunnel will listen only on localhost. I gave it port 2525 because it is similar to 25 and unprivileged. It will accept mail from Postfix and hand it off to Verizon over an encrypted session. Note that the config as shown encrypts the connection but does not verify Verizon’s certificate; stunnel’s verifyChain and CAfile options are what would add that check.
# cat /etc/stunnel/stunnel.conf
setuid = nobody
setgid = nobody
foreground = no
[smtp.verizon.net]
client = yes
accept = 127.0.0.1:2525
connect = smtp.verizon.net:465
# systemctl enable stunnel && systemctl start stunnel
Postfix
Postfix has a number of configurable items depending on how you want the server to function. I’m going to leave Postfix delivering local mail, but forwarding “real” addresses on to Verizon. The LAN hostname of my server is svcs01.home.jamestimberlake.com, but I want all my outbound email to appear as if it comes from “smtp.home.jamestimberlake.com” (as determined by $myorigin). In the DNS Forwarder config on my pfSense firewall/router I added a record with the IP and that hostname. This is what I will configure in my printer as the SMTP server (a short name like smtp works), and it will allow me to move the service to another VM at a later date. The $mydestination variable is where most of the magic happens. It tells Postfix which domains to accept mail for; anything NOT in this list will get relayed. So I put every internal hostname/domain I think Postfix could ever see in the list, while allowing [email protected] to relay outbound.
# postconf -n
inet_interfaces = all
inet_protocols = ipv4
myhostname = smtp.home.jamestimberlake.com
mydomain = $myhostname
myorigin = $mydomain
mydestination = svcs01 svcs01.$mydomain svcs01.localdomain $myhostname $mydomain localhost.$mydomain localhost.localdomain localhost
mynetworks_style = subnet
relayhost = [127.0.0.1]:2525
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
# cat /etc/postfix/sasl_passwd
[127.0.0.1]:2525 [email protected]:password
# sudo chmod 600 /etc/postfix/sasl_passwd
# sudo postmap hash:/etc/postfix/sasl_passwd
# systemctl enable postfix.service && systemctl start postfix.service
If mail is getting stuck in the queue (postqueue -p), run “postsuper -d ALL” to purge it.
Helpful links:
- http://www.postfix.org/STANDARD_CONFIGURATION_README.html
- http://www.postfix.org/SOHO_README.html#client_sasl_enable
- http://www.gunnalag.com/2016/04/06/configuring-on-premise-linux-postfix-smtp-relay-server-to-communicate-with-office-365-smtp-relay-for-email-delivery-2/
On the off chance I want mail delivered from a local user account (root) on a machine, I can add a line to /etc/aliases like “root: [email protected]” and run newaliases, or create a ~/.forward file with “[email protected]” as its content. FYI, Verizon will reject mail if it can’t resolve the domain of the sending address, so my normal sending address is “[email protected]”.
UPDATE:
I moved my Postfix server from Arch Linux to CentOS 7 and discovered my outbound mail kept getting rejected by Verizon, with the message “warning: SASL authentication failure: No worthy mechs found” in the logs. Installing “cyrus-sasl” and “cyrus-sasl-plain” and restarting Postfix fixed this.