How to configure Postfix relayhost to send email using an external SMTPS server on port 465

UPDATED for Debian 10

The SMTPS protocol (SMTP over SSL) was deprecated by the end of 1998 with the introduction of STARTTLS, and the IANA has reassigned the SMTPS port 465 to Source-Specific Multicast audio and video. Nowadays the SMTPS protocol is only in use for backwards compatibility with mail servers that do not support ESMTP and for cheap shared hosting solutions like the one proposed by OVH in France.

The motivation to configure Postfix as a send-only client for smtps came about when I switched my NextcloudPi instance to an Odroid HC2 box. I used to generate a report of the server in HTML with deblan-report (deblan/deblan-report - Gitnet) and I wanted to automate this operation and receive the report by mail.

For authentication, the OVH service required the use of port 465 to submit an email for delivery.

Let's go:

server: Debian 10 (Buster)
Postfix version > 3.0
server.smtp.relay = ssl0.ovh.net for OVH
FQDN: servername.domainname.com, such as cloud.domainname.com
email: mail@domainname.com, such as postmaster@domainname.com

CONFIGURE THE SERVER :

#sudo -s

note the name for port #465 (smtps) from the details of the reserved ports on your system

#vi /etc/services
submissions for debian 10

verify that TCP port #465 is not in the listening state on 127.0.0.1

#netstat -tlpn
check running service by PID

verify firewall filtering

#ping server.smtp.relay

Set FQDN (servername.domainname.com)

#vi /etc/hostname
#here’s where you put the server’s host name
servername

activate hostname

#hostname -F /etc/hostname

#vi /etc/hosts
#here's where you put the local network IP of the server and the domain name
192.168.1.x servername.domainname.com servername
#127.0.0.1

Set your server description here:

#vi /etc/machine-info
PRETTY_HOSTNAME="MyServer" (such as "HC2cloud")
ICON_NAME=computer
CHASSIS=server
DEPLOYMENT=production
LOCATION="yourlocation"

Verify:

#hostname -s
servername

#hostname -d
domainname.com

#hostname -f
shows the FQDN to use in the Postfix configuration file
servername.domainname.com

#hostname -i
192.168.1.x

or

#hostnamectl

CONFIGURE POSTFIX:

Is the Postfix daemon active?

#systemctl is-active postfix

And which Postfix version am I running?

#postconf -d | grep mail_version

INSTALL (OR RECONFIGURE) POSTFIX :
install Postfix, a mail client and pluggable authentication modules

#apt update
#apt install mailutils libsasl2-modules
#dpkg-reconfigure postfix (or #apt install postfix )

<ok> (Esc or Tab)
Internet Site
domainname.com
<No>
+
All default

Configuration files :
configuration in the main.cf file as shown:

Replace the myhostname (myhostname = [FQDN]), mydomain (mydomain = domainname.com), relayhost variables to match your own configuration:

#vi /etc/postfix/main.cf

#See /usr/share/postfix/main.cf.dist for a commented, more complete version
#Debian specific: Specifying a file name will cause the first
#line of that file to be used as the name. The Debian default
#is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
#appending .domain is the MUA’s job.
append_dot_mydomain = no
#Uncomment the next line to generate “delayed mail” warnings
#delay_warning_time = 4h
readme_directory = no
#See Postfix Backwards-Compatibility Safety Net – default to 2 on
#fresh installs.
compatibility_level = 2
#TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
#See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
#information on enabling SSL in the smtp client.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = servername.domainname.com
myorigin = $mydomain
mydomain = domainname.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = localhost
relayhost = [server.smtp.relay]:465
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = loopback-only
inet_protocols = all
fallback_transport = relay

Create an auth file for logging in to your smtps relay host (login = name or user@domainname.com),
such as [server.smtp.relay]:465 postmaster@domainname.com:mypassword

#touch /etc/postfix/sasl_passwd
#echo '[server.smtp.relay]:465 login:password' > /etc/postfix/sasl_passwd

Secure your login information :

#chown root:root /etc/postfix/sasl_passwd*
#chmod 600 /etc/postfix/sasl_passwd*

configuration in the master.cf file as shown:
Enable port 465 (smtps) in the Postfix mail server, replacing smtps with the service name allocated to port 465, by editing master.cf (find these parameters and remove the #).

#vi /etc/postfix/master.cf

#smtps inet n - y - - smtpd
smtps inet n - - - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
#  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

After all configurations are in place, restart the Postfix daemon to apply the changes.
To build the necessary DB file:

#postmap /etc/postfix/sasl_passwd

To reload the configuration:

#systemctl restart postfix

and verify if the service is running:

#systemctl status postfix*

verify that TCP port 465 is in the listening state on 127.0.0.1

#netstat -tulpn | grep :465

#postfix check

#postconf -n
This command dumps the Postfix main.cf configuration so you can check for possible errors.

or

#comm -23 <(postconf -n) <(postconf -d)
Replace “-23” with “-12” to show settings that duplicate built-in defaults.

TESTING :

#echo "Test mail from postfix" | mail -s "Test Postfix" postmaster@domainname.com

TROUBLESHOOTING :

#tail -f /var/log/mail.log or cat /var/log/mail.log
#vi /var/log/mail.err (logging errors only)
#journalctl -u postfix

POSTFIX MAINTENANCE :

#postsuper -d ALL
"-d ALL" removes all messages; for example, specify "-d ALL deferred" to delete all mail in the deferred queue.

#postsuper -p
Purges old temporary files that are left over after system or software crashes.

Enjoy
konki

bibliography :

http://www.postfix.org/STANDARD_CONFIGURATION_README.html
https://www.postfix.org/postconf.5.html
https://www.postfix.org/master.5.html
https://www.postfix.org/TLS_README.html
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=_892218

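The main.cf and sasl_passwd settings in this how-to only work as a set: a relayhost on port 465 needs smtp_tls_wrappermode and an enforced TLS level, and the sasl_passwd lookup key must equal relayhost exactly. The script below is an added example, not part of the original post; the function names get_param and audit_relay are made up for illustration, and it reads only single-line "name = value" entries.

```shell
#!/bin/sh
# Added example: audit main.cf and sasl_passwd for a port-465 (implicit TLS) relay.
# Simplification (assumption): continuation lines in main.cf are not followed.

get_param() {   # get_param FILE NAME -> last assigned value, trailing blanks trimmed
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
        sed 's/[[:space:]]*$//'
}

audit_relay() {  # audit_relay MAIN_CF SASL_PASSWD -> returns the number of problems
    cf=$1; pw=$2; bad=0
    fail() { echo "FAIL: $*"; bad=$((bad + 1)); }

    relay=$(get_param "$cf" relayhost)
    case $relay in
        \[*\]:465) ;;   # brackets suppress the MX lookup on the relay name
        *) fail "relayhost '$relay' is not of the form [host]:465" ;;
    esac

    # Port 465 is implicit TLS: the client must start TLS before speaking SMTP.
    [ "$(get_param "$cf" smtp_tls_wrappermode)" = yes ] ||
        fail "smtp_tls_wrappermode must be yes for port 465"
    case $(get_param "$cf" smtp_tls_security_level) in
        encrypt|verify|secure|fingerprint|dane-only) ;;
        *) fail "smtp_tls_security_level must be encrypt or stronger" ;;
    esac

    [ "$(get_param "$cf" smtp_sasl_auth_enable)" = yes ] ||
        fail "smtp_sasl_auth_enable must be yes"
    case " $(get_param "$cf" smtp_sasl_security_options | tr ',' ' ') " in
        *" noanonymous "*) ;;
        *) fail "smtp_sasl_security_options should include noanonymous" ;;
    esac

    # The sasl_passwd key must match relayhost character for character.
    awk -v k="$relay" '$1 == k { found = 1 } END { exit !found }' "$pw" ||
        fail "no sasl_passwd entry whose key is exactly '$relay'"

    # The credentials file and the postmap output (if built) must be owner-only.
    for f in "$pw" "$pw.db"; do
        [ -e "$f" ] || continue
        [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
            fail "$f is accessible to group or others"
    done
    return "$bad"
}

# Usage: sh audit.sh /etc/postfix/main.cf /etc/postfix/sasl_passwd
if [ "$#" -eq 2 ]; then audit_relay "$1" "$2"; fi
```

The encrypt level enforces TLS but does not verify the relay's certificate; the verify and secure levels do, which is why the check accepts them as well.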