
I recently noticed when I add an alias to a Gmail account they ask me for a remote SMTP server, username and password. Then, whenever I try to send an email using that alias it gets relayed by Gmail to the provided SMTP server.

Is there a way I can accomplish this setup on a Postfix install?

To clarify, on my server there's a virtual user person@exemple.com (with the aliases: external.person@xpto.com and external.other@corpx.com) if he sends an email:

  • With a from address of person@exemple.com => server will do the default delivery;
  • With a from address of external.person@xpto.com => server will relay email using smtp.xpto.com (with proper credentials);
  • With a from address of external.other@corpx.com => server will relay email using smtp.corpx.com (with proper credentials);

Ideally it would be nice if I could have a MySQL table with the external aliases (for every virtual user) containing the external SMTP server domain, port, username and password. => This way I could set up a small web interface so my users could manage all their own external aliases...

Thank you.

TCB13
  • If I read your project correctly, your target is to store your users' passwords so as to access their external accounts. – dan Apr 15 '16 at 07:10
  • This is already done. Check the answer below. – TCB13 Apr 15 '16 at 16:16
  • Right. Then this is a storage of passwords in clear within `/etc/postfix/sender_credentials.cf`. As such, this is a major risk. – dan Apr 15 '16 at 17:22
  • Any suggestions on how to encrypt the passwords and keep the functionality? – TCB13 Apr 16 '16 at 11:12

1 Answer

I guess you can achieve this by tuning the sender_dependent_default_transport_maps or sender_dependent_relayhost_maps Postfix parameters. For example:

# /etc/postfix/main.cf
# Per-sender next-hop in transport:nexthop form. After editing any hash:
# file below, run "postmap /etc/postfix/<file>" so the .db table is rebuilt.
sender_dependent_default_transport_maps = hash:/etc/postfix/sender_maps.cf
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sender_credentials.cf
# Permit plaintext SASL mechanisms (PLAIN/LOGIN) on TLS-protected sessions only;
# on a session without TLS the default smtp_sasl_security_options (noplaintext)
# still applies, so the password is never sent in the clear.
smtp_sasl_tls_security_options = noanonymous
# Look up credentials by sender address rather than by relay host.
smtp_sender_dependent_authentication = yes
# Opportunistic TLS: used when the relay offers STARTTLS.
smtp_tls_security_level = may

# /etc/postfix/sender_maps.cf
# [host] makes Postfix connect to that host directly instead of doing an MX
# lookup; :587 is the submission port, otherwise port 25 is used.
external.person@xpto.com smtp:[smtp.xpto.com]:587
external.other@corpx.com smtp:[smtp.corpx.com]

# /etc/postfix/sender_credentials.cf
# Cleartext passwords: keep this file and its .db readable by root only (chmod 600).
external.person@xpto.com xptouser:xptopassword
external.other@corpx.com corpxuser:corpxpassword

This example uses static hash tables. If your Postfix installation supports mysql_table(5), you can use MySQL queries instead.

I am unable to test this solution now. I hope it works.

  • I tried `sender_dependent_default_transport_maps` and it seems to work (after adding `smtp_sasl_security_options = noanonymous` to the config). However there's a strange behavior happening: After the external alias is added to `sender_*` if I try to send an email from the external server/address to postfix it gets bounced with: `SMTP error from remote mail server after RCPT TO:: 553 5.7.1 : Sender address rejected: not logged in` any ideas? Ty. – TCB13 Apr 02 '16 at 13:25
  • Your Postfix installation tried to send messages to `smtp.xpto.com` without authentication credentials. I wonder if the credential lookup succeeds in your configuration. Please, try `postmap -q 'external.person@xpto.com' 'hash:/etc/postfix/sender_credentials.cf'` and check if credentials are returned correctly. For troubleshooting purposes, please set `soft_bounce = yes` and `debug_peer_list = .xpto.com` in your `main.cf` also. – Anderson Medeiros Gomes Apr 02 '16 at 13:54
  • Thank you for the feedback. I will add `smtp_sasl_tls_security_options` to my answer instead. `smtp_sasl_security_options = noplaintext, noanonymous` is the default setting and removing `noplaintext` option is OK for encrypted SMTP sessions only. – Anderson Medeiros Gomes Apr 02 '16 at 13:54
  • So I had some settings to avoid users using each other's local email aliases, namely: `smtpd_sender_login_maps` / `smtpd_sender_restrictions = ... reject_sender_login_mismatch`. After disabling those everything works as expected, if I enable them I get the error above, how can I fix this? Why is postfix checking `sender_login_mismatch` on incoming email? – TCB13 Apr 02 '16 at 13:55
  • "Your Postfix installation tried to send messages to smtp.xpto.com without authentication credentials" => Check my last message. Your config works fine for sending email to `smtp.xpto.com`. However for receiving email from `smtp.xpto.com` seems to fail because of the reason above... – TCB13 Apr 02 '16 at 13:59
  • If you use `reject_sender_login_mismatch` restriction, Postfix will check `smtpd_sender_login_maps` for all incoming mail. I suggest you to use `reject_authenticated_sender_login_mismatch` instead. – Anderson Medeiros Gomes Apr 02 '16 at 14:10
  • I had just discovered that option as well ahah, do you know if that might raise any security implications? Thank you. – TCB13 Apr 02 '16 at 14:14
  • I guess malicious users may be able to send forged messages to internal destinations only (because of `reject_unauth_destination, permit`, for example). It depends on how your `smtpd_*_restrictions` are configured. SPF or DKIM may mitigate this specific risk. I'm not able to figure anything now. – Anderson Medeiros Gomes Apr 02 '16 at 14:44
  • Thanks for all the help, I've been running some tests, trying to change headers, users etc in/out the network and it seems to be as secure as before. – TCB13 Apr 02 '16 at 15:35
  • Btw, for reference, I changed to `sender_dependent_relayhost_maps` because it looks more appropriate to leave the transport maps alone. That forced me to remove the `smtp:` part from `/etc/postfix/sender_maps.cf`. Now it looks like: `external.person@xpto.com smtp.xpto.com:587`. – TCB13 Apr 02 '16 at 15:36
  • I would not remove the braces in `$sender_dependent_relayhost_maps`. If you specify a `$relayhost` without them, Postfix will make MX lookups instead of connecting directly to the intended server. – Anderson Medeiros Gomes Apr 02 '16 at 15:57
  • `external.person@xpto.com [smtp.xpto.com]:587` works fine, however the original `external.person@xpto.com smtp:[smtp.xpto.com]:587` gives me: `fatal: valid hostname or network address required in server description: smtp:[smtp.xpto.com]:587`. – TCB13 Apr 02 '16 at 16:24
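The three lookups the answer and its comments turn on (`smtpd_sender_login_maps` with the two `*_sender_login_mismatch` restrictions, `sender_dependent_relayhost_maps` with and without brackets, and `smtp_sasl_password_maps` keyed by sender versus by next-hop) can be modelled in a few functions. The following is an added, constructed example, not Postfix's code and not the poster's configuration: the table contents are taken from the answer, the ownership layout in the login map (every external alias owned by `person@exemple.com`) and the lookup order are assumptions that simplify what postconf(5) describes, and it reproduces the `553 ... not logged in` reply the unauthenticated inbound connection from smtp.xpto.com received.

```python
# Constructed model of the Postfix decisions discussed above; illustrative
# only, not Postfix source. Lookup order is a simplification of postconf(5).

SENDER_LOGIN_MAPS = {
    # smtpd_sender_login_maps: MAIL FROM address -> SASL logins allowed to use it
    # (assumed layout: every external alias belongs to the local virtual user)
    "person@exemple.com": {"person@exemple.com"},
    "external.person@xpto.com": {"person@exemple.com"},
    "external.other@corpx.com": {"person@exemple.com"},
}

SENDER_RELAYHOST_MAPS = {
    # sender_dependent_relayhost_maps: MAIL FROM address -> next-hop (no "smtp:")
    "external.person@xpto.com": "[smtp.xpto.com]:587",
    "external.other@corpx.com": "[smtp.corpx.com]",
}

SASL_PASSWORD_MAPS = {
    # smtp_sasl_password_maps: lookup key -> user:password
    "external.person@xpto.com": "xptouser:xptopassword",
    "external.other@corpx.com": "corpxuser:corpxpassword",
}


def _domain(address):
    return "@" + address.rpartition("@")[2]


def sender_login_check(sender, login, restriction):
    """Model smtpd_sender_restrictions for one MAIL FROM.

    login is the client's SASL login name, or None when the client did not
    authenticate (e.g. smtp.xpto.com delivering mail back to us).
    Returns None to accept, or the 553 reply Postfix would send.
    """
    owners = SENDER_LOGIN_MAPS.get(sender) or SENDER_LOGIN_MAPS.get(_domain(sender))
    if login is not None:
        # Both restrictions reject an authenticated client that uses an
        # address it does not own (or one that is not in the map at all).
        if owners is None or login not in owners:
            return "553 5.7.1 <%s>: Sender address rejected: not owned by user %s" % (sender, login)
        return None
    # Unauthenticated client: reject_sender_login_mismatch also implies
    # reject_unauthenticated_sender_login_mismatch, which refuses any sender
    # that has an owner in the map. That is what bounced the inbound mail.
    if restriction == "reject_sender_login_mismatch" and owners is not None:
        return "553 5.7.1 <%s>: Sender address rejected: not logged in" % sender
    return None


def resolve_nexthop(sender, relayhost=""):
    """Model sender_dependent_relayhost_maps: exact address, then @domain,
    then the global relayhost. Returns (nexthop, direct); direct is True only
    when the host is in [brackets], i.e. Postfix connects to it directly
    instead of doing an MX lookup on it."""
    nexthop = (SENDER_RELAYHOST_MAPS.get(sender)
               or SENDER_RELAYHOST_MAPS.get(_domain(sender))
               or relayhost)
    if nexthop.startswith("smtp:"):
        # Transport-map syntax; a relayhost value is only host[:port].
        raise ValueError("valid hostname or network address required: %s" % nexthop)
    return nexthop, nexthop.startswith("[")


def sasl_credentials(sender, nexthop, sender_dependent=True):
    """Model smtp_sasl_password_maps. With smtp_sender_dependent_authentication
    = yes the sender address (then its @domain) is tried before the next-hop;
    with the default only the next-hop and the bare hostname are tried."""
    keys = [sender, _domain(sender)] if sender_dependent else []
    if nexthop.startswith("["):
        host = nexthop.partition("]")[0].lstrip("[")
    else:
        host = nexthop.partition(":")[0]
    keys += [nexthop, host]
    for key in keys:
        if key in SASL_PASSWORD_MAPS:
            user, _, password = SASL_PASSWORD_MAPS[key].partition(":")
            return user, password
    return None


def route_outbound(sender, login, restriction="reject_authenticated_sender_login_mismatch"):
    """Decision for one submission by a (SASL-authenticated) virtual user."""
    reply = sender_login_check(sender, login, restriction)
    if reply is not None:
        return {"rejected": reply}
    nexthop, direct = resolve_nexthop(sender)
    return {"nexthop": nexthop or "(recipient MX)", "direct": direct,
            "credentials": sasl_credentials(sender, nexthop)}


if __name__ == "__main__":
    print(route_outbound("external.person@xpto.com", "person@exemple.com"))
    print(sender_login_check("external.person@xpto.com", None, "reject_sender_login_mismatch"))
```

Running it shows the two behaviours from the thread side by side: the same alias is relayed to `[smtp.xpto.com]:587` with the xpto credentials when the owner submits it, but an unauthenticated MAIL FROM of that alias is refused with `not logged in` under `reject_sender_login_mismatch` and accepted under `reject_authenticated_sender_login_mismatch`. Dropping `sender_dependent=True` makes the credential lookup fail, which is the "sent without authentication credentials" symptom mentioned in the comments.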