I am trying to set up a hybrid mail system which involves postfix,
dovecot and Google Apps.
Ideally - I would like the email clients to use an authenticated TLS
connection to postfix (which is working fine) and then postfix to relay
the mail through smtp.google.com also through an authenticated TLS
connection using the same credentials as the "Client-Postfix"
connection. AFAIK smtp.google.com requires an authenticated TLS connection.
The motivation for doing this is to ensure that all mail gets saved in
the google apps sent mail folder. I would prefer the clients to connect
to postfix rather than direct to smtp.google.com to improve client
apparent sending speed for large emails.
All suggestions welcome.
Thanks.
Richard.
> I am running postfix 2.3.3 as part of Centos 5.5.
>
> I am trying to set up a hybrid mail system which involves postfix, dovecot
> and Google Apps.
> Ideally - I would like the email clients to use an authenticated TLS
> connection to postfix (which is working fine) and then postfix to relay
> the mail through smtp.google.com also through an authenticated TLS
> connection using the same credentials as the "Client-Postfix" connection.
You cannot clone and should not attempt to clone authentication credentials
from an incoming Postfix SMTP server session to an outgoing Postfix SMTP
client session.
> AFAIK smtp.google.com requires an authenticated TLS connection.
If you have a Google Apps hosted domain, you use fixed MTA credentials,
(possibly just an IP whitelist) negotiated with Google and send to
alternate servers (not smtp.gmail.com 587). No per-user credentials
required.
Otherwise, Postfix can make use of per-sender stored passwords, as
described in SASL_README and SOHO_README.
http://www.postfix.org/SOHO_README.html#client_sasl_sender
http://www.postfix.org/SASL_README.html#client_sasl_sender
--
Viktor.
On 7/09/2010 10:06 PM, Victor Duchovni wrote:
> On Tue, Sep 07, 2010 at 12:53:13PM +0800, Richard Chapman wrote:
>
>> I am running postfix 2.3.3 as part of Centos 5.5.
>>
>> I am trying to set up a hybrid mail system which involves postfix, dovecot
>> and Google Apps.
>> Ideally - I would like the email clients to use an authenticated TLS
>> connection to postfix (which is working fine) and then postfix to relay
>> the mail through smtp.google.com also through an authenticated TLS
>> connection using the same credentials as the "Client-Postfix" connection.
> You cannot clone and should not attempt to clone authentication credentials
> from an incoming Postfix SMTP server session to an outgoing Postfix SMTP
> client session.
>
Understood and agreed.
>> AFAIK smtp.google.com requires an authenticated TLS connection.
> If you have a Google Apps hosted domain, you use fixed MTA credentials,
> (possibly just an IP whitelist) negotiated with Google and send to
> alternate servers (not smtp.gmail.com 587). No per-user credentials
> required.
>
Not sure I fully understand this...
I AM using a google apps hosted domain - and I think I need to use per
user credentials because that is what would happen if the users
connected direct to smtp.google.com as described in the google apps
setup instructions. If I don't use per user credentials - I think
google apps will change the sender address to a "fixed" sender address.
It seems that you don't agree with me here? Also - part of the rationale
of sending via smtp.google.com with user credentials - is to ensure that
the google apps users "sent email folders" are maintained correctly.
Perhaps you are describing an alternative method for google apps smtp
which I am unaware of. If so - can you point me to a description of this
alternative option?
> Otherwise, Postfix can make use of per-sender stored passwords, as
> described in SASL_README and SOHO_README.
>
> http://www.postfix.org/SOHO_README.html#client_sasl_sender
> http://www.postfix.org/SASL_README.html#client_sasl_sender
>
This looks fine - and looks like it will do what I need. I only have a
small and stable number of users - so this method looks manageable.
What is less clear to me is how to enable/enforce TLS to keep
smtp.google.com happy. I saw a possibly related posting today discussing
"Relay to another internal server using TLS" - with these instructions
referred to in that thread:
http://www.postfix.org/TLS_README.html#client_tls
Based on both these threads - I am proposing to add the following to
main.cf, and build the sasl_passwd file:
smtp_tls_security_level = may
smtp_sender_dependent_authentication = yes
# sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
relayhost = smtp.gmail.com:587
Can you confirm that the ":587" is the correct syntax? The help file
appears to suggest that the word "submission" is a keyword that should
be used rather than a port number. I am assuming that the port number is
the correct parameter here.
Do you know whether it is permissible to have a username of the form
"us...@domain.com" in the sasl_passwd file. This will be required for
google apps credentials.
Thanks again for your expertise...
Richard.
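An added example, not from the thread and not Postfix's own code: the shell script below writes a constructed pair of sender_relay / sasl_passwd maps for the per-sender setup proposed above and checks the mistakes that most often leave such a relay silently "not delivering": a sender routed to the relay with no password entry, a login that is not the full Google address, and a password file readable by group or world. Paths, addresses and passwords are placeholders. The main.cf lines it assumes are listed in its comments; two of them answer points raised in the thread. The relayhost port may be given either numerically ([smtp.gmail.com]:587) or as a service name from /etc/services ([smtp.gmail.com]:submission); both are accepted, and the brackets suppress the MX lookup. Second, with smtp_tls_security_level = may the credentials can be sent in cleartext if STARTTLS is unavailable, so "encrypt" is the safer setting for a relay that requires TLS anyway, and the default smtp_sasl_security_options (noplaintext, noanonymous) must be relaxed to noanonymous or the PLAIN/LOGIN mechanisms the relay offers will be refused.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the two lookup tables
# Postfix needs for per-sender SASL authentication towards a relay and
# checks them before postmap is run. All addresses and passwords are
# constructed placeholders.
set -eu

# main.cf settings assumed by these checks (Postfix >= 2.3):
#   relayhost = [smtp.gmail.com]:587
#   smtp_sasl_auth_enable = yes
#   smtp_sender_dependent_authentication = yes
#   sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
#   smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
#   smtp_sasl_security_options = noanonymous   # default also has noplaintext
#   smtp_tls_security_level = encrypt           # never send the login in clear

# Write a consistent sample pair of maps into directory $1.
write_sample_maps() {
  cat >"$1/sender_relay" <<'EOF'
# sender                relay (brackets suppress MX lookup)
alice@example.com       [smtp.gmail.com]:587
bob@example.com         [smtp.gmail.com]:587
EOF
  cat >"$1/sasl_passwd" <<'EOF'
# sender                login:password
alice@example.com       alice@example.com:alice-app-password
bob@example.com         bob@example.com:bob-app-password
EOF
  chmod 600 "$1/sasl_passwd"
}

# Every sender routed to the relay needs a password entry whose login is a
# full address; the relay authenticates user@domain, not a bare user name.
check_sender_maps() {   # $1 = sender_relay, $2 = sasl_passwd; 0 = consistent
  rc=0
  while read -r sender relay; do
    case $sender in ''|\#*) continue ;; esac
    cred=$(awk -v k="$sender" '$1 == k { print $2; exit }' "$2")
    if [ -z "$cred" ]; then
      echo "no sasl_passwd entry for $sender (routed to $relay)" >&2; rc=1
    else
      case $cred in
        *@*:?*) ;;
        *) echo "$sender: credential must be user@domain:password" >&2; rc=1 ;;
      esac
    fi
  done <"$1"
  return $rc
}

# sasl_passwd holds cleartext passwords: fail if group or world can read it.
check_perms() {         # $1 = file; 0 = private enough
  [ -z "$(find "$1" -prune \( -perm -004 -o -perm -040 \) -print)" ]
}

# Demo on a throwaway directory; postmap is only run if it is installed.
dir=$(mktemp -d)
write_sample_maps "$dir"
if check_sender_maps "$dir/sender_relay" "$dir/sasl_passwd" && check_perms "$dir/sasl_passwd"; then
  echo "maps consistent"
  if command -v postmap >/dev/null 2>&1; then
    postmap "hash:$dir/sender_relay" "hash:$dir/sasl_passwd"
  fi
fi
rm -rf "$dir"
```

Run it against the real files by calling check_sender_maps /etc/postfix/sender_relay /etc/postfix/sasl_passwd and check_perms /etc/postfix/sasl_passwd before each postmap, and remember that the .db files postmap produces contain the same passwords and need the same 0600 mode.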
I fail to see why you need postfix if your domain is hosted on Google
Apps. Google Apps provide you with Webmail, IMAP4, and SMTP (submission).
http://mail.google.com/support/a/google.com/bin/answer.py?answer=33384
HTH,
Mikael
>>> AFAIK smtp.google.com requires an authenticated TLS connection.
>> If you have a Google Apps hosted domain, you use fixed MTA credentials,
>> (possibly just an IP whitelist) negotiated with Google and send to
>> alternate servers (not smtp.gmail.com 587). No per-user credentials
>> required.
>
> Not sure I fully understand this...
> I AM using a google apps hosted domain - and I think I need to use per user
> credentials because that is what would happen if the users connected direct
> to smtp.google.com as described in the google apps setup instructions. If I
> don't use per user credentials - I think google apps will change the
> sender address to a "fixed" sender address. It seems that you don't agree
> with me here? Also - part of the rationale of sending via smtp.google.com
> with user credentials - is to ensure that the google apps users "sent email
> folders" are maintained correctly.
>
> Perhaps you are describing an alternative method for google apps smtp which
> I am unaware of. If so - can you point me to a description of this
> alternative option?
The implementation I am familiar with has users submitting mail directly
via Gmail (Webmail or SMTP, their choice). Mail from Google hosted users,
even to other Google hosted users, flows through a corporate (non-Google)
relay and only then to its destination. Mail to Google hosted users is
only accepted from the corporate relay, and the MX records are not handled
by Google. In other words Gmail is just a large alternative mailstore,
but is not the edge SMTP service.
It is not clear what your use-case is, perhaps you should describe it in
more detail. I probably misunderstood what you are trying to achieve in
my initial reply.
--
Viktor.
> Here is the relevant part of my main.cf, but the system is not delivering
> mail to google.:
Always post "postconf -n" output.
>
> smtp_tls_security_level = may
> smtp_sender_dependent_authentication = yes
> # sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> relayhost = smtp.gmail.com:587
Do you really have the leading white-space on these lines?
The best solution would be for Google to allow a single login account for
your server to *impersonate* all your users. If this would also require
Postfix to support PLAIN with an authentication id that is different
from the authorization id, that feature could be added... It would
be simpler if Google treated all submission mail from the shared id,
with a sender address in your domain, to be from the user, and saved
a copy in "Sent".
You could also consider delivering the mail to the user's Google mailbox
with sender_bcc_maps, rather than submission via Gmail. I think that they
automatically refile in Sent, when the sender address is also the mailbox
user...
--
Viktor.