Tricks and Tips about Systems/Network

September 16, 2010

Sending mails in postfix through external smtp

Filed under: admins,Email servers,Linux,Posftfix — Liju Mathew @ 7:55 am

I have a requirement to enable SMTP on all desktops so they can send email out. Mail sent directly from an untrusted desktop network is usually treated as spam by third-party SMTP servers: the source addresses are the private IPs we use, and the volume grows with the number of desktops on the network.

What I'm planning to do is

1. Install a relay server in the LAN that sends the mail through a trusted third-party email account (a LAN-only relay: it relays for our subnet, not for the Internet).
2. Configure Postfix on each desktop to use this LAN relay as its relayhost.
3. Point php.ini at the same relay as the SMTP server for local mail.

Installing the relay server in the LAN
#yum install postfix*
#chkconfig postfix on
Now you need the address of your trusted email provider's SMTP server. Normally that means resolving mail.mydomain.com (host mail.mydomain.com) and noting the IP it returns. If the provider offers the submission port (587) with STARTTLS, prefer it over port 25: the relay authenticates with a username and password, and on port 25 without TLS that password travels in clear text.

Add the following lines at the end of "/etc/postfix/main.cf". Only the smtp_* parameters (the SMTP client) take part in relaying; the smtpd_sasl_* parameters configure SASL for mail arriving at this server and would need a SASL server setup, so they are left out. relayhost must be written exactly as it will be looked up in the password map, and the brackets disable the MX lookup that a bare name would trigger. The provider's server is the one resolved above; the log further down shows 64.202.165.58:25. The PLAIN and LOGIN mechanisms come from the cyrus-sasl-plain package (yum install cyrus-sasl-plain), and smtp_sasl_security_options = noanonymous (dropping the default noplaintext) is what allows Postfix to use them.
relayhost = [64.202.165.58]:25
smtp_sasl_auth_enable = yes
smtp_sasl_type = cyrus
smtp_sasl_password_maps = hash:/etc/postfix/smtp_passwd
smtp_sasl_security_options = noanonymous
smtp_cname_overrides_servername = no

Now we need to give Postfix the SMTP account details.
#vi /etc/postfix/smtp_passwd
Add one entry per relay, keyed by the relayhost value exactly as it appears in main.cf,
[SMTP server ip]:port username:password

An example looks like this,
[64.202.165.58]:25 smtpuser@domain.com:pass
Save and exit. The file holds a plaintext password, so make it readable by root only:
#chmod 600 /etc/postfix/smtp_passwd

Now compile it into the hash map Postfix actually reads (repeat this after every edit of the file, and keep the .db root-only as well),
# postmap hash:/etc/postfix/smtp_passwd
# chmod 600 /etc/postfix/smtp_passwd.db

Verify that the lookup key matches what Postfix will search for,
# postmap -q "[64.202.165.58]:25" hash:/etc/postfix/smtp_passwd
which should print smtpuser@domain.com:pass. No output means the key in the file does not match relayhost, and Postfix will connect without offering credentials.

It's time to verify the settings made.
#service postfix restart

Ensure smtpd is running (at this point it listens on loopback only)
[root@rc-016 ~]# netstat -nlp | grep ":25"
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 23589/master

Send a test mail to verify whether it's working,
[root@rc-016 ~]# echo "SMTP relay mail" | mail -s "Relay mail from new office LAB" liju@serveridol.com

Verify the mail delivery,
[root@rc-016 ~]# tail -f /var/log/maillog
Sep 15 23:13:55 rc-016 postfix/smtp[23600]: 98F227C060B: to=, relay=64.202.165.58[64.202.165.58]:25, delay=4.3, delays=0.05/0.01/2.1/2.2, dsn=2.0.0, status=sent (250 Accepted message qp 21658 bytes 734)
Sep 15 23:13:55 rc-016 postfix/qmgr[23592]: 98F227C060B: removed

This shows the mail was handed to my provider's SMTP server (status=sent, relay=64.202.165.58:25), so I should get a new mail in my inbox :-)

Configuring it as the relay server for the LAN

We need this server to listen on all interfaces so the other desktops can reach it, while relay access stays limited to our LAN. Hosts in mynetworks may relay without any authentication, so the list must contain only our own subnet: never put 0.0.0.0/0 there, and make sure port 25 on this box is not reachable from outside the LAN (firewall it), or you have built a genuine open relay. With the default smtpd_recipient_restrictions (permit_mynetworks, reject_unauth_destination) nothing else needs to change.
a. Open the file "/etc/postfix/main.cf"
Uncomment the lines and modify them for our network. Assuming that my network is 192.168.0.0/24

mynetworks = 192.168.0.0/24, 127.0.0.0/8
inet_interfaces = all

[root@rc-016 ~]# vi /etc/postfix/main.cf
[root@rc-016 ~]# service postfix restart
Shutting down postfix: [ OK ]
Starting postfix: [ OK ]
[root@rc-016 ~]# netstat -nlp | grep ":25"
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 23763/master
[root@rc-016 ~]#

Now verify that the desktops can forward their mail through this server.

Log in to another desktop on the LAN and check that you can reach the relay (192.168.0.25 in this example; it has to sit inside the mynetworks range above).

$telnet 192.168.0.25 25
Trying 192.168.0.25...
Connected to 192.168.0.25 (192.168.0.25).
Escape character is '^]'.
220 rc-016.localdomain ESMTP Postfix

Configuring the mail server on each desktop to use this as its relay server

Install Postfix on the desktop.
#yum install postfix*
#chkconfig postfix on
#vi /etc/postfix/main.cf
Uncomment the relayhost line and set it to the relay server's IP
relayhost = 192.168.0.25
#service postfix restart

Send a test email from the desktop to verify it's working,

$ echo "SMTP relay mail" | mail -s "Relay mail from new office LAB" liju@serveridol.com
Check the relay server's "/var/log/maillog" to confirm it accepted the mail from the desktop (a client=<desktop>[<ip>] line followed by status=sent to the provider). A host outside mynetworks gets 554 5.7.1 Relay access denied instead, which is exactly what we want.

July 31, 2010

My php mails are moving to spam box in Gmail

Filed under: admins,Email servers,Linux,Posftfix — Liju Mathew @ 7:51 am

One of my clients had a spam problem with his server. Initially it was a problem with the server's IP reputation.

Possible reasons are,

1. A neighbouring IP on the same network was listed in an RBL blacklist. I contacted the hosting company to sort this out; they told me their abuse team would take care of it.
2. All the major mail providers had blacklisted our IPs while they were on the list, so all mail from my server went straight to the spam box. I therefore had to contact each provider and fill out their online delisting form:

1. Yahoo
http://help.yahoo.com/l/us/yahoo/mail/postmaster/defer.html

2. For Hotmail/MSN
https://support.msn.com/eform.aspx?productKey=edfsmsbl&ct=eformts&wa=wsignin1.0&st=1&wfxredirect=1

After 3-5 days all my Yahoo and Hotmail mail reached the inbox. Gmail still had issues, and Googling did not turn up a solution.

On further investigation I found that whenever I sent email from the webmail interface it reached the INBOX correctly, but mail sent programmatically did not. I suspected the function we used to send mail or the parameters passed to it; the developers tried many variations and spent a day on it. In the evening I started researching how to send the mail myself, although I knew nothing about PHP.

I double-checked the parameters used and made sure the mails were properly formatted. Again the mail landed in the spam box.

After two or more tests I got a mail into the Gmail inbox, which pointed the way.

The reason, as I understand it, is this:
WHM/cPanel will not let you impersonate a sender without authentication, nor send as a non-existent address on the same domain, and Gmail treats such mail as spam.

Suppose I have the mailbox "matt@mydomain.com" and I send mail From the non-existent address "support@mydomain.com". That mail definitely moves to the spam box in Gmail. I had enabled DKIM on the server at the same time.

The following piece of code (PEAR Mail sending over authenticated SMTP, with From set to the same mailbox that authenticates) got the mail into the inbox.

<?php
// PEAR Mail (pear install Mail Net_SMTP); Mail.php pulls in PEAR.php for PEAR::isError().
require_once "Mail.php";

// From must be the mailbox we authenticate as; a From of a non-existent
// address on the domain is what was landing in the spam box.
$from = "Mathew <matt@domain.com>";
$to = "Gmail user <recipient@gmail.com>";   // placeholder recipient
$subject = "Welcome!";
$body = "User,\n\nYou have recently registered with us.";

$host = "mail.domain.com";
$username = "matt@domain.com";
$password = "pass";

$headers = array('From' => $from,
                 'To' => $to,
                 'Subject' => $subject);

// 'auth' => true makes Net_SMTP log in with the credentials before MAIL FROM.
$smtp = Mail::factory('smtp',
                      array('host' => $host,
                            'auth' => true,
                            'username' => $username,
                            'password' => $password));

$mail = $smtp->send($to, $headers, $body);

if (PEAR::isError($mail)) {
    echo "<p>" . htmlspecialchars($mail->getMessage()) . "</p>";
} else {
    echo "<p>Message successfully sent!</p>";
}
?>

Now All is Well :-)

The following links are helpful for checking the likelihood of being treated as spam,

1. Checking whether the IP is blacklisted.
a. http://www.dnsbl.info/dnsbl-database-check.php
b. http://www.mxtoolbox.com/blacklists.aspx

2. Checking the rDNS (reverse DNS lookup)
a. From Linux, with host:
[root@host.sportu.com] test >> host 209.85.225.18
18.225.85.209.in-addr.arpa domain name pointer iy-in-f18.1e100.net.
Check that the IP returns a PTR name and that the name resolves back to the same IP (forward-confirmed rDNS); a sending IP without that is an easy spam signal for receivers.

3. Checking SPF and DKIM (DomainKeys)
a. http://www.mxtoolbox.com/spf.aspx
b. http://www.kitterman.com/spf/validate.html

4. Is our server an open relay?
a. http://verify.abuse.net/cgi-bin/relaytest
b. www.checkor.com/
c. www.mailradar.com/openrelay/
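As an added example (not from the original post), checks 1 and 2 above done from code rather than a web form: building the DNSBL query name (IPv4 octets reversed under the list's zone, answered with an A record if listed) and a forward-confirmed rDNS check. The resolver is injectable so the checks run offline; the SAMPLE_DNS table and the zone name dnsbl.example are constructed for the demo, and the 209.85.225.18 pair mirrors the `host` output shown above.

```python
"""DNSBL lookup and forward-confirmed reverse DNS for a sending IP."""
import ipaddress
import socket


def dnsbl_query_name(ip, zone):
    """209.85.225.18 under zen.spamhaus.org -> 18.225.85.209.zen.spamhaus.org"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only: IPv6 lists use nibble-reversed names")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name, rtype):
    """Live lookups through the OS resolver: 'A' -> IPv4 strings, 'PTR' -> hostnames."""
    try:
        if rtype == "PTR":
            return [socket.gethostbyaddr(name)[0]]
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except (socket.gaierror, socket.herror):
        return []


def dict_resolver(table):
    """Constructed offline resolver: table maps (name, rtype) -> list of answers."""
    return lambda name, rtype: list(table.get((name, rtype), []))


def dnsbl_listing(ip, zone, resolve=system_resolver):
    """Return the 127.0.0.x return codes the list answers with; [] means not
    listed.  Filtering on 127. guards against wildcarded or parked zones that
    answer every query with a public address."""
    answers = resolve(dnsbl_query_name(ip, zone), "A")
    return [a for a in answers if a.startswith("127.")]


def fcrdns(ip, resolve=system_resolver):
    """Forward-confirmed rDNS: the PTR name whose A records include ip, else
    None.  A missing or unconfirmed PTR is what the `host` check above is
    looking for, because receivers treat it as a spam signal."""
    for name in resolve(ip, "PTR"):
        name = name.rstrip(".")
        if ip in resolve(name, "A"):
            return name
    return None


# Constructed answers for the offline demo.  192.0.2.10 is a documentation
# address (RFC 5737) given a PTR that does not resolve back and a listing on a
# hypothetical zone.
SAMPLE_DNS = {
    ("209.85.225.18", "PTR"): ["iy-in-f18.1e100.net"],
    ("iy-in-f18.1e100.net", "A"): ["209.85.225.18"],
    ("192.0.2.10", "PTR"): ["host.mydomain.com"],
    ("host.mydomain.com", "A"): ["192.0.2.11"],
    ("10.2.0.192.dnsbl.example", "A"): ["127.0.0.2"],
}

if __name__ == "__main__":
    lookup = dict_resolver(SAMPLE_DNS)
    for ip in ("209.85.225.18", "192.0.2.10"):
        print(ip, "rdns:", fcrdns(ip, lookup),
              "listed:", dnsbl_listing(ip, "dnsbl.example", lookup))
```

Drop the resolve argument to run the same checks against live DNS; a 127.0.0.x answer from a real list is a listing code whose meaning the list documents.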

How to check open relay

[root@web-test1 ~]# telnet mydomain.com 25
Trying 63.165.1.57...
Connected to mydomain.com (63.15.1.7).
Escape character is '^]'.
220 host.mydomain.com ESMTP Postfix
ehlo localhost
250-host.mydomain.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: tom@test.com
250 2.1.0 Ok
rcpt to: liju@office.com
554 5.7.1 : Relay access denied

The 554 5.7.1 Relay access denied for a recipient outside our own domains shows the server is not an open relay, at least for the address we tested from. Run the test from a host outside mynetworks (from the Internet, not from the LAN), since hosts in mynetworks are allowed to relay by design; and a 250 for a recipient in one of our own domains is ordinary delivery, not relaying.
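The same probe as the telnet session above, as an added Python example that is not part of the original post. relay_check() performs EHLO, MAIL FROM and RCPT TO with smtplib and returns the RCPT verdict without ever sending DATA; FakeSMTPHandler is a constructed stand-in for a Postfix smtpd so the probe can be demonstrated offline (host.mydomain.com, the address pair tom@test.com / liju@office.com and the 554 text are taken from the session above; everything else is assumed).

```python
"""Probe an SMTP server for open relaying: foreign sender, foreign recipient,
read the policy decision on RCPT TO, abandon the transaction."""
import smtplib
import socketserver
import threading


def relay_check(host, port, mail_from="tom@test.com", rcpt_to="liju@office.com",
                timeout=10):
    """Return (code, message) of the RCPT TO reply.  Sender and recipient must
    both be outside the server's own domains, or a 250 proves nothing."""
    with smtplib.SMTP(host, port, local_hostname="probe.example", timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, msg = smtp.mail(mail_from)
        if code != 250:
            raise RuntimeError("MAIL FROM rejected: %d %r" % (code, msg))
        code, msg = smtp.rcpt(rcpt_to)
        smtp.rset()  # we only wanted the verdict, never the message
        return code, msg.decode("ascii", "replace")


def is_open_relay(rcpt_code):
    """250 on a foreign recipient means the server agreed to relay for us;
    Postfix with reject_unauth_destination answers 554 5.7.1 instead."""
    return rcpt_code == 250


class FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for a Postfix smtpd: accepts recipients in
    LOCAL_DOMAINS and, unless open_relay is set, refuses all others with 554."""
    LOCAL_DOMAINS = ("mydomain.com",)
    open_relay = False

    def reply(self, text):
        self.wfile.write(text.encode("ascii") + b"\r\n")

    def handle(self):
        self.reply("220 host.mydomain.com ESMTP fake")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            verb, _, arg = line.decode("ascii", "replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("EHLO", "HELO"):
                self.reply("250-host.mydomain.com\r\n250 8BITMIME")
            elif verb == "MAIL":
                self.reply("250 2.1.0 Ok")
            elif verb == "RCPT":
                addr = arg.partition(":")[2].strip().strip("<>")
                domain = addr.rpartition("@")[2].lower()
                if self.open_relay or domain in self.LOCAL_DOMAINS:
                    self.reply("250 2.1.5 Ok")
                else:
                    self.reply("554 5.7.1 <%s>: Relay access denied" % addr)
            elif verb == "RSET":
                self.reply("250 2.0.0 Ok")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("502 5.5.2 Error: command not recognized")


def start_fake_server(open_relay=False):
    """Start the fake smtpd on an ephemeral loopback port; returns (server, port)."""
    handler = type("Handler", (FakeSMTPHandler,), {"open_relay": open_relay})
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_fake_server()
    try:
        code, msg = relay_check("127.0.0.1", port)
        print(code, msg, "-> OPEN RELAY" if is_open_relay(code) else "-> relay denied")
    finally:
        server.shutdown()
        server.server_close()
```

Point relay_check() at a real host and port 25 to probe a production server; run it from outside mynetworks, because from the LAN the relay will (correctly) answer 250.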

January 12, 2010

Postfix – SMTP Relay server using gmail.

Filed under: admins,Linux,Posftfix — Liju Mathew @ 3:56 pm

Requirements.
I need the alerts from the Nagios that monitors our LAN delivered to my official email. I had configured an external mail server as relay, but the hosting company later blocked the traffic from my network :-D

Solution
Configure Postfix as a relay mail server that sends through Google's SMTP.
1. Install Postfix (yum install postfix). Check that the Postfix you are using has the "cyrus" SASL client plug-in (postconf -A lists the available SASL client types); the PLAIN and LOGIN mechanisms Gmail offers also need the cyrus-sasl-plain package installed.
[root@web-test1 ~]# postconf -A
cyrus

2. Start from a working OpenSSL config file (/etc/ssl/openssl.cnf on Debian-style systems; on CentOS/RHEL it lives under /etc/pki/tls)
[root@web-test1 ~]# locate openssl.cnf
/etc/pki/dovecot/dovecot-openssl.cnf
/etc/pki/tls/openssl.cnf

3. Make a backup of /etc/pki/tls/openssl.cnf, then empty the file and replace its content with the config below. The system-wide file is only borrowed for this one-off CA; restore the backup once the certificates from step 7 are in place, or every other OpenSSL user on the box inherits this CA setup.
How to empty a file
#cp /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf.orig
#vi /etc/pki/tls/openssl.cnf then press Escape, type :1,$d to delete every line, press i for insert mode and paste the content below,

# OpenSSL configuration file. ( /etc/ssl/openssl.cnf )
# Calomel.org at https://calomel.org
#
# Establish working directory (everything below is relative to the directory
# you run openssl from, which is /tmp/ssl in step 4).
dir= .
[ ca ]
default_ca= CA_default

[ CA_default ]
serial= $dir/serial
database= $dir/index.txt
new_certs_dir= $dir/newcerts
certificate= $dir/cacert.pem
private_key= $dir/private/cakey.pem
default_days= 3650
default_md= sha256    # md5 in the original; MD5 signatures are obsolete
preserve= no
email_in_dn= no
nameopt= default_ca
certopt= default_ca
policy= policy_match

# The request must carry the same country, state and organization as the CA
# certificate, or "openssl ca" refuses to sign it.
[ policy_match ]
countryName= match
stateOrProvinceName= match
organizationName= match
organizationalUnitName= optional
commonName= supplied
emailAddress= optional

[ req ]
default_bits= 2048    # size of keys (1024 in the original is too small today)
default_keyfile= key.pem    # name of generated keys
default_md= sha256    # message digest algorithm
string_mask= nombstr    # permitted characters
distinguished_name= req_distinguished_name
req_extensions= v3_req
x509_extensions= v3_ca    # used by "req -x509" so the CA cert is marked CA:TRUE

[ req_distinguished_name ]
# Variable name Prompt string
0.organizationName= Organization Name (company)
organizationalUnitName= Organizational Unit Name (department, division)
emailAddress= Email Address
emailAddress_max= 40
localityName= Locality Name (city, district)
stateOrProvinceName= State or Province Name (full name)
countryName= Country Name (2 letter code)
countryName_min= 2
countryName_max= 2
commonName= Common Name (hostname, IP, or your name)
commonName_max= 64

# Default values for the above, for consistency and less typing.
# Variable name Value
0.organizationName_default= Example
localityName_default= SomeCity
stateOrProvinceName_default= HI
countryName_default= US
commonName_default= example.org

[ v3_ca ]
basicConstraints= CA:TRUE
subjectKeyIdentifier= hash
authorityKeyIdentifier= keyid:always,issuer:always

[ v3_req ]
basicConstraints= CA:FALSE
subjectKeyIdentifier= hash

4. Create a temporary folder for generating the certificates (dir= . in the config means the serial, index and key paths are relative to this directory)
#mkdir /tmp/ssl
#cd /tmp/ssl
#mkdir newcerts private
#echo '01' > serial
#touch index.txt
5. Creating the certificate files.
#openssl req -new -x509 -keyout private/cakey.pem -out cacert.pem
It will ask a few questions about you (organization, state, country, ...) and for a passphrase for the CA key.
Create a key and certificate request for the client
#openssl req -new -nodes -subj '/CN=example.org/O=Example/C=IN/ST=Mycity/emailAddress=admin@domain.com' -keyout example_gmail-key.pem -out example_gmail-req.pem

Please note that the policy_match section requires countryName, stateOrProvinceName and organizationName in the request to be identical to those in the CA certificate, so answer the prompts in the first command with the same O, C and ST you put in -subj.
6. Sign your certificate (it asks for the CA passphrase, then to confirm signing and committing).
#openssl ca -out example_gmail-cert.pem -infiles example_gmail-req.pem
7. Copy the certificates into the Postfix directory and set permissions.
#cp cacert.pem example_gmail-key.pem example_gmail-cert.pem /etc/postfix/
#chmod 644 /etc/postfix/cacert.pem /etc/postfix/example_gmail-cert.pem
#chmod 400 /etc/postfix/example_gmail-key.pem
8. Download the root certificates from http://www.thawte.com/roots/
# wget https://www.verisign.com/support/thawte-roots.zip
# unzip thawte-roots.zip
9. # cat Thawte\ Roots/Thawte\ Personal\ Root\ Certificates/Thawte\ Personal\ Premium\ CA/Thawte\ Personal\ Premium\ CA.txt >> /etc/postfix/cacert.pem
This root is what Gmail's server certificate chained to at the time. The chain changes, so today point smtp_tls_CAfile at the distribution's CA bundle (/etc/pki/tls/certs/ca-bundle.crt on CentOS/RHEL) instead of a single vendor root. Note also that Gmail does not require a client certificate: the CA file is what lets Postfix verify Gmail's certificate, while the client cert and key from steps 5-7 are optional.
10. Open the Postfix configuration file and add/modify the lines below.
For me, I add the lines at the end of the file. The smtp_* settings are the ones that matter for relaying to Gmail (the SMTP client side); the smtpd_* ones configure TLS and SASL for mail arriving at this host and are kept for completeness. On Postfix 2.3 and later, smtp_tls_security_level = encrypt (or secure, with the system CA bundle as smtp_tls_CAfile) replaces smtp_use_tls and additionally refuses to hand over the password if TLS cannot be negotiated.

### GMAIL Relay Host and Smtp-Auth options
relayhost = [smtp.gmail.com]:587
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_cert_file = /etc/postfix/example_gmail-cert.pem
smtp_tls_key_file = /etc/postfix/example_gmail-key.pem
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/example_gmail-cert.pem
smtpd_tls_key_file = /etc/postfix/example_gmail-key.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
smtpd_sasl_auth_enable = no
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_local_domain = $myhostname
smtp_sasl_security_options = noanonymous
#smtp_sasl_security_options =
smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_application_name = smtpd

11. Make a Postfix SASL2 username and password file. The key must be exactly the relayhost value, brackets and port included, and the file holds a plaintext password, so keep it and the compiled .db root-only. (Current Gmail accounts no longer accept the account password for SMTP AUTH; use an app password, which requires 2-Step Verification on the account.)

#echo "[smtp.gmail.com]:587 mygmailid@gmail.com:mygmailpassd" > /etc/postfix/sasl_passwd
#chmod 600 /etc/postfix/sasl_passwd
#postmap /etc/postfix/sasl_passwd
#chmod 600 /etc/postfix/sasl_passwd.db
#postmap -q "[smtp.gmail.com]:587" /etc/postfix/sasl_passwd
The last command must print the user:password pair; if it prints nothing, the key does not match relayhost.

It's time to check the configuration.
#service postfix restart
# echo "This is my postfix mail" | mail -s "postfix relay server testing" myemailid@mydomain.com
then check the Postfix logs to see what is happening ..
#tail -f /var/log/maillog
A good line ends in status=sent with relay=smtp.gmail.com[...]:587; a "SASL authentication failed" line means the map key or the credentials are wrong, and a TLS error means the CA file does not contain the root of Gmail's chain.

Hopefully you will get a mail shortly :-)
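An added example, not code from the original posts: a small auditor for the relayhost / SASL password map pairing that both this recipe (steps 10 and 11) and the LAN relay recipe further up depend on. It parses main.cf and the postmap source file and reports the mistakes that otherwise only surface as an empty postmap -q or a "SASL authentication failed" line in maillog: a map key that does not match relayhost, smtpd_sasl_* (server side) used where smtp_sasl_* (client side) is needed, and credentials sent without TLS. The sample configurations are constructed from the two recipes; the key 6.202.165.58:25 reproduces the typo from the first one.

```python
"""Audit a Postfix relay setup: main.cf plus the SASL password source file."""
import re


def parse_main_cf(text):
    """main.cf: 'name = value', '#' comments, later values win, and a line that
    starts with whitespace continues the previous value."""
    cfg, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            cfg[last] = (cfg[last] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            last = name.strip()
            cfg[last] = value.strip()
    return cfg


def parse_sasl_passwd(text):
    """postmap source: '<nexthop-or-host> <user>:<password>' per line."""
    creds = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            creds[parts[0]] = parts[1]
    return creds


def nexthop_keys(relayhost):
    """Keys the Postfix SMTP client searches: the next-hop exactly as written
    in relayhost (brackets and port included), then the bare server name."""
    m = re.match(r"^\[([^\]]+)\](?::\S+)?$", relayhost)
    host = m.group(1) if m else relayhost.split(":")[0]
    return [relayhost] + ([host] if host != relayhost else [])


def audit_relay_config(main_cf, sasl_passwd):
    """Return 'ERROR: ...' / 'WARN: ...' findings; an empty list means clean."""
    cfg = parse_main_cf(main_cf)
    creds = parse_sasl_passwd(sasl_passwd)
    findings = []
    relayhost = cfg.get("relayhost", "")
    if not relayhost:
        return ["ERROR: relayhost is empty; mail goes straight to each recipient's MX"]
    if cfg.get("smtp_sasl_auth_enable", "no").lower() != "yes":
        findings.append("ERROR: smtp_sasl_auth_enable is not yes; no credentials will be offered")
    if cfg.get("smtpd_sasl_auth_enable", "no").lower() == "yes":
        findings.append("WARN: smtpd_sasl_auth_enable=yes turns on inbound (server-side) SASL; "
                        "the relay client side is smtp_sasl_*")
    if not cfg.get("smtp_sasl_password_maps"):
        findings.append("ERROR: smtp_sasl_password_maps is not set")
    keys = nexthop_keys(relayhost)
    hit = next((k for k in keys if k in creds), None)
    if hit is None:
        findings.append("ERROR: no entry for %r (or %r) in the password map; "
                        "postmap -q %s would print nothing" % (keys[0], keys[-1], keys[0]))
    elif ":" not in creds[hit]:
        findings.append("ERROR: entry for %r is not user:password" % hit)
    if "noanonymous" not in cfg.get("smtp_sasl_security_options", "noplaintext, noanonymous"):
        findings.append("WARN: smtp_sasl_security_options does not include noanonymous")
    level = cfg.get("smtp_tls_security_level", "").lower()
    if level in ("", "none") and cfg.get("smtp_use_tls", "no").lower() != "yes":
        findings.append("WARN: no client TLS (smtp_tls_security_level / smtp_use_tls); "
                        "the SASL password crosses the network in clear text")
    return findings


# Constructed samples.  LAN_MAIN_CF repeats the first recipe's mistakes (server-side
# smtpd_sasl_*, port 25 without TLS) plus the typo'd map key; GMAIL_MAIN_CF is the
# relevant subset of the Gmail recipe above.
LAN_MAIN_CF = """
relayhost = [64.202.165.58]:25
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtp_sasl_password_maps = hash:/etc/postfix/smtp_passwd
smtp_sasl_type = cyrus
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
"""
LAN_SASL_PASSWD = "6.202.165.58:25 smtpuser@domain.com:pass\n"

GMAIL_MAIN_CF = """
### GMAIL Relay Host and Smtp-Auth options
relayhost = [smtp.gmail.com]:587
smtp_use_tls = yes
smtpd_sasl_auth_enable = no
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
#smtp_sasl_security_options =
"""
GMAIL_SASL_PASSWD = "[smtp.gmail.com]:587 mygmailid@gmail.com:mygmailpassd\n"

if __name__ == "__main__":
    for name, cf, pw in (("LAN relay", LAN_MAIN_CF, LAN_SASL_PASSWD),
                         ("Gmail relay", GMAIL_MAIN_CF, GMAIL_SASL_PASSWD)):
        print(name, audit_relay_config(cf, pw) or ["clean"])
```

Feed it the real files with open("/etc/postfix/main.cf").read() and open("/etc/postfix/sasl_passwd").read(); it reads the source file, so run postmap afterwards as the recipe says, since Postfix reads only the compiled .db.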

This helped me a great deal with the trouble of getting the LAN Nagios alerts during office hours. I'm really thankful to a thread on https://calomel.org regarding this.

Theme: Rubric. Blog at WordPress.com.
