howto setup outgoing port to 587 ?

  • sean darcy
    Message 1 of 19 , Dec 21, 2008
      I have an asterisk voip server that receives faxes and converts them
      to pdf. What I then want to do is email the pdf's to my two mailboxes -
      one on 1and1.com, the other on gmail.

      My ISP, ATT blocks port 25. I think if I just send the email to port 587
      ( which is how I've configured Thunderbird ) this should work.

      I'm using Fedora 9, which comes with sendmail as the default MTA. I've
      spent a lot of time avoiding learning how to use or configure an MTA.
      Looking at the sendmail docs, it's clear postfix is a _lot_ easier to
      configure. So, I'm switching.

      But I still haven't figured out how to just set the outgoing port to 587.

      Any help appreciated.

      sean
    • J.P. Trosclair
      Message 2 of 19 , Dec 22, 2008
        sean darcy wrote:
        > I have an asterisk voip server that receives faxes and converts them
        > to pdf. What I then want to do is email the pdf's to my two mailboxes -
        > one on 1and1.com, the other on gmail.
        >
        > My ISP, ATT blocks port 25. I think if I just send the email to port 587
        > ( which is how I've configured Thunderbird ) this should work.
        >
        > I'm using Fedora 9, which comes with sendmail as the default MTA. I've
        > spent a lot of time avoiding learning how to use or configure an MTA.
        > Looking at the sendmail docs, it's clear postfix is a _lot_ easier to
        > configure. So, I'm switching.
        >
        > But I still haven't figured out how to just set the outgoing port to 587.
        >
        > Any help appreciated.
        >
        > sean

        You can look at using transport_maps in main.cf, here's an example:

        /etc/postfix/main.cf:
        transport_maps = hash:/etc/postfix/transports

        /etc/postfix/transports:
        gmail.com smtp:[smtp.gmail.com]:587
        1and1.com smtp:[smtp.1and1.com]:587

        After you make these changes you'll need to postmap the transports file
        and reload postfix's configuration.

        J.P.
      • Victor Duchovni
        Message 3 of 19 , Dec 22, 2008
          On Sun, Dec 21, 2008 at 07:02:17PM -0500, sean darcy wrote:

          > I have an asterisk voip server that receives faxes and converts them
          > to pdf. What I then want to do is email the pdf's to my two mailboxes -
          > one on 1and1.com, the other on gmail.
          >
          > My ISP, ATT blocks port 25. I think if I just send the email to port 587
          > ( which is how I've configured Thunderbird ) this should work.

          On 587, you will also need SASL authentication. This is a "submission"
          service.

          --
          Viktor.

          Disclaimer: off-list followups get on-list replies or get ignored.
          Please do not ignore the "Reply-To" header.

          To unsubscribe from the postfix-users list, visit
          http://www.postfix.org/lists.html or click the link below:
          <mailto:majordomo@...?body=unsubscribe%20postfix-users>

          If my response solves your problem, the best way to thank me is to not
          send an "it worked, thanks" follow-up. If you must respond, please put
          "It worked, thanks" in the "Subject" so I can delete these quickly.
        • sean darcy
          Message 4 of 19 , Dec 22, 2008
            On Mon, Dec 22, 2008 at 11:29 AM, Victor Duchovni
            <Victor.Duchovni@...> wrote:
            > On Sun, Dec 21, 2008 at 07:02:17PM -0500, sean darcy wrote:
            >
            >> I have an asterisk voip server that receives faxes and converts them
            >> to pdf. What I then want to do is email the pdf's to my two mailboxes -
            >> one on 1and1.com, the other on gmail.
            >>
            >> My ISP, ATT blocks port 25. I think if I just send the email to port 587
            >> ( which is how I've configured Thunderbird ) this should work.
            >
            >
            Thanks for all the fast responses. I really appreciate the help.

            >
            >After you make these changes you'll need to postmap the transports file

            "postmap the transports file"?

            as in
            postmap /etc/postfix/transports ??

            > and reload postfix's configuration.


            service postfix restart ??

            >On 587, you will also need SASL authentication. This is a "submission"
            >service.

            IOW, if any email server gets email over port 25, it accepts it. OTOH,
            if it gets it over port 587 ( or port 465 ? )
            it will require authentication ( always SASL? ) before it accepts it.
            Do I have this right?

            How do I set up postfix to provide SASL authentication?


            sean
          • J.P. Trosclair
            Message 5 of 19 , Dec 22, 2008
              sean darcy wrote:
              >
              > "postmap the transports file"?
              >
              > as in
              > postmap /etc/postfix/transports ??

              Yes

              >
              >> and reload postfix's configuration.
              >
              >
              > service postfix restart ??

              Sure, or 'postfix reload', unless stated otherwise.

              >
              > How do I set up postfix to provide SASL authentication?
              >

              Check this link out:
              http://www.postfix.org/SASL_README.html#client_sasl

              Also might want to have a look at the transport man(ual) page.

              J.P.
            • Asif Iqbal
              Message 6 of 19 , Dec 22, 2008
                On Sun, Dec 21, 2008 at 7:02 PM, sean darcy <seandarcy2@...> wrote:
                > I have an asterisk voip server that receives faxes and converts them to
                > pdf. What I then want to do is email the pdf's to my two mailboxes - one on
                > 1and1.com, the other on gmail.
                >
                > My ISP, ATT blocks port 25. I think if I just send the email to port 587 (
                > which is how I've configured Thunderbird ) this should work.
                >
                > I'm using Fedora 9, which comes with sendmail as the default MTA. I've spent
                > a lot of time avoiding learning how to use or configure an MTA. Looking at
                > the sendmail docs, it's clear postfix is a _lot_ easier to configure. So,
                > I'm switching.
                >
                > But I still haven't figured out how to just set the outgoing port to 587.

                easy.

                Just make sure you have it configured main.cf like something similar to this

                relayhost = [smtp.gmail.com]:submission
                smtp_sasl_auth_enable = yes
                smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
                smtp_sasl_security_options = noanonymous
                smtp_sasl_type = cyrus
                smtp_tls_security_level = encrypt
                smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
                smtp_use_tls = yes

                And your sasl_passwd like this

                [smtp.gmail.com]:submission gmailusername:gmailpassword

                Then run `postmap /etc/postfix/sasl_passwd' followed by restarting postfix

                That's it


                >
                > Any help appreciated.
                >
                > sean
                >
                >



                --
                Asif Iqbal
                PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
              • Victor Duchovni
                Message 7 of 19 , Dec 22, 2008
                  On Mon, Dec 22, 2008 at 12:08:20PM -0500, Asif Iqbal wrote:

                  > smtp_use_tls = yes
                  >

                  This is obsolete. Set:

                  smtp_tls_security_level = encrypt

                  or better (given suitable CAfile or CApath):

                  smtp_tls_security_level = secure

                  --
                  Viktor.

                • sean darcy
                  Message 8 of 19 , Dec 25, 2008
                    Victor Duchovni wrote:
                    > On Mon, Dec 22, 2008 at 12:08:20PM -0500, Asif Iqbal wrote:
                    >
                    >> smtp_use_tls = yes
                    >>
                    >
                    > This is obsolete. Set:
                    >
                    > smtp_tls_security_level = encrypt
                    >
                    > or better (given suitable CAfile or CApath):
                    >
                    > smtp_tls_security_level = secure
                    >

                    So where would you get the certificate to authenticate to google or 1and1?

                    sean
                  • Sahil Tandon
                    Message 9 of 19 , Dec 26, 2008
                      sean darcy wrote:

                      > Victor Duchovni wrote:
                      >> On Mon, Dec 22, 2008 at 12:08:20PM -0500, Asif Iqbal wrote:
                      >>
                      >>> smtp_use_tls = yes
                      >>>
                      >>
                      >> This is obsolete. Set:
                      >>
                      >> smtp_tls_security_level = encrypt
                      >>
                      >> or better (given suitable CAfile or CApath):
                      >>
                      >> smtp_tls_security_level = secure
                      >>
                      >
                      > So where would you get the certificate to authenticate to google or
                      > 1and1.

                      The smtp (client), as opposed to the smtpd (server), does not need a
                      certificate to authenticate to google.

                      --
                      Sahil Tandon <sahil@...>
                    • sean darcy
                      Message 10 of 19 , Dec 26, 2008
                        Sahil Tandon wrote:
                        > sean darcy wrote:
                        >
                        >> Victor Duchovni wrote:
                        >>> On Mon, Dec 22, 2008 at 12:08:20PM -0500, Asif Iqbal wrote:
                        >>>
                        >>>> smtp_use_tls = yes
                        >>>>
                        >>> This is obsolete. Set:
                        >>>
                        >>> smtp_tls_security_level = encrypt
                        >>>
                        >>> or better (given suitable CAfile or CApath):
                        >>>
                        >>> smtp_tls_security_level = secure
                        >>>
                        >> So where would you get the certificate to authenticate to google or
                        >> 1and1.
                        >
                        > The smtp (client), as opposed to the smtpd (server), does not need a
                        > certificate to authenticate to google.
                        >

                        Well, my smtp client seems to need it:

                        Dec 26 09:41:26 asterisk postfix/pickup[8353]: F3867460F2: uid=0 from=<root>
                        Dec 26 09:41:27 asterisk postfix/cleanup[8371]: F3867460F2:
                        message-id=<20081226144126.F3867460F2@...>
                        Dec 26 09:41:27 asterisk postfix/qmgr[8352]: F3867460F2:
                        from=<root@...>, size=41086, nrcpt=1 (queue active)
                        Dec 26 09:41:27 asterisk postfix/smtp[8376]: certificate verification
                        failed for smtp.gmail.com[209.85.133.111]:587: untrusted issuer
                        /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting
                        cc/OU=Certification Services Division/CN=Thawte Premium Server
                        CA/emailAddress=premium-server@...


                        But I found that Fedora 9 installs a ca-bundle as part of openssl.

                        So this is what worked for me. I didn't change anything in
                        /etc/postfix/main.cf except to add this at the very end:

                        ## all this to setup sending over gmail:
                        relayhost = [smtp.gmail.com]:submission
                        smtp_sasl_auth_enable = yes
                        smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
                        smtp_sasl_security_options = noanonymous
                        smtp_sasl_type = cyrus
                        smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
                        ## if you're using certificates
                        smtp_tls_CAfile=/etc/pki/tls/certs/ca-bundle.crt
                        smtp_tls_security_level = secure
                        ## if you're not
                        # smtp_tls_security_level = encrypt


                        and I created the file sasl_passwd:

                        cat sasl_passwd
                        [smtp.gmail.com]:submission username:password

                        and it works like a charm.

                        Thanks for all the help. Greatly appreciated.

                        sean
                      • Victor Duchovni
                        Message 11 of 19 , Dec 26, 2008
                          On Fri, Dec 26, 2008 at 08:25:12AM -0500, Sahil Tandon wrote:

                          > sean darcy wrote:
                          >
                          > > Victor Duchovni wrote:
                          > >> On Mon, Dec 22, 2008 at 12:08:20PM -0500, Asif Iqbal wrote:
                          > >>
                          > >>> smtp_use_tls = yes
                          > >>>
                          > >>
                          > >> This is obsolete. Set:
                          > >>
                          > >> smtp_tls_security_level = encrypt
                          > >>
                          > >> or better (given suitable CAfile or CApath):
                          > >>
                          > >> smtp_tls_security_level = secure
                          > >>
                          > >
                          > > So where would you get the certificate to authenticate to google or
                          > > 1and1.
                          >
                          > The smtp (client), as opposed to the smtpd (server), does not need a
                          > certificate to authenticate to google.

                          Irrelevant, an SMTP client that wants to verify Google's authenticity
                          needs the root CA certificate of the CA that signed Google's cert.

                          Yes the client does not need its own private keys and associated certs,
                          but that is not the point.

                          Verisign makes their certs available for download from

                          https://www.verisign.com/support/roots.html

                          --
                          Viktor.

                        • Sahil Tandon
                          Message 12 of 19 , Dec 26, 2008
                            Victor Duchovni wrote:

                            > On Fri, Dec 26, 2008 at 08:25:12AM -0500, Sahil Tandon wrote:
                            >
                            > > sean darcy wrote:
                            > >
                            > > > Victor Duchovni wrote:
                            > > >> On Mon, Dec 22, 2008 at 12:08:20PM -0500, Asif Iqbal wrote:
                            > > >>
                            > > >>> smtp_use_tls = yes
                            > > >>>
                            > > >>
                            > > >> This is obsolete. Set:
                            > > >>
                            > > >> smtp_tls_security_level = encrypt
                            > > >>
                            > > >> or better (given suitable CAfile or CApath):
                            > > >>
                            > > >> smtp_tls_security_level = secure
                            > > >>
                            > > >
                            > > > So where would you get the certificate to authenticate to google or
                            > > > 1and1.
                            > >
                            > > The smtp (client), as opposed to the smtpd (server), does not need a
                            > > certificate to authenticate to google.
                            >
                            > Irrelevant, an SMTP client that wants to verify Google's authenticity
                            > needs the root CA certificate of the CA that signed Google's cert.

                            Agreed. My point is that a cert is *not* needed to authenticate to
                            Google's submission service. If, and only if, the client wants to
                            verify authenticity is the signing root's cert required.

                            > Yes the client does not need its own private keys and associated certs,
                            > but that is not the point.

                            It is not the point and thus was not alleged.

                            [...]

                            --
                            Sahil Tandon <sahil@...>
                          • mouss
                            Message 13 of 19 , Dec 26, 2008
                              Sahil Tandon wrote:
                              > Victor Duchovni wrote:
                              >
                              >> On Fri, Dec 26, 2008 at 08:25:12AM -0500, Sahil Tandon wrote:
                              >>
                              >>> sean darcy wrote:
                              >>>
                              >>>> Victor Duchovni wrote:
                              >>>>> On Mon, Dec 22, 2008 at 12:08:20PM -0500, Asif Iqbal wrote:
                              >>>>>
                              >>>>>> smtp_use_tls = yes
                              >>>>>>
                              >>>>> This is obsolete. Set:
                              >>>>>
                              >>>>> smtp_tls_security_level = encrypt
                              >>>>>
                              >>>>> or better (given suitable CAfile or CApath):
                              >>>>>
                              >>>>> smtp_tls_security_level = secure
                              >>>>>
                              >>>> So where would you get the certificate to authenticate to google or
                              >>>> 1and1.
                              >>> The smtp (client), as opposed to the smtpd (server), does not need a
                              >>> certificate to authenticate to google.
                              >> Irrelevant, an SMTP client that wants to verify Google's authenticity
                              >> needs the root CA certificate of the CA that signed Google's cert.
                              >
                              > Agreed. My point is that a cert is *not* needed to authenticate to
                              > Google's submission service. If, and only if, the client wants to
                              > verify authenticity is the signing root's cert required.
                              >

                              it's not required. but if you don't verify the cert, then you trust DNS.
                              so a DNS attack (poisoning, ...) would make him send passwords to the
                              wrong server.


                              >> Yes the client does not need its own private keys and associated certs,
                              >> but that is not the point.
                              >
                              > It is not the point and thus was not alleged.
                              >
                              > [...]
                              >
                            • Jan P. Kessler
                              Message 14 of 19 , Dec 26, 2008
                                mouss wrote:
                                > it's not required. but if you don't verify the cert, then you trust DNS.
                                > so a DNS attack (poisoning, ...) would make him send passwords to the
                                > wrong server.
                                >
                                <dramatic>

                                If you use encryption you implicitly assume that there might be someone
                                between you and the target system. Unfortunately that 'someone' may also
                                perform MITM attacks in that position. The only possibility to get
                                around this is to verify the identity of the target.

                                So keep in mind that you should

                                1. always try to verify your target's identity
                                or
                                2. not use encryption because it wastes cpucycles for nothing

                                </dramatic>
                              • mouss
                                Message 15 of 19 , Dec 26, 2008
                                  Jan P. Kessler wrote:
                                  > mouss wrote:
                                  >> it's not required. but if you don't verify the cert, then you trust DNS.
                                  >> so a DNS attack (poisoning, ...) would make him send passwords to the
                                  >> wrong server.
                                  >>
                                  > <dramatic>
                                  >
                                  > If you use encryption you implicitly assume that there might be someone
                                  > between you and the target system. Unfortunately that 'someone' may also
                                  > perform MITM attacks in that position. The only possibility to get
                                  > around this is to verify the identity of the target.
                                  >
                                  > So keep in mind that you should
                                  >
                                  > 1. always try to verify your target's identity
                                  > or
                                  > 2. not use encryption because it wastes cpucycles for nothing
                                  >
                                  > </dramatic>

                                  you may still want to encrypt a channel to avoid sniffing by "local"
                                  machines. sniffing traffic is a lot easier than (active) MITM attacks.
                                  so no, encryption without verification is not a waste.

                                  (I'm not saying verification is useless. I'm saying there may be cases
                                  where verification may be problematic while encryption is still
                                  desirable).
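
The client-side relay settings posted earlier in the thread and the encrypt-versus-secure exchange above, as a check that can be run against a main.cf. This is an added example, not code from any poster or from the Postfix project; the function names `cf_get` and `audit_relay` and the sample files are constructed for illustration, and the owner-only permission check on the password file is an addition the thread does not discuss.

```shell
#!/usr/bin/env bash
# Added example: audit the Postfix SMTP *client* settings used to relay via port 587.

# cf_get FILE PARAM: effective value of PARAM in a main.cf-style file.
# Later settings override earlier ones; a line starting with whitespace continues
# the previous logical line; '#' lines and blank lines are skipped.
cf_get() {
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { if (name != "") { sub(/^[ \t]+/, ""); val[name] = val[name] " " $0 }
                   next }
        { eq = index($0, "=")
          if (eq == 0) { name = ""; next }
          name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
          v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
          val[name] = v }
        END { if (want in val) print val[want] }
    ' "$1"
}

# audit_relay MAIN_CF: print one finding per line (OK/WARN/FAIL); return 1 on any FAIL.
# Only smtp_tls_security_level is assessed; the obsolete smtp_enforce_tls is ignored.
audit_relay() {
    local cf="$1" rc=0 relay sasl level cafile capath maps pwfile
    relay=$(cf_get "$cf" relayhost)
    sasl=$(cf_get "$cf" smtp_sasl_auth_enable)
    level=$(cf_get "$cf" smtp_tls_security_level)
    cafile=$(cf_get "$cf" smtp_tls_CAfile)
    capath=$(cf_get "$cf" smtp_tls_CApath)
    maps=$(cf_get "$cf" smtp_sasl_password_maps)

    case $relay in
        \[*\]:587|\[*\]:submission) echo "OK   relayhost $relay uses the submission port" ;;
        *) echo "WARN relayhost '$relay' is not of the form [host]:587 or [host]:submission" ;;
    esac

    if [ "$sasl" = yes ]; then echo "OK   SASL client authentication is enabled"
    else echo "FAIL smtp_sasl_auth_enable is not 'yes'; port 587 expects authentication"; rc=1; fi

    if [ -n "$(cf_get "$cf" smtp_use_tls)" ]; then
        echo "WARN smtp_use_tls is obsolete; rely on smtp_tls_security_level"
    fi
    case $level in
        secure|verify)
            if [ -n "$cafile$capath" ]; then
                echo "OK   level '$level' checks the server certificate against the configured CAs"
            else
                echo "FAIL level '$level' but no smtp_tls_CAfile or smtp_tls_CApath is set"; rc=1
            fi ;;
        encrypt)
            echo "WARN level 'encrypt' does not verify the server; the password goes to whatever host DNS returns" ;;
        may|none|"")
            echo "FAIL smtp_tls_security_level '${level:-unset}' does not require TLS for the SASL login"; rc=1 ;;
        *)  echo "WARN level '$level' is not assessed by this example" ;;
    esac

    pwfile=${maps#*:}                       # strip the "hash:" table type
    if [ -z "$maps" ] || [ ! -f "$pwfile" ]; then
        echo "FAIL password map source '$pwfile' not found"; rc=1
    else
        if awk -v k="$relay" '$1 == k { found = 1 } END { exit !found }' "$pwfile"; then
            echo "OK   $pwfile has an entry keyed $relay"
        else
            echo "WARN $pwfile has no entry keyed '$relay'"
        fi
        if [ "$(ls -ld "$pwfile" | cut -c5-10)" = "------" ]; then
            echo "OK   $pwfile is readable by its owner only"
        else
            echo "FAIL $pwfile is accessible to group or others and holds a plaintext password"; rc=1
        fi
    fi
    return $rc
}

# --- constructed sample input (placeholder credentials, not from a real system) ---
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
( umask 077; printf '%s\n' '[smtp.gmail.com]:submission username:password' > "$demo/sasl_passwd" )
cat > "$demo/first.cf" <<EOF
# settings as first suggested in the thread
relayhost = [smtp.gmail.com]:submission
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:$demo/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_use_tls = yes
EOF
cat > "$demo/final.cf" <<EOF
# settings the original poster ended up with
relayhost = [smtp.gmail.com]:submission
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:$demo/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile=/etc/pki/tls/certs/ca-bundle.crt
smtp_tls_security_level = secure
EOF
echo "== first.cf =="; audit_relay "$demo/first.cf" || true
echo "== final.cf =="; audit_relay "$demo/final.cf" || true
```

On a live system, `audit_relay /etc/postfix/main.cf` has to run as a user that can read the password map, normally root.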
                                • Vidar Salberg Normann
                                  Message 16 of 19 , Dec 27, 2008
                                    >> My ISP, ATT blocks port 25. I think if I just send the email to port 587
                                    >> ( which is how I've configured Thunderbird ) this should work.
                                    >
                                    > On 587, you will also need SASL authentication. This is a "submission"
                                    > service.

                                    Does this mean you can't make postfix treat traffic on port 587 exactly like
                                    normal SMTP traffic on port 25, while also accepting SASL and/or AUTH
                                    LOGIN if used?


                                    Regards.
                                  • Erwan David
                                    Message 17 of 19 , Dec 27, 2008
                                      On Fri 26/12/2008, mouss said
                                      >
                                      > it's not required. but if you don't verify the cert, then you trust DNS.
                                      > so a DNS attack (poisoning, ...) would make him send passwords to the
                                      > wrong server.

                                      But if you want to verify the cert the standard way of trusting any CA just
                                      because it appears in the default lists for OSes is also wrong. Those CAs have
                                      done nothing to build this trust. The only way would be to get the
                                      certificate directly from google, and not by electronic means...

                                      The validation part of SSL works if SSL is correctly used, but NOT in the standard modus of operation.

                                      --
                                      Erwan
                                    • mouss
                                      Message 18 of 19 , Dec 27, 2008
                                        Vidar Salberg Normann wrote:
                                        >>> My ISP, ATT blocks port 25. I think if I just send the email to port 587
                                        >>> ( which is how I've configured Thunderbird ) this should work.
                                        >> On 587, you will also need SASL authentication. This is a "submission"
                                        >> service.
                                        >
                                        > Does this mean you can't make postfix treat traffic on port 587 exactly like
                                        > normal SMTP traffic on port 25, while also accepting SASL and/or AUTH
                                        > LOGIN if used?
                                        >

                                        you can do what you want with _your_ postfix. 587 is just a number. it just
                                        happens to be the recommended submission port and the recommendation is
                                        to use SASL for submission.
                                      • Wietse Venema
                                        Message 19 of 19 , Dec 27, 2008
                                          Vidar Salberg Normann:
                                          > Does this mean you can't make postfix treat traffic on port 587 exactly like
                                          > normal SMTP traffic on port 25, while also accepting SASL and/or AUTH
                                          > LOGIN if used?

                                          The only difference between 25 and 587 is in the Postfix master.cf file.

                                          Wietse