setting up a relay port for postfix smtp on CentOS 7


You can't expect other people to have an SMTP server listening on any port other than port 25. If your ISP is blocking outbound port 25, you can set up your postfix system to relay mail through the ISP, such as in this example for Comcast.

Honestly, though, if you're running your own mail service on an ISP that is blocking outbound port 25, you might want to consider switching service to a business internet provider that doesn't block port 25, or move your mail to a hosting provider that allows SMTP.

EDIT:

I better understand what you're asking now. You want your SMTP server to both receive mail AND be an SMTP submission host. You'll need to add a second service to /etc/postfix/master.cf and set up SASL authentication. The Dovecot Wiki has example configuration for this process.
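As an added check (not part of this answer, nor of Postfix or Dovecot), the following script automates what the thread does by hand with nc: it connects to a submission listener, tells a cleartext banner from a TLS-wrapped one, upgrades with STARTTLS where it is offered, and reports whether AUTH is advertised over the encrypted session. Host and port are supplied by the caller; the EHLO replies in the comments are constructed samples.

```python
import smtplib
import ssl

def parse_ehlo(reply: str) -> dict:
    """Turn a raw EHLO reply (as captured with nc) into {KEYWORD: [params]}.
    The first line, '250-hostname', is the greeting and is skipped."""
    caps = {}
    for line in reply.strip().splitlines()[1:]:
        words = line[4:].split() if line.startswith("250") else []
        if words:
            caps[words[0].upper()] = words[1:]
    return caps

def assess(port: int, caps: dict, encrypted: bool) -> list:
    """Findings for a submission listener: 465 must be TLS-wrapped, 587 must
    upgrade with STARTTLS, and AUTH must be offered over the encrypted session;
    without AUTH no client can log in and relaying is refused (4.7.1)."""
    findings = []
    if not encrypted:
        findings.append("no TLS: 465 must be TLS-wrapped, 587 must offer STARTTLS")
    if "AUTH" not in caps:
        findings.append("no AUTH advertised: SASL is not enabled on this service")
    elif not encrypted:
        findings.append("AUTH offered in cleartext: passwords would cross the wire unprotected")
    return findings

def probe(host: str, port: int, timeout: float = 10.0) -> list:
    """Connect like 'nc host port', but try TLS (implicit on 465, STARTTLS elsewhere)."""
    ctx = ssl.create_default_context()
    encrypted = False
    try:
        if port == 465:
            srv = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
            encrypted = True
        else:
            srv = smtplib.SMTP(host, port, timeout=timeout)
    except ssl.SSLCertVerificationError as exc:
        return [f"TLS is on but the certificate does not verify: {exc.verify_message}"]
    except ssl.SSLError:
        # a cleartext 220 banner came back instead of a TLS handshake (the nc result above)
        srv = smtplib.SMTP(host, port, timeout=timeout)
    srv.ehlo()
    if not encrypted and srv.has_extn("starttls"):
        srv.starttls(context=ctx)
        srv.ehlo()  # capabilities change after STARTTLS: AUTH appears only now
        encrypted = True
    caps = {k.upper(): v.split() for k, v in srv.esmtp_features.items()}
    srv.quit()
    return assess(port, caps, encrypted)
```

Run `probe("mydomain.com", 587)` from the mail host first, as jsbillings suggests, so that a firewalld problem is not mistaken for a Postfix one.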



Author: RabT (updated on September 18, 2022)

Comments

  • RabT
    RabT almost 2 years

    A CentOS 7 server has postfix, dovecot, and mailx installed. I am able to make an IMAP connection to the server from my remote Thunderbird client running on my local devbox. But I am not able to send email through the server from my local Thunderbird installed on my devbox. After much research, I have identified that the reason is that my devbox ISP is blocking port 25. So I want to change the outgoing mail port to 465. This involves change in the server firewalld and postfix, in addition to change in the devbox Thunderbird.

    This question is different than similar questions on the stackexchange network because I am asking how to do this in CentOS 7, which has firewalld complicating things.

    The problem with simply changing the SMTP port is that other mail servers use port 25 to send email to each other. If I change the smtp port to 465, no one will be able to send email to my server. How do I change postfix, firewalld, and Thunderbird, so that my outbound email goes through port 465, while port 25 remains open to receive from other mail servers?

    I need specific syntax for specific config files. I already know the answer involves setting up a relay host. But how to set that up in CentOS 7?

    Here is what I have done so far:

    1.) I added the line 465 inet n - - - - smtpd to /etc/postfix/master.cf:

       # =========================================  
       # service type  private unpriv  chroot  wakeup  maxproc command + args
       #               (yes)   (yes)   (yes)   (never) (100)  
       # ====================================================================  
        smtp      inet  n   -   n   -   -   smtpd  
        465   inet  n   -   -   -   -   smtpd  
    

    2.) I then changed the SMTP port number in firewalld to 465 by making /usr/lib/firewalld/services/smtp.xml read as follows :

    <?xml version="1.0" encoding="utf-8"?>
    <service>
      <short>Mail (SMTP)</short>
      <description>This option allows incoming SMTP mail delivery. If you need to allow remote hosts to connect directly to your machine to deliver mail, enable this option. You $
      <port protocol="tcp" port="465"/>
    </service>
    

    3.) Still on the server, I typed systemctl stop postfix then systemctl start postfix then systemctl status postfix, and all went well. Then I typed firewall-cmd --reload without problems.

    4.) Next, I changed the outgoing smtp port in my devbox's Thunderbird to 465.

    5.) On the server, I then followed @derobert's advice and typed tcpdump -n -i any tcp port 465 and tried to send an email through the server using my devbox Thunderbird, and the following was printed out on the server:

    tcpdump -n -i any tcp port 465
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
    18:07:36.276193 IP my.SERVER.ip.addr.urd > my.DEVBOX.ip.addr.37589: Flags [S.], seq 3232257854, ack 2935370285, win 14480, options [mss 1460,sackOK,TS val 979486294 ecr 14200749,nop,wscale 7], length 0
    18:07:36.361712 IP my.DEVBOX.ip.addr.37589 > my.SERVER.ip.addr.urd: Flags [.], ack 1, win 115, options [nop,nop,TS val 14200832 ecr 979486294], length 0
    18:07:36.362152 IP my.SERVER.ip.addr.urd > my.DEVBOX.ip.addr.37589: Flags [P.], seq 1:43, ack 1, win 114, options [nop,nop,TS val 979486380 ecr 14200832], length 42
    18:07:36.366824 IP my.DEVBOX.ip.addr.37589 > my.SERVER.ip.addr.urd: Flags [P.], seq 1:186, ack 1, win 115, options [nop,nop,TS val 14200832 ecr 979486294], length 185
    18:07:36.366865 IP my.SERVER.ip.addr.urd > my.DEVBOX.ip.addr.37589: Flags [.], ack 186, win 122, options [nop,nop,TS val 979486385 ecr 14200832], length 0
    18:07:36.454916 IP my.DEVBOX.ip.addr.37589 > my.SERVER.ip.addr.urd: Flags [.], ack 43, win 115, options [nop,nop,TS val 14200920 ecr 979486380], length 0
    18:07:36.454961 IP my.SERVER.ip.addr.urd > my.DEVBOX.ip.addr.37589: Flags [P.], seq 43:195, ack 186, win 122, options [nop,nop,TS val 979486473 ecr 14200920], length 152
    18:07:36.539237 IP my.DEVBOX.ip.addr.37589 > my.SERVER.ip.addr.urd: Flags [.], ack 195, win 123, options [nop,nop,TS val 14201009 ecr 979486473], length 0
    18:09:20.466757 IP my.DEVBOX.ip.addr.37589 > my.SERVER.ip.addr.urd: Flags [F.], seq 186, ack 195, win 123, options [nop,nop,TS val 14304941 ecr 979486473], length 0
    18:09:20.467113 IP my.SERVER.ip.addr.urd > my.DEVBOX.ip.addr.37589: Flags [F.], seq 195, ack 187, win 122, options [nop,nop,TS val 979590485 ecr 14304941], length 0
    18:09:20.550693 IP my.DEVBOX.ip.addr.37589 > my.SERVER.ip.addr.urd: Flags [.], ack 196, win 123, options [nop,nop,TS val 14305025 ecr 979590485], length 0
    ^C
    11 packets captured
    12 packets received by filter
    0 packets dropped by kernel  
    

    6.) Similarly, also based on @derobert's advice, on the devbox I typed nc my.server.ip.addr 465 < /dev/null and the terminal printed 220 mydomain.com ESMTP Postfix in reply.

    The outgoing server (SMTP) settings in Thunderbird are:

    Description:           <Not Specified>  
    Server Name:           mydomain.com  
    Port:                  465
    User Name:             me
    Authentication Method: Normal Password
    Connection Security:   SSL/TLS  
    

    But the Thunderbird connection still times out, and the email is not sent. What else do I need to do?

    NOTE: When I change /usr/lib/firewalld/services/smtp.xml again to indicate port 25, and leave everything else the same from the other 5 steps above, I regain the ability to receive email from the server but am not able to send email through the server.

    EDIT:

    @jsbillings suggested that I define the submissions port in master.cf. To move things forward, I typed postconf -M in the terminal to print out the relevant contents of master.cf. I am still not able to send email, but here are the results after changes I have been making today in the course of working on this:

    smtp       inet  n       -       n       -       -       smtpd
    587        inet  n       -       -       -       -       smtpd
    submission inet  n       -       -       -       -       smtpd 
    -o   smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes 
    -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth 
    -o smtpd_sasl_security_options=noanonymous 
    -o smtpd_sasl_local_domain=$myhostname 
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject 
    -o smtpd_sender_login_maps=hash:/etc/postfix/virtual 
    -o smtpd_sender_restrictions=reject_sender_login_mismatch 
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    pickup     unix  n       -       n       60      1       pickup
    cleanup    unix  n       -       n       -       0       cleanup
    qmgr       unix  n       -       n       300     1       qmgr
    tlsmgr     unix  -       -       n       1000?   1       tlsmgr
    rewrite    unix  -       -       n       -       -       trivial-rewrite
    bounce     unix  -       -       n       -       0       bounce
    defer      unix  -       -       n       -       0       bounce
    trace      unix  -       -       n       -       0       bounce
    verify     unix  -       -       n       -       1       verify
    flush      unix  n       -       n       1000?   0       flush
    proxymap   unix  -       -       n       -       -       proxymap
    proxywrite unix  -       -       n       -       1       proxymap
    smtp       unix  -       -       n       -       -       smtp
    relay      unix  -       -       n       -       -       smtp
    showq      unix  n       -       n       -       -       showq
    error      unix  -       -       n       -       -       error
    retry      unix  -       -       n       -       -       error
    discard    unix  -       -       n       -       -       discard
    local      unix  -       n       n       -       -       local
    virtual    unix  -       n       n       -       -       virtual
    lmtp       unix  -       -       n       -       -       lmtp
    anvil      unix  -       -       n       -       1       anvil
    scache     unix  -       -       n       -       1       scache
    
    • garethTheRed
      garethTheRed over 9 years
      I don't have recent experience of setting up mail servers, so am not in a position to comment or advice. However, if your devbox's ISP blocks port 25 why not run a VPN from the devbox to the CentOS server. openvpn would be a reasonable choice ;-)
    • RabT
      RabT over 9 years
      @garethTheRed Thank you. I have thought of VPN-based solutions, but the reason I am still exploring email approaches is that many of the senders might remain outside the VPN. If I isolate the question down to the firewalld part only, and make it generic, is there a more easily attainable answer to the firewalld part? Here is the link: unix.stackexchange.com/questions/187973/…
    • derobert
      derobert over 9 years
      wiki.mozilla.org/MailNews:Logging should help figure out why Thunderbird is timing out
    • derobert
      derobert over 9 years
      Also, you're running clear-text (as opposed to SSL) on 465; that may be confusing Thunderbird.
    • RabT
      RabT over 9 years
      @derobert How can you tell I am running cleartext? The other email accounts in my Thunderbird all use 465 to connect to a mail server successfully, tho I do not have access to the config of that other server. Also, I tried the logging instructions with export NSPR_LOG_MODULES=smtp:5 and with export NSPR_LOG_FILE=/tmp/smtp.log, but yet nano /tmp/smtp.log resulted in an empty file even after I tried to send an email through Thunderbird with the same connection error. And even after I shut down Thunderbird. I hesitate to start asking a lot of questions about that because you've helped a lot
    • derobert
      derobert over 9 years
      @CodeMed well, when you did the netcat (nc) you got a cleartext welcome banner. If the port were running SSL/TLS, you'd not have. Note that you can also use STARTTLS which starts the encryption only after the welcome banner, but that's not the traditional way of doing things on 465.
    • RabT
      RabT over 9 years
      @derobert I just posted the Thunderbird SMTP settings at the end of my OP. I tried changing everything to port 587, including Thunderbird, smtp.xml, and master.cf, but still got the connection timeout. When I tried specifying STARTTLS in Thunderbird for port 465, the email send attempt gave an error stating that it was unable to establish a secure connection because the server does not advertise STARTTLS. I hesitate to start messing with things without understanding, or to post a bunch of logs that are not requested. Did I try the things you intended?
    • derobert
      derobert over 9 years
      @CodeMed what if you try "connection security" of "none". SSL/TLS isn't going to work because your server is set to none (as shown by the clear-text welcome message and lack of starttls support).
    • RabT
      RabT over 9 years
      @derobert As a test, I set connection security to none and tried to send a test email to a valid account. A different, new error resulted. An error occurred while sending mail. The mail server responded: 4.7.1 <[email protected]>: Relay access denied. Please check the message recipient [email protected] and try again. Please note that [email protected] is quite definitely a valid working address. I use it every day. Does this help narrow the problem?
    • derobert
      derobert over 9 years
      @CodeMed yes, it's a valid address, but not one local to your mail server. And you haven't authenticated, etc. with the mail server, so it won't allow you to relay through it. I'm going to have to suggest, though, that you learn about how to set up mail servers NOT on the Internet. Do it on a private network. There are too many jerks on the Internet who will abuse your server if you (accidentally) let them.
    • RabT
      RabT over 9 years
      @derobert Thank you for the words of caution. I always put any cut-and-paste content into a text editor first and do a find-replace to anonymize my.ip.addr and mydomain.com. I try to put potentially sensitive content in file sharing links even after that screen. But my devbox is the only computer connected to this internet connection, so I do not know how I could mimic a network with it as you suggest. Are there other precautions I might take?
    • derobert
      derobert over 9 years
      @CodeMed those are reasonable precautions but ultimately it's hard to hide on IPv4: there are few enough IP addresses that the jerks can (and do) just try them all. For experimenting not on the internet, how about running some virtual machines?
  • RabT
    RabT over 9 years
    The server host does not block port 25, only the devbox ISP does. What is more, all the other email accounts in my devbox's Thunderbird installation default to port 465 or port 587 for outbound SMTP. This is a widespread situation with solutions that must be well developed by now. I think it must have to do with firewalld being configured to allow two ports for SMTP (25 and 465 or 587) and the postfix config files allowing different ports for inbound and outbound SMTP as well. This question is about explicit steps for setting that up. Are you willing to answer the question at that level?
  • RabT
    RabT over 9 years
    Also, it is not just the ISP of the devbox. I can open port 25 on the ISP's modem firewall. But then I would have to set up a server to act as gatekeeper. Right now, I just have a notebook with dual-boot CentOS/Windows connected to the ISP modem. The work of setting up security for the dual boot machine would be greater than the work of answering this question, and I would still have to answer this question for users who need to connect using other networks.
  • jsbillings
    jsbillings over 9 years
    Oh! I see. You want to set up an SMTP submission port (typically 587) on your mail server. You will need to open the 'submission' port on the firewall and add the SMTP submission service with SASL authentication.
  • RabT
    RabT over 9 years
    Please see the EDIT I just added at the end of my OP containing revised contents of master.cf. What else should I change? Also, what syntax should I use for firewalld? For testing, I assigned ports 25, 465, and 587 to the smtp service in the public zone by modifying smtp.xml using the syntax shown in this other question I posted this morning. Here is the link: unix.stackexchange.com/questions/187973/…
  • jsbillings
    jsbillings over 9 years
    Are you able to authenticate and send mail through the submission (587) port from the mail host? I'm trying to determine if it's the firewall or the postfix setup.
  • RabT
    RabT over 9 years
    I don't know. How would I test that?
  • jsbillings
    jsbillings over 9 years
    Either run a mail client on the server (like mutt) or forward the port with ssh and use your Thunderbird client.
  • RabT
    RabT over 9 years
    mutt is installed on the server. What syntax should I type to do what you propose?
  • RabT
    RabT over 9 years
    I posted that as a separate question because the answer is not intuitive to me and I don't want us to stray from the primary issue. I will reply here again after I get an answer to the other posting. If curious, the link is: unix.stackexchange.com/questions/188227/…