Setting up a relay port for Postfix SMTP on CentOS 7
You can't expect other people to have an SMTP server listening on any port other than port 25. If your ISP is blocking outbound port 25, you can set up your postfix system to relay mail through the ISP, such as in this example for Comcast.
Honestly, though, if you're running your own mail service on an ISP that is blocking outbound port 25, you might want to consider switching service to a business internet provider that doesn't block port 25, or move your mail to a hosting provider that allows SMTP.
EDIT:
I better understand what you're asking now. You want your SMTP server to both receive mail AND be an SMTP submission host. You'll need to add a second service to /etc/postfix/master.cf and set up SASL authentication. The Dovecot Wiki has example configuration for this process.
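The two pieces the answer names, a second smtpd service in master.cf with Dovecot SASL and the matching firewalld opening, as an added example; this is not the answerer's, the Postfix project's or the Dovecot project's code. It targets the layout in the question (CentOS 7, Postfix 2.10, firewalld) and assumes: Dovecot's auth socket at /var/spool/postfix/private/auth (the Dovecot wiki setup, reproduced in a comment), the "public" zone, and a certificate and key at the paths in TLS_CERT and TLS_KEY, all of which are placeholders to adjust. The entries are appended to master.cf directly rather than with postconf -M -e, which needs Postfix 2.11 or later.

```shell
#!/bin/sh
# Added example, not the answer's own code: add an authenticated submission
# service on 587 (STARTTLS required) and 465 (TLS from the first byte) next to
# the port-25 smtpd, then open both ports in firewalld.
#   DRY_RUN=1 sh submission.sh apply   # print the plan only
#   sh submission.sh apply             # change the host
# Assumptions (placeholders to adjust): TLS_CERT/TLS_KEY, ZONE, and Dovecot's
# SASL socket at /var/spool/postfix/private/auth (Dovecot wiki setup, below).
set -eu

MASTER_CF=${MASTER_CF:-/etc/postfix/master.cf}
TLS_CERT=${TLS_CERT:-/etc/pki/tls/certs/mail.example.com.crt}   # assumption
TLS_KEY=${TLS_KEY:-/etc/pki/tls/private/mail.example.com.key}   # assumption
ZONE=${ZONE:-public}                                              # assumption
DRY_RUN=${DRY_RUN:-0}

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Dovecot side, in /etc/dovecot/conf.d/10-master.conf (then restart dovecot):
#   service auth {
#     unix_listener /var/spool/postfix/private/auth {
#       mode = 0660
#       user = postfix
#       group = postfix
#     }
#   }

# master.cf entries.  "-o" lines override main.cf for that service only, so the
# plain "smtp inet" line for port 25 keeps relaying closed and offers no AUTH.
# "smtps" must exist in /etc/services (CentOS 7 lists it as an alias of "urd",
# which is why tcpdump printed .urd); write 465 instead if it is missing.
submission_entries() {
    cat <<'EOF'
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
EOF
}

# Postfix 2.10 (CentOS 7) cannot edit master.cf with "postconf -M -e", so append.
install_master_entries() {
    if [ -f "$MASTER_CF" ] && grep -Eq '^(submission|smtps|587|465)[[:space:]]+inet' "$MASTER_CF"; then
        echo "$MASTER_CF already defines a 587/465 service; merge by hand" >&2
        return 1
    fi
    run cp -a "$MASTER_CF" "$MASTER_CF.bak"
    if [ "$DRY_RUN" = 1 ]; then submission_entries; else submission_entries >>"$MASTER_CF"; fi
}

# main.cf: certificate, opportunistic TLS on port 25, and AUTH only inside TLS.
configure_main_cf() {
    run postconf -e "smtpd_tls_cert_file = $TLS_CERT"
    run postconf -e "smtpd_tls_key_file = $TLS_KEY"
    run postconf -e "smtpd_tls_security_level = may"
    run postconf -e "smtpd_tls_auth_only = yes"
}

# firewalld: leave /usr/lib/firewalld/services/*.xml alone (package-owned and
# overwritten by updates); add the ports to the zone and keep "smtp" for 25.
open_firewall() {
    run firewall-cmd --permanent --zone="$ZONE" --add-service=smtp
    run firewall-cmd --permanent --zone="$ZONE" --add-port=587/tcp
    run firewall-cmd --permanent --zone="$ZONE" --add-port=465/tcp
    run firewall-cmd --reload
}

# 587 must offer AUTH after STARTTLS; 465 must answer with a TLS handshake, not
# the cleartext "220" banner nc showed in the question; 25 must not offer AUTH.
check_ports() {
    printf 'EHLO probe\r\nQUIT\r\n' \
        | openssl s_client -quiet -starttls smtp -connect 127.0.0.1:587 2>/dev/null \
        | grep -q '^250-AUTH' && echo "587: STARTTLS + AUTH ok" || echo "587: FAILED"
    printf 'QUIT\r\n' | openssl s_client -quiet -connect 127.0.0.1:465 2>/dev/null \
        | grep -q '^220 ' && echo "465: implicit TLS ok" || echo "465: FAILED"
    printf 'EHLO probe\r\nQUIT\r\n' | nc 127.0.0.1 25 \
        | grep -q '^250-AUTH' && echo "25: WARNING, AUTH offered in the clear" || echo "25: ok"
}

case "${1:-}" in
    apply) install_master_entries; configure_main_cf; open_firewall
           run systemctl restart postfix; check_ports ;;
    *)     echo "usage: [DRY_RUN=1] sh $0 apply" ;;
esac
```

Run it once with DRY_RUN=1 to read the exact master.cf entries and commands before applying; the 465 service is what Thunderbird's "SSL/TLS" setting expects, and the 587 service is what its "STARTTLS" setting expects, while port 25 is left exactly as other mail servers need it.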
RabT
Updated on September 18, 2022

Comments
-
RabT almost 2 years
A CentOS 7 server has postfix, dovecot, and mailx installed. I am able to make an IMAP connection to the server from my remote Thunderbird client running on my local devbox. But I am not able to send email through the server from my local Thunderbird installed on my devbox. After much research, I have identified that the reason is that my devbox ISP is blocking port 25. So I want to change the outgoing mail port to 465. This involves change in the server firewalld and postfix, in addition to change in the devbox Thunderbird.
This question is different than similar questions on the stackexchange network because I am asking how to do this in CentOS 7, which has firewalld complicating things.
The problem with simply changing the SMTP port is that other mail servers use port 25 to send email to each other. If I change the smtp port to 465, no one will be able to send email to my server. How do I change postfix, firewalld, and Thunderbird, so that my outbound email goes through port 465, while port 25 remains open to receive from other mail servers?
I need specific syntax for specific config files. I already know the answer involves setting up a relay host. But how to set that up in CentOS 7?
Here is what I have done so far:
1.) I added the line

    465 inet n - - - - smtpd

to /etc/postfix/master.cf:

    # ==========================================================================
    # service type  private unpriv  chroot  wakeup  maxproc command + args
    #               (yes)   (yes)   (yes)   (never) (100)
    # ==========================================================================
    smtp      inet  n       -       n       -       -       smtpd
    465       inet  n       -       -       -       -       smtpd
2.) I then changed the SMTP port number in firewalld to 465 by making /usr/lib/firewalld/services/smtp.xml read as follows:

    <?xml version="1.0" encoding="utf-8"?>
    <service>
      <short>Mail (SMTP)</short>
      <description>This option allows incoming SMTP mail delivery. If you need to allow remote hosts to connect directly to your machine to deliver mail, enable this option. You $
      <port protocol="tcp" port="465"/>
    </service>
3.) Still on the server, I typed systemctl stop postfix, then systemctl start postfix, then systemctl status postfix, and all went well. Then I typed firewall-cmd --reload without problems.

4.) Next, I changed the outgoing SMTP port in my devbox's Thunderbird to 465.
5.) On the server, I then followed @derobert's advice and typed

    tcpdump -n -i any tcp port 465

and tried to send an email through the server using my devbox Thunderbird, and the following was printed out on the server:

    tcpdump -n -i any tcp port 465
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
    18:07:36.276193 IP my.SERVER.ip.addr.urd > my.DEVBOX.ip.addr.37589: Flags [S.], seq 3232257854, ack 2935370285, win 14480, options [mss 1460,sackOK,TS val 979486294 ecr 14200749,nop,wscale 7], length 0
    18:07:36.361712 IP my.DEVBOX.ip.addr.37589 > my.SERVER.ip.addr.urd: Flags [.], ack 1, win 115, options [nop,nop,TS val 14200832 ecr 979486294], length 0
    18:07:36.362152 IP my.SERVER.ip.addr.urd > my.DEVBOX.ip.addr.37589: Flags [P.], seq 1:43, ack 1, win 114, options [nop,nop,TS val 979486380 ecr 14200832], length 42
    18:07:36.366824 IP my.DEVBOX.ip.addr.37589 > my.SERVER.ip.addr.urd: Flags [P.], seq 1:186, ack 1, win 115, options [nop,nop,TS val 14200832 ecr 979486294], length 185
    18:07:36.366865 IP my.SERVER.ip.addr.urd > my.DEVBOX.ip.addr.37589: Flags [.], ack 186, win 122, options [nop,nop,TS val 979486385 ecr 14200832], length 0
    18:07:36.454916 IP my.DEVBOX.ip.addr.37589 > my.SERVER.ip.addr.urd: Flags [.], ack 43, win 115, options [nop,nop,TS val 14200920 ecr 979486380], length 0
    18:07:36.454961 IP my.SERVER.ip.addr.urd > my.DEVBOX.ip.addr.37589: Flags [P.], seq 43:195, ack 186, win 122, options [nop,nop,TS val 979486473 ecr 14200920], length 152
    18:07:36.539237 IP my.DEVBOX.ip.addr.37589 > my.SERVER.ip.addr.urd: Flags [.], ack 195, win 123, options [nop,nop,TS val 14201009 ecr 979486473], length 0
    18:09:20.466757 IP my.DEVBOX.ip.addr.37589 > my.SERVER.ip.addr.urd: Flags [F.], seq 186, ack 195, win 123, options [nop,nop,TS val 14304941 ecr 979486473], length 0
    18:09:20.467113 IP my.SERVER.ip.addr.urd > my.DEVBOX.ip.addr.37589: Flags [F.], seq 195, ack 187, win 122, options [nop,nop,TS val 979590485 ecr 14304941], length 0
    18:09:20.550693 IP my.DEVBOX.ip.addr.37589 > my.SERVER.ip.addr.urd: Flags [.], ack 196, win 123, options [nop,nop,TS val 14305025 ecr 979590485], length 0
    ^C
    11 packets captured
    12 packets received by filter
    0 packets dropped by kernel
6.) Similarly, also based on @derobert's advice, on the devbox I typed

    nc my.server.ip.addr 465 < /dev/null

and the terminal printed

    220 mydomain.com ESMTP Postfix

in reply.

The outgoing server (SMTP) settings in Thunderbird are:

    Description: <Not Specified>
    Server Name: mydomain.com
    Port: 465
    User Name: me
    Authentication Method: Normal Password
    Connection Security: SSL/TLS

But the Thunderbird connection still times out, and the email is not sent. What else do I need to do?
NOTE: When I change /usr/lib/firewalld/services/smtp.xml again to indicate port 25, and leave everything else the same from the other 5 steps above, I regain the ability to receive email from the server but am not able to send email through the server.
EDIT:
@jsbillings suggested that I define the submission port in master.cf. To move things forward, I typed postconf -M in the terminal to print out the relevant contents of master.cf. I am still not able to send email, but here are the results after changes I have been making today in the course of working on this:

    smtp       inet  n       -       n       -       -       smtpd
    587        inet  n       -       -       -       -       smtpd
    submission inet  n       -       -       -       -       smtpd
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_sasl_type=dovecot
      -o smtpd_sasl_path=private/auth
      -o smtpd_sasl_security_options=noanonymous
      -o smtpd_sasl_local_domain=$myhostname
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o smtpd_sender_login_maps=hash:/etc/postfix/virtual
      -o smtpd_sender_restrictions=reject_sender_login_mismatch
      -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    pickup     unix  n       -       n       60      1       pickup
    cleanup    unix  n       -       n       -       0       cleanup
    qmgr       unix  n       -       n       300     1       qmgr
    tlsmgr     unix  -       -       n       1000?   1       tlsmgr
    rewrite    unix  -       -       n       -       -       trivial-rewrite
    bounce     unix  -       -       n       -       0       bounce
    defer      unix  -       -       n       -       0       bounce
    trace      unix  -       -       n       -       0       bounce
    verify     unix  -       -       n       -       1       verify
    flush      unix  n       -       n       1000?   0       flush
    proxymap   unix  -       -       n       -       -       proxymap
    proxywrite unix  -       -       n       -       1       proxymap
    smtp       unix  -       -       n       -       -       smtp
    relay      unix  -       -       n       -       -       smtp
    showq      unix  n       -       n       -       -       showq
    error      unix  -       -       n       -       -       error
    retry      unix  -       -       n       -       -       error
    discard    unix  -       -       n       -       -       discard
    local      unix  -       n       n       -       -       local
    virtual    unix  -       n       n       -       -       virtual
    lmtp       unix  -       -       n       -       -       lmtp
    anvil      unix  -       -       n       -       1       anvil
    scache     unix  -       -       n       -       1       scache
-
garethTheRed over 9 years
I don't have recent experience of setting up mail servers, so am not in a position to comment or advise. However, if your devbox's ISP blocks port 25, why not run a VPN from the devbox to the CentOS server? openvpn would be a reasonable choice ;-)
-
RabT over 9 years
@garethTheRed Thank you. I have thought of VPN-based solutions, but the reason I am still exploring email approaches is that many of the senders might remain outside the VPN. If I isolate the question down to the firewalld part only, and make it generic, is there a more easily attainable answer to the firewalld part? Here is the link: unix.stackexchange.com/questions/187973/…
-
derobert over 9 years
wiki.mozilla.org/MailNews:Logging should help figure out why Thunderbird is timing out
-
derobert over 9 years
Also, you're running clear-text (as opposed to SSL) on 465; that may be confusing Thunderbird.
-
RabT over 9 years
@derobert How can you tell I am running cleartext? The other email accounts in my Thunderbird all use 465 to connect to a mail server successfully, though I do not have access to the config of that other server. Also, I tried the logging instructions with export NSPR_LOG_MODULES=smtp:5 and with export NSPR_LOG_FILE=/tmp/smtp.log, but yet nano /tmp/smtp.log resulted in an empty file even after I tried to send an email through Thunderbird with the same connection error. And even after I shut down Thunderbird. I hesitate to start asking a lot of questions about that because you've helped a lot
-
derobert over 9 years
@CodeMed well, when you did the netcat (nc) you got a cleartext welcome banner. If the port were running SSL/TLS, you'd not have. Note that you can also use STARTTLS which starts the encryption only after the welcome banner, but that's not the traditional way of doing things on 465.
-
RabT over 9 years
@derobert I just posted the Thunderbird SMTP settings at the end of my OP. I tried changing everything to port 587, including Thunderbird, smtp.xml, and master.cf, but still got the connection timeout. When I tried specifying STARTTLS in Thunderbird for port 465, the email send attempt gave an error stating that it was unable to establish a secure connection because the server does not advertise STARTTLS. I hesitate to start messing with things without understanding, or to post a bunch of logs that are not requested. Did I try the things you intended?
-
derobert over 9 years
@CodeMed what if you try "connection security" of "none". SSL/TLS isn't going to work because your server is set to none (as shown by the clear-text welcome message and lack of starttls support).
-
RabT over 9 years
@derobert As a test, I set connection security to none and tried to send a test email to a valid account. A different, new error resulted:

    An error occurred while sending mail. The mail server responded: 4.7.1 <[email protected]>: Relay access denied. Please check the message recipient [email protected] and try again.

Please note that [email protected] is quite definitely a valid working address. I use it every day. Does this help narrow the problem?
-
derobert over 9 years
@CodeMed yes, it's a valid address, but not one local to your mail server. And you haven't authenticated, etc. with the mail server, so it won't allow you to relay through it. I'm going to have to suggest, though, that you learn about how to set up mail servers NOT on the Internet. Do it on a private network. There are too many jerks on the Internet who will abuse your server if you (accidentally) let them.
-
RabT over 9 years
@derobert Thank you for the words of caution. I always put any cut-and-paste content into a text editor first and do a find-replace to anonymize my.ip.addr and mydomain.com. I try to put potentially sensitive content in file sharing links even after that screen. But my devbox is the only computer connected to this internet connection, so I do not know how I could mimic a network with it as you suggest. Are there other precautions I might take?
-
derobert over 9 years
@CodeMed those are reasonable precautions but ultimately it's hard to hide on IPv4: there are few enough IP addresses that the jerks can (and do) just try them all. For experimenting not on the internet, how about running some virtual machines?
-
RabT over 9 years
The server host does not block port 25, only the devbox ISP does. What is more, all the other email accounts in my devbox's Thunderbird installation default to port 465 or port 587 for outbound SMTP. This is a widespread situation with solutions that must be well developed by now. I think it must have to do with firewalld being configured to allow two ports for SMTP (25 and 465 or 587) and the postfix config files allowing different ports for inbound and outbound SMTP as well. This question is about explicit steps for setting that up. Are you willing to answer the question at that level?
-
RabT over 9 years
Also, it is not just the ISP of the devbox. I can open port 25 on the ISP's modem firewall. But then I would have to set up a server to act as gatekeeper. Right now, I just have a notebook with dual-boot CentOS/Windows connected to the ISP modem. The work of setting up security for the dual boot machine would be greater than the work of answering this question, and I would still have to answer this question for users who need to connect using other networks.
-
jsbillings over 9 years
Oh! I see. You want to set up an SMTP submission port (typically 587) on your mail server. You will need to open the 'submission' port on the firewall and add the SMTP submission service with SASL authentication.
-
RabT over 9 years
Please see the EDIT I just added at the end of my OP containing revised contents of master.cf. What else should I change? Also, what syntax should I use for firewalld? For testing, I assigned ports 25, 465, and 587 to the smtp service in the public zone by modifying smtp.xml using the syntax shown in this other question I posted this morning. Here is the link: unix.stackexchange.com/questions/187973/…
-
jsbillings over 9 years
Are you able to authenticate and send mail through the submission (587) port from the mail host? I'm trying to determine if it's the firewall or the postfix setup.
-
RabT over 9 years
I don't know. How would I test that?
-
jsbillings over 9 years
Either run a mail client on the server (like mutt) or forward the port with ssh and use your Thunderbird client.
-
RabT over 9 years
mutt is installed on the server. What syntax should I type to do what you propose?
-
RabT over 9 years
I posted that as a separate question because the answer is not intuitive to me and I don't want us to stray from the primary issue. I will reply here again after I get an answer to the other posting. If curious, the link is: unix.stackexchange.com/questions/188227/…
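The local test jsbillings asks for in the comments (authenticate and submit from the mail host itself, or through an ssh port forward) and the "Relay access denied" reply derobert explains, as an added example that is not code from anyone in this thread. It assumes a submission service on port 587 that requires STARTTLS and then offers AUTH PLAIN through Dovecot, that USER and PASS are a real Dovecot login, that the addresses and host are placeholders, and that the certificate may be self-signed, so openssl's verification result is not checked.

```shell
#!/bin/sh
# Added example (not from the thread): submit one authenticated test message
# to the 587 submission service and turn the server's replies into a verdict.
# Assumptions: STARTTLS is required on 587 and AUTH PLAIN is offered after it;
# USER/PASS are a Dovecot login; the certificate may be self-signed, so
# openssl's verification result is deliberately not checked here.
set -eu

# RFC 4616 PLAIN credential: NUL (empty authzid), authcid, NUL, password,
# base64 with line wrapping removed so it fits on the AUTH command line.
auth_plain_token() {   # user pass
    printf '\000%s\000%s' "$1" "$2" | base64 | tr -d '\n'
}

# The whole dialogue in one write (Postfix advertises PIPELINING, so the
# commands may be sent before the replies arrive).  Every line ends in CRLF.
session_script() {   # user pass mail_from rcpt_to
    printf 'EHLO probe.invalid\r\nAUTH PLAIN %s\r\nMAIL FROM:<%s>\r\nRCPT TO:<%s>\r\nDATA\r\nSubject: submission test\r\n\r\nsubmission test\r\n.\r\nQUIT\r\n' \
        "$(auth_plain_token "$1" "$2")" "$3" "$4"
}

# Map the replies that matter to one word:
#   535                    -> auth_failed  (SASL rejected the login)
#   "Relay access denied"  -> relay_denied (RCPT TO reached without a
#                             successful AUTH, which is what an unauthenticated
#                             Thunderbird gets)
#   250 2.0.0 Ok: queued   -> queued
verdict() {   # transcript
    if   printf '%s\n' "$1" | grep -q  '^535';                  then echo auth_failed
    elif printf '%s\n' "$1" | grep -qi 'relay access denied';   then echo relay_denied
    elif printf '%s\n' "$1" | grep -q  '^250 2.0.0 Ok: queued'; then echo queued
    else echo unknown; fi
}

# Run the dialogue over STARTTLS against HOST:PORT, print the transcript and
# the verdict.  Run it on the mail host against 127.0.0.1 to take firewalld and
# the ISP out of the picture, or through "ssh -L 1587:127.0.0.1:587 server"
# and then against 127.0.0.1:1587 from the devbox.
submit_test() {   # host port user pass mail_from rcpt_to
    transcript=$(session_script "$3" "$4" "$5" "$6" \
        | openssl s_client -quiet -starttls smtp -connect "$1:$2" 2>/dev/null || true)
    printf '%s\n' "$transcript"
    verdict "$transcript"
}

# Example invocation (hypothetical host, login and addresses):
#   submit_test 127.0.0.1 587 me 'secret' me@mydomain.com someone@example.com
```

A verdict of relay_denied with the right password means AUTH never succeeded (check that Dovecot's private/auth socket exists under /var/spool/postfix and that smtpd_sasl_auth_enable is set for the service), while queued from the host but a timeout from the devbox points at firewalld or the ISP rather than Postfix. The same check can be done with swaks (--server, --tls, --auth PLAIN, --auth-user) if it is installed.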