Ok, so I went ahead and played around with postfix to see if I could get it to forward the mail the way I wanted. This seems like a really bad idea on a true multi-user system, since I'm pretty sure it would let anybody on my box send mail as me simply by specifying my email address in the smtp envelope.
There's an article on setting up two postfix instances to do smtp forwarding where the assumption is that each account on your box should be magically transformed into a single outgoing smtp account. I was able to glean a lot of info from it, but it wasn't quite what I wanted.
I've got postfix 2.4.5-3ubuntu1. Docs suggest that I would have had less trouble with the TLS configuration in 2.5, but I didn't really feel like recompiling it.
Set up sender-dependent relaying
Create sender_dependent_relayhost, which maps sender addresses to outgoing servers (don't forget postmap).
# cat > /etc/postfix/sender_dependent_relayhost
ryandjohnson@gmail.com [smtp.gmail.com]:25
ryan@innerfence.com [server1.gambitdesign.com]:25
# postmap sender_dependent_relayhost
Require TLS for the relays
Create smtp_tls_policy, which requires TLS with a verified certificate for each of our relay hosts (the secure level checks the certificate chain against the CA roots and matches the server name against the next-hop). In part this is necessary to guarantee that our passwords aren't sent in the clear, since gmail doesn't support anything other than plaintext authentication.
# cat > /etc/postfix/smtp_tls_policy
[smtp.gmail.com]:25 secure
[server1.gambitdesign.com]:25 secure
# postmap smtp_tls_policy
Set up passwords
Create sasl_password, which holds your username/password for each host (keep it mode 600, since the passwords are stored in cleartext).
# cat > /etc/postfix/sasl_password
[smtp.gmail.com]:25 ryandjohnson@gmail.com:nopaste
[server1.gambitdesign.com]:25 ryan@innerfence.com:nopaste
# chmod 600 sasl_password
# postmap sasl_password
Fix TLS certificate validation
We need to link in the OpenSSL root certificates and take the smtp client process out of its chroot, since the CA directory has to be reachable from where the client runs for verification to work. This kind of sucks, but I didn't really see any other way to do it.
# ln -s /etc/ssl/certs /etc/postfix/certs
# $EDITOR /etc/postfix/master.cf
-smtp unix - - n - - smtp
+smtp unix - - - - - smtp
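Review bot: the signs on this hunk look reversed relative to the stated goal of taking the smtp client out of the chroot. Column 5 of master.cf is the chroot flag; the `+` line `smtp unix - - - - - smtp` sets it to `-`, which in Postfix 2.x means the default of y (chrooted), while the removed line `smtp unix - - n - - smtp` is the one with chroot disabled. For the /etc/postfix/certs symlink to resolve to /etc/ssl/certs, the `n` needs to be on the line that is kept.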
Hook it all up in main.cf
# $EDITOR /etc/postfix/main.cf
+
+# Relay according to the sender address
+sender_dependent_relayhost_maps = hash:/etc/postfix/sender_dependent_relayhost
+
+# Turn on TLS for the smtp *client* (for relaying)
+smtp_tls_CApath = /etc/postfix/certs
+smtp_tls_policy_maps = hash:/etc/postfix/smtp_tls_policy
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
+# Use SASL authentication over smtp *client* (for relaying)
+smtp_sasl_auth_enable = yes
+smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
+# allow plaintext (over TLS)
+smtp_sasl_security_options = noanonymous
+
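Review bot: `smtp_sasl_security_options = noanonymous` drops the default `noplaintext` for every destination, so PLAIN/LOGIN would also be offered to a relay that is not covered by a `secure` entry in smtp_tls_policy (only the two hosts in the map are). Postfix provides a TLS-specific setting for exactly this, so the safer form is to keep `smtp_sasl_security_options = noplaintext, noanonymous` and add `smtp_sasl_tls_security_options = noanonymous`, which permits plaintext mechanisms only once the session is encrypted. Also worth stating in the comment that sender_dependent_relayhost_maps only affects the two listed senders; mail from any other envelope sender still follows the default relayhost (direct delivery here).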
Fire it up, test it out
# postfix reload
# sendmail -f ryandjohnson@gmail.com -t ryan@innerfence.com
From: ryandjohnson@gmail.com
To: ryan@innerfence.com
Subject: test message
The quick brown fox jumps over the lazy dog.
# tail /var/log/mail.log
When you test it, be sure to view all the headers on the mail you receive, to confirm that you get DomainKeys signatures, SPF passes, and all the other modern goodness that is really why you want to do this.
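A consistency check over the three lookup tables created in the steps above, as an added example that is not part of the original post: it confirms that every next-hop in sender_dependent_relayhost has a secure entry in smtp_tls_policy and a user:password entry in sasl_password, and that the password file is owner-only. The write_sample_maps helper, the temporary directory and the placeholder passwords are assumptions; the sample tables mirror the post's.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the three Postfix
# lookup tables before running postmap and postfix reload.

# write_sample_maps DIR: constructed copies of the post's three tables with
# placeholder passwords, written under DIR (assumed to exist).
write_sample_maps() {
    printf '%s\n' 'ryandjohnson@gmail.com [smtp.gmail.com]:25' \
        'ryan@innerfence.com [server1.gambitdesign.com]:25' > "$1/sender_dependent_relayhost"
    printf '%s\n' '[smtp.gmail.com]:25 secure' \
        '[server1.gambitdesign.com]:25 secure' > "$1/smtp_tls_policy"
    printf '%s\n' '[smtp.gmail.com]:25 ryandjohnson@gmail.com:PASSWORD-PLACEHOLDER' \
        '[server1.gambitdesign.com]:25 ryan@innerfence.com:PASSWORD-PLACEHOLDER' > "$1/sasl_password"
    chmod 600 "$1/sasl_password"
}

# check_relay_maps RELAY_MAP TLS_POLICY_MAP SASL_PASSWORD_MAP
# Prints one line per problem and returns the number of problems (0 = consistent).
check_relay_maps() {
    relay_map=$1; tls_map=$2; pw_map=$3; problems=0
    # sasl_password holds cleartext credentials: insist on owner-only access.
    mode=$(stat -c %a "$pw_map" 2>/dev/null || stat -f %Lp "$pw_map")
    case "$mode" in
        600|400) ;;
        *) echo "$pw_map: mode $mode, expected 600"; problems=$((problems + 1)) ;;
    esac
    # Column 2 of the relay map is the next-hop, e.g. [smtp.gmail.com]:25. The same
    # string must key both the TLS policy and the SASL credential for that hop.
    for host in $(awk '$1 !~ /^#/ && NF >= 2 { print $2 }' "$relay_map" | sort -u); do
        policy=$(awk -v h="$host" '$1 == h { print $2; exit }' "$tls_map")
        case "$policy" in
            secure|verify) ;;
            "") echo "$host: no entry in $tls_map (default smtp_tls_security_level would apply)"
                problems=$((problems + 1)) ;;
            *)  echo "$host: TLS policy is '$policy', expected secure"
                problems=$((problems + 1)) ;;
        esac
        # Without a matching user:password entry the client simply does not AUTH.
        if ! awk -v h="$host" '$1 == h && $2 ~ /:/ { ok = 1 } END { exit (ok ? 0 : 1) }' "$pw_map"; then
            echo "$host: no user:password entry in $pw_map"
            problems=$((problems + 1))
        fi
    done
    return $problems
}
```

Point it at the real files under /etc/postfix once they exist; a non-zero return with the printed lines tells you which table is missing an entry for which next-hop.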
Next steps
Well, now it's time to figure out how to get mutt to do the right thing. I'm pretty sure that account_hook + envelope_from will save the day.