Monday, January 26, 2009

SMTP Authentication, Port 587, and OSX Server 10.4.11

I was having trouble getting clients to authenticate to one of my servers (running Mac OSX 10.4.11 Server) so they could use it for SMTP. This was much needed, especially for those whose ISPs blocked port 25, and for those who travel. There were dozens of suggestions out there, some helpful, some not.


After reading, breaking and fixing mail, and trying all the suggestions in posts I could find, this is what finally got it working. Now clients can configure their email programs to use my SMTP server on port 587 with authentication. It’s easy as 1, 2, 3.


1) In /etc/postfix/master.cf uncomment the line:


submission inet n - n - - smtpd


This will allow SMTP over port 587, the "submission" port.


2) In /etc/postfix/main.cf modify the line:


smtpd_client_restrictions =


and make sure “permit_sasl_authenticated” is in there. It should look something like this:


smtpd_client_restrictions = permit_sasl_authenticated permit_mynetworks reject_rbl_client zen.spamhaus.org permit


This line is modified by Server Admin’s “Use these junk mail rejection servers (real-time blacklist):” field so keep an eye on it if you change something in Server Admin.


3) sudo postfix reload
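A small check script, added here and not part of the original post or of Apple's or Postfix's own tooling, that verifies steps 1 and 2 against constructed stand-ins for master.cf and main.cf before you run step 3; point the two functions at the real files under /etc/postfix to audit a server.

```shell
#!/bin/sh
# Pre-reload check for the two edits above. Constructed sample files stand in
# for /etc/postfix/master.cf and /etc/postfix/main.cf so this runs anywhere.
MASTER_CF=$(mktemp); MAIN_CF=$(mktemp)
cat >"$MASTER_CF" <<'EOF'
smtp      inet  n       -       n       -       -       smtpd
submission inet n - n - - smtpd
#smtps    inet  n       -       n       -       -       smtpd
EOF
cat >"$MAIN_CF" <<'EOF'
myhostname = mail.example.com
smtpd_client_restrictions = permit_sasl_authenticated permit_mynetworks
    reject_rbl_client zen.spamhaus.org permit
EOF

# Step 1 check: an uncommented "submission inet" service line must exist.
submission_enabled() {
  grep -Eq '^[[:space:]]*submission[[:space:]]+inet[[:space:]]' "$1"
}

# Prints the effective value of one main.cf parameter. Postfix treats a line
# that starts with whitespace as a continuation of the previous value, and the
# last definition wins, so both cases are handled here.
main_cf_value() {
  awk -v key="$2" '
    /^[ \t]/ { if (found) val = val " " $0; next }
    { found = 0 }
    $0 ~ ("^" key "[ \t]*=") { found = 1; sub(/^[^=]*=[ \t]*/, ""); val = $0 }
    END { gsub(/[ \t]+/, " ", val); sub(/ $/, "", val); print val }' "$1"
}

# Step 2 check: permit_sasl_authenticated must be in smtpd_client_restrictions.
# It sits before reject_rbl_client in the line above, so a travelling user on a
# blacklisted dynamic IP is still accepted once authenticated.
sasl_clients_permitted() {
  main_cf_value "$1" smtpd_client_restrictions | tr ' ' '\n' |
    grep -qx permit_sasl_authenticated
}

# Run both checks and stop before step 3 if either fails.
audit_submission() {
  rc=0
  submission_enabled "$1" ||
    { echo "master.cf: submission service still commented out"; rc=1; }
  sasl_clients_permitted "$2" ||
    { echo "main.cf: smtpd_client_restrictions lacks permit_sasl_authenticated"; rc=1; }
  return $rc
}

audit_submission "$MASTER_CF" "$MAIN_CF" && echo "ok: now run 'sudo postfix reload'"
```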


Obviously port 587 should be opened in the firewall, and at least one authentication method should be selected in Server Admin. I recommend selecting only one secure method, so that authentication of that type is required (e.g. CRAM-MD5 or Kerberos).


Apple’s documentation is not so thorough (there is no need for them to rewrite the comprehensive documentation of open source software), but you can find more detailed explanations at http://www.postfix.org, and the Postfix configuration parameters are documented at http://www.postfix.org/postconf.5.html.


WARNING: Keep in mind that this adds an increased security risk, as does opening any additional port or adding any additional service. I'm assuming you know what you're doing and know how to avoid setting your server up as an open relay.


As soon as the spam people find out about your port 587 being open they will most likely (and relentlessly) try to gain authentication and, at the very least, increase traffic to your network. If your server is used to relay spam you could end up on a blacklist, have a bunch of people mad at you, or even be sued. Vulnerable mail relays are bad. You can test for an open relay here: http://www.abuse.net/relay.html
