Debian – Postfix smarthost, allow relay by dynamic IP


I have several servers (web, mysql, java) that have postfix installed which are set up to relay to a smarthost postfix server.

DYNAMIC IP                              STATIC IP            INTERNET
[PHP -> sendmail -> 25:postfix:2525] -> [2525:postfix:25] -> [25:external]

The problem is that the first servers have dynamic IP addresses, so I can't simply add their IP addresses to the mynetworks setting in the main.cf of the middle postfix server.

I think the solution is SASL, but I can't figure out how to set a username:password on the first and have it authenticated on the second.

This is what I have on the relay (the first, dynamic-IP servers):

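# Sending hosts (dynamic IP): hand all outbound mail to the smarthost on
# port 2525 over mandatory TLS and authenticate with SASL.
apt-get install postfix libsasl2-modules

# Write the file main.cf; /etc/postfix/ on its own is a directory and the
# redirect would fail. The quoted 'EOF' keeps $myhostname, $mail_name and
# ${data_directory} literal so that Postfix, not the shell, expands them.
#
# NOTE(review): the mynetworks value was truncated on the page
# ("[::ffff:]/104"); the IPv4-mapped loopback range is assumed - confirm.
# NOTE(review): "encrypt" forces TLS but does not verify the smarthost's
# certificate, so the SASL password could be handed to a host that merely
# answers on that address. Once the smarthost presents a certificate that
# matches its name, smtp_tls_security_level = verify (or secure) closes
# that gap.
# NOTE(review): the file behind smtp_sasl_password_maps holds the password
# in clear text; it and its .db should be root-owned with mode 0600, and the
# lookup key must be spelled exactly like relayhost, brackets and port
# included.
cat > /etc/postfix/main.cf << 'EOF'
myhostname = a-eu1-test-http
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
relayhost = [smarthost]:2525
mynetworks = [::ffff:127.0.0.0]/104 [::1]/128
mydestination = a-eu1-test-http, localhost
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = loopback-only

smtpd_banner = $myhostname ESMTP $mail_name
biff = no
append_dot_mydomain = no
readme_directory = no

smtp_tls_security_level = encrypt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/relay_password
smtp_sasl_security_options = noanonymous
EOF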

This is what I have on the smarthost, but I don't know how to define the SASL users:

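# Smarthost (static IP): accepts mail from the dynamic-IP hosts and relays
# it to the Internet, but only for loopback clients or SASL-authenticated
# sessions.
apt-get install postfix libsasl2-modules

# Write the file main.cf; /etc/postfix/ on its own is a directory and the
# redirect would fail. The quoted 'EOF' keeps the $-variables literal so
# that Postfix, not the shell, expands them.
#
# NOTE(review): the mynetworks value was truncated on the page
# ("[::ffff:]/104"); the IPv4-mapped loopback range is assumed - confirm.
# Keep it loopback-only: anything listed there may relay without
# authenticating.
# NOTE(review): smtpd_tls_security_level = encrypt is what keeps the
# PLAIN/LOGIN passwords off the wire in clear text, but no
# smtpd_tls_cert_file / smtpd_tls_key_file is set in this file. Without a
# certificate smtpd cannot offer STARTTLS - confirm one is configured.
# NOTE(review): main.cf settings apply to every smtpd listener; if this
# host also receives Internet mail on port 25, mandatory TLS will turn away
# senders that cannot do STARTTLS. Scoping it to the 2525 service in
# master.cf avoids that - verify against master.cf, which is not shown.
cat > /etc/postfix/main.cf << 'EOF'
myorigin = /etc/mailname
myhostname = smarthost
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
relayhost =
mynetworks = [::ffff:127.0.0.0]/104 [::1]/128
mydestination = smarthost, localhost
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

smtpd_banner = $myhostname ESMTP $mail_name
biff = no
append_dot_mydomain = no
readme_directory = no

smtpd_tls_security_level = encrypt
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname

smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
EOF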

Best Answer

You are basically missing the authentication backend.

On the relay (the smarthost that authenticates the clients):

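# Smarthost side: give Postfix's smtpd a Cyrus SASL backend to check the
# relay user's password against.
apt-get install postfix libsasl2-2 libsasl2-modules sasl2-bin

# smtpd talks to saslauthd through a socket that is restricted to group sasl.
adduser postfix sasl

mkdir -p /etc/postfix/sasl

# PLAIN and LOGIN carry the password itself, so they are only acceptable
# on sessions that are already encrypted (the smarthost main.cf in the
# question sets smtpd_tls_security_level = encrypt).
cat > /etc/postfix/sasl/smtpd.conf << 'EOF'
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
EOF

# saslpasswd2 (below) stores the account in the sasldb file, so saslauthd
# has to be told to look there; with another backend such as pam the
# account created below would never authenticate. The socket directory sits
# inside /var/spool/postfix so a chrooted smtpd can reach it.
# NOTE(review): this overwrites the packaged defaults file, so START and
# MECHANISMS are set explicitly here - compare with the packaged copy.
cat > /etc/default/saslauthd << 'EOF'
START=yes
MECHANISMS="sasldb"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"
EOF

# Prompts for the password interactively, which keeps it out of argv and
# shell history. The realm (-u) is the smarthost's myhostname, matching
# smtpd_sasl_local_domain = $myhostname in its main.cf.
# NOTE(review): confirm the sasldb file is not world-readable afterwards.
saslpasswd2 -c -u "$(postconf -h myhostname)" relay-user

# Restart both daemons so the new saslauthd options and postfix's new
# group membership take effect.
service saslauthd restart
service postfix restart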

On the client:

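# Client side: the credentials Postfix presents to the smarthost.
# The file name must be the one main.cf points at
# (smtp_sasl_password_maps = hash:/etc/postfix/relay_password), and the
# lookup key must be spelled exactly like relayhost ([smarthost]:2525),
# brackets and port included, or no credentials are found.
# "password" is a placeholder for the value given to saslpasswd2.

# Create the file with mode 0600 before the secret is written into it;
# postmap gives the .db file the same permissions as its source.
install -m 600 /dev/null /etc/postfix/relay_password
cat > /etc/postfix/relay_password << 'EOF'
[smarthost]:2525  relay-user:password
EOF
postmap /etc/postfix/relay_password
postfix reload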