paulgorman.org/technical

SMTPS

Assume we have a mail server/smarthost running Postfix. We also have Debian boxes with exim4 that need to send mail, perhaps administrative alerts, through our smarthost. In some settings, sending out to port 25 (smtp) is a problem.

Port 587 is explicitly for authenticated clients to securely submit mail to the Mail Submission Agent.

On the smarthost, in /etc/postfix/master.cf:

# smtpd_enforce_tls is the older name for smtpd_tls_security_level=encrypt (Postfix 2.3 and later)
submission inet n       -       -       -       -       smtpd
    -o smtpd_enforce_tls=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject

And in /etc/postfix/sasl/smtpd.conf specify only the following mechanisms:

mech_list: PLAIN LOGIN

And make sure the port is open:

~ $  cat /etc/iptables/rules.v4 | grep 587
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT

On our sending Debian boxes, make sure exim4 is installed and configured, and that the hostname is set correctly:

~ $  hostname -f
~ $  sudo apt-get install exim4
~ $  sudo dpkg-reconfigure exim4-config

Follow the example in /etc/exim4/passwd.client to supply an appropriate server, login name, and password:

~ $  sudo cat /etc/exim4/passwd.client
# password file used when the local exim is authenticating to a remote
# host as a client.
#
# see exim4_passwd_client(5) for more documentation
#
# Example:
### target.mail.server.example:login:password

The user exim runs as (i.e. “Debian-exim”) must be able to read this file.

Add to /etc/aliases:

root: alert@example.com

and run:

~ #  newaliases

Test the TLS connection to the submission port:

~ $  openssl s_client -quiet -starttls smtp -connect mail.example.com:587

Also, inspect the exim queue and force a queue run:

~ $  exim -bp
~ $  exim -qff
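
A scripted version of the openssl check above, as an added example that is not part of the original page: it compares what the submission port advertises before and after STARTTLS against the master.cf and smtpd.conf settings shown earlier (with TLS enforced, Postfix should not offer AUTH until the session is encrypted). The names audit_features, probe and ALLOWED_MECHS are hypothetical, and the sample feature dictionaries are constructed.

```python
import smtplib
import ssl

ALLOWED_MECHS = {"PLAIN", "LOGIN"}  # mech_list from smtpd.conf on this page


def audit_features(pre_tls, post_tls):
    """Audit EHLO features (smtplib esmtp_features dicts: lowercase extension
    name -> parameter string) seen before and after STARTTLS.
    Returns a list of findings; empty means the port behaves as configured."""
    findings = []
    if "starttls" not in pre_tls:
        findings.append("STARTTLS not offered")
    if "auth" in pre_tls:
        findings.append("AUTH advertised before TLS: " + pre_tls["auth"].strip())
    if "auth" not in post_tls:
        findings.append("AUTH not offered after STARTTLS")
    else:
        extra = set(post_tls["auth"].upper().split()) - ALLOWED_MECHS
        if extra:
            findings.append("unexpected SASL mechanisms: " + " ".join(sorted(extra)))
    return findings


def probe(host, port=587, timeout=10):
    """Live check against a submission port. The default SSL context verifies
    the certificate chain and hostname, so a self-signed smarthost fails here."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        pre, post = dict(smtp.esmtp_features), {}
        if "starttls" in pre:
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()  # features are reset by STARTTLS; ask again
            post = dict(smtp.esmtp_features)
    return audit_features(pre, post)


# Constructed sample data, not captured from a real server.
GOOD_PRE = {"pipelining": "", "size": "10240000", "starttls": ""}
GOOD_POST = {"pipelining": "", "size": "10240000", "auth": " PLAIN LOGIN"}
BAD_PRE = {"starttls": "", "auth": " PLAIN LOGIN"}   # password offered in clear
BAD_POST = {"auth": " PLAIN LOGIN CRAM-MD5"}         # mechanism outside mech_list

if __name__ == "__main__":
    print(audit_features(GOOD_PRE, GOOD_POST))
    print(audit_features(BAD_PRE, BAD_POST))
```

For a live run, call probe("mail.example.com") from a host that is allowed to reach port 587 on the smarthost.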