On Mon, Apr 21, 2008, Jeff Waugh wrote:
> Well, how about using multiple parameters in the postfix relayhost setting?
> 
>   relayhost =
>     [usual.server.on.normal.port]:25
>     [usual.server.on.submission.port]:587
>     [fascist.university.server]:25
> 
> Then set up multiple entries in /etc/postfix/sasl_passwd like so:
> 
>   usual.server.on.normal.port  p4ssw0rd
>   fascist.university.server    p4ssw0rd

In case anyone finds this useful, what I actually had to do:

First, the relevant fascist server does not support the modern STARTTLS
way of doing secure SMTP; they use the old wrapper mode on port 465,
which Postfix DOESN'T support in client mode. (Before anyone mails, no,
they don't support STARTTLS on port 587 either; that seems to be wrapper
mode too.)

In order to get Postfix to do this, I used stunnel to forward a local
port per http://www.postfix.org/SASL_README.html#client_sasl and
http://www.postfix.org/TLS_README.html#client_smtps

stunnel is an absolute pain in the neck on Ubuntu: it refuses to log
errors in any meaningful way and will often claim to start without
actually having done so. To debug it, I suggest running it on the
command line "sudo stunnel4 /etc/stunnel/stunnel.conf" so you can see
what it really thinks it is doing. In addition, don't forget to set
ENABLED=1 in /etc/default/stunnel4 so that the init scripts will at
least try and work.

This is what my /etc/stunnel/stunnel.conf ended up looking like:

"""
#; very simple config from http://archives.neohapsis.com/archives/postfix/2007-03/1350.html

pid = /var/run/stunnel.pid
key = /etc/stunnel/stunnel.pem

[smtp-tls-wrapper]
accept = 11125
client = yes
connect = fascist.university.server:465
"""

I generated /etc/stunnel/stunnel.pem with "openssl req -new -x509 -days
3650 -nodes -out stunnel.pem -keyout stunnel.pem" per
http://ubuntuforums.org/showthread.php?t=679779

According to most guides to Postfix and stunnel around, the key
shouldn't be required, but I didn't get stunnel to work without it.

Then in /etc/postfix/main.cf:

"""
relayhost = [127.0.0.1]:11125
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
smtp_sasl_security_options = 
"""

The last line is required because the server in question ALSO isn't
strict enough in terms of password transmission for our good friend
Postfix, so I needed to turn off the security checking. You can tell
from the Postfix logs: you will get messages like "warning: SASL
authentication failure: No worthy mechs found".

Finally, make sure that /etc/postfix/sasl/passwd has the relay host and
not the fascist.university.server:465 value:

"""
[127.0.0.1]:11125       USERNAME:PASSWORD
"""

-Mary
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
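
A consistency check for the setup described in the message above, as an added example that is not part of the original post: it confirms that the sasl passwd key equals the relayhost value and that a stunnel client service accepts on that port, and it flags a tunnel that listens on all interfaces or does not verify the server certificate (stunnel's default when no verify option is set). The function and finding names are hypothetical, the inputs are constructed from the settings quoted above, and multi-line main.cf values are not handled.

```python
import re

def parse_ini(text):
    """Parse 'name = value' lines; [section] headers group stunnel services."""
    section, out = "global", {"global": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1)
            out[section] = {}
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            out[section][key] = value
    return out

def audit(main_cf, stunnel_conf, sasl_passwd):
    """Return finding names for a Postfix -> stunnel -> SMTPS relay setup."""
    findings = []
    postfix = parse_ini(main_cf)["global"]
    relay = postfix.get("relayhost", "")
    # The password map must be keyed by the relayhost value exactly as written.
    keys = [l.split()[0] for l in sasl_passwd.splitlines() if l.strip()]
    if relay not in keys:
        findings.append("sasl-key-mismatch")
    stunnel = parse_ini(stunnel_conf)
    defaults = stunnel.pop("global")  # options before the first [service]
    port = relay.rsplit(":", 1)[-1]
    tunnel = next(({**defaults, **s} for s in stunnel.values()
                   if s.get("client") == "yes"
                   and s.get("accept", "").rsplit(":", 1)[-1] == port), None)
    if tunnel is None:
        return findings + ["no-tunnel-for-relayhost"]
    if ":" not in tunnel["accept"]:
        findings.append("tunnel-listens-on-all-interfaces")  # bare port, no host
    if int(tunnel.get("verify", "0")) < 2:
        findings.append("server-cert-unverified")  # stunnel default: no check
        if postfix.get("smtp_sasl_security_options") == "":
            findings.append("plaintext-sasl-to-unverified-server")
    return findings

# Constructed inputs mirroring the settings in the message above.
MAIN_CF = "relayhost = [127.0.0.1]:11125\nsmtp_sasl_security_options =\n"
STUNNEL_CONF = ("[smtp-tls-wrapper]\naccept = 11125\nclient = yes\n"
                "connect = fascist.university.server:465\n")
SASL_PASSWD = "[127.0.0.1]:11125       USERNAME:PASSWORD\n"
```

With accept = 127.0.0.1:11125 and verify = 2 plus a CAfile in the service section, the same inputs produce no findings.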
