Allow external SMTP auth for relay

AITCS
Posts: 31
Joined: 13 Mar 2017 11:12

Allow external SMTP auth for relay

Post by AITCS » 25 Aug 2017 01:07

Pardon my ignorance, but our knowledge only extends far enough to get EFA installed and working perfectly, but not for modifying the configuration very much.
We'd like to achieve the following if possible, and would appreciate any insight as to how we can make it happen.

We would like to allow an external contractor to utilise our EFA as an outbound SMTP server to send mail on our behalf, so need to somehow create a user account in CentOS and allow sending of mail after successful authentication. Reasoning behind it is a bit complex, but boils down to how their accounting software works and sends out notification emails.

Any ideas on how we may be able to achieve this?
Thanks.

shawniverson
Posts: 2769
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA

Re: Allow external SMTP auth for relay

Post by shawniverson » 27 Aug 2017 00:52

Hi :D

This is definitely doable, but it takes a little bit of work...not built in (yet).

Enabling SUBMISSION (port 587)
viewtopic.php?t=966

Postfix SASL How-to
http://www.postfix.org/SASL_README.html

You have your choice between Dovecot and Cyrus SASL.
Version eFa 4.0.0 RC3 now available in testing repo. Come join us in advancing eFa!

AITCS
Posts: 31
Joined: 13 Mar 2017 11:12

Re: Allow external SMTP auth for relay

Post by AITCS » 27 Aug 2017 01:13

Many thanks Shawn... we'll test on Monday when back in the office.

pdwalker
Posts: 1137
Joined: 18 Mar 2015 09:16

Re: Allow external SMTP auth for relay

Post by pdwalker » 29 Aug 2017 04:45

Let us know how you got on.

AITCS
Posts: 31
Joined: 13 Mar 2017 11:12

Re: Allow external SMTP auth for relay

Post by AITCS » 29 Aug 2017 04:57

Got it working... had to use a combination of the posts to get it working, but the contractor can now send using our EFA server as an SMTP server after authentication via TLS on port 587.

Thanks for the links above, and looking forward to any future developments being able to do this natively as hinted above.

ovizii
Posts: 445
Joined: 11 May 2016 08:08

Re: Allow external SMTP auth for relay

Post by ovizii » 30 Aug 2017 06:59

I'm not sure that is the best solution. Don't you already have an existing authentication system, i.e. your own mail server, i.e. Exchange or postfix + i.e. dovecot, where your own users are authenticated? Why not create this external account on that same system?

AITCS
Posts: 31
Joined: 13 Mar 2017 11:12

Re: Allow external SMTP auth for relay

Post by AITCS » 30 Aug 2017 07:32

We don't want to expose Exchange any more than port 443 for our Outlook users.
Having EFA sitting in between provides a good layer of protection between the outside world and Exchange.

ovizii
Posts: 445
Joined: 11 May 2016 08:08

Re: Allow external SMTP auth for relay

Post by ovizii » 30 Aug 2017 08:15

Sure, makes sense if none of your existing users is using Exchange from outside your premises. I was just thinking about avoiding duplicating an auth mechanism you might already have had in place.

pdwalker
Posts: 1137
Joined: 18 Mar 2015 09:16

Re: Allow external SMTP auth for relay

Post by pdwalker » 06 Nov 2017 04:49

AITCS wrote (29 Aug 2017 04:57):
"Got it working... had to use a combination of the posts to get it working, but the contractor can now send using our EFA server as an SMTP server after authentication via TLS on port 587."

Is it possible to detail what you did?

I've now got the need to enable this functionality, but I don't have time to try to figure it all out and get it working.

It seems that sasl2 authentication is already partially enabled in EFA, so knowing what the final steps required are would save a lot of time.

Thanks.

AITCS
Posts: 31
Joined: 13 Mar 2017 11:12

Re: Allow external SMTP auth for relay

Post by AITCS » 06 Nov 2017 06:08

Lucky for you I scribbled down notes as I did this. Hopefully they make sense.
Create a new user account for the external user before starting. These details will be used toward the end of the procedure.
Also, don't forget to open port 587 to EFA.

nano /etc/postfix/master.cf

remove # from line #submission inet n - n - - smtpd

Restart postfix:
service postfix restart

nano /etc/sysconfig/iptables

Add to top of table:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 587 -j ACCEPT

nano /etc/postfix/main.cf
smtpd_sasl_path = smtpd

nano /etc/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN


testsaslauthd -u username -p password
saslpasswd2 -c -u domain.com username
sasldblistusers2

nano /etc/postfix/main.cf
smtpd_sasl_auth_enable = yes

reboot
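
Added example, not part of AITCS's notes or of eFa: the notes above uncomment the submission service and allow the PLAIN and LOGIN mechanisms, so this sketch checks whether the submission entry in master.cf carries overrides that require TLS and limit port 587 to authenticated clients. The function names and both sample files are constructed for illustration, and only the plain `-o name=value` override form is parsed.

```shell
#!/bin/sh
# Added example (not from the thread): audit the port-587 entry of master.cf.
# Assumption: overrides are written in the plain "-o name=value" form.

# Print the -o overrides of the active submission service, one per line.
# A logical line starts in column 1; indented lines continue it.
submission_overrides() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        /^[^ \t]/ { insvc = ($1 == "submission" && $2 == "inet") }
        insvc { for (i = 1; i < NF; i++) if ($i == "-o") print $(i + 1) }
    '
}

# Read master.cf on stdin; print one line per missing override.
audit_submission() {
    cf=$(cat)
    ov=$(printf '%s\n' "$cf" | submission_overrides)
    if ! printf '%s\n' "$cf" | grep -Eq '^submission[[:space:]]+inet[[:space:]]'; then
        echo "submission service is commented out or absent"
        return 0
    fi
    for want in smtpd_tls_security_level=encrypt smtpd_sasl_auth_enable=yes; do
        printf '%s\n' "$ov" | grep -qxF "$want" || echo "missing: -o $want"
    done
    printf '%s\n' "$ov" |
        grep -Eq '^smtpd_(client|relay|recipient)_restrictions=.*permit_sasl_authenticated,reject$' ||
        echo "missing: -o smtpd_*_restrictions=permit_sasl_authenticated,reject"
}

# Constructed sample: service line uncommented, overrides still commented out.
sample_bare() {
    printf '%s\n' 'submission inet n - n - - smtpd' \
                  '#  -o smtpd_tls_security_level=encrypt' \
                  '#  -o smtpd_sasl_auth_enable=yes' \
                  'smtps inet n - n - - smtpd' \
                  '  -o smtpd_tls_wrappermode=yes'
}

# Constructed sample: TLS and authentication enforced on the service itself.
sample_hardened() {
    printf '%s\n' 'submission inet n - n - - smtpd' \
                  '  -o smtpd_tls_security_level=encrypt' \
                  '  -o smtpd_sasl_auth_enable=yes' \
                  '  -o smtpd_client_restrictions=permit_sasl_authenticated,reject'
}

echo "bare:";     sample_bare     | audit_submission
echo "hardened:"; sample_hardened | audit_submission
```

To check a live system, run `audit_submission < /etc/postfix/master.cf`. Settings made in main.cf, such as a global `smtpd_tls_auth_only`, are outside what this check sees.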

pdwalker
Posts: 1137
Joined: 18 Mar 2015 09:16

Re: Allow external SMTP auth for relay

Post by pdwalker » 06 Nov 2017 10:05

Thank you. It's working now.

AITCS
Posts: 31
Joined: 13 Mar 2017 11:12

Re: Allow external SMTP auth for relay

Post by AITCS » 06 Nov 2017 11:07

Happy to help.
Hopefully it proves helpful to others also.

shawniverson
Posts: 2769
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA

Re: Allow external SMTP auth for relay

Post by shawniverson » 12 Nov 2017 10:14
