Allow external SMTP auth for relay
Pardon my ignorance, but our knowledge only extends far enough to get EFA installed and working perfectly, but not for modifying the configuration very much.
We'd like to achieve the following if possible, and would appreciate any insight as to how we can make it happen.
We would like to allow an external contractor to utilise our EFA as an outbound SMTP server to send mail on our behalf, so need to somehow create a user account in CentOS and allow sending of mail after successful authentication. Reasoning behind it is a bit complex, but boils down to how their accounting software works and sends out notification emails.
Any ideas on how we may be able to achieve this?
Thanks.
- shawniverson
Re: Allow external SMTP auth for relay
Hi
This is definitely doable, but it takes a little bit of work...not built in (yet).
Enabling SUBMISSION (port 587)
viewtopic.php?t=966
Postfix SASL How-to
http://www.postfix.org/SASL_README.html
You have your choice between Dovecot and Cyrus SASL.
Re: Allow external SMTP auth for relay
Many thanks Shawn... we'll test on Monday when back in the office.
Re: Allow external SMTP auth for relay
Let us know how you got on.
Re: Allow external SMTP auth for relay
Got it working... had to use a combination of the posts to get it working, but the contractor can now send using our EFA server as an SMTP server after authentication via TLS on port 587.
Thanks for the links above, and looking forward to any future developments being able to do this natively as hinted above.
Re: Allow external SMTP auth for relay
I'm not sure that is the best solution. Don't you already have an existing authentication system, i.e. your own mail server, e.g. Exchange or postfix + dovecot, where your own users are authenticated? Why not create this external account on that same system?
Re: Allow external SMTP auth for relay
We don't want to expose Exchange any more than port 443 for our Outlook users.
Having EFA sitting in between provides a good layer of protection between the outside world and Exchange.
Re: Allow external SMTP auth for relay
Sure, makes sense if none of your existing users is using Exchange from outside your premises. I was just thinking about avoiding duplicating an auth mechanism you might already have had in place.
Re: Allow external SMTP auth for relay
Is it possible to detail what you did?
I've now got the need to enable this functionality, but I don't have time to try to figure it all out and get it working.
It seems that sasl2 authentication is already partially enabled in EFA, so knowing what the final steps required are would save a lot of time.
Thanks.
Re: Allow external SMTP auth for relay
Lucky for you I scribbled down notes as I did this. Hopefully they make sense.
Create a new user account for the external user before starting. These details will be used toward the end of the procedure.
Also, don't forget to open port 587 to EFA.
nano /etc/postfix/master.cf
remove # from line #submission inet n - n - - smtpd
Restart postfix:
service postfix restart
nano /etc/sysconfig/iptables
Add to top of table:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 587 -j ACCEPT
nano /etc/postfix/main.cf
smtpd_sasl_path = smtpd
nano /etc/sasl2/smtpd.conf
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
testsaslauthd -u username -p password
saslpasswd2 -c -u domain.com username
sasldblistusers2
nano /etc/postfix/main.cf
smtpd_sasl_auth_enable = yes
reboot
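Added example, not part of the original post: a small Python auditor for the two files the notes edit, which reports whether port 587 enforces STARTTLS and authentication and whether AUTH is also advertised on port 25 before TLS. The sample file contents, the "tight" variant and the assumption that the -o lines under the submission entry were left commented are constructed for illustration.

```python
import re

# Constructed samples: the state the notes leave (only the service line
# uncommented, AUTH switched on globally) next to a tightened variant.
MAIN_NOTES = "smtpd_sasl_path = smtpd\nsmtpd_sasl_auth_enable = yes\n"
MAIN_TIGHT = "smtpd_sasl_path = smtpd\nsmtpd_tls_auth_only = yes\n"
MASTER_NOTES = """smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""
MASTER_TIGHT = MASTER_NOTES.replace("#  -o", "  -o")

def main_cf_params(text):
    """Parse main.cf text into {name: value}; the last assignment wins."""
    params = {}
    for line in text.splitlines():
        if "=" in line and not line[0].isspace() and not line.startswith("#"):
            name, _, value = line.partition("=")
            params[name.strip()] = value.strip()
    return params

def submission_overrides(text):
    """-o overrides of 'submission inet' in master.cf, or None if not enabled."""
    entry, active = [], False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():        # a service entry starts in column 1
            active = re.match(r"submission\s+inet\s", line) is not None
        if active:
            entry.append(line)
    return dict(re.findall(r"-o\s+(\w+)=(\S+)", " ".join(entry))) if entry else None

def audit(main_text, master_text):
    """Findings for the 587/SASL setup; assumes 'smtp inet' has no -o overrides."""
    main, sub = main_cf_params(main_text), submission_overrides(master_text)
    if sub is None:
        return ["submission (587) is not enabled in master.cf"]
    on587 = lambda name, default: sub.get(name, main.get(name, default))
    checks = [
        (on587("smtpd_tls_security_level", "") == "encrypt", "587 does not enforce STARTTLS"),
        (on587("smtpd_sasl_auth_enable", "no") == "yes", "587 does not offer AUTH"),
        (any(v.endswith("permit_sasl_authenticated,reject") for v in sub.values()),
         "587 is not limited to authenticated clients"),
        (main.get("smtpd_sasl_auth_enable", "no") != "yes"
         or main.get("smtpd_tls_auth_only", "no") == "yes", "AUTH is offered on port 25 without TLS"),
    ]
    return [msg for ok, msg in checks if not ok]
```

To check a live system, pass the contents of /etc/postfix/main.cf and /etc/postfix/master.cf to audit().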
Re: Allow external SMTP auth for relay
Thank you. It's working now.
Re: Allow external SMTP auth for relay
Happy to help.
Hopefully it proves helpful to others also.