Forcing the from address when postfix relays over smtp
I'm trying to get email reports from our AWS EC2 instances. We're using Exchange Online (part of Microsoft Online Services). I've setup a user account specifically for SMTP relaying, and I've setup Postfix to meet all the requirements to relay messages through this server. However, Exchange Online's SMTP server will reject messages unless the From address exactly matches the authentication address (the error message is 550 5.7.1 Client does not have permissions to send as this sender
).
With careful configuration, I can setup my services to send as this user. But I'm not a huge fan of being careful - I'd rather have postfix force the issue. Is there a way to do this?
This is how to really do it in postfix.
This config changes sender addresses from both local originated, and relayed SMTP mail traffic:
/etc/postfix/main.cf:
sender_canonical_classes = envelope_sender, header_sender
sender_canonical_maps = regexp:/etc/postfix/sender_canonical_maps
smtp_header_checks = regexp:/etc/postfix/header_check
Rewrite envelope address from email originating from the server itself
/etc/postfix/sender_canonical_maps:
/.+/ [email protected]
Rewrite from address in SMTP relayed e-mail
/etc/postfix/header_check:
/From:.*/ REPLACE From: [email protected]
Thats very useful if you're for instance using a local relay smtp server which is used by all your multifunctionals and several applications.
If you use Office 365 SMTP server, any mail with a different sender address than the email from the authenticated user itself will simply be denied. The above config prevents this.
The optional generic table specifies an address mapping that applies when mail is delivered (sent) from server.
This is the opposite of canonical mapping, which applies when mail is received by server.
(Note: both FROM and TO addresses are matched for replacement for any of generic and canonical tables.)
Using canonical table when mail is received by server is already explained is other answers.
You can rewrite FROM addresses when mail is sent from server using smtp_generic_maps
.
According to postfix documentation :
/etc/postfix/main.cf:
smtp_generic_maps = hash:/etc/postfix/generic
/etc/postfix/generic:
[email protected] [email protected]
@localdomain.local [email protected]
Then do:
sudo postmap /etc/postfix/generic
sudo /etc/init.d/postfix reload
References:
- http://www.postfix.org/ADDRESS_REWRITING_README.html#generic
- http://www.cyberciti.biz/tips/howto-postfix-masquerade-change-email-mail-address.html
Update: On the advice of an IT friend, I'm running postfix on all my servers, rather than making one cloud mail server. Here's my solution so far:
/etc/postfix/main.cf
# output of hostname -f - mail from local users appears to come from here
myhostname = domU-01-02-03-04-05-06.compute-1.internal
# Local delivery - include all 127.0.0.1 aliases from /etc/hosts
mydestination = $myhostname, $mydomain, rest_of_entries_from_hosts
# Needed for address translation to work
myorigin = $mydomain
# Talking to MS Online
# :submission = port 587
relayhost = [smtp.mail.microsoftonline.com]:submission
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = # Yes, leave empty
smtp_tls_security_level = encrypt
smtp_generic_maps = hash:/etc/postfix/generic
# Enable if you need debugging, but it does leak credentials to the log
#debug_peer_level = 2
#debug_peer_list = smtp.mail.microsoftonline.com
# Only listen on the local interfaces (not the public)
inet_interfaces = localhost
# I left out a bunch of CentOS defaults. postconf -n is your friend.
# These are included
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
/etc/postfix/sasl_passwd
# Run postmap /etc/postfix/sasl_passwd after editing
# Also, chown root:root; chmod 600
smtp.mail.microsoftonline.com [email protected]:YourP@ssw0rd
/etc/postfix/generic
# Run postmap /etc/postfix/generic
# I've seen local mail come from either source
# output of dnsdomainname
@compute-1.internal [email protected]
# output of hostname -f
@domU-01-02-03-04-05-06.compute-1.internal [email protected]
/etc/aliases
# Run newaliases after changing
# Lot of stuff here. Mostly, just make sure the graph points to root, such as
mailer-daemon: postmaster
postmaster: root
# And the important part - your email or distribution group
root: [email protected]
/etc/passwd
# Sometimes it helps to expand the name, so email comes from 'root at aws host 5'
# rather than just 'root'
# Was
#root:x:0:0:root:/root:/bin/bash
# Is
root:x:0:0:root on aws host 5:/root:/bin/bash
Things I'm happy about:
- A lot of mail gets sent to root, and the one line in
alias
directs who gets it. - All mail from local users is translated to coming from
[email protected]
, so it gets through the MS Online SMTP server. - postfix has much better documentation than sendmail.
Things I'm not happy about:
- Custom changes are required for each host, and several steps. I wrote a bash script to help.
- The
passwd
name trick doesn't always work, and it can be difficult to figure out what server a mail is coming from. - Every mail sent puts three warnings in the log:
-
warning: smtp.mail.microsoftonline.com[65.55.171.153] offered null AUTH mechanism list
(SMTP server sends a nullAUTH
list beforeSTARTTLS
, butAUTH LOGIN
after). -
certificate verification failed for smtp.mail.microsoftonline.com: num=20:unable to get local issuer certificate
(There are some config options around certs, but I'm not sure if mail delivery breaks when the cert is renewed) -
certificate verification failed for smtp.mail.microsoftonline.com: num=27:certificate not trusted
(Same as #2)
-
Thanks to the serverfault community for sharing strong opinions on mail servers.
You can use smtpd_sender_login_maps to specify a list of maps: sender address - user.
Example:
smtpd_sender_login_maps =
hash:/etc/postfix/login-map
/etc/postfix/login-map:
mail1@domain userlogin
mail2@domain userlogin, [email protected]
It does work for sending, it should work for relaying the same way.