TLS for specific relayhost on Postfix

I want to implement advanced content filtering in Postfix using Python. I have figured out the implementation from http://www.postfix.org/FILTER_README.html, but there is another problem: after the filtering by the Python script I need to relay to Amazon SES, which needs to use TLS. The problem is that if I configure Postfix to use TLS, the postfix-python script will error, and if I am not using TLS, the postfix-Amazon SES will error. Does anyone have any idea how to fix this problem?

The error from Amazon SES:

Sep 29 07:09:41 mail postfix/qmgr[1935]: 4AC65C533B2: from=<[email protected]>, size=663, nrcpt=1 (queue active)
Sep 29 07:09:41 mail postfix/error[2229]: 4AC65C533B2: to=<[email protected]>, relay=none, delay=8999, delays=8999/0.01/0/0.01, dsn=4.0.0, status=deferred (delivery temporarily suspended: SASL authentication failed; server email-smtp.us-west-2.amazonaws.com[34.211.81.29] said: 530 Must issue a STARTTLS command first)

Main.cf configuration:

queue_directory = /var/spool/postfix
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
myhostname = xmail.xample.id
mydomain = xmail.xample.id
myorigin = $mydomain
inet_protocols = all
mydestination = $myhostname, localhost.$mydomain, localhost, mydomain
mynetworks_style = host
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
debug_peer_level = 2
debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         ddd $daemon_directory/$process_name $process_id & sleep 5

sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.10.1/samples
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
relayhost = [email-smtp.us-west-2.amazonaws.com]:587
smtpd_sasl_local_domain = $myhostname
#smtp_use_tls = yes
#smtp_tls_security_level = encrypt
#smtp_tls_note_starttls_offer = yes
content_filter = scan:localhost:10025
receive_override_options = no_address_mappings

Master.cf:

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       -       smtpd

#628       inet  n       -       n       -       -       qmqpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache

scan unix - - n - 10 smtp
        -o smtp_send_xforward_command=yes
        -o disable_mime_output_conversion=yes

localhost:10026 inet n - n - 10 smtpd
        -o content_filter=
        -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
        -o smtpd_authorized_xforward_hosts=127.0.0.0/8

After some searching on Google I found a way, even though it is not as intended for some specific relay host. It uses a config setting in Postfix so that Postfix is not required to use SSL. The configuration is in main.cf, using the following line:

    smtp_tls_security_level = may
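As an added example (not part of either answer above), here is how the same conflict can be resolved per hop instead of by relaxing TLS globally: the smtp client default stays at `may` for the plaintext hop to the local Python filter, the SES relayhost is pinned to verified TLS through a policy map, and the `scan` transport from the question's master.cf gets TLS switched off explicitly. The CA bundle path is an assumption (RHEL/CentOS layout); the host, port and service names are the ones from the question.

```conf
# --- main.cf (replaces the commented-out smtp_tls_* lines from the question) ---
# Client default: opportunistic TLS only, because the "scan" hop to the
# local Python filter speaks plaintext SMTP and offers no STARTTLS.
smtp_tls_security_level = may
# Per-destination policy: the SES relayhost must use TLS and its
# certificate must verify against the system CA bundle.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# Assumed path for the system CA bundle (RHEL/CentOS layout); adjust to the OS.
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_loglevel = 1
# Never send the SASL password over cleartext: PLAIN/LOGIN only after TLS.
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous

# --- /etc/postfix/tls_policy (run "postmap /etc/postfix/tls_policy" after editing) ---
# The key is the verbatim relayhost next-hop, brackets and port included.
# "secure" verifies the certificate against the next-hop name by default.
[email-smtp.us-west-2.amazonaws.com]:587   secure

# --- master.cf: "scan" transport to the local content filter ---
scan      unix  -       -       n       -       10      smtp
        -o smtp_send_xforward_command=yes
        -o disable_mime_output_conversion=yes
        -o smtp_tls_security_level=none
```

With this split, a "530 Must issue a STARTTLS command first" from SES can no longer occur because the policy map forbids a cleartext session to that next-hop, while the localhost filter hop is unaffected by the TLS settings.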

As I see it, there are three steps to make postfix work as an SES relay:

1. Get a good certificate

Of course, the way to do this is with Let's Encrypt. Their guide is good. Because this is an email server and not a web server, you'll probably want to do DNS verification and create a standalone certificate.

2. Set up postfix with good security settings

Now that you have the certificate, you can configure it nicely. The best guide for this remains the Mozilla SSL Configuration Generator. Because this server will only be a relay for connecting to AWS, you can use the high security modern settings.

3. Set up for SASL authentication (whatever that is)

Honestly, I don't know what SASL is, but it works, and AWS has a nice guide for it. Following this guide is what fixed the errors above for me (I had already done the first two steps).


Once you have the above working, you should have a nice relay from your local machine to AWS SES that has good security, auto-updating certs, etc.