SMTP Authentication to ISP

To protect against spam, some ISPs block outgoing connections on SMTP port 25. To send mail through such an ISP, the Postfix mail server must be configured as an authenticated client of the ISP's mail server. The setup depends on the ISP: some allow authentication on port 25 (possibly with STARTTLS, occasionally SMTPS), some on port 465 (SMTPS, that is, implicit TLS), some on port 587 (STARTTLS), and some on a combination of these.

Standards in this area have been in flux. SMTPS on port 465 was originally proposed but never ratified at the time; STARTTLS on port 587, the submission port, became the ratified standard. In 2018, RFC 8314 switched back to recommending implicit TLS on port 465. Postfix, the program behind the SMTP server, natively supports STARTTLS on ports 25 and 587. SMTPS on port 465 needs either Postfix 3.0 or later (which added smtp_tls_wrappermode) or, on the 2.x versions shipped with CentOS 7 based systems, an external TLS wrapper such as stunnel, which is the approach described below.

STARTTLS on port 587 (and occasionally 25)

Add User Authentication Support to Mail Server Configuration

In /etc/postfix/, add the following to enable Postfix's authenticated mail client:

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =

The empty smtp_sasl_security_options value matters: Postfix's default is "noplaintext, noanonymous", which disables the PLAIN and LOGIN mechanisms that most ISPs offer. Setting it to "noanonymous" is the cleaner equivalent. Because those mechanisms send the password in the clear, also set smtp_tls_security_level to "encrypt" (or to "secure" together with smtp_tls_CAfile, which additionally checks the relay's certificate) so that Postfix refuses to authenticate unless STARTTLS has succeeded; otherwise a downgraded or intercepted session reveals the ISP credentials.

Add Username and Password Settings

The ISP's mail server, username, and password are kept in a separate file: /etc/postfix/sasl_passwd. The format is:

[hostname]:587 username:password

For example:

If you are using port 25 for authentication, omit the :587 or change it to :25. The key must be spelled exactly as the relayhost value (see below), brackets and port included.

Anytime you add or change the /etc/postfix/sasl_passwd file, run the following command:

postmap /etc/postfix/sasl_passwd

Add Outbound Relay Host

Using the SMTP Mail Server configuration in the web-based configuration tool, add the ISP's mail server. In our example, is used. To ensure the correct port is used, you then need to edit /etc/postfix/ and change the default port 25 to 587; for example:

relayhost = []:587

and restart the SMTP server.

If you leave off the :587, Postfix defaults to port 25. GMail appears to accept this too, but it also allows the more conventional 587.
The [] around the ISP's FQDN stop Postfix from looking up the domain's MX records, which is at best a wasted DNS lookup and at worst returns the wrong host. Whichever form you choose, use it consistently: Postfix looks the password up first under the relayhost value exactly as written (brackets and port included) and only then under the bare server hostname, so a sasl_passwd key written as host:587 when relayhost says [host]:587 matches neither lookup and authentication is silently skipped.
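The steps above, scripted as an added example that is not part of this ClearOS KB page: it writes the sasl_passwd file readable by root only, checks that the relayhost string and the password lookup key agree (the bracket and port pitfall described above), and pushes the Postfix settings with the password-over-TLS-only values. smtp.example.net, user@example.net and the password s3cret are constructed placeholders; the CA bundle path is the CentOS/ClearOS location, and the postconf/postmap step is skipped when Postfix is not installed so the helper functions can be exercised anywhere.

```shell
#!/bin/sh
# Added example (not from the ClearOS KB): configure Postfix as an
# authenticated STARTTLS client of an ISP relay.
# Assumed placeholders: smtp.example.net, user@example.net, "s3cret".

# write_sasl_passwd FILE RELAYHOST USER PASSWORD
# Writes a single-entry sasl_passwd keyed by the exact relayhost string
# (brackets and port included); the file is created root-only (0600).
write_sasl_passwd() {
    file=$1; relay=$2; user=$3; pass=$4
    # subshell so the restrictive umask does not leak into the caller
    ( umask 077; printf '%s %s:%s\n' "$relay" "$user" "$pass" > "$file" )
    chmod 600 "$file"
    chown root:root "$file" 2>/dev/null || true   # no-op when not root
}

# relay_key_matches FILE RELAYHOST
# Postfix looks the password up under the relayhost value as written in
# main.cf, so "[smtp.example.net]:587" and "smtp.example.net:587" are
# different keys. Returns 0 when FILE has an entry for exactly RELAYHOST.
relay_key_matches() {
    file=$1; relay=$2
    awk -v key="$relay" '$1 == key { found = 1 } END { exit found ? 0 : 1 }' "$file"
}

# apply_postfix_settings RELAYHOST PASSWD_FILE
# Writes the client settings into main.cf with postconf. "secure" makes
# Postfix verify the relay's certificate against the CA bundle and refuse
# to send the password unless TLS is up; "noanonymous" (instead of the
# default "noplaintext, noanonymous") allows the PLAIN/LOGIN mechanisms.
apply_postfix_settings() {
    relay=$1; file=$2
    if ! command -v postconf >/dev/null 2>&1; then
        echo "postconf not found; Postfix settings not applied" >&2
        return 0
    fi
    postconf -e \
        "relayhost = $relay" \
        "smtp_sasl_auth_enable = yes" \
        "smtp_sasl_password_maps = hash:$file" \
        "smtp_sasl_security_options = noanonymous" \
        "smtp_tls_security_level = secure" \
        "smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt"
    postmap "hash:$file"
    chmod 600 "$file.db"      # the compiled map holds the same plain-text password
    postfix reload
}

# Usage on the server (assumed ISP values):
#   write_sasl_passwd /etc/postfix/sasl_passwd '[smtp.example.net]:587' user@example.net s3cret
#   relay_key_matches /etc/postfix/sasl_passwd '[smtp.example.net]:587' \
#       && apply_postfix_settings '[smtp.example.net]:587' /etc/postfix/sasl_passwd
```

If the ISP presents a certificate that does not chain to the system CA bundle, mail is deferred rather than sent with the password exposed; in that case drop to smtp_tls_security_level = encrypt, which still refuses to authenticate without TLS but does not verify the certificate.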

SMTPS (SMTP with SSL/TLS) on port 465

Install and configure stunnel

yum -y install stunnel --enablerepo=clearos-centos
wget -O /etc/init.d/stunnel

Go to /etc/init.d/stunnel and change /var/run/stunnel/ to /var/run/ (twice) and /usr/sbin/stunnel to /usr/bin/stunnel.

The init script will work but at some point should be converted to a systemd unit file.

Create a file /etc/stunnel/stunnel.conf and put the following in it:

accept  = 10465
client = yes
connect = your_isp's_SMTP_server:465

Two caveats about this minimal configuration. As written it does not verify the ISP's certificate, so anyone able to intercept the connection to port 465 can present their own certificate and capture the credentials Postfix sends through the tunnel; stunnel's verify = 2 together with CAfile pointing at the system CA bundle (/etc/pki/tls/certs/ca-bundle.crt on ClearOS) closes that gap. Also, accept = 10465 listens on every interface; accept = 127.0.0.1:10465 restricts the tunnel to the local Postfix.

Then from the command line:

chmod 755 /etc/init.d/stunnel
chkconfig stunnel on
service stunnel start

Then test it works with:

$ telnet localhost 10465
Connected to localhost.localdomain (
Escape character is '^]'.
220 ESMTP ready
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
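A hardened version of the stunnel configuration above, added here as an example that is not taken from this KB page or from the stunnel project: it writes a client tunnel that listens only on loopback and requires the ISP's certificate to chain to the system CA bundle, and it includes an audit function that flags a stunnel.conf (such as the three-line one above) that would accept any certificate. smtp.example.net is an assumed placeholder for the ISP's SMTPS server, and the pid path is assumed to match the init-script edit made earlier.

```shell
#!/bin/sh
# Added example (not from the ClearOS KB): generate an stunnel client
# configuration that verifies the ISP's certificate, and audit an
# existing stunnel.conf for the settings that make the tunnel safe.
# "smtp.example.net" is an assumed placeholder; the CA bundle path is the
# CentOS/ClearOS location; the pid path is assumed from the init-script edit.

# write_stunnel_conf FILE ISP_HOST
write_stunnel_conf() {
    file=$1; host=$2
    cat > "$file" <<EOF
; client tunnel: Postfix -> 127.0.0.1:10465 -> $host:465 (generated)
pid = /var/run/stunnel.pid

[smtps]
client  = yes
; 127.0.0.1: only the local Postfix can reach the tunnel
; (a bare "10465" would listen on every interface)
accept  = 127.0.0.1:10465
connect = $host:465
; require a server certificate that chains to the system CA bundle;
; without this any host that answers on port 465 can collect the
; SASL credentials Postfix sends through the tunnel in clear text
verify  = 2
CAfile  = /etc/pki/tls/certs/ca-bundle.crt
; stunnel 5.06 and later can additionally pin the server name:
; checkHost = $host
EOF
}

# stunnel_conf_verifies FILE
# Returns 0 when FILE requires a verified peer chain (verify = 2 plus a
# CAfile line), 1 otherwise.
stunnel_conf_verifies() {
    file=$1
    grep -Eq '^[[:space:]]*verify[[:space:]]*=[[:space:]]*2' "$file" &&
    grep -Eq '^[[:space:]]*CAfile[[:space:]]*=' "$file"
}

# Usage on the server (then chkconfig/service as in the steps above):
#   write_stunnel_conf /etc/stunnel/stunnel.conf smtp.example.net
#   stunnel_conf_verifies /etc/stunnel/stunnel.conf \
#       || echo "stunnel.conf would accept any certificate" >&2
```

After restarting stunnel, the telnet test above should still show the ISP's 220 banner; if it does not, check the stunnel log for a verification failure before loosening anything, since that failure is exactly what verify = 2 exists to surface.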

Configure Postfix

Then, moving on to Postfix, make sure you have the following in your /etc/postfix/:

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
relayhost = []:10465

Some guides also set "smtp_use_tls = yes" and "smtp_sasl_security_options = noanonymous". The first is the obsolete spelling of smtp_tls_security_level and is genuinely unnecessary here: Postfix talks plain SMTP to the local stunnel and never negotiates TLS itself. The second does matter. Postfix's default for smtp_sasl_security_options is "noplaintext, noanonymous", which forbids the PLAIN and LOGIN mechanisms that most ISPs offer, and because Postfix does not see a TLS session on the tunnel it will not relax that default on its own. Unless you already set the empty value from the STARTTLS section above, authentication through the tunnel fails for lack of a usable mechanism, so set it to "noanonymous"; the password still travels only inside the TLS session stunnel opens to the ISP.

Create a file /etc/postfix/sasl_passwd:

[]:10465     your_ISP's_email_address:your_email_password

Then load the password and reload postfix:

postmap /etc/postfix/sasl_passwd
service postfix reload

At this point the plain-text password is in both /etc/postfix/sasl_passwd and the compiled /etc/postfix/sasl_passwd.db. Deleting the source file does not remove it from the .db, which Postfix needs to keep; instead make both files readable by root only (chmod 600) and keep the source file so the entry can be edited later.

You should now be able to relay through your ISP's mail server port 465.


content/en_us/kb_howtos_smtp_authentication_to_isp.txt · Last modified: 2020/03/30 07:14 by