To protect against spam, some ISPs block outgoing connections on SMTP (port 25). In order to send mail from such an ISP, the Postfix mail server must be configured as an authenticated client to the ISP's mail server. The set up depends on the ISP. Some allow authentication on port 25 (possibly STARTTLS or SMTPS), some on 465 (SMTPS) and some on port 587 (STARTTLS) and combinations thereof.
Currently standards seem to be in a state of flux. Originally SMTPS on port 465 was proposed as a standard, but it never got ratified. STARTTLS on port 587 took over and became the ratified standard. In 2018 RFC8314 then switched back to recommending port 465. Natively, Postfix, the app behind the SMTP server, supports STARTTLS on ports 25 and 587, but with a bit of additional configuration, can support SMTPS on port 465.
In /etc/postfix/main.cf, add the following to enable Postfix's authenticated mail client:
smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtp_sasl_security_options =
The ISP's mail server, username, and password are kept in a separate file: /etc/postfix/sasl_passwd. The format is:
Anytime you add or change the /etc/postfix/sasl_passwd file, run the following command:
Using the SMTP Mail Server configuration in the web-based configuration tool, add the ISP's mail server. In our example, smtp.broadband.rogers.com is used. To ensure the correct port is used, you then need to edit /etc/postfix/main.cf and change the default port 25 to 587; for example:
relayhost = [smtp.broadband.rogers.com]:587
and restart the SMTP server.
yum -y install stunnel --enablerepo=clearos-centos wget -O /etc/init.d/stunnel https://bugzilla.redhat.com/attachment.cgi?id=325164
Go to /etc/init.d/stunnel and change /var/run/stunnel/stunnel.pid to /var/run/stunnel.pid (twice) and /usr/sbin/stunnel to /usr/bin/stunnel.
Create a file /etc/stunnel/stunnel.conf and put the following in it:
[smtps] accept = 10465 client = yes connect = your_isp's_SMTP_server:465
Then from the command line:
chmod 755 /etc/init.d/stunnel chkconfig stunnel on service stunnel start
Then test it works with:
$ telnet localhost 10465 Trying 127.0.0.1... Connected to localhost.localdomain (127.0.0.1). Escape character is '^]'. 220 outbound.att.net ESMTP ready $ quit 221 2.0.0 Bye Connection closed by foreign host.
Then moving on to postfix make sure you have the following in your /etc/postfix/main.cf:
smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd relayhost = [127.0.0.1]:10465
Some guides also set “smtp_use_tls = yes” and “smtp_sasl_security_options = noanonymous”. I am not sure why as you are not using these features with stunnel.
Create a file /etc/postfix/sasl_passwd:
Then load the password and reload postfix:
postmap /etc/postfix/sasl_passwd service postfix reload
At this point you can delete the /etc/postfix/sasl_passwd file which contains the plain text password.
You should now be able to relay through your ISP's mail server port 465.