Tuesday, March 10, 2020

Postfix Office365 SMTP Relay on Ubuntu 18.04

Here are instructions for installing Postfix on Ubuntu 18.04 LTS and configuring it to use Office 365 as an SMTP relay.
Install Postfix
apt-get install postfix mailutils sasl2-bin
During the installation you'll be asked 2 questions; use the default settings:
“General type of mail configuration”: select “Internet Site”
“System mail name”: use your FQDN (it will likely already be populated)
Create the file sasl_password in /etc/postfix 
nano /etc/postfix/sasl_password
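Put in the following line, changing Office365USERNAME@DOMAIN:PASSWORD to reflect your email credentials and domain.

The password sits in this file in clear text, but the file is only temporary: we're going to build the lookup table that Postfix actually reads from it shortly, and delete this file at the end. Note that postmap only indexes the file, it does not encrypt it, so the password can still be read out of the resulting .db file and that file needs strict permissions.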
[smtp.office365.com]:587 Office365USERNAME@DOMAIN:PASSWORD
So it might look something like this:
[smtp.office365.com]:587 John.Smith@company.net:password
Now let's turn the password file into the lookup table that Postfix reads
postmap hash:/etc/postfix/sasl_password
This command creates a hash version of sasl_password called "sasl_password.db".
Office 365 will only accept mail whose FROM field in the email header is the address of the account you authenticate with, so now we configure Postfix to rewrite the FROM field on all outgoing mail.
Create a file called sender_canonical in /etc/postfix.
nano /etc/postfix/sender_canonical
Put in the following line, changing Office365USERNAME@DOMAIN to your Office 365 email address. Only the address goes here, not the password, because whatever is on the right-hand side becomes the sender address of every message.
/.+/ Office365USERNAME@DOMAIN
Create the hash version.
postmap hash:/etc/postfix/sender_canonical
For security purposes let's make sure the owner of the files created above is the root user. The sender_canonical files can have permissions 644, but sasl_password and sasl_password.db contain the account password, so give those 600 so that only root can read them.
chown root:root /etc/postfix/sasl_password
chown root:root /etc/postfix/sasl_password.db
chown root:root /etc/postfix/sender_canonical
chown root:root /etc/postfix/sender_canonical.db
chmod 600 /etc/postfix/sasl_password
chmod 600 /etc/postfix/sasl_password.db
chmod 644 /etc/postfix/sender_canonical
chmod 644 /etc/postfix/sender_canonical.db
Set up TLS for transmitting mail.
cp /etc/ssl/certs/thawte_Primary_Root_CA.pem /etc/postfix/cacert.pem
Edit /etc/postfix/main.cf.
nano /etc/postfix/main.cf
Update these lines where they already exist in the config and add the missing ones to the bottom
relayhost = [smtp.office365.com]:587 
smtp_sasl_auth_enable = yes  
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password  
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = may
sender_canonical_maps = regexp:/etc/postfix/sender_canonical  
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_use_tls = yes
inet_protocols = ipv4 
Restart Postfix.
service postfix restart
Test it out

Create the file /etc/postfix/testmail.txt
nano /etc/postfix/testmail.txt
Put this in the file, then save and exit the editor
subject: 365test
Hello this is a test message
Now use this command to send your email.  Just replace the email address below with one that you want to receive your message.

sendmail -v someone@company.com < /etc/postfix/testmail.txt
It shouldn't take very long for the test email to go out, but you can look at the progress of your server with this command:
tail -f /var/log/mail.log
You'll see something like this with a successful email:
Jan 10 13:28:35 pulse postfix/cleanup[31290]: warning: /etc/postfix/main.cf, line 51: overriding earlier entry: inet_protocols=all
Jan 23 13:28:35 pulse postfix/pickup[31230]: 803E5600973: uid=1000 from=<UBUNUTUSERNAME>
Jan 23 13:28:35 pulse postfix/trivial-rewrite[31291]: warning: /etc/postfix/main.cf, line 51: overriding earlier entry: inet_protocols=all
Jan 23 13:28:35 pulse postfix/cleanup[31290]: 803E5600973: message-id=<202003101335.803E5600973@FQDN>
Jan 23 13:28:35 pulse postfix/qmgr[31231]: 803E5600973: from=<first.last@company.net>, size=300, nrcpt=1 (queue active)
Jan 23 13:28:35 pulse postfix/smtp[31292]: warning: /etc/postfix/main.cf, line 51: overriding earlier entry: inet_protocols=all
Jan 23 13:28:45 pulse postfix/bounce[31293]: warning: /etc/postfix/main.cf, line 51: overriding earlier entry: inet_protocols=all
Jan 23 13:28:45 pulse postfix/smtp[31292]: 803E5600973: to=<someone@company.com>, relay=smtp.office365.com[40.100.140.114]:587, delay=9.7, )
Jan 23 13:28:45 pulse postfix/cleanup[31290]: 38628600976: message-id=<20200318628600976@FQDN>
Jan 23 13:28:45 pulse postfix/qmgr[31231]: 38628600976: from=<first.last@company.net>, size=2095, nrcpt=1 (queue active)
Jan 23 13:28:45 pulse postfix/bounce[31293]: 803E5600973: sender delivery status notification: 3862860
Jan 23 13:28:45 pulse postfix/qmgr[31231]: 803E5600973: removed
Jan 23 13:28:53 pulse postfix/smtp[31292]: 38628600976: to=<someone@company.com>, relay=smtp.office365.com[40.100.140.114]:587, delay=8.2, )
Jan 23 13:28:53 pulse postfix/qmgr[31231]: 38628600976: removed
Assuming that all has gone well, you can delete the original unencrypted password file
rm /etc/postfix/sasl_password
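
An audit of the finished setup, added here as an example (not part of the original post): it reads main.cf, flags a TLS level that does not enforce encryption, and flags credential map files that are readable beyond their owner or a plain-text source that was left behind. The function names and finding labels are made up for this example, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example: audit a Postfix relay setup like the one in this post.
# Function names and finding labels are made up for this example.

# Print the effective value of a main.cf parameter. The last assignment
# wins, which is what "overriding earlier entry" in the log is warning about.
conf_value() {  # usage: conf_value <main.cf> <parameter>
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key {
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            val = v
        }
        END { print val }' "$1"
}

# Print one finding per line; return 0 when nothing was found, 1 otherwise.
audit_relay() {  # usage: audit_relay <main.cf>
    cf=$1; findings=0
    # "may" is opportunistic: if STARTTLS is not offered, mail goes unencrypted.
    level=$(conf_value "$cf" smtp_tls_security_level)
    case $level in
        encrypt|dane-only|fingerprint|verify|secure) ;;
        *) echo "TLS_NOT_ENFORCED smtp_tls_security_level=${level:-unset}"
           findings=1 ;;
    esac
    # The map source and its postmap output both hold the password readably.
    map=$(conf_value "$cf" smtp_sasl_password_maps)
    src=${map#*:}    # drop the table type prefix, e.g. "hash:"
    [ -n "$src" ] || return $findings
    for f in "$src" "$src.db"; do
        [ -e "$f" ] || continue
        mode=$(stat -c %a "$f")    # GNU stat, as shipped with Ubuntu
        case $mode in
            *00|0) ;;              # no group/other access
            *) echo "CREDS_READABLE $f mode=$mode"; findings=1 ;;
        esac
    done
    if [ -e "$src" ]; then
        echo "PLAINTEXT_SOURCE_PRESENT $src"; findings=1
    fi
    return $findings
}

# Run against the file given on the command line, e.g. /etc/postfix/main.cf
if [ -n "${1:-}" ]; then audit_relay "$1"; fi
```

Run it as root with /etc/postfix/main.cf as the argument; an empty output and exit status 0 mean none of the three conditions were found.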
