Port 25 Blocked!

My new internet provider decided to block port 25 on me. This is the port used for email, which I need for when people sign up for the site and for server admin emails. Luckily, I found a way around this and thought I would share what I did. The basic idea is to send outgoing email through a Gmail account using port 587, and to move incoming email to a custom port that receives mail forwarded from another service.

The first thing I did was remove and reinstall Postfix, just to start with a clean installation. Here are the steps, taken from the Ubuntu Server Guide:

Postfix
Postfix is the default Mail Transfer Agent (MTA) in Ubuntu. It attempts to be fast and easy to administer and secure. It is compatible with the MTA sendmail. This section explains how to install and configure postfix. It also explains how to set it up as an SMTP server using a secure connection (for sending emails securely).

Installation
To install postfix run the following command:
sudo apt-get install postfix

Simply press return when the installation process asks questions; the configuration will be done in greater detail in the next stage.

Basic Configuration
To configure postfix, run the following command:
sudo dpkg-reconfigure postfix

The user interface will be displayed. On each screen, select the following values:

  • Ok
  • Internet Site
  • NONE
  • mail.example.com
  • mail.example.com, localhost.localdomain, localhost
  • No
  • 127.0.0.0/8, 192.168.0/24
  • Yes
  • 0
  • +
  • all

Replace mail.example.com with your mail server hostname, and 192.168.0/24 with the actual network and class range of your mail server.

    Now is a good time to decide which mailbox format you want to use. By default Postfix will use mbox for the mailbox format. Rather than editing the configuration file directly, you can use the postconf command to configure all Postfix parameters. The configuration parameters will be stored in the /etc/postfix/main.cf file. Later, if you wish to re-configure a particular parameter, you can either run the command again or change it manually in the file.

    To configure the mailbox format for Maildir:
    sudo postconf -e 'home_mailbox = Maildir/'

    This will place new mail in /home/username/Maildir so you will need to configure your Mail Delivery Agent (MDA) to use the same path.

    SMTP Authentication
    SMTP-AUTH allows a client to identify itself through an authentication mechanism (SASL). Transport Layer Security (TLS) should be used to encrypt the authentication process. Once authenticated the SMTP server will allow the client to relay mail.

    1. Configure Postfix for SMTP-AUTH using SASL (Dovecot SASL):

       sudo postconf -e 'smtpd_sasl_type = dovecot'
       sudo postconf -e 'smtpd_sasl_path = private/auth-client'
       sudo postconf -e 'smtpd_sasl_local_domain ='
       sudo postconf -e 'smtpd_sasl_security_options = noanonymous'
       sudo postconf -e 'broken_sasl_auth_clients = yes'
       sudo postconf -e 'smtpd_sasl_auth_enable = yes'
       sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
       sudo postconf -e 'inet_interfaces = all'

    2. Next, configure the digital certificate for TLS. When asked questions, follow the instructions and answer appropriately:

       openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
       chmod 600 smtpd.key
       openssl req -new -key smtpd.key -out smtpd.csr
       sudo openssl x509 -req -days 365 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
       openssl rsa -in smtpd.key -out smtpd.key.unencrypted
       mv -f smtpd.key.unencrypted smtpd.key
       openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
       sudo mv smtpd.key /etc/ssl/private/
       sudo mv smtpd.crt /etc/ssl/certs/
       sudo mv cakey.pem /etc/ssl/private/
       sudo mv cacert.pem /etc/ssl/certs/

    3. Configure Postfix to provide TLS encryption for both incoming and outgoing mail:

       sudo postconf -e 'smtpd_tls_auth_only = no'
       sudo postconf -e 'smtp_use_tls = yes'
       sudo postconf -e 'smtpd_use_tls = yes'
       sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
       sudo postconf -e 'smtpd_tls_key_file = /etc/ssl/private/smtpd.key'
       sudo postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt'
       sudo postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
       sudo postconf -e 'smtpd_tls_loglevel = 1'
       sudo postconf -e 'smtpd_tls_received_header = yes'
       sudo postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
       sudo postconf -e 'tls_random_source = dev:/dev/urandom'
       sudo postconf -e 'myhostname = mail.example.com'

    The postfix initial configuration is complete. Run the following command to restart the postfix daemon:

    sudo /etc/init.d/postfix restart

    Configuring SASL
    Postfix supports two SASL implementations: Cyrus SASL and Dovecot SASL. To enable Dovecot SASL, the dovecot-common package will need to be installed. From a terminal prompt enter the following:

    sudo apt-get install dovecot-common

    Next you will need to edit /etc/dovecot/dovecot.conf. In the auth default section uncomment the socket listen option and change the following:

    socket listen {
    #master {
    # Master socket provides access to userdb information. It's typically
    # used to give Dovecot's local delivery agent access to userdb so it
    # can find mailbox locations.
    #path = /var/run/dovecot/auth-master
    #mode = 0600
    # Default user/group is the one who started dovecot-auth (root)
    #user =
    #group =
    #}
    client {
    # The client socket is generally safe to export to everyone. Typical use
    # is to export it to your SMTP server so it can do SMTP AUTH lookups
    # using it.
    path = /var/spool/postfix/private/auth-client
    mode = 0660
    user = postfix
    group = postfix
    }
    }

    Once you have Dovecot configured restart it with:

    sudo /etc/init.d/dovecot restart

    Setting up Gmail as a relay

    After looking on the internet for a while I finally found a decent guide on how to set up Gmail SMTP through Postfix; however, after following the guide I found that it left parts out, or things didn't work quite the same on an Ubuntu server. This guide is intended to get Gmail's SMTP set up through Postfix on an Ubuntu LTS server quickly and without too much information about other operating systems, although you could probably adapt the guide to work on other systems.

    Google's Gmail service requires TLS and SASL2 support to be built into Postfix. Luckily, this is already the case on the Ubuntu LTS Server.

    In order to communicate with Google we need to have Gmail's certificate authority, and we need to generate our own Certificate Authority (CA).

    Step 1: Create a Certificate Authority

    Since we will be creating temporary files and will want to delete them later, change to your home directory so we don't forget about them and leave what I call "mouse turds" lying around.
    cd ~

    Create the CA:
    /usr/lib/ssl/misc/CA.pl -newca
    CA certificate filename (or enter to create)

    Making CA certificate ...
    Generating a 1024 bit RSA private key
    .......++++++
    ..................++++++
    writing new private key to './demoCA/private/cakey.pem'
    Enter PEM pass phrase: password
    Verifying - Enter PEM pass phrase: password
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [US]:US
    State or Province Name (full name) [New York]:New York
    Locality Name (eg, city) []:New York
    Organization Name (eg, company) []:Sanborn_Widgets
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:Mark
    Email Address []:[email protected]

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from /usr/lib/ssl/openssl.cnf
    Enter pass phrase for ./demoCA/private/cakey.pem:
    Check that the request matches the signature
    Signature ok

    Step 2: Create a Server Certificate

    Since these values have to match the CA you just created, you may want to keep the output of the previous step handy to reference it for the next command. You can do this by opening another console or virtual terminal and switching back and forth between them.

    openssl req -new -nodes -subj '/CN=domain.com/O=Sanborn_Widgets/C=US/ST=New York/L=New York/emailAddress=use[email protected]' -keyout FOO-key.pem -out FOO-req.pem -days 3650

    Step 3: Sign the Certificate

    openssl ca -out FOO-cert.pem -infiles FOO-req.pem
    Using configuration from /usr/lib/ssl/openssl.cnf
    Enter pass phrase for ./demoCA/private/cakey.pem:
    Check that the request matches the signature
    Signature ok

    Then press y for anything else it asks.

    Step 4: Copy the certificates to the Postfix folder

    cp demoCA/cacert.pem FOO-key.pem FOO-cert.pem /etc/postfix
    chmod 644 /etc/postfix/FOO-cert.pem /etc/postfix/cacert.pem
    chmod 400 /etc/postfix/FOO-key.pem

    Gmail uses the Thawte Premium Server CA. You need to add this to the end of /etc/postfix/cacert.pem

    -----BEGIN CERTIFICATE-----
    MIIDJzCCApCgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBzjELMAkGA1UEBhMCWkEx
    FTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2FwZSBUb3duMR0wGwYD
    VQQKExRUaGF3dGUgQ29uc3VsdGluZyBjYzEoMCYGA1UECxMfQ2VydGlmaWNhdGlv
    biBTZXJ2aWNlcyBEaXZpc2lvbjEhMB8GA1UEAxMYVGhhd3RlIFByZW1pdW0gU2Vy
    dmVyIENBMSgwJgYJKoZIhvcNAQkBFhlwcmVtaXVtLXNlcnZlckB0aGF3dGUuY29t
    MB4XDTk2MDgwMTAwMDAwMFoXDTIwMTIzMTIzNTk1OVowgc4xCzAJBgNVBAYTAlpB
    MRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEdMBsG
    A1UEChMUVGhhd3RlIENvbnN1bHRpbmcgY2MxKDAmBgNVBAsTH0NlcnRpZmljYXRp
    b24gU2VydmljZXMgRGl2aXNpb24xITAfBgNVBAMTGFRoYXd0ZSBQcmVtaXVtIFNl
    cnZlciBDQTEoMCYGCSqGSIb3DQEJARYZcHJlbWl1bS1zZXJ2ZXJAdGhhd3RlLmNv
    bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0jY2aovXwlue2oFBYo847kkE
    VdbQ7xwblRZH7xhINTpS9CtqBo87L+pW46+GjZ4X9560ZXUCTe/LCaIhUdib0GfQ
    ug2SBhRz1JPLlyoAnFxODLz6FVL88kRu2hFKbgifLy3j+ao6hnO2RlNYyIkFvYMR
    uHM/qgeN9EJN50CdHDcCAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG
    9w0BAQQFAAOBgQAmSCwWwlj66BZ0DKqqX1Q/8tfJeGBeXm43YyJ3Nn6yF8Q0ufUI
    hfzJATj/Tb7yFkJD57taRvvBxhEf8UqwKEbJw8RCfbz6q1lu1bdRiBHjpIUZa4JM
    pAwSremkrj/xw0llmozFyD4lt5SZu5IycQfwhl7tUCemDaYj+bvLpgcUQg==
    -----END CERTIFICATE-----

    Alternative Method

    If you do not trust me or don't feel comfortable copying CA certs from me, you can get it from www.thawte.com/roots and download all of the certs from them. The file is called 'ThawtePremiumServerCA_b64.txt'.

    The following command appends the contents of ThawtePremiumServerCA_b64.txt to /etc/postfix/cacert.pem:

    cat ThawtePremiumServerCA_b64.txt >> /etc/postfix/cacert.pem

    If you want to understand how this command works, I recommend checking out Getting Familiar with the Linux Command Line.

    Step 5: Add these lines to the bottom of /etc/postfix/main.cf

    Note: When I first added these lines I had a space in front of the first line, which would give me errors when trying to run postfix. The only problem was that the error was misleading, saying there was something wrong with the line above, steering me in the wrong direction, and I ended up troubleshooting something that wasn't broken. So make sure you have copied these lines exactly into the bottom of main.cf without any spaces in front of any of the lines.

    ## TLS Settings
    #
    smtp_tls_CAfile = /etc/postfix/cacert.pem
    smtp_tls_cert_file = /etc/postfix/FOO-cert.pem
    smtp_tls_key_file = /etc/postfix/FOO-key.pem
    smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
    smtp_use_tls = yes
    smtpd_tls_CAfile = /etc/postfix/cacert.pem
    smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
    smtpd_tls_key_file = /etc/postfix/FOO-key.pem
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache
    smtpd_use_tls = yes
    tls_random_source = dev:/dev/urandom
    #
    ## SASL Settings
    # This is going in to THIS server
    smtpd_sasl_auth_enable = no
    # We need this
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtpd_sasl_local_domain = $myhostname
    smtp_sasl_security_options = noanonymous
    #smtp_sasl_security_options =
    smtp_sasl_tls_security_options = noanonymous
    smtpd_sasl_application_name = smtpd
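The settings above use `smtp_use_tls = yes`, the legacy spelling of opportunistic TLS: Postfix encrypts only if the relay offers STARTTLS and never verifies the relay's certificate, so the Gmail password in sasl_passwd is protected only as long as nothing interferes with the STARTTLS negotiation. The following script is an added example and not code from the original post. It lints a main.cf fragment for the two things worth checking before appending it: lines that begin with whitespace (Postfix reads any such line as a continuation of the previous parameter, which is exactly why a stray leading space produces an error that blames the line above) and whether the outbound TLS policy is mandatory. Both fragments are constructed here; `HARDENED_FRAGMENT` shows the equivalent relay settings with `smtp_tls_security_level = secure`, which assumes the system CA bundle from Ubuntu's ca-certificates package lives in /etc/ssl/certs.

```shell
#!/bin/sh
# Added example, not code from the original post: lint a main.cf fragment
# before appending it to /etc/postfix/main.cf.
#
#  1. Postfix treats a line that starts with whitespace as a continuation of
#     the previous parameter, so an accidental leading space yields an error
#     pointing at the line above it.
#  2. "smtp_use_tls = yes" is opportunistic TLS: no certificate verification
#     and cleartext fallback when STARTTLS is not offered. A relay carrying
#     account credentials should use a mandatory smtp_tls_security_level.

# Constructed sample: the post's relay settings with line 3 accidentally
# indented by one space.
SAMPLE_FRAGMENT='## TLS Settings
smtp_tls_CAfile = /etc/postfix/cacert.pem
 smtp_tls_cert_file = /etc/postfix/FOO-cert.pem
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous'

# Constructed hardened equivalent. Assumes the system CA bundle is in
# /etc/ssl/certs (Ubuntu ca-certificates). "secure" verifies the relay's
# chain and checks its name against the bracketed nexthop in transport;
# plaintext SASL mechanisms are allowed only once TLS is up.
HARDENED_FRAGMENT='## TLS Settings (mandatory, verified)
smtp_tls_security_level = secure
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
## SASL Settings
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous'

# Print the numbers of lines that begin with a space or tab, separated by
# spaces; empty output means no accidental continuation lines.
# Usage: continuation_lines < fragment
continuation_lines() {
    awk '/^[ \t]/ { printf "%d ", NR }' | sed 's/ $//'
}

# Classify the outbound TLS policy a fragment expresses:
#   mandatory      smtp_tls_security_level is encrypt, verify, secure,
#                  fingerprint or dane-only
#   opportunistic  smtp_tls_security_level = may or dane, or only the legacy
#                  smtp_use_tls = yes
#   none           neither parameter is set
# Usage: tls_policy < fragment
tls_policy() {
    awk '
        /^smtp_tls_security_level[ \t]*=/ {
            split($0, kv, "="); gsub(/[ \t]/, "", kv[2]); level = kv[2]
        }
        /^smtp_use_tls[ \t]*=[ \t]*yes/ { legacy = 1 }
        END {
            if (level == "encrypt" || level == "verify" || level == "secure" ||
                level == "fingerprint" || level == "dane-only")
                print "mandatory"
            else if (level == "may" || level == "dane" || legacy)
                print "opportunistic"
            else
                print "none"
        }'
}

# Stand-alone demonstration.
echo "post fragment, indented lines:  $(printf '%s\n' "$SAMPLE_FRAGMENT" | continuation_lines)"
echo "post fragment, TLS policy:      $(printf '%s\n' "$SAMPLE_FRAGMENT" | tls_policy)"
echo "hardened fragment, TLS policy:  $(printf '%s\n' "$HARDENED_FRAGMENT" | tls_policy)"
```

Run it against a real fragment with `continuation_lines < fragment.cf`; a non-empty result is the leading-space mistake described in the note above, and `opportunistic` from `tls_policy` means the relay's certificate is not being checked.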

    Step 7: Create the transport file

    Contents of /etc/postfix/transport

    # This sends mail to Gmail
    gmail.com smtp:[smtp.gmail.com]:587
    #

    Step 8: Create the SASL password

    Replace username/password with your actual username and password.

    Contents of /etc/postfix/sasl_passwd

    [smtp.gmail.com]:587 [email protected]:password

    Step 9: Hash the password and transport files

    postmap /etc/postfix/sasl_passwd
    postmap /etc/postfix/transport
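Two checks belong with these three steps. First, sasl_passwd holds the Gmail password in plaintext, so it and the .db that postmap writes beside it should be readable by root only. Second, Postfix looks up smtp_sasl_password_maps by the nexthop exactly as it is written in the transport file, brackets and port included: `[smtp.gmail.com]:587` and `smtp.gmail.com:587` are different keys, and a mismatch means Postfix silently skips authentication. The script below is an added example and not code from the original post; it creates the credentials file with mode 600 and reports every transport nexthop that lacks a matching key. It assumes `transport_maps = hash:/etc/postfix/transport` is set in main.cf (the main.cf excerpt in Step 5 does not list it), that a `gmail.com` key only routes mail addressed to gmail.com recipients (a `*` wildcard entry or `relayhost` is what sends everything through Gmail), and that GNU stat is available. The sample files are constructed in a scratch directory.

```shell
#!/bin/sh
# Added example, not code from the original post: protect sasl_passwd and
# check that every transport nexthop has matching credentials.
#
# Assumptions: transport_maps = hash:/etc/postfix/transport is set in main.cf
# (the post's excerpt does not show it) and GNU stat is available.

# Write one credential line with mode 600; the umask applies to the newly
# created file, and running postmap under the same umask protects the .db.
# Usage: write_sasl_passwd FILE NEXTHOP USER PASSWORD
write_sasl_passwd() {
    (umask 077 && printf '%s %s:%s\n' "$2" "$3" "$4" > "$1")
}

# Octal permission bits of a file, e.g. "600". Usage: file_mode FILE
file_mode() {
    stat -c '%a' "$1"
}

# Print every transport nexthop that has no key in sasl_passwd, one per
# line; empty output means every relay destination has credentials.
# Usage: missing_credentials TRANSPORT_FILE SASL_PASSWD_FILE
missing_credentials() {
    awk -v pw="$2" '
        BEGIN {
            # collect the lookup keys (first field) present in sasl_passwd
            while ((getline line < pw) > 0) {
                if (line ~ /^[ \t]*(#|$)/) continue
                split(line, f, /[ \t]+/); have[f[1]] = 1
            }
        }
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            nh = $2; sub(/^[^:]*:/, "", nh)     # drop the "smtp:" transport prefix
            if (nh != "" && !(nh in have)) print nh
        }' "$1"
}

# Stand-alone demonstration with constructed files in a scratch directory.
# The second transport entry is deliberately missing the brackets, so its
# nexthop does not match the sasl_passwd key and is reported.
demo_dir=$(mktemp -d)
write_sasl_passwd "$demo_dir/sasl_passwd" '[smtp.gmail.com]:587' 'user@example.com' 'app-password'
printf '%s\n' '# This sends mail to Gmail' \
    'gmail.com smtp:[smtp.gmail.com]:587' \
    'example.net smtp:smtp.gmail.com:587' > "$demo_dir/transport"
echo "sasl_passwd mode: $(file_mode "$demo_dir/sasl_passwd")"
echo "nexthops without credentials:"
missing_credentials "$demo_dir/transport" "$demo_dir/sasl_passwd"
rm -r "$demo_dir"
```

On the real host the same functions run as `missing_credentials /etc/postfix/transport /etc/postfix/sasl_passwd`; if `file_mode /etc/postfix/sasl_passwd` does not print 600, fix it with `chmod 600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db` before anything else reads the directory.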

    Step 10: Restart the postfix server and clean up

    Enter the following command as root to restart postfix:
    /etc/init.d/postfix restart

    Go to your home directory where you made the temporary .pem files in step 1.
    cd ~

    Clean up the mouse turds!
    rm FOO-req.pem FOO-cert.pem FOO-key.pem && rm -r demoCA/

    Changing the Postfix port

    1. Edit the file /etc/postfix/master.cf and find the line below. Comment it out by adding # in front of it to disable SMTP port 25:
    smtp inet n - n - - smtpd
    Next, add this line:

    25000 inet n - n - - smtpd
    Replace 25000 with your preferred alternate port number.

    2. Restart the Postfix service or the MailScanner service if you have integrated MailScanner into Postfix.
    3. If you have enabled the firewall, you need to configure the firewall to allow traffic on the new port number.
    4. Test Postfix by connecting on the new port number. Use the terminal command telnet localhost [port] instead of telnet localhost smtp to test your new port number.
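Before opening the new port on the firewall it is worth confirming, from master.cf itself, that port 25 is really disabled and that the alternate port is the only inet listener. The script below is an added example and not code from the original post or the guide it quotes; it parses the master.cf table format (columns: service, type, private, unpriv, chroot, wakeup, maxproc, command) and lists the active inet services. The master.cf excerpt it runs against is constructed to match the edit described above.

```shell
#!/bin/sh
# Added example, not code from the original post: list the active inet
# listeners in a master.cf so the port 25 line is verifiably disabled before
# the alternate port is exposed on the firewall.
# master.cf columns: service type private unpriv chroot wakeup maxproc command
# The service column of an inet entry is a port number or a name from
# /etc/services, optionally prefixed with an address ("127.0.0.1:smtp").

# Constructed master.cf excerpt matching the post: smtp commented out,
# 25000 enabled with one "-o" continuation line, plus two unix services
# that must not be reported.
SAMPLE_MASTER_CF='# service type  private unpriv  chroot  wakeup  maxproc command + args
#smtp      inet  n       -       n       -       -       smtpd
25000     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=may
pickup    unix  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup'

# Print the port (or service name) of every uncommented inet listener, one
# per line. "-o" continuation lines have fewer than 8 fields and are skipped;
# an address prefix such as "127.0.0.1:" or "[::1]:" is stripped.
# Usage: inet_listeners < master.cf
inet_listeners() {
    awk '!/^[ \t]*#/ && NF >= 8 && $2 == "inet" { sub(/.*:/, "", $1); print $1 }'
}

# Succeed only when no active listener is on port 25, whether written as the
# number or as the "smtp" service name. Usage: port25_disabled < master.cf
port25_disabled() {
    ! inet_listeners | grep -qx -e smtp -e 25
}

# Stand-alone demonstration.
echo "active inet listeners:"
printf '%s\n' "$SAMPLE_MASTER_CF" | inet_listeners
if printf '%s\n' "$SAMPLE_MASTER_CF" | port25_disabled; then
    echo "port 25: disabled"
else
    echo "port 25: still listening"
fi
```

On the server, `inet_listeners < /etc/postfix/master.cf` should print only the alternate port (25000 in the post) once the edit is in place; anything else listed is a listener you have not accounted for and the firewall rule in step 3 should not be widened to cover it.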

    Now we need to set up a forward for incoming email to use the new port. I set up a free account on rollernet and am using their mail server in my MX record. The email goes to their server and then it is forwarded to mine using the new port. It has been working for a few days without problems.

    Categorized as Server