SMTP relay add-on?

georgelza

Patron
Joined
Feb 24, 2021
Messages
417
Hi all

I have an old app, and there is no way to update it, but it is critical to me... it needs to send me emails of activity... SMTP via port 25. Is there by any chance an email relay app I can install that can act as an SMTP port 25 relay?

G
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
You can create a jail and activate the included Sendmail or install postfix or any other MTA of your choice.
 

georgelza

Patron
Joined
Feb 24, 2021
Messages
417
Thanks... I have my DNS with Cloudflare so can create an MX record to make it look more legit when the other side does a reverse lookup on me to make sure I'm not a spammer...
Am a bit stuck; still have my jails failing/crashing (have 3 jails, running with 32GB RAM), which makes this as a jail not that secure.
hmmm

G
 

rvassar

Guru
Joined
May 2, 2018
Messages
972
If you can set your own rDNS PTR, it sounds like you have your own network address block. You'll need to make sure there's no port 25 filtering, and no blanket RBL listing by your network provider. You will also likely need a DKIM key in DNS to talk to other mail servers. Any hint of an open SMTP relay will get you listed, so you'll need to protect it carefully. Don't let me discourage you. I do have it working, but I have 20+ years in email servers, my own vanity server and a private VPN.

On the VMs. I recently upgraded to 32GB, and have been adding infrastructure VMs to my NAS. The trick seems to be keeping things small and simple: the minimal amount of RAM, and keep the vCPU/core/thread counts down.
 

georgelza

Patron
Joined
Feb 24, 2021
Messages
417
I don't have an IP block, only a single static.
I run DNS via CloudFlare so can create multiple records there that then forward/direct to my internal services.
Although I'm not "rushing" to set up an entire email server, the main use case is maybe a server on the internal network that will accept emails via port 25 and then send out to the target... or relay to smtp.gmail.com, although it looks like getting pregnant as a male might be easier than getting that working... ;)

G
 

rvassar

Guru
Joined
May 2, 2018
Messages
972
I don't have an IP block, only a single static.
I run DNS via CloudFlare so can create multiple records there that then forward/direct to my internal services.
Although I'm not "rushing" to set up an entire email server, the main use case is maybe a server on the internal network that will accept emails via port 25 and then send out to the target... or relay to smtp.gmail.com, although it looks like getting pregnant as a male might be easier than getting that working... ;)

G

You make it sound like you're pushing internal network information to a public DNS server. BIND will happily allow you to present an A-record for your internal home Wiki/phpmyadmin portal, etc... But... This has the potential to bleed information to potential attackers, open you to spear-phishing attacks, etc... I run full split-horizon DNS. There's the "MyDomain.COM" zone you can see from the world, and a completely separate "MyDomain.COM" running inside my house with a different zone map. It duplicates & extends the public zone, but has dozens of entries that simply do not exist publicly. (And it makes IPv6 a whole configuration topic on its own...)
 

georgelza

Patron
Joined
Feb 24, 2021
Messages
417
I have multiple internal systems that need to send email out; I'm happy that they all send as the same from address.
I have a single public static IP <as provided by my ISP> and then run 172.16.0.0 inside.
G
 

rvassar

Guru
Joined
May 2, 2018
Messages
972
I have multiple internal systems that need to send email out; I'm happy that they all send as the same from address.
I have a single public static IP <as provided by my ISP> and then run 172.16.0.0 inside.
G

You are unlikely to get Gmail to accept any email from your single public IP address.

Another question that needs to be asked... Who needs to receive these emails? You or third parties?

If it's just you & your cell phone when you're out and about... You're likely better off spinning up a local VM with an isolated SMTP server and a Dovecot instance, and add a port forward on your firewall exposing only the SSL/TLS IMAP port 993, and publish an A/CNAME record for the single public IP address. Solve the SSL cert problem by your method of choice. This will allow your cell phone to connect to the IMAP daemon outside your home and receive emails. You won't be able to send anything from that account, but you can receive alerts, etc... from your internal systems from almost anywhere in the world using any IMAP email client. There will be little redundancy of course, and you'll have to guard that service for security holes. Additionally, many IMAP clients allow copying from one IMAP account folder to another, so you can build filters to prune your Gmail account and store things on your personal NAS, etc... But understand, SMTP email & DNS are joined at the hip. There may be DNS requirements I'm glossing over.
 

georgelza

Patron
Joined
Feb 24, 2021
Messages
417
Me, wife and at times a 3rd address, all Gmail, at this time.
Happy to use another SMTP relay; so far trying to get SendGrid configured, but they don't seem to be very stable on their new account creation.

The emails don't need to come from a Gmail address, so thinking I can spin up a mail server that can simply act as a sender; it does not need to receive email, aka no POP or IMAP services.

G
 

rvassar

Guru
Joined
May 2, 2018
Messages
972
so thinking I can spin up a mail server that can simply act as a sender; it does not need to receive email, aka no POP or IMAP services.

G

You'll find your ISP blocking port 25, forcing you to use SMTP "submission" on port 587, where you will need to solve the authentication problem. If port 25 isn't blocked by your ISP, Gmail is going to simply assume you're a UCE / Spam operation and drop your submissions.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
It's not difficult to set up a local postfix accepting mail on port 25 unauthenticated and relaying to an ISP mail server on port 587 with authentication. So dumb devices can send and you don't need to teach every single one authentication. Neither do you need a static IP address or any inbound open port.

That's what I meant when suggesting a jail with an MTA.

While I personally prefer Sendmail, in the case of FreeBSD that would mean you need a recompiled Sendmail with SASL for outbound auth, so pkg install postfix is way simpler.
 
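The unauthenticated-LAN-to-authenticated-smarthost setup described above, as an added example (not code from the thread or from the Postfix project): a POSIX shell script that renders the Postfix settings, refuses a `mynetworks` value that would turn the jail into an open relay, and applies them with `postconf -e` when Postfix is installed. The smarthost name, account and password are placeholders, the paths assume the FreeBSD `postfix` package, and the /12 mask on the 172.16.0.0 network is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Renders and (optionally) applies Postfix
# settings for a LAN-only relay: accept unauthenticated mail on port 25 from
# the home network, hand everything to a smarthost on 587 over STARTTLS with
# SASL. Assumptions: FreeBSD "pkg install postfix" paths, a /12 mask on the
# 172.16.0.0 network, and placeholder smarthost/account values.

POSTFIX_ETC="${POSTFIX_ETC:-/usr/local/etc/postfix}"  # FreeBSD package location (assumed)
RELAYHOST="[smtp.example.net]:587"   # placeholder: your ISP's / Gmail's submission host
RELAY_USER="alerts@example.net"      # placeholder account used for SASL
RELAY_PASS="CHANGE-ME"               # placeholder; never commit a real one
LAN_NETS="127.0.0.0/8 [::1]/128 172.16.0.0/12"       # who may relay without auth (assumed mask)
CA_BUNDLE="/usr/local/share/certs/ca-root-nss.crt"   # from the ca_root_nss package (assumed path)

# Print the settings as "name = value" lines so they can be reviewed before applying.
render_main_cf() {
  cat <<EOF
inet_interfaces = all
mynetworks = $LAN_NETS
smtpd_relay_restrictions = permit_mynetworks, reject
relayhost = $RELAYHOST
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:$POSTFIX_ETC/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = secure
smtp_tls_CAfile = $CA_BUNDLE
smtp_tls_wrappermode = no
EOF
}

# Guard against the open-relay mistake rvassar warns about: a mynetworks that
# covers the whole Internet lets anyone send through you, and you get listed.
is_open_relay_config() {
  nets=$(printf '%s' "$1" | tr ',' ' ')
  case " $nets " in
    *" 0.0.0.0/0 "*|*" [::]/0 "*) return 0 ;;
  esac
  return 1
}

# Apply with postconf; only does anything where Postfix is actually installed.
apply_config() {
  command -v postconf >/dev/null 2>&1 || { echo "postconf not found" >&2; return 1; }
  if is_open_relay_config "$LAN_NETS"; then
    echo "refusing: mynetworks would let the whole Internet relay" >&2
    return 1
  fi
  render_main_cf | while IFS= read -r line; do postconf -e "$line"; done
  # Credentials file: the key must match relayhost exactly, mode 0600, then postmap.
  umask 077
  printf '%s %s:%s\n' "$RELAYHOST" "$RELAY_USER" "$RELAY_PASS" > "$POSTFIX_ETC/sasl_passwd"
  postmap "hash:$POSTFIX_ETC/sasl_passwd"
  service postfix reload
}

if [ "${1:-}" = "apply" ]; then apply_config; else render_main_cf; fi
```

Run it without arguments to review the rendered settings, then with `apply` inside the jail. `smtp_sasl_security_options = noanonymous` drops Postfix's default `noplaintext`, which would otherwise refuse to use PLAIN/LOGIN at all; it is safe only because `smtp_tls_security_level = secure` forces TLS and verifies the smarthost's certificate against the CA bundle before any credential is sent (drop to `encrypt` if the ISP's certificate name does not match). `smtpd_relay_restrictions = permit_mynetworks, reject` is what keeps the box a LAN-only relay. If every device should appear to send from one address, Postfix's `sender_canonical_maps = static:alerts@example.net` rewrites all senders to that placeholder address.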

georgelza

Patron
Joined
Feb 24, 2021
Messages
417
This is pretty much what I'd like to do.

The thinking was to run Postfix on an RPi on the internal network, have the other dumb devices send email locally via port 25... with Postfix repackaging the mail and pushing it onto 587 on Gmail.

Well, that's the thinking; execution is not going too well.

G
It's not difficult to set up a local postfix accepting mail on port 25 unauthenticated and relaying to an ISP mail server on port 587 with authentication. So dumb devices can send and you don't need to teach every single one authentication. Neither do you need a static IP address or any inbound open port.
 

georgelza

Patron
Joined
Feb 24, 2021
Messages
417
Yes, they and everyone are blocking port 25, but that's not my problem. My problem atm seems to be Postfix doing this repackaging and authentication.

You'll find your ISP blocking port 25, forcing you to use SMTP "submission" on port 587, where you will need to solve the authentication problem. If port 25 isn't blocked by your ISP, Gmail is going to simply assume you're a UCE / Spam operation and drop your submissions.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
What's your problem with your three jails? Jails are the most robust virtualisation/container technology I know. I never had one "crash" ever. So what are the symptoms of the crashes you mention? I can help you through the postfix setup process.

Edit: mailhog as a relay might suit you even better. It's also available as a FreeBSD package. But we do need a working jail for any of those.
 

rvassar

Guru
Joined
May 2, 2018
Messages
972
Gmail has turned off simple auth in favor of OAuth2.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Gmail has turned off simple auth in favor of OAuth2.
I'm not using gmail but this looks like PLAIN is still supported:
Code:
$ openssl s_client -host smtp.gmail.com -port 465
[...]
220 smtp.gmail.com ESMTP qk10-20020a170906d9ca00b006fed93bf71fsm5476449ejb.18 - gsmtp
EHLO localhost
250-smtp.gmail.com at your service, [2003:a:d59:3800:b51a:2b87:38ba:c84d]
250-SIZE 35882577
250-8BITMIME
250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8
 

georgelza

Patron
Joined
Feb 24, 2021
Messages
417
They simply die... had a thread here before trying to get it fixed; at the time people all said it's due to not enough RAM, so I increased from 16GB to 32GB... ended with the same problem.

At the moment, the services I run on the jails, I can handle the "dying", but for this service I can't, so doing this on a jail while they're not stable is not an option.

If you're willing to help, can we look at setting up something tomorrow, about the same time or earlier, and see what we can get done.

G
What's your problem with your three jails? Jails are the most robust virtualisation/container technology I know. I never had one "crash" ever. So what are the symptoms of the crashes you mention? I can help you through the postfix setup process.

Edit: mailhog as a relay might suit you even better. It's also available as a FreeBSD package. But we do need a working jail for any of those.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Jails don't die. They are just a bunch of regular user processes, so individual processes inside the jail may die because of a memory shortage but not an entire jail.

Try dmesg | tail and tail /var/log/messages on the NAS host just after a jail "died". And of course iocage list.
 

georgelza

Patron
Joined
Feb 24, 2021
Messages
417
The jail, or OK, maybe the processes all seem to die during the night; I had the Unifi controller dying and Plex dying nightly around 1-5am.

For Plex I ended up putting a scheduled restart in place to make sure it gets restarted.

As for on or just after, I don't know the exact time; I normally just figured it out during the next day.

G
 

rvassar

Guru
Joined
May 2, 2018
Messages
972
I'm not using gmail but this looks like PLAIN is still supported:
Code:
$ openssl s_client -host smtp.gmail.com -port 465
[...]
220 smtp.gmail.com ESMTP qk10-20020a170906d9ca00b006fed93bf71fsm5476449ejb.18 - gsmtp
EHLO localhost
250-smtp.gmail.com at your service, [2003:a:d59:3800:b51a:2b87:38ba:c84d]
250-SIZE 35882577
250-8BITMIME
250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8

That's port 465... Implicit TLS, not STARTTLS. See RFC 8314 sec 3.3 & 7.3 (disclaimer: I used to work with one of the authors). Using port 465 was actually deprecated for years, and support is now considered transitory, so you can expect Google to cut it off someday as well. But yes, you might get that working. However, it may not last very long. Consider, OAuth2 enforcement for IMAP has only been in place for a few weeks.
 
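The 587/STARTTLS versus 465/implicit-TLS point, and the AUTH line in the capture above, as an added example (not from the thread): a shell script whose first function runs the two `openssl s_client` probes the way the capture does, and whose remaining functions parse a captured EHLO reply for its AUTH mechanisms and STARTTLS support, then keep only the mechanisms a static `sasl_passwd` entry can satisfy. The 465 sample is the reply from the thread, embedded for offline use; the 587 sample is constructed and `mail.example.net` is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: probe a submission server and parse the
# EHLO reply. Only the parsing functions run offline; the probe needs network.

# Live probes. 587 uses STARTTLS, so openssl negotiates TLS after the plaintext
# greeting; 465 is TLS from the first byte ("implicit TLS", RFC 8314).
# Usage: probe_submission smtp.example.net
probe_submission() {
  host="$1"
  printf 'EHLO probe.example\r\nQUIT\r\n' | openssl s_client -connect "$host:587" -starttls smtp -quiet 2>/dev/null
  printf 'EHLO probe.example\r\nQUIT\r\n' | openssl s_client -connect "$host:465" -quiet 2>/dev/null
}

# Mechanisms advertised on the "250-AUTH ..." (or "250 AUTH ...") line, one per line.
ehlo_auth_mechs() {
  tr -d '\r' | awk '/^250[- ]AUTH / { n = split(substr($0, 9), m, " "); for (i = 1; i <= n; i++) print m[i] }'
}

# Exit 0 when STARTTLS is offered; a reply on 465 never has it (already encrypted).
ehlo_has_starttls() {
  tr -d '\r' | grep -q -i '^250[- ]STARTTLS$'
}

# Keep only what a user:password in sasl_passwd can use, formatted for
# Postfix's smtp_sasl_mechanism_filter. XOAUTH2/OAUTHBEARER need a token
# issuer that plain Postfix does not have.
password_mechs() {
  awk 'toupper($1) == "PLAIN" || toupper($1) == "LOGIN" { out = out (out ? ", " : "") tolower($1) } END { print out }'
}

# Copied from the 465 capture earlier in this thread.
SAMPLE_EHLO_465='250-smtp.gmail.com at your service, [2003:a:d59:3800:b51a:2b87:38ba:c84d]
250-SIZE 35882577
250-8BITMIME
250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8'

# Constructed: a 587 server before STARTTLS. A well-behaved server withholds
# AUTH until the session is encrypted, so this list has no AUTH line at all.
SAMPLE_EHLO_587_PRE='250-mail.example.net Hello
250-SIZE 10240000
250-STARTTLS
250 ENHANCEDSTATUSCODES'

echo "465 capture, AUTH mechanisms: $(printf '%s\n' "$SAMPLE_EHLO_465" | ehlo_auth_mechs | tr '\n' ' ')"
echo "usable with sasl_passwd:      $(printf '%s\n' "$SAMPLE_EHLO_465" | ehlo_auth_mechs | password_mechs)"
if printf '%s\n' "$SAMPLE_EHLO_587_PRE" | ehlo_has_starttls; then
  echo "587 sample: STARTTLS offered; read AUTH only from the EHLO sent after STARTTLS"
fi
```

On 587 you see two EHLO replies: the one before STARTTLS tells you whether TLS is offered, and only the one after it is the list Postfix will use for AUTH, which is why `smtp_tls_security_level = encrypt` (or `secure`) matters: PLAIN and LOGIN send the password in the clear inside the session, so the session itself must be encrypted first. On 465 there is no STARTTLS line because the connection is encrypted from the start, which is why the capture above shows AUTH immediately; Postfix speaks that port with `smtp_tls_wrappermode = yes` instead.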