Configuring an SMTP Relay


smtp relay

I've discovered that our new scanner doesn't support any sort of encryption for email transmission, so not only will authenticating with something like the Fastmail SMTP server not work (because it won't allow plain-text passwords), but you wouldn't want to anyway, because security.

So the best solution will be to configure a relay on our file server so that at least the unencrypted transmission is happening in our LAN.

There is a handy howto on the Debian wiki. It discusses Gmail, but the SparkPost SMTP transmission API will work too.

Exim is a mail transfer agent (MTA), the thing that transfers mail.

I have had some drama configuring this but I might have forgotten about the minutiae. Basically I followed the howto above.

dpkg-reconfigure exim4-config

  • select "mail sent by smarthost; received via SMTP or fetchmail"
  • System Mail Name: office.wheatcrofts.com.au. This needs to be configured as a sending domain in sparkpost.
  • "IP-addresses to listen on for incoming SMTP connections": {machine ip}. If you used 127.0.0.1 then other devices (like our scanner) wouldn't be able to connect.
  • "Other destinations for which mail is accepted": empty
  • "Machines to relay mail for": empty
  • "IP or host name of outgoing smarthost": smtp.sparkpostmail.com::587
  • "hide local hostname": yes (although I don't think it matters)
  • "visible domain": system mail name from above (if hide local chosen above)
  • "Keep number of DNS-queries minimal (Dial-on-Demand)?": no
  • "Delivery method for local mail": whatever
  • "Split configuration into small files?": whatever
  • "root & postmaster mail recipient": whatever

next..

nano /etc/exim4/passwd.client

and add ..

smtp.sparkpostmail.com:SMTP_Injection:{apikeyhere}

configure auth

If you chose to split things into small files then you'll have /etc/exim4/conf.d/auth/, which contains 30_exim4-config_examples, which has some useful information.

This configuration suits my needs but is obviously unsuitable for multiple users et cetera.

so ..

nano /etc/exim4/conf.d/auth/40_documents

and add something like:

plain_server:
    driver = plaintext
    public_name = PLAIN
    server_condition = "${if and {{eq{$auth2}{documents}}{eq{$auth3}{mysecret}}}}"
    server_set_id = $auth2
    server_prompts = :
    server_advertise_condition = true

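This is just plugging in a plaintext auth driver. The magic happens in the server_condition value: the login and password I've specified are documents and mysecret (documents:mysecret). Setting server_advertise_condition = true makes Exim advertise AUTH even on connections without TLS, which is what the scanner needs, so the credentials cross the LAN unencrypted.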
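What the plaintext driver does with that login, as an added example (not code from this post or from Exim): with server_prompts = : Exim base64-decodes the AUTH PLAIN argument and splits it on NUL bytes into $auth1, $auth2 and $auth3, which is why server_condition tests $auth2 and $auth3. The function names are hypothetical, the model accepts exactly three fields, and it uses hmac.compare_digest where Exim's eq is a plain string comparison.

```python
import base64
import hmac

# Constructed sample values: the login and password used in this post.
USER, SECRET = "documents", "mysecret"


def encode_auth_plain(user, password, authzid=""):
    """Build the argument a client sends after 'AUTH PLAIN' (RFC 4616)."""
    raw = "\0".join((authzid, user, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_auth_plain(argument):
    """Return (auth1, auth2, auth3) as the plaintext driver would set them."""
    try:
        raw = base64.b64decode(argument, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("AUTH PLAIN argument is not valid base64") from exc
    fields = raw.split(b"\0")
    if len(fields) != 3:  # this model only accepts the three-field form
        raise ValueError("expected authzid NUL authcid NUL password")
    return tuple(f.decode("utf-8", "replace") for f in fields)


def server_condition(argument, user=USER, secret=SECRET):
    """Mirror and{eq{$auth2}{user}}{eq{$auth3}{secret}} from 40_documents."""
    try:
        _auth1, auth2, auth3 = decode_auth_plain(argument)
    except ValueError:
        return False
    # compare_digest avoids leaking how many leading characters matched.
    user_ok = hmac.compare_digest(auth2.encode(), user.encode())
    pass_ok = hmac.compare_digest(auth3.encode(), secret.encode())
    return user_ok and pass_ok


if __name__ == "__main__":
    arg = encode_auth_plain(USER, SECRET)
    print("AUTH PLAIN", arg)
    print("decoded fields:", decode_auth_plain(arg))  # base64 hides nothing
    print("accepted:", server_condition(arg))
    print("wrong password:", server_condition(encode_auth_plain(USER, "nope")))
```

The decode step needs no key, so anything on the same network segment that can see the SMTP session can read the login; keep this listener on the LAN only.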

useful commands

see logs:

tail  /var/log/exim4/mainlog

see queue / spool:

exim -bp

see the log for a frozen message. This is pretty useful because, in the case of SparkPost, it will show you the API error.

exim -Mvl id

swaks probes your smtp server:

apt-get install swaks libnet-ssleay-perl
swaks -s 192.168.0.100 -a -au documents -ap 'mysecret' -q AUTH

Will generate output like so:

=== Trying 192.168.0.100:25...
=== Connected to 192.168.0.100.
<-  220 hmoffice ESMTP Exim 4.84_2 Sat, 11 Mar 2017 19:36:38 +0800
 -> EHLO hmoffice.levi.wht.cr
<-  250-hmoffice Hello hmoffice.levi.wht.cr [192.168.0.100]
<-  250-SIZE 52428800
<-  250-8BITMIME
<-  250-PIPELINING
<-  250-AUTH PLAIN
<-  250 HELP
 -> AUTH PLAIN AGxldqwefXlzZWNyZXQ=
<-  235 Authentication succeeded
 -> QUIT
<-  221 hmoffice closing connection
=== Connection closed with remote host.

send email from cli:

mail -s "test 3" levi@wherever.com < /dev/null