Getting Postfix to use an SSH tunnel for outgoing SMTP

Given all the fuss over blocking dynamic IPs due to spam, I’ve long sent outgoing SMTP via my server (which lives on a static IP). I download my mail from that using fetchmail over an SSH tunnel, and have done for a while. It’s very reliable, and that way it really doesn’t matter where I download from — quite neat. Also means I don’t have to futz with SMTP AUTH, IMAP/SSL, Certifying Authorities, or any of the other hand-configured complex PKI machinery required to use SSL for authentication.

However, I’ve been using plain old SMTP for outgoing traffic, by just poking a hole in the access db for the IP I’m on. A bit messy and generally not-nice.

So I decided to make it sensible and deliver using SMTP-in-an-SSH-tunnel. In the same SSH tunnel, in fact ;) With Postfix, it turned out very easy — here’s how to do it:

Add this option to the SSH command line in the SSH tunneling script (I’m presuming you have one ;):

-L 8025:127.0.0.1:25

That’ll forward port 8025 on localhost to port 25 on the remote system, so that if a connection is made to port 8025 on localhost, it’ll talk to port 25 on the remote host. Standard SSH tunneling there.

Now for Postfix — add this to /etc/postfix/main.cf:

default_transport = smtp:localhost:8025

This means that Postfix will always use SMTP to localhost on port 8025 for any non-local deliveries.

Run service postfix reload (cough, Red Hat-ism) and that’s it! A whole lot easier than I was expecting… Postfix rocks.
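
Anything that can connect to local port 8025 reaches the server's SMTP port as a connection from 127.0.0.1, so the forward should listen on loopback only (the ssh default; -g or GatewayPorts changes that). The check below is an added example, not part of the original post: check_forward_binding is a hypothetical helper name and the ss output samples are constructed.

```shell
#!/bin/sh
# Added example: confirm the SSH forward for outgoing SMTP listens on loopback only.
# check_forward_binding is a hypothetical helper; the sample data below is constructed.
# Live use:  ss -ltn | check_forward_binding 8025

# Reads `ss -ltn` output on stdin.
# Exit 0: every listener on PORT is loopback; 1: a listener is exposed; 2: none found.
check_forward_binding() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4                          # "Local Address:Port" column
            n = split(addr, parts, ":")        # last field after ":" is the port
            if (parts[n] != port) next
            found = 1
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            if (host != "127.0.0.1" && host != "[::1]") {
                print "exposed listener: " addr
                bad = 1
            }
        }
        END {
            if (!found) { print "no listener on port " port; exit 2 }
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample: forward bound to loopback (what plain -L 8025:127.0.0.1:25 gives).
SAFE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:8025     0.0.0.0:*
LISTEN 0      128    [::1]:8025         [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

# Constructed sample: forward bound to all interfaces (e.g. ssh started with -g).
EXPOSED_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:8025       0.0.0.0:*
LISTEN 0      128    [::]:8025          [::]:*'

printf '%s\n' "$SAFE_SS" | check_forward_binding 8025 && echo "safe sample: loopback only"
printf '%s\n' "$EXPOSED_SS" | check_forward_binding 8025 || echo "exposed sample: flagged"
```

Exit status 2 (no listener at all) usually means the tunnel is down, in which case Postfix will queue outgoing mail until it comes back.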