Gentoo Postfix setup for sending email through an authenticated relay.

I spent half a day getting this to work so I could use the PHP mail() function on a Comcast connection. It will probably work with Gmail, etc. Here are my notes.

  1. root /root # emerge --unmerge ssmtp
  2. root /root # USE="sasl ssl" emerge postfix
  3. Edit /etc/postfix/ and locate the 'relayhost' line, add the info below:
    relayhost = []:587

    # These lines are new:
    smtp_use_tls = yes
    smtp_tls_CAfile = /etc/postfix/cacert.pem
    smtp_tls_cert_file = /etc/postfix/FOO-cert.pem
    smtp_tls_key_file = /etc/postfix/FOO-key.pem
    smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/saslpass
    smtpd_sasl_local_domain = $myhostname
    smtp_sasl_security_options = noanonymous
  4. Create your local certificate, required fields in red:
    root /root # /etc/ssl/misc/ -newca
    CA certificate filename (or enter to create)

          Making CA certificate ...
          Generating a 1024 bit RSA private key
          writing new private key to './demoCA/private/cakey.pem'
          Enter PEM pass phrase: password123
          Verifying - Enter PEM pass phrase: password123
          You are about to be asked to enter information that will be incorporated
          into your certificate request.
          What you are about to enter is what is called a Distinguished Name or a DN.
          There are quite a few fields but you can leave some blank
          For some fields there will be a default value,
          If you enter '.', the field will be left blank.
    Country Name (2 letter code) [AU]: US
    State or Province Name (full name) [Some-State]:
    Locality Name (eg, city) []:
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []: MyName
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from /etc/ssl/openssl.cnf
    Enter pass phrase for ./demoCA/private/cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number:
                Not Before: Nov 14 20:00:01 2008 GMT
                Not After : Nov 14 20:00:01 2011 GMT
                countryName               = US
                stateOrProvinceName       = Some-State
                organizationName          = Internet Widgits Pty Ltd
                commonName                =
                emailAddress              =
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                X509v3 Authority Key Identifier:
                    DirName:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=mydomain/

    X509v3 Basic Constraints:
    Certificate is to be certified until Nov 14 20:00:01 2011 GMT (1095 days)

    Write out database with 1 new entries
    Data Base Updated

    root /root # openssl req -new -nodes -subj '/' -keyout FOO-key.pem -out FOO-req.pem -days 3650

    root /root # openssl ca -out FOO-cert.pem -infiles FOO-req.pem
  5. Copy your cert to the postfix directory:
    root /root # cp demoCA/cacert.pem FOO-key.pem FOO-cert.pem /etc/postfix
  6. Set proper permissions:
    root /root # chmod 644 /etc/postfix/FOO-cert.pem /etc/postfix/cacert.pem
    root /root # chmod 400 /etc/postfix/FOO-key.pem
  7. Edit /etc/postfix/saslpass and add the auth information:
    # remotehost user:password
    []:587 mycomcastusername:mycomcastpassword
  8. Create the password database and set permissions:
    root /root # cd /etc/postfix/
    root /etc/postfix # postmap saslpass
    root /etc/postfix # chmod 600 saslpass
    root /etc/postfix # chmod 644 saslpass.db
  9. Reload postfix:
    root /etc/postfix # postfix reload
You should be all done. Happy emailing.