Unless you're a sysadmin you don't generally have to
worry that much about getting email delivered, you just hookup your GUI email
client to your external email account and you're done. But what if your system
tries to deliver mail, for example fromcron? Normally,
this just goes to root or perhaps some designated user on your system, but what
if you'd like it to get delivered to your external email account?
The obvious answer is you setup your
system to forward root's email to your external email account, eg change this
line in /etc/aliases:
root: you
to
root: you@example.com
or you can change root's .forward file to accomplish the same thing.
So, what's the problem? The problem
comes when your IP address (or your ISP's IP address) someday gets blacklisted
and all of a sudden you're not getting any system mail anymore. This problem
can also arise if you have scripts which deliver mail to somebody: at some
point their email server may refuse to talk to your system because it thinks
you're a spammer or something.
In these cases, assuming your email
provider allows you to have SMTP access, one solution is to have your system
deliver email to your email provider and let your email provider deliver it to
the final destination. Your email provider is probably (hopefully) more likely
to stay on top of problems related to their IP addresses and blacklists so your
email has a higher probability of getting delivered (in the case of cron it's
already at its destination).
Getting your system to deliver mail to
an external email account, ie getting your system to relay mail via another
server requires a bit of configuration. Few, if any, email providers allow
their servers to be used as open relays, an open relay being an email relay
that anyone can use. So one of the first things you have to do is tell your
system how to login to your email account so that it can relay email.
Furthermore you may also have to, or want to, configure your system to use
TLS/SSL when it logs in so that your username and password are protected.
In this example, I'll show you how I
set up my system to deliver mail to my fastmailaccount.
I use openSUSE and therefore my system uses postfix to
deliver email. If you use another Linux distro these steps may require
modification, and if you useexim or some
other system for email delivery this won't help at all.
First, if it's not already installed
and running, install the SASL authentication daemonsaslauthd and start it. Next edit the file /etc/postfix/sasl_passwd and add this line to the bottom of the
file:
mail.messagingengine.com USERNAME:PASSWORD
The values in this file determine the
username and password that SASL uses when logging in to a particular server.
Obviously, change these values for your external email account. You should be
able to find the server name on your email provider's web site, although it
usually takes some digging.
Now run postmap to convert the text password file to a
.db file:
postmap sasl_passwd
Next edit the file /etc/postfix/master.cf and uncomment the tlsmgr line:
tlsmgr unix - - n 1000? 1 tlsmgr
Now edit the file /etc/postfix/main.cf and add the following lines to the bottom
of the file:
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_type = cyrus
smtp_sasl_mechanism_filter = PLAIN, LOGIN
smtp_tls_security_level = verify
smtp_tls_mandatory_ciphers = high
smtp_tls_verify_cert_match = nexthop
smtp_sasl_tls_security_options = noanonymous
relayhost = [mail.messagingengine.com]:587
#debug_peer_list = mail.messagingengine.com
These options tell postfix to
use SASL authentication when doing SMTP (ie delivering mail) and they also tell
it to use TLS security when logging in. Therelayhost option tells postfix the
default server to use when relaying email, the :XXX value is the port number to
use (another value you'll have to dig out of your email provider's help pages).
The last option, the commented out one,debug_peer_list allows you tell postfix to
show TLS related debug information on a per server basis. This is often useful
when trying to diagnose TLS connection problems. In this case it turned out to
be useful because postfix did not recognize the CA (certificate
authority) that issued Fastmail's SSL certificate (Entrust). (Actually, I don't
know if postfix recognizes any CA's out of the box.)
After some groping around on the
Entrust site my SSL memory came back to me and I did a search for "root
certificates" and got to a page where I could download a copy of Entrust's root certificate (you may need to start here).
Once you've downloaded the
certificate, save a copy in /etc/postfix and
remove group/other read/write access. Then add the following line to /etc/postfix/main.cf:
smtp_tls_CAfile = /etc/postfix/entrust_ssl_ca.cer
$ /etc/init.d/postfix restart
Now send a test email from the command
line:
$ mail -s test you@example.com <<<test
And hopefully it will arrive in your
external email account.