SMTP Relay via a Smarthost

Overview

Laptops are portable and end up being connected to various networks from day to day. You might connect it at the office, at home, at a friend's house, at conferences, at random coffee houses.... For most configuration settings, you can rely on DHCP, but an exception is mail relaying.

Because SMTP doesn't do anything about spam, many sites do not accept mail that is relayed from untrusted networks. Untrusted networks include those of a lot of ISP's such as Comcast and BellSouth, which is irritating. Untrusted networks include those of random coffee houses, which---let's be honest---is unavoidable. For practical purposes, you can't use direct SMTP if you log into a large variety of networks.

The strategy I use is to have a relay out on a host that is considered to be on a trusted network by the major spam lists. The relay server requires authentication from the client, so that the client can safely connect to the relay server no matter what kind of network connection is available. The relay server can then send mail to its ultimate destination using direct SMTP as normal. Since its network is not on the spam lists, the email goes through reliably.

As an extra complication, I set the laptop-to-relay connection to avoid the standard ports 25 and 465. Many local networks, including BellSouth/DSL, block connections to standard ports completely. It's evil, it's aggravating, it's understandable, there has to be a better way, etc., but again, that's how things are, and so that's what a practical configuration has to deal with. It turns out that exim can handle non-standard ports.

There are alternative approaches you may also want to consider:

  • Use a web-based email program. If you use Hotmail or Yahoo or Gmail, then you can process your email anywhere that you have a WWW connection. You lose the ability to process email offline, however, as well as losing a lot of ability to read and to process your email using your own software.
  • Use the relay provided by your ISP. I'm sure some ISP's let you relay through their SMTP servers if you use SMTP authentication. The main reasons I don't do this are (a) I don't always have a current ISP subscription, and (b) I do happen to use networks where port 25 is blocked, and so I still can't send from those networks to any server running on port 25 as usual.

Exim Configuration Files

Exim on Debian is configured in a confusing way. You can install it to use "split" or "unsplit" configuration files, and in either case, the configuration files you see are not the ones that exim itself sees. I use the unsplit version, and I edit /etc/exim4/exim4.conf.template. If you want to change between split and unsplit configurations, use dpkg-reconfigure exim4-config. Whenever you change a configuration setting, use /etc/init.d/exim4 restart.

As an aside, this situation strikes me as more complicated than is helpful. I found myself wishing there was a way to create and use a single /etc/exim/exim4.conf, but did not dig up how to do so.

Configuring the Relay Server

First the relay server needs to be set up. As you go along, you will want a way to test how the server is working. I found this short page helpful:

Testing SMTP AUTH connections
The suggestion on that page regarding the -starttls option of openssl did not work for me, but after some Googling, I found a proposed patch for openssl that appears to fix the problem. So, by the time you read this, even that might work.

Start by installing the exim4 package and configuring it to work as normal on an always-connected Internet host.

Run /usr/share/doc/exim4-base/examples/exim-gencert and answer all of its question. This will create a TLS certification that is needed to use SSL connections.

Turn on plain-text authentication by uncommenting the plain_server section of the exim configuration file. I also changed the server_condition line to have a hardcoded username and password instead of reading it from a file. The result looks like this (with USERNAME and PASSWORD substituted with the name and password I chose): 

plain_server:
  driver = plaintext
  public_name = PLAIN
#  server_condition = "${if crypteq{$3}{${extract{1}{:}{${lookup{$2}lsearch{CONF
DIR/passwd}{$value}{*:*}}}}}{1}{0}}"
  server_condition = \
    ${if and {{eq{$2}{USERNAME}}{eq{$3}{PASSWORD}}}{yes}{no}}
  server_set_id = $2
  server_prompts = :

You also need to set up a couple of other things. Put the following settings near the top of your exim4.conf.template: 

MAIN_TLS_ENABLE=1
daemon_smtp_ports=smtp : 26

That should be it. Your exim server on the relay machine should now:

  1. Accept authentication using your chosen USERNAME and PASSWORD.
  2. Listen on port 26 in addition to 25.
  3. Accept SSL/TLS connections via the STARTTLS directive.

Configuring the Client

Next, set up the client to send all outgoing mail via the relay host. Install exim4 and set it to use your relay server as a smarthost. Edit /etc/exim4/passwd.client and put in your username and password, something like: 

### CONFDIR/passwd.client
#
# Format:
#targetmailserver.example:login:password
#
# default entry:
### *:bar:foo
*:USERNAME:PASSWORD

Finally, hack your exim4.conf.template to use port 26 instead of 25. Find the section for remote_smtp_smarthost and add port = 26 to it. In my file it looks like this: 

remote_smtp_smarthost:
  debug_print = "T: remote_smtp_smarthost for $local_part@$domain"
  driver = smtp
  hosts_try_auth = ${if exists {CONFDIR/passwd.client}{DCsmarthost}{}}
  tls_tempfail_tryclear = false
  DEBCONFheaders_rewriteDEBCONF
  DEBCONFreturn_pathDEBCONF
  port = 26

That should be it. Now mail sent locally will get relayed via port 26 on your relay host.