use postfix over ssh

Ranjan Maitra
Hi,

I am not sure that this has a(n easy) solution or is even possible, but I thought that I would find out from experts because it has been difficult to search for the answer.

I have postfix running on both my home and office machines. I am able to send e-mail from my office machine (that uses my employer's mailhub, etc), but not from my home machine when using my office e-mail address as the sender's address. However, I am able to connect via ssh+vpn with 2FA to my office machine. My question is: can I set my home machine's postfix up such that I can send e-mail through the ssh tunnel to my office machine (sorry for my non-technical description). How do I do this, if possible?

Many thanks again for your time in reading this, and thanks in advance for any suggestions!

Best wishes,
Ranjan


Re: use postfix over ssh

Jaroslaw Rafa
On 10.10.2020 at 16:04:30, Ranjan Maitra wrote:
>
> I have postfix running on both my home and office machines. I am able to
> send e-mail from my office machine (that uses my employer's mailhub, etc),
> but not from my home machine when using my office e-mail address as the
> sender's address.  However, I am able to connect via ssh+vpn with 2FA to
> my office machine.  My question is: can I set my home machine's postfix up
> such that I can send e-mail through the ssh tunnel to my office machine
> (sorry for my non-technical description).  How do I do this, if possible?

When you are connected via VPN to your corporate network, it should already
be possible to use your employer's mailhub, since your home machine is
already "inside" the corporate network - no need to set up an additional SSH
tunnel to your office machine. That's at least my experience on how the
corporate VPNs work.

You only need to configure Postfix so that it sends mail via your
employer's mailhub if the sender address is your office address. That would
be sender_dependent_transport_maps, I think? Certainly other people on this
list can advise on the configuration part better than me.
--
Regards,
   Jaroslaw Rafa
   [hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."

Re: use postfix over ssh

Ranjan Maitra
On Sat, 10 Oct 2020 23:36:28 +0200 Jaroslaw Rafa <[hidden email]> wrote:

> On 10.10.2020 at 16:04:30, Ranjan Maitra wrote:
> >
> > I have postfix running on both my home and office machines. I am able to
> > send e-mail from my office machine (that uses my employer's mailhub, etc),
> > but not from my home machine when using my office e-mail address as the
> > sender's address.  However, I am able to connect via ssh+vpn with 2FA to
> > my office machine.  My question is: can I set my home machine's postfix up
> > such that I can send e-mail through the ssh tunnel to my office machine
> > (sorry for my non-technical description).  How do I do this, if possible?
>
> When you are connected via VPN to your corporate network, it should already
> be possible to use your employer's mailhub, since your home machine is
> already "inside" the corporate network - no need to set up an additional SSH
> tunnel to your office machine. That's at least my experience on how the
> corporate VPNs work.
>
> You only need to configure Postfix so that it sends mail via your
> employer's mailhub if the sender address is your office address. That would
> be sender_dependent_transport_maps, I think? Certainly other people on this
> list can advise on the configuration part better than me.
> --

Thanks very much! Yes, it would be very helpful to have this configured if it can be made to work.

Best wishes,
Ranjan

Re: use postfix over ssh

Viktor Dukhovni
In reply to this post by Ranjan Maitra
On Sat, Oct 10, 2020 at 04:04:30PM -0500, Ranjan Maitra wrote:

> I have postfix running on both my home and office machines. I am able
> to send e-mail from my office machine (that uses my employer's
> mailhub, etc), but not from my home machine when using my office
> e-mail address as the sender's address. However, I am able to connect
> via ssh+vpn with 2FA to my office machine. My question is: can I set
> my home machine's postfix up such that I can send e-mail through the
> ssh tunnel to my office machine (sorry for my non-technical
> description). How do I do this, if possible?

Your question is not sufficiently detailed/precise for an answer to
be possible.  You need to provide more details about the SSH VPN.

    - Does it allow port forwarding?  Or just terminal and perhaps
      X11 sessions?
    - What ports if any can you forward?
    - Any other relevant details...

Also:

    - Do you ever send email to office recipients from your non-office
      email address?  How do you want these to be routed?

    - If you do use your office address as a sender address, but a
      message is not deliverable, how should the bounce be routed?

--
    Viktor.

Re: use postfix over ssh

Ranjan Maitra
Hi Viktor,

Thanks for your response!

On Sat, 10 Oct 2020 19:31:09 -0400 Viktor Dukhovni <[hidden email]> wrote:

> On Sat, Oct 10, 2020 at 04:04:30PM -0500, Ranjan Maitra wrote:
>
> > I have postfix running on both my home and office machines. I am able
> > to send e-mail from my office machine (that uses my employer's
> > mailhub, etc), but not from my home machine when using my office
> > e-mail address as the sender's address. However, I am able to connect
> > via ssh+vpn with 2FA to my office machine. My question is: can I set
> > my home machine's postfix up such that I can send e-mail through the
> > ssh tunnel to my office machine (sorry for my non-technical
> > description). How do I do this, if possible?
>
> Your question is not sufficiently detailed/precise for an answer to
> be possible.  You need to provide more details about the SSH VPN.

I am not sure I know all the answers to your questions, so some suggestions on how to figure these out would be very helpful (I am on Fedora 32 Linux).

>     - Does it allow port forwarding?  Or just terminal and perhaps
>       X11 sessions?

I believe that it allows at least some port forwarding, but I do not know what all it does. My ssh is to a non-standard port, however.

>     - What ports if any can you forward?
>     - Any other relevant details...

How do I figure this out?

cat /etc/services | grep ssh

ssh             22/tcp                          # The Secure Shell (SSH) Protocol
ssh             22/udp                          # The Secure Shell (SSH) Protocol
x11-ssh-offset  6010/tcp                        # SSH X11 forwarding offset
ssh             22/sctp                 # SSH
sshell          614/tcp                 # SSLshell
sshell          614/udp                 #       SSLshell
netconf-ssh     830/tcp                 # NETCONF over SSH
netconf-ssh     830/udp                 # NETCONF over SSH
sdo-ssh         3897/tcp                # Simple Distributed Objects over SSH
sdo-ssh         3897/udp                # Simple Distributed Objects over SSH
netconf-ch-ssh  4334/tcp                # NETCONF Call Home (SSH)
snmpssh         5161/tcp                # SNMP over SSH Transport Model
snmpssh-trap    5162/tcp                # SNMP Notification over SSH Transport Model
tl1-ssh         6252/tcp                # TL1 over SSH
tl1-ssh         6252/udp                # TL1 over SSH
ssh-mgmt        17235/tcp               # SSH Tectia Manager
ssh-mgmt        17235/udp               # SSH Tectia Manager


> Also:
>
>     - Do you ever send email to office recipients from your non-office
>       email address?  How do you want these to be routed?

I use postfix only for my office e-mail address so I do not believe this to be an issue.

>
>     - If you do use your office address as a sender address, but a
>       message is not deliverable, how should the bounce be routed?

I don't know if this is the answer, but I guess that the bounce should be routed back to my office e-mail address?

I am happy to provide more information.

Many thanks again and best wishes,
Ranjan

>
> --
>     Viktor.
>
--
Important Notice: This mailbox is ignored: e-mails are set to be deleted on receipt. Please respond to the mailing list if appropriate. For those needing to send personal or professional e-mail, please use appropriate addresses.


Re: use postfix over ssh

Ranjan Maitra
My apologies: were there any suggestions regarding what I should do?

Thanks,
Ranjan

On Sat, 10 Oct 2020 20:07:33 -0500 Ranjan Maitra <[hidden email]> wrote:

> Hi Viktor,
>
> Thanks for your response!
>
> On Sat, 10 Oct 2020 19:31:09 -0400 Viktor Dukhovni <[hidden email]> wrote:
>
> > On Sat, Oct 10, 2020 at 04:04:30PM -0500, Ranjan Maitra wrote:
> >
> > > I have postfix running on both my home and office machines. I am able
> > > to send e-mail from my office machine (that uses my employer's
> > > mailhub, etc), but not from my home machine when using my office
> > > e-mail address as the sender's address. However, I am able to connect
> > > via ssh+vpn with 2FA to my office machine. My question is: can I set
> > > my home machine's postfix up such that I can send e-mail through the
> > > ssh tunnel to my office machine (sorry for my non-technical
> > > description). How do I do this, if possible?
> >
> > Your question is not sufficiently detailed/precise for an answer to
> > be possible.  You need to provide more details about the SSH VPN.
>
> I am not sure I know all the answers to your questions, so some suggestions on how to figure these out would be very helpful (I am on Fedora 32 Linux).
>
> >     - Does it allow port forwarding?  Or just terminal and perhaps
> >       X11 sessions?
>
> I believe that it allows at least some port forwarding, but I do not know what all it does. My ssh is to a non-standard port, however.
>
> >     - What ports if any can you forward?
> >     - Any other relevant details...
>
> How do I figure this out?
>
> cat /etc/services | grep ssh
>
> ssh             22/tcp                          # The Secure Shell (SSH) Protocol
> ssh             22/udp                          # The Secure Shell (SSH) Protocol
> x11-ssh-offset  6010/tcp                        # SSH X11 forwarding offset
> ssh             22/sctp                 # SSH
> sshell          614/tcp                 # SSLshell
> sshell          614/udp                 #       SSLshell
> netconf-ssh     830/tcp                 # NETCONF over SSH
> netconf-ssh     830/udp                 # NETCONF over SSH
> sdo-ssh         3897/tcp                # Simple Distributed Objects over SSH
> sdo-ssh         3897/udp                # Simple Distributed Objects over SSH
> netconf-ch-ssh  4334/tcp                # NETCONF Call Home (SSH)
> snmpssh         5161/tcp                # SNMP over SSH Transport Model
> snmpssh-trap    5162/tcp                # SNMP Notification over SSH Transport Model
> tl1-ssh         6252/tcp                # TL1 over SSH
> tl1-ssh         6252/udp                # TL1 over SSH
> ssh-mgmt        17235/tcp               # SSH Tectia Manager
> ssh-mgmt        17235/udp               # SSH Tectia Manager
>
>
> > Also:
> >
> >     - Do you ever send email to office recipients from your non-office
> >       email address?  How do you want these to be routed?
>
> I use postfix only for my office e-mail address so I do not believe this to be an issue.
>
> >
> >     - If you do use your office address as a sender address, but a
> >       message is not deliverable, how should the bounce be routed?
>
> I don't know if this is the answer, but I guess that the bounce should be routed back to my office e-mail address?
>
> I am happy to provide more information.
>
> Many thanks again and best wishes,
> Ranjan
>
> >
> > --
> >     Viktor.
> >
> --
> Important Notice: This mailbox is ignored: e-mails are set to be deleted on receipt. Please respond to the mailing list if appropriate. For those needing to send personal or professional e-mail, please use appropriate addresses.
>
--
Important Notice: This mailbox is ignored: e-mails are set to be deleted on receipt. Please respond to the mailing list if appropriate. For those needing to send personal or professional e-mail, please use appropriate addresses.


Re: use postfix over ssh

Viktor Dukhovni
On Mon, Oct 12, 2020 at 08:09:45PM -0500, Ranjan Maitra wrote:

> My apologies: were there any suggestions regarding what I should do?

Find out more about the VPN.  Nobody on this list can do that.  Does it
support port forwarding (learn what that means), and will it allow forwarding
of the internal SMTP server's IP:port to your client machine?  Your
IT staff should be able to help you with that.

> > > Your question is not sufficiently detailed/precise for an answer to
> > > be possible.  You need to provide more details about the SSH VPN.
> >
> > I am not sure I know all the answers to your questions, so some suggestions on how to figure these out would be very helpful (I am on Fedora 32 Linux).
> >
> > >     - Does it allow port forwarding?  Or just terminal and perhaps
> > >       X11 sessions?
> >
> > I believe that it allows at least some port forwarding, but I do not know what all it does. My ssh is to a non-standard port, however.
> >
> > >     - What ports if any can you forward?
> > >     - Any other relevant details...
> >
> > How do I figure this out?
> >
> > cat /etc/services | grep ssh

This is not relevant.

> > > Also:
> > >
> > >     - Do you ever send email to office recipients from your non-office
> > >       email address?  How do you want these to be routed?
> >
> > I use postfix only for my office e-mail address so I do not believe this to be an issue.
> >
> > >
> > >     - If you do use your office address as a sender address, but a
> > >       message is not deliverable, how should the bounce be routed?
> >
> > I don't know if this is the answer, but I guess that the bounce should be routed back to my office e-mail address?

In that case all you need to do is set relayhost to the
forwarded SSH port:

    relayhost = [127.0.0.1]:<portnumber>

but that requires your SSH VPN to support port forwarding from the
remote network to your machine, which it may restrict for security
reasons.  You'd then need to run "ssh" with the relevant port
forwarded:

    localport=12345 # Forwarded SMTP service
    relayhost=smtp.example.com
    login=yourloginname
    sshvpnport=22 # Perhaps different in your case
    ssh -Nn -o "ExitOnForwardFailure yes" -l $login -p $sshvpnport \
        -L"$localport:$relayhost:25" sshvpn.example.com

--
    Viktor.
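
One way to put the reply above into practice and to check from the command line whether the gateway permits the forward (an added example, not part of the original post; host names, login, ports and function names are placeholders or assumptions). ssh only reports a refused -L forward when something connects to the local port, so the script reads the SMTP greeting through the tunnel before it changes relayhost.

```shell
#!/bin/sh
# Added example, not from the thread. Host names, login and ports are placeholders.
localport=12345              # any unused port above 1024 on the home machine
relayhost=smtp.example.com   # internal SMTP server as resolved from the SSH gateway
login=yourloginname
sshvpnport=22                # perhaps different in your case
gateway=sshvpn.example.com

# Build the -L argument, binding the listener to loopback only.
forward_spec() {
    printf '127.0.0.1:%s:%s:25' "$1" "$2"
}

# Succeed only if the line is an SMTP greeting (reply code 220).
is_smtp_greeting() {
    case $1 in
        "220 "*|220-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read the first line the forwarded port sends (uses bash's /dev/tcp).
read_greeting() {
    bash -c 'exec 3<>"/dev/tcp/127.0.0.1/$1" && IFS= read -r -t 10 line <&3
             printf "%s\n" "$line"' _ "$1" 2>/dev/null | tr -d '\r'
}

main() {
    # -f puts ssh in the background after authentication, so 2FA prompts still work.
    ssh -f -N -o "ExitOnForwardFailure yes" -l "$login" -p "$sshvpnport" \
        -L "$(forward_spec "$localport" "$relayhost")" "$gateway" || return 1
    greeting=$(read_greeting "$localport")
    if is_smtp_greeting "$greeting"; then
        echo "forward works: $greeting"
        # Needs root: point Postfix at the tunnel, as in the reply above.
        postconf -e "relayhost = [127.0.0.1]:$localport" && postfix reload
    else
        echo "no SMTP greeting; the gateway probably refuses this forward" >&2
        return 1
    fi
}

if [ "${1:-}" = "run" ]; then main; fi
```

Run it as "sh script.sh run" from the home machine; the tunnel must stay up for as long as Postfix is expected to relay through it.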

Re: use postfix over ssh

Ranjan Maitra
On Mon, 12 Oct 2020 21:19:38 -0400 Viktor Dukhovni <[hidden email]> wrote:

> On Mon, Oct 12, 2020 at 08:09:45PM -0500, Ranjan Maitra wrote:
>
> > My apologies: were there any suggestions regarding what I should do?
>
> Find out more about the VPN.  Nobody on this list can do that.  Does it
> support port forwarding (learn what that means), and will it allow forwarding
> of the internal SMTP server's IP:port to your client machine?

Thank you very much, the SMTP port of the host is the standard 25. Is there a command-line way to quickly find out if the port is allowed to be forwarded? Otherwise, of course, I will wait for my IT staff to respond.

> In that case all you need to do is set relayhost to the
> forwarded SSH port:
>
>     relayhost = [127.0.0.1]:<portnumber>
>
> but that requires your SSH VPN to support port forwarding from the
> remote network to your machine, which it may restrict for security
> reasons.  You'd then need to run "ssh" with the relevant port
> forwarded:
>
>     localport=12345 # Forwarded SMTP service
>     relayhost=smtp.example.com
>     login=yourloginname
>     sshvpnport=22 # Perhaps different in your case
>     ssh -Nn -o "ExitOnForwardFailure yes" -l $login -p $sshvpnport \
>         -L"$localport:$relayhost:25" sshvpn.example.com
>
> --

I know my ssh port. The localport, I guess, is for my home machine. Where do I get it from? Also, where do I put the above?

I appreciate that I have not provided the most complete information for you to help, and so I thank you for making the time and the effort.

Many thanks again, and best wishes,
Ranjan