Android email and Postfix with authorization

I was unable to send company email from my HTC Android phone. The solution was to install and configure my own outgoing mail server instead of using the mobile provider's servers. Now I can send email quickly and easily over whatever Internet connection is available: home, work, a friend's wireless connection, a wireless hotspot or a 3G dongle.

Mobile providers usually have multiple outgoing mail servers, and it is not always possible to find the correct one without much trial and error. When roaming or connected through a WiFi hotspot, sending will probably not be possible and fails with the error message "Unable to send mail. The account setting is incorrect." So the idea is to install and configure a relay mail server that is accessible from anywhere but requires authorization.

Contents
  1. Install Postfix and Dovecot
  2. Dovecot configuration
  3. Postfix configuration
  4. Conclusion

1. Install Postfix and Dovecot
I chose Postfix as the MTA (Mail Transport Agent) because of its simple configuration. Postfix is nevertheless a very good, modularly designed MTA. Dovecot is an IMAP server for Linux/UNIX-like systems, needed here for user authorization. Installing the packages on the RedHat Linux family is a simple task using yum or yumex:

# postfix installation
yum install postfix

# Dovecot installation
yum install dovecot

2. Dovecot configuration
Instead of setting up separate authentication for Postfix, we can use the authentication in Dovecot and just let Postfix talk to Dovecot. This can be very useful if IMAP is installed later. After the Dovecot installation is finished, open the /etc/dovecot.conf configuration file and make it look like this:

auth default {
  mechanisms = plain login
  userdb passwd {
  }
  passdb pam {
  }
  socket listen {
    client {
      path = /var/spool/postfix/private/auth
      mode = 0660
      user = postfix
      group = postfix
    }
  }
}

And that’s all the configuration Dovecot needs. Just be sure to start the Dovecot service after Postfix.

3. Postfix configuration
One of the main tips is to configure Postfix to use port 587. Port 587 is for users to send out emails on; port 25 is for servers to relay messages to one another. I assume that the default port 25 would be just fine if the Cisco PIX router had SMTP fixup turned off. Here is what I found about the Cisco configuration:

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp <-- here is the problem
  inspect icmp

MailGuard is a Cisco protocol that accepts basic SMTP commands on port 25, not the extended ESMTP ones, making it incompatible with SMTP-AUTH (needed for authorization). The default HTC mail client with "Login required" checked didn't even try to authorize on port 25, and Postfix rejected every attempt at mail relaying:

554 5.7.1 <user@abcd.ef>: Relay access denied

On the other hand, the K-9 mail client did try to communicate with Postfix, but then I got the following output in the /var/log/maillog file:

postfix: match_string: XXXX ~? CONNECT
postfix: match_string: XXXX ~? GET
postfix: match_string: XXXX ~? POST
postfix: match_list_match: XXXX: no match
postfix: > unknown[1.2.3.4]: 502 5.5.2 Error: command not recognized
postfix: < unknown[1.2.3.4]: QUIT
postfix: > unknown[1.2.3.4]: 221 2.0.0 Bye

Telnet to port 25 with a standard ehlo localhost gave me the following output:

[dbunic@linux ~]$ telnet my.mail.host 25
Trying 44.55.66.77...
Connected to my.mail.host.
Escape character is '^]'.
220 *****************
ehlo localhost
500 5.5.1 Command unrecognized: "XXXX localhost"
quit
221 2.0.0 my.mail.host closing connection
Connection closed by foreign host.

It was obvious that something between the mail client and the Postfix server was altering the traffic. The solution is to disable Cisco SMTP fixup or to configure Postfix to use port 587. Actually, Postfix will listen on both 25 and 587. Port 25 is needed for sending emails from localhost, so it can be blocked with the firewall (making it inaccessible from the outside world). Enabling port 587 in Postfix is very simple: just uncomment one line in the /etc/postfix/master.cf file:

submission inet n       -       n       -       -       smtpd

Restart Postfix, and from this moment it should listen on port 587. Next, add a few lines to the /etc/postfix/main.cf file:

# network interface (receive mail on all network interfaces)
inet_interfaces = all

# relayhost parameter specifies the default host to send mail
relayhost = [11.22.33.44]

# enable SMTP auth
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_security_options = noanonymous

And finally, here is the postconf -n output (this prints the parameter settings explicitly specified in the main.cf file):

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
relay_domains = $mydestination
relayhost = [11.22.33.44]
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
unknown_local_recipient_reject_code = 550

Now telnet to my.mail.host:587 looks correct:

[dbunic@linux ~]$ telnet my.mail.host 587
Trying 44.55.66.77...
Connected to my.mail.host.
Escape character is '^]'.
220 my.mail.host ESMTP Postfix
ehlo localhost
250-my.mail.host
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.

4. Conclusion
If you followed the steps, your Android should be able to send email regardless of the Internet connection type. Enter the server address, set port 587, choose "None" for security type and click on "Login required". The user name and password are the same as for the user on the server (created with the useradd command). Don't forget to open only port 587 in the firewall and to set the Dovecot and Postfix services to run in levels 3 and 5 (so they start up after a server reboot). More or less, this is all I experienced during Postfix configuration. I hope some parts of this post will be useful, and if I made any mistake, feel free to comment.
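
With security type "None" and the 250-AUTH PLAIN LOGIN reply shown in the port 587 transcript, the login crosses the network base64-encoded but not encrypted. The following added example (not part of the original post) audits the EHLO reply and postconf -n values from this page for that condition. The parameters smtpd_tls_auth_only, smtpd_tls_security_level and smtpd_use_tls are standard Postfix settings that the post itself does not set; the function names are made up for this example.

```python
# Added example: flag cleartext SMTP AUTH from an EHLO reply and `postconf -n`.
# Sample inputs are the port-587 transcript and main.cf values shown on this page.
EHLO_REPLY = """250-my.mail.host
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

POSTCONF_N = """smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot"""

def parse_ehlo(reply):
    """Map each ESMTP keyword in a 250 EHLO reply to its parameter list."""
    caps = {}
    for line in reply.splitlines()[1:]:      # line 1 is the server's hostname
        if not line.startswith(("250-", "250 ")):
            raise ValueError("not a 250 reply line: %r" % line)
        words = line[4:].upper().split()
        if words:
            caps[words[0]] = words[1:]
    return caps

def parse_postconf(text):
    """Parse 'name = value' lines as printed by postconf -n."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, v in pairs}

def audit(ehlo_reply, postconf_text):
    """Return findings; master.cf -o overrides are not considered (assumption)."""
    caps, conf = parse_ehlo(ehlo_reply), parse_postconf(postconf_text)
    findings = []
    mechs = set(caps.get("AUTH", []))
    if mechs and "STARTTLS" not in caps:
        findings.append("AUTH advertised on a session that cannot be upgraded to TLS")
    if mechs & {"PLAIN", "LOGIN"} and conf.get("smtpd_tls_auth_only") != "yes":
        findings.append("PLAIN/LOGIN accepted without TLS: smtpd_tls_auth_only is not 'yes'")
    tls_on = (conf.get("smtpd_tls_security_level") in ("may", "encrypt")
              or conf.get("smtpd_use_tls") == "yes")
    if not tls_on:
        findings.append("TLS not enabled: set smtpd_tls_security_level plus cert/key files")
    return findings

if __name__ == "__main__":
    for finding in audit(EHLO_REPLY, POSTCONF_N):
        print("WARN:", finding)
```

Against the values from this page all three findings fire. With TLS enabled and smtpd_tls_auth_only = yes, Postfix advertises STARTTLS and withholds AUTH until the session is encrypted, and the audit returns an empty list.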

2 thoughts on “Android email and Postfix with authorization”

  1. @Andrea – This post describes email problems on Android smartphones and how to configure mail server to accept and relay emails with authorization. If your problem is related to the post topic, please send more details. Thank you.
