Script to set up relayhost to avoid spam boxes

MIAB is great. But having mail land in spam boxes is a pain, and it’s too hard to set up a ‘clean’ IP and keep it clean. I resorted to using a relayhost so someone else can look after the IP (went with Amazon SES).

I then wrote this script to automate the process of adjusting postfix/ settings (and dovecot/dovecot.conf so that sieve messages send too).

I put it in /home/user-data/tools (assuming that directory won’t get wiped in an update) then chmod +x

Now I can run it with $ sudo /home/user-data/tools/ myrelayhostPORT relayhostUSER relayhostPWORD

I put a test on the front so that the script won’t run if the relayhost is already set… thinking that might be handy if I want to automatically run the script as a check?

Anyway, here it is for what it’s worth.

#!/bin/bash
# This script will add a relayhost for outgoing emails in MIAB
# the script takes four arguments
#  - relay host url
#  - port
#  - username
#  - password
# eg.  $ sudo /.../ 587 username password
# I was using Ubuntu 22.04, mail-in-a-box version 60  and aws ses as relayhost
# and then I moved back to Ubuntu 18.04 and miab 57 and it works there  too.
# check if arguments url:port username password have all been included when calling the script
if [ $# -ne 4 ]; then
    echo "this script requires four arguments   relayhost.url  port   username   password"
    exit 1
fi
# ok... looks like we've got something to work with, so let's go
# name the four arguments so the commands below can use them
relayhost="$1"
port="$2"
username="$3"
password="$4"
# check to see if relay host is ALREADY set? look for existence of 'relayhost=?' ie anything (.*) after the '='
grep -qx 'relayhost = ' /etc/postfix/
if [ $? -eq 1 ] ; then
#   relayhost IS set... do you really want to change it? 15 seconds to answer, otherwise exit
    echo "you've already got a relayhost set"
    TMOUT=15 read -r -p "Do you really want to reload? [y/N] " response
    if [[ "$response" =~ ^(yes|y)$ ]]
#   if YES (you do want to proceed) then delete a few things, ready to do again below
      then  echo 'OK... redoing relayhost setup'
#        removed the relayhost details in postfix
#        clear dovecot
         sed -i '/plugin {/d' /etc/dovecot/dovecot.conf
         sed -i '/sieve_vacation_send_from_recipient = yes/d' /etc/dovecot/dovecot.conf
         sed -i '/} # added/d' /etc/dovecot/dovecot.conf
       else  echo '....Leaving settings as-is'
#   if NO (or timeout) then just exit and don't change anything
             exit 0
    fi
fi
# If relayhost is not already set, or if you have chosen to proceed despite the fact it's already set...
# create the sasl password file (a postfix lookup table; the password is stored in clear text, not encrypted)
# but first remove the old one if it's there
if test -f "/etc/postfix/sasl_passwd"; then
    rm /etc/postfix/sasl_passwd
fi
if test -f "/etc/postfix/sasl_passwd.db"; then
    rm /etc/postfix/sasl_passwd.db
fi
# then create the new one, and lock it down before the password goes in
touch /etc/postfix/sasl_passwd
chmod 0600 /etc/postfix/sasl_passwd
# append your arguments to it
echo "[${relayhost}]:${port} ${username}:${password}" >> /etc/postfix/sasl_passwd
# create a hash database
postmap hash:/etc/postfix/sasl_passwd
# set permissions
chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
# append the following to bottom of /etc/postfix/
# this stuff comes from here
postconf -e "relayhost = [${relayhost}]:${port}" \
"smtp_sasl_auth_enable = yes" \
"smtp_sasl_security_options = noanonymous" \
"smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd" \
"smtp_use_tls = yes" \
"smtp_tls_security_level = encrypt" \
"smtp_tls_note_starttls_offer = yes"
postconf -e "smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt"
#***** I found that auto-reply/out-of-office (ie sieve generated) emails did not send with amazon SES unless I added this next bit
# add this to the bottom of dovecot/dovecot.conf, otherwise vacation replies may not work
echo "plugin {" >> /etc/dovecot/dovecot.conf
echo " sieve_vacation_send_from_recipient = yes" >>  /etc/dovecot/dovecot.conf
echo " } # added" >>  /etc/dovecot/dovecot.conf
# restart postfix and dovecot services
systemctl restart dovecot postfix
echo ' all done!'

This is interesting … have you considered adding it to the project by doing a pull request?

I did think about it - but it’s been so long since I did a pull request.

And - I’m not sure a script like this fits with the aim of mailinabox… it’s kind of ‘out of the box’. If something similar were to be included I think it would need to be unbreakable and somehow work with most other relayhosts out there. I have not checked to see what settings are specific to my case?

Anyway… I put it here for now … see if anyone wants to do anything more with it. It works for my setup.

Non-programmer here.
Will this also help against IP blocks from Microsoft etc.?

Actually, not being able to send to Microsoft addresses was what put me over the line to using a relay. Every other provider would accept my emails - but not Microsoft.

All this script does is set up MIAB to use a relay.

There are various relay hosts out there… I signed up for amazon ses and asked to have the restrictions lifted. It costs, but the $ is very low.

There are some providers with a free tier … just google.

Whichever you run with will require some DNS settings etc.

Please don’t!

Free = spammers are attracted like flies on you know what and that puts you back where you started as those IPs are dirty as well. You really need to use a paid SMTP relay as I have outlined here:

Or a VPS provider that doesn’t sponsor YouTube channels :wink:

Hmm, are we both thinking of the same provider? :slight_smile:

Probably. But while both of them (although, at the moment, it is mostly one that is heavily advertising its services) are blocking port 25 by default, sending spam mails isn’t the only way to get a bad reputation for your IP addresses :wink:

Thanks for the referral.
I just worked out that forwarding is broken with my current relayhost setup because the relayhost smtp provider sees the original ‘from’ address - and rejects the email as coming from an unverified domain.
I guess I need to swap out the ‘from’ address and maybe add ‘reply-to’ for all forwarded (and aliased?) emails.
Bit of a pain… I’m guessing that’s some more postfix fiddle (or is it sieve? or both?)
Any pointers?

Answered my own question.
This change makes aliases, forwarding, and vacation/out of office replies work. Forwarding and alias trigger an spf ‘soft-fail’ but this can be worked around by marking your address as a safe-sender.

sudo nano /etc/postfix/

relayhost =
sender_dependent_relayhost_maps = hash:/etc/postfix/relay_by_sender
smtpd_data_restrictions = check_sender_access pcre:/etc/postfix/sender_access

sudo nano /etc/postfix/relay_by_sender       []:587

(note, I believe you can add other domains in the same format, one per line []:587 []:port
but when I redo the script that started this post… I’ll just use one relay)

sudo postmap hash:/etc/postfix/relay_by_sender

sudo nano /etc/postfix/sender_access

/(.*)/  prepend X-Envelope-From: <$1>

sudo systemctl restart postfix
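
A check for the relay settings written by the script at the top of the thread and by the per-sender variant just above, as an added example that is not part of any post. It reads `name = value` lines in the format `postconf -n` prints; the function names and the host `relay.example.net` are made up for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit relay settings given as
# "name = value" lines on stdin, the format `postconf -n` prints.
# Prints one finding per line; prints nothing when every check passes.
audit_relay_conf() {
    awk '
        {
            i = index($0, "=")
            if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            conf[k] = v
        }
        END {
            # Either a global relay or a per-sender relay map must be set.
            if (conf["relayhost"] == "" && conf["sender_dependent_relayhost_maps"] == "")
                print "no relay route: relayhost and sender_dependent_relayhost_maps are both empty"
            if (conf["smtp_sasl_auth_enable"] != "yes")
                print "smtp_sasl_auth_enable is not yes"
            if (conf["smtp_sasl_password_maps"] == "")
                print "smtp_sasl_password_maps is empty"
            if (conf["smtp_sasl_security_options"] !~ /noanonymous/)
                print "smtp_sasl_security_options lacks noanonymous"
            # These levels refuse to send without TLS; "may" and "dane" can
            # fall back to cleartext, which would expose the SASL login.
            lvl = conf["smtp_tls_security_level"]
            if (lvl !~ /^(encrypt|dane-only|fingerprint|verify|secure)$/)
                print "smtp_tls_security_level=" lvl " does not enforce TLS"
        }'
}

# sasl_passwd and sasl_passwd.db hold the relay password, so neither file
# may grant anything to group or other. Prints a finding if one does.
check_secret_mode() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ????------) ;;
        *) echo "$1 has mode $mode: accessible beyond its owner" ;;
    esac
}

# Constructed sample: the script's settings, but with opportunistic TLS.
printf '%s\n' 'relayhost = [relay.example.net]:587' \
    'smtp_sasl_auth_enable = yes' \
    'smtp_sasl_security_options = noanonymous' \
    'smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd' \
    'smtp_tls_security_level = may' | audit_relay_conf
```

On a live server the same functions can be fed with `postconf -n | audit_relay_conf` and `check_secret_mode /etc/postfix/sasl_passwd`.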

Hi! Don’t want to be that guy who plugs his own stuff in here, but I’m going to be that guy who plugs his own stuff in here, since I think it could be useful.

I develop a fork of Mail-in-a-Box which provides this very feature in the admin panel, so that you don’t need to fiddle with configurations - however you’ll be required to set up SPF and DKIM for that provider (so that they pass those checks). Any decent relay provider will give you these values to fill in.

Right now it’s set up so that all mail you send goes through the relay, if it is configured.

Yeah, I’ve been using an external relay for several years, and it’s been great. It also does some very nice inbound spam filtering for me. I’ve just had to set ‘relayhost’ and ‘smtp_fallback_relay’ in my /etc/postfix/… then on the admin for the relay site, I just put in my mail server information and it accepts and routes all mail for me. I’d give out who it is, but I’m pretty sure I’ve got a grandfathered price/deal and it would probably be prohibitively expensive for new users - otherwise, I’d probably go with @davness and his service… (ok, it’s - but I’m really not sure what package it is on their website if it’s even available. I started with ‘MailAnyone’ service with 10 users, and then it got bought/migrated to Fusemail, then again to, and I’ve just kind of kept the same deal, but I’m not sure if Vipre offers that deal - their site is confusing… It says "Vipre Email Security" as the logo in my admin page if it’s any help). I’ve made a copy of that file, as well as other minor customizations I have, and back those up along with everything else…