The lack of socks support is an increasingly serious shortcoming of Postfix.
If 2013 taught us anything, it is that the only way to have secure email is to store using full disk encryption on a computer in your physical custody and to send and receive using trusted TLS or better.

* Cloud computing is not secure
* Hosted Webmail is not secure

These new findings are easy for people who rent a co-location cage or have an enterprise-grade Internet connection. Everybody else will need socks to send outbound email and Postfix does not support that.

---

I was trying to send using default transport/smtp through a socks5 proxy provided by ssh -D. In my experience Postfix does not easily support this, but I got pretty far:

a. Install tsocks package on Ubuntu 13.04

b. Create /usr/lib/postfix/smtp_socks

    #!/bin/bash
    # Point tsocks at the Postfix-specific configuration, then run the stock smtp client under it
    export TSOCKS_CONF_FILE=/etc/postfix/tsocks.conf
    exec tsocks /usr/lib/postfix/smtp "$@"

c. Create /etc/postfix/tsocks.conf

    server = 127.0.0.1
    server_port = 1126
    server_type = 5

d. Add to /etc/postfix/master.cf

    smtp_socks unix - - - - - smtp_socks

e. Add to /etc/postfix/main.cf

    default_transport = smtp_socks

f. Set up tunnel and send email to the Internet

    ssh -D 1126 remoteserver.com

It does not work: smtp does not actually create connections but more likely hands that off to some other process. The log displays:

    postfix/smtp[7848]: connect to aspmx.l.google.com[2a00:1450:4008:c01::1a]:25: Network is unreachable
    postfix/smtp[7845]: connect to aspmx.l.google.com[74.125.25.27]:25: Connection timed out

Of course this works:

    TSOCKS_CONF_FILE=/etc/postfix/tsocks.conf tsocks telnet aspmx.l.google.com 25
    Trying 173.194.79.27...
    Connected to aspmx.l.google.com.
    Escape character is '^]'.
    220 mx.google.com ESMTP g6si6607378pad.169 - gsmtp

As opposed to blocked while not using socks5:

    telnet aspmx.l.google.com 25
    Trying 173.194.79.27...
    ^C

How can I make it work?

There are great reasons for using a SOCKS5 server:

- perhaps your computer has a dynamic IP
- perhaps your ISP does not allow port 25 connections
- perhaps you want an encrypted connection all the way to the recipient's MTA, as opposed to having an unencrypted mail queue somewhere on the Internet

We do NOT want an intermediate MTA or Postfix.

Looking forward to any suggestions,
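
The `tsocks telnet` check from the post, written out as the SOCKS5 exchange (RFC 1928) that such a client performs through the `ssh -D` listener. This is an added example, not part of the original post; the function names are illustrative, and the proxy address and port are the ones the post uses.

```python
import socket
import struct

# Failure reply codes from RFC 1928, section 6 (0 means succeeded)
REPLIES = {1: "general SOCKS server failure", 2: "connection not allowed by ruleset",
           3: "network unreachable", 4: "host unreachable", 5: "connection refused",
           6: "TTL expired", 7: "command not supported", 8: "address type not supported"}

def build_connect(host, port):
    """CONNECT request with ATYP=3, so the proxy end resolves the name, not the local host."""
    name = host.encode("ascii")
    if not 1 <= len(name) <= 255:
        raise ValueError("hostname must be 1..255 bytes")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)

def recv_exact(sock, n):
    """Read exactly n bytes; a short read means the proxy went away."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf

def socks5_banner(sock, host, port=25):
    """Handshake on a socket already connected to the proxy; return the SMTP greeting line."""
    sock.sendall(b"\x05\x01\x00")  # version 5, one method offered: 0x00 (no authentication)
    if recv_exact(sock, 2) != b"\x05\x00":
        raise ConnectionError("proxy did not accept the no-auth method")
    sock.sendall(build_connect(host, port))
    ver, rep, _rsv, atyp = recv_exact(sock, 4)
    if ver != 5:
        raise ConnectionError("not a SOCKS5 reply")
    if rep != 0:
        raise ConnectionError("CONNECT failed: " + REPLIES.get(rep, "reply code %d" % rep))
    # Skip BND.ADDR and BND.PORT; the address length depends on ATYP
    alen = recv_exact(sock, 1)[0] if atyp == 3 else {1: 4, 4: 16}.get(atyp)
    if alen is None:
        raise ConnectionError("unknown address type in reply")
    recv_exact(sock, alen + 2)
    line = b""
    while not line.endswith(b"\n") and len(line) < 1024:
        line += recv_exact(sock, 1)
    return line.decode("ascii", "replace").strip()

if __name__ == "__main__":
    # 127.0.0.1:1126 is the `ssh -D 1126` listener from step f
    with socket.create_connection(("127.0.0.1", 1126), timeout=30) as s:
        print(socks5_banner(s, "aspmx.l.google.com"))
```

A reply other than "succeeded" names the failure on the proxy side, which separates a tunnel problem from a problem in how the mail client is wrapped.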