From 1e2f9039efe14072dd95b050f80f73847c4363cb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= <anarcat@debian.org>
Date: Wed, 8 Dec 2021 20:50:19 -0500
Subject: [PATCH] this is how I configured my Postfix MTA to deliver through
 tpo

---
 howto/submission.md | 71 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)

diff --git a/howto/submission.md b/howto/submission.md
index 66a17388..b06a8252 100644
--- a/howto/submission.md
+++ b/howto/submission.md
@@ -119,6 +119,77 @@ This is how dgoulet configured his client:
     user dgoulet
     passwordeval pass mail/dgoulet@torproject.org
 
+### Postfix client configuration
+
+If you run Postfix as your local Mail Transport Agent (MTA), you'll
+need to do something special to route your emails through the
+submission server.
+
+First, set the following configuration in `main.cf`, by running the
+following commands:
+
+    postconf -e smtp_sasl_auth_enable=yes
+    postconf -e smtp_sasl_password_maps=hash:/etc/postfix/sasl/passwd
+    postconf -e smtp_sasl_security_options=
+    postconf -e relayhost=submission.torproject.org:587
+    postconf -e smtp_tls_security_level=encrypt
+    postfix reload
+
+The `/etc/postfix/sasl/passwd` file holds `hostname user:pass`
+configurations, one per line:
+
+    touch /etc/postfix/sasl/passwd
+    chown root:root /etc/postfix/sasl/passwd && chmod 600 /etc/postfix/sasl/passwd
+    echo "submission.torproject.org user:pass" >> /etc/postfix/sasl/passwd
+
+Then rehash that map:
+
+    postmap /etc/postfix/sasl/passwd
+
+Note that this method stores your plain text password on disk. Make
+sure permissions on the file are limited and that you use full disk
+encryption.
+
+`may` can be used as a `security_level` if we are going to send mail
+to other hosts which may not support security, but make sure that
+mails are encrypted when talking to the `relayhost`, for example
+through a `smtp_tls_policy_maps`.
+
+If you want to use Tor's submission server *only* for mail sent from a
+`@torproject.org` address, you'll need an [extra step](http://www.postfix.org/SASL_README.html#client_sasl_sender). This should
+be in `main.cf`:
+
+    postconf -e smtp_sender_dependent_authentication=yes
+    postconf -e sender_dependent_relayhost_maps=hash:/etc/postfix/sender_relay
+
+Then in the `/etc/postfix/sender_relay` file:
+
+    # Per-sender provider; see also /etc/postfix/sasl_passwd.
+    anarcat@torproject.org               [submission.torproject.org]
+
+Then rehash that map as well:
+
+    postmap /etc/postfix/sender_relay
+
+Make sure you do *not* change the `relahost` (above), or reset it to
+its previous value. If you have changed your [`default_transport`](http://www.postfix.org/postconf.5.html#default_transport),
+you'll also need a [`sender_dependent_default_transport_maps`](http://www.postfix.org/postconf.5.html#sender_dependent_default_transport_maps) as
+well:
+
+    postconf -e sender_dependent_transport_maps=hash:/etc/postfix/sender_transport
+
+With `/etc/postfix/sender_transport` looking like:
+
+    anarcat@torproject.org               smtp:
+
+For debugging, you can make SMTP client sessions verbose in Postfix:
+
+    smtp      unix  -       -       -       -       -       smtp -v
+
+`smtp_sasl_mechanism_filter` is also very handy for debugging. For
+example, you can try to force the authentication mechanism to
+`cram-md5` this way.
+
 ## Pager playbook
 
 No pager playbook has been built yet. See the [Monitoring and
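Review bot: the `sender_dependent_default_transport_maps` step configures a parameter Postfix does not have. The prose names the right one, but the command is `postconf -e sender_dependent_transport_maps=hash:/etc/postfix/sender_transport`; `postconf -e` will write that name without complaint, Postfix will only log it as an unused parameter, and `/etc/postfix/sender_transport` is never consulted. It should read `postconf -e sender_dependent_default_transport_maps=hash:/etc/postfix/sender_transport`. In the same region, "Make sure you do *not* change the `relahost`" is a typo for `relayhost`, and the comment in the `sender_relay` sample ("see also /etc/postfix/sasl_passwd") points at a file the page never creates; the map built above is `/etc/postfix/sasl/passwd`. The next-hop is also spelled three different ways: `relayhost=submission.torproject.org:587` (no brackets, so Postfix does an MX lookup), `[submission.torproject.org]` in `sender_relay` (brackets but no port, so the per-sender route goes to port 25, not the submission port), and bare `submission.torproject.org` as the password-map key. Postfix looks the SASL password up first by the next-hop destination exactly as written (brackets and port included) and only then by the server hostname, so use one spelling everywhere, e.g. `[submission.torproject.org]:587` in `relayhost`, in `sender_relay` and as the key in `sasl/passwd`, so the credential lookup is deterministic and the relay is never resolved through MX. Two hardening points on the first block: `smtp_sasl_security_options=` (empty) drops the default `noanonymous`, and nothing here needs anonymous mechanisms, so keep `smtp_sasl_security_options=noanonymous`; and `smtp_tls_security_level=encrypt` encrypts the session but does not verify the relay's certificate, so the password can still be captured by anyone who can interpose on the connection. Since the relay is fixed, `secure` with `smtp_tls_CAfile` pointing at the system CA bundle, or, if `may` is kept as the global level as the later paragraph suggests, an `smtp_tls_policy_maps` entry such as `[submission.torproject.org]:587 secure`, closes that window. Finally, the debugging paragraph should say that the `smtp ... smtp -v` line replaces the existing `smtp` transport entry in `master.cf` (not `main.cf`) and needs a `postfix reload`, and the `smtp_sasl_mechanism_filter` mention would be more useful with the actual setting, e.g. `postconf -e smtp_sasl_mechanism_filter=cram-md5`, plus the caveat that the filter must name a mechanism the server offers in its EHLO response or authentication fails outright.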
-- 
GitLab