King0770-Notes-Outbound SMTP Authentication Using Port 465: Difference between revisions
Latest revision as of 16:43, 29 October 2019
If you need to authenticate outbound messages through a third-party MTA on port 465 (SMTPS, where TLS is negotiated immediately on connect instead of via STARTTLS), this article may be of interest to you.
Typically, sending through a third-party MTA requires updating zimbraMtaRelayHost, e.g.
zmprov ms mta.example.com zimbraMtaRelayHost outbound.abcdefg.org:465
Or, to choose the relay per sender, use sender_dependent_relayhost_maps = lmdb:/opt/zimbra/conf/bysender
Contents of the /opt/zimbra/conf/bysender file (run postmap on it after editing so the .lmdb map is rebuilt):
rick@example.com [outbound.abcdefg.org]:465
Typical main.cf settings are...
smtp_tls_wrappermode = yes
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /opt/zimbra/conf/cert.crt <<== Cert from the 3rd party MTA
smtp_sasl_security_options = noanonymous
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = lmdb:/opt/zimbra/conf/relay_password
Two things to be aware of: with smtp_tls_security_level = encrypt Postfix insists on TLS but does not verify the relay's certificate, so smtp_tls_CAfile is only enforced if you raise the level to verify or secure; and smtp_sasl_security_options = noanonymous drops the default noplaintext, which permits the PLAIN/LOGIN mechanisms most relays expect and is acceptable only because the credentials travel inside the TLS session.
Use zmprov to update the MTA settings...
postconf -e smtp_tls_wrappermode=yes # No Zimbra setting for smtp_tls_wrappermode yet
zmprov ms mta.example.com zimbraMtaSmtpTlsSecurityLevel encrypt
zmprov ms mta.example.com zimbraMtaSmtpTlsCAfile /opt/zimbra/conf/cert.crt
zmprov ms mta.example.com zimbraMtaSmtpSaslSecurityOptions noanonymous
zmprov ms mta.example.com zimbraMtaSmtpSaslAuthEnable yes
zmprov ms mta.example.com zimbraMtaSmtpSaslPasswordMaps lmdb:/opt/zimbra/conf/relay_password
Example contents of the /opt/zimbra/conf/relay_password file (run postmap on it to build the .lmdb map; it holds the password in plaintext, so keep it readable by the zimbra user only):
outbound.abcdefg.org rking@outbound.abcdefg.org:tH1smYP@sS0rD
If you are running Amavis on the MTA node and have enabled the settings above, you may see something similar to this in /var/log/zimbra.log:
Oct 25 16:56:18 mta postfix/smtp[26452]: 1991520301E: to=<rking@zimbra.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.29, delays=0.23/0.05/0.01/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
If you see the handshake failure error, you need to update the amavis section of Zimbra's master.cf.in file. The cause is that smtp_tls_wrappermode and smtp_tls_security_level are global to the Postfix smtp client, so the smtp-amavis service also tries to open TLS on connect to amavis on 127.0.0.1:10026, which is a plain SMTP listener.
FROM
smtp-amavis unix - - n - %%zimbraAmavisMaxServers%% smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o smtpd_sasl_auth_enable=no
    -o max_use=20
TO
smtp-amavis unix - - n - %%zimbraAmavisMaxServers%% smtp
    -o smtp_tls_security_level=none
    -o smtp_tls_wrappermode=no
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
From my testing, it appears that in order to allow amavis to pass the message you need to set both smtp_tls_security_level and smtp_tls_wrappermode; basically turning them off *just* for amavis.
When you make your changes, make sure you edit the master.cf.in file (not master.cf), and restart services to pick up the changes.
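As an added example (not from the original article), the following POSIX shell snippet checks a master.cf(.in) for the two smtp-amavis overrides described above and counts the "Cannot start TLS" deferrals to the local amavis listeners in a log, so you can confirm the fix before and after the restart. The master.cf fragments, the 127.0.0.1:10025 entry, the log lines and the function names are constructed for the demo; only the %%zimbraAmavisMaxServers%% token is Zimbra's own placeholder.

```shell
#!/bin/sh
# Added example, not Zimbra's code: pre-flight checks for the port-465 /
# amavis interaction. All sample data below is constructed for the demo.

# Returns 0 when the named master.cf service (default smtp-amavis) carries
# both "-o smtp_tls_security_level=none" and "-o smtp_tls_wrappermode=no",
# i.e. the global port-465 TLS settings will NOT leak into the amavis hop.
# Reads master.cf(.in) text on stdin; continuation lines are the ones that
# start with whitespace, which is exactly how Postfix parses the file.
amavis_tls_disabled() {
  awk -v svc="${1:-smtp-amavis}" '
    /^#/ || /^[[:space:]]*$/ { next }              # comments and blank lines
    /^[^[:space:]]/ { in_svc = ($1 == svc); next } # a new service entry
    in_svc {
      for (i = 1; i < NF; i++) {
        if ($i != "-o") continue
        split($(i + 1), kv, "=")
        if (kv[1] == "smtp_tls_security_level" && kv[2] == "none") lvl = 1
        if (kv[1] == "smtp_tls_wrappermode"    && kv[2] == "no")   wrap = 1
      }
    }
    END { exit !(lvl && wrap) }
  '
}

# Prints how many postfix/smtp deliveries to the local amavis listeners
# (ports 10024/10026) were deferred with "Cannot start TLS", the symptom
# shown in the article. Reads log lines on stdin; always exits 0.
amavis_tls_failures() {
  grep -Ec 'postfix/smtp\[[0-9]+\]: .*relay=127\.0\.0\.1\[127\.0\.0\.1\]:1002[46],.*Cannot start TLS' || true
}

# Constructed master.cf.in fragment before the fix (mirrors the FROM block).
MASTER_BEFORE='smtp-amavis unix - - n - %%zimbraAmavisMaxServers%% smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o smtpd_sasl_auth_enable=no
  -o max_use=20
127.0.0.1:10025 inet n - n - - smtpd
  -o content_filter='

# Constructed fragment after the fix (mirrors the TO block).
MASTER_AFTER='smtp-amavis unix - - n - %%zimbraAmavisMaxServers%% smtp
  -o smtp_tls_security_level=none
  -o smtp_tls_wrappermode=no
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
127.0.0.1:10025 inet n - n - - smtpd
  -o content_filter='

# Constructed log sample: one failed amavis hop, one successful 465 relay.
LOG_SAMPLE='Oct 25 16:56:18 mta postfix/smtp[26452]: 1991520301E: to=<user@example.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.29, delays=0.23/0.05/0.01/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Oct 25 16:56:19 mta postfix/smtp[26453]: 1991520301F: to=<user@example.com>, relay=outbound.abcdefg.org[203.0.113.10]:465, delay=1.2, delays=0.1/0.05/0.6/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)'

if printf '%s\n' "$MASTER_BEFORE" | amavis_tls_disabled; then
  echo "before: smtp-amavis has TLS disabled"
else
  echo "before: smtp-amavis inherits the global TLS settings -> expect handshake failures"
fi
if printf '%s\n' "$MASTER_AFTER" | amavis_tls_disabled; then
  echo "after: smtp-amavis has TLS disabled"
fi
echo "deferred amavis TLS failures in sample log: $(printf '%s\n' "$LOG_SAMPLE" | amavis_tls_failures)"
```

On a live MTA node, pipe your real master.cf (or master.cf.in) and /var/log/zimbra.log into the two functions; a count that keeps growing after the restart means the overrides did not make it into the generated master.cf.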
If your third-party relay uses port 587 (submission with STARTTLS), smtp_tls_wrappermode is not needed and you can ignore this article.
More articles written by me, https://wiki.zimbra.com/wiki/King0770-Notes