King0770-Notes-Outbound SMTP Authentication Using Port 465

 
Latest revision as of 16:43, 29 October 2019

If you need to authenticate outbound messages through a 3rd party MTA on port 465, this article may be of interest to you. Port 465 is SMTPS: TLS is negotiated immediately on connect (Postfix calls this wrapper mode), unlike port 587, where the session starts in cleartext and is upgraded with STARTTLS. Most of the settings below exist to handle that difference.

Typically, sending through a 3rd party MTA server requires updating zimbraMtaRelayHost

e.g.

zmprov ms mta.example.com zimbraMtaRelayHost outbound.abcdefg.org:465

OR

Using sender_dependent_relayhost_maps = lmdb:/opt/zimbra/conf/bysender

Contents of the /opt/zimbra/conf/bysender file

rick@example.com		[outbound.abcdefg.org]:465

The square brackets suppress MX lookups, so mail is handed to exactly that host. As with any lmdb: table, the text file has to be compiled with postmap (postmap lmdb:/opt/zimbra/conf/bysender) before Postfix can use it, and recompiled after every edit.


Typical settings are...

smtp_tls_wrappermode = yes
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /opt/zimbra/conf/cert.crt       <<== Cert from the 3rd party MTA
smtp_sasl_security_options = noanonymous
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = lmdb:/opt/zimbra/conf/relay_password

A note on smtp_tls_security_level: encrypt only insists that TLS is used; it does not fail delivery when the relay's certificate cannot be verified, so with this setting the smtp_tls_CAfile is loaded but a verification failure is merely logged. If you want Postfix to refuse to hand mail (and your SASL credentials) to an impostor, use smtp_tls_security_level = secure, which also checks the certificate name against the relay host name; in that case the CAfile must contain the CA chain the relay's certificate validates against (a copy of the relay's own leaf certificate is usually not enough).

Use zmprov to update the MTA settings...

postconf -e smtp_tls_wrappermode=yes   # No Zimbra setting for smtp_tls_wrappermode yet
zmprov ms mta.example.com zimbraMtaSmtpTlsSecurityLevel encrypt
zmprov ms mta.example.com zimbraMtaSmtpTlsCAfile /opt/zimbra/conf/cert.crt
zmprov ms mta.example.com zimbraMtaSmtpSaslSecurityOptions noanonymous
zmprov ms mta.example.com zimbraMtaSmtpSaslAuthEnable yes
zmprov ms mta.example.com zimbraMtaSmtpSaslPasswordMaps lmdb:/opt/zimbra/conf/relay_password

Because smtp_tls_wrappermode is set with postconf -e rather than through an LDAP attribute, it lives only in main.cf; check that it is still present after Zimbra upgrades, which regenerate the Postfix configuration.

Contents of the /opt/zimbra/conf/relay_password by example
outbound.abcdefg.org rking@outbound.abcdefg.org:tH1smYP@sS0rD

The left-hand key is what Postfix looks up for the destination it is relaying to (here the relay's host name); the right-hand side is username:password. The file holds a cleartext password, so make it readable by the zimbra user only (chmod 600), then compile it with postmap lmdb:/opt/zimbra/conf/relay_password after every change. Postfix reads the compiled .lmdb file, not the text file; postmap -q outbound.abcdefg.org lmdb:/opt/zimbra/conf/relay_password confirms the lookup works.
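As an added example (not from this wiki page or from Zimbra), the following POSIX shell script writes the bysender and relay_password files shown above, creates relay_password with mode 0600 from the start, compiles both with postmap when postmap is on the PATH, and can probe the relay for implicit TLS with openssl s_client. The directory argument, the helper names (write_bysender, write_relay_password, check_private, build_map, probe_smtps) and the demo values are this example's own assumptions; try it against a scratch directory before pointing it at /opt/zimbra/conf.

```shell
#!/bin/sh
# Added example, not the wiki page's own script: build the two lmdb map
# sources the article references and keep the credentials file private.
# Host names and paths below are the page's examples; the 0600 mode and
# the helper names are this example's choices.
set -eu

# Write the sender_dependent_relayhost_maps source file.
# The brackets suppress MX lookups so mail goes to exactly that host.
# Usage: write_bysender DIR SENDER RELAYHOST PORT   (prints the file path)
write_bysender() {
    dir=$1; sender=$2; host=$3; port=$4
    printf '%s\t[%s]:%s\n' "$sender" "$host" "$port" > "$dir/bysender"
    printf '%s\n' "$dir/bysender"
}

# Write the smtp_sasl_password_maps source file inside a subshell with a
# restrictive umask, so the cleartext password is never world-readable,
# not even for the instant between creation and a later chmod.
# Usage: write_relay_password DIR RELAYHOST USER PASS   (prints the file path)
write_relay_password() {
    dir=$1; host=$2; user=$3; pass=$4
    ( umask 077; printf '%s %s:%s\n' "$host" "$user" "$pass" > "$dir/relay_password" )
    printf '%s\n' "$dir/relay_password"
}

# Return 0 only if FILE is mode 0600 (owner read/write, nothing for group
# or other). ls(1) output is used so this works on GNU and BSD userlands.
check_private() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Compile a map source with postmap when it is installed (a bare test
# environment has none); "lmdb:FILE" produces FILE.lmdb next to the source.
build_map() {
    if command -v postmap >/dev/null 2>&1; then
        postmap "lmdb:$1"
    fi
}

# Probe the relay for implicit TLS (port 465 style) and verify its chain
# against CAFILE. -verify_return_error makes openssl exit non-zero when the
# certificate does not validate. A port 587 relay would need -starttls smtp
# instead. Needs network access, so it is not run by the demo below.
# Usage: probe_smtps HOST PORT CAFILE
probe_smtps() {
    printf 'QUIT\r\n' | openssl s_client -connect "$1:$2" -servername "$1" \
        -CAfile "$3" -verify_return_error
}

# Demo with the page's example values in a scratch directory: sh script.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    write_bysender "$tmp" rick@example.com outbound.abcdefg.org 465
    f=$(write_relay_password "$tmp" outbound.abcdefg.org rking@outbound.abcdefg.org 'tH1smYP@sS0rD')
    check_private "$f" && echo "relay_password is private (0600)"
    build_map "$f"
fi
```

On a Zimbra MTA the files must also be owned by the zimbra user, since postfix and zmconfigd run as that user; the script deliberately does not chown because it may be run as whoever is testing it.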

If you are running Amavis on the MTA node and have enabled the settings above, you may see something similar to this in /var/log/zimbra.log:

Oct 25 16:56:18 mta postfix/smtp[26452]: 1991520301E: to=<rking@zimbra.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.29, delays=0.23/0.05/0.01/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)

If you see this handshake failure on the 127.0.0.1:10026 hop (the Amavis re-injection port), you will need to update the amavis section of Zimbra's master.cf.in file.

FROM

smtp-amavis unix -      -       n       -       %%zimbraAmavisMaxServers%%  smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
        -o smtpd_sasl_auth_enable=no
        -o max_use=20

TO

smtp-amavis unix -      -       n       -       %%zimbraAmavisMaxServers%%   smtp
    -o smtp_tls_security_level=none
    -o smtp_tls_wrappermode=no
    -o smtp_data_done_timeout=1200 
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

The cause is that smtp_tls_wrappermode and smtp_tls_security_level are set globally in main.cf, so they also apply to the smtp-amavis transport, which is just another instance of the Postfix smtp client. Postfix then tries to start TLS immediately on the cleartext connection to Amavis on port 10026, and the handshake fails. From my testing, the way to let Amavis pass the message is to override both smtp_tls_security_level and smtp_tls_wrappermode in that service definition, basically turning them off *just* for amavis; the external relay keeps the global settings.

When you make your changes, make sure you edit master.cf.in (not master.cf, which Zimbra regenerates from the template), and restart the MTA services to pick up the changes.
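Because the fix differs depending on which hop fails the TLS handshake (the local Amavis re-injection versus the external relay), here is an added example, not from the wiki page, that triages the deferred lines from /var/log/zimbra.log. The first sample log line is the one quoted above; the other two are constructed for this example (203.0.113.10 is a documentation address), and the verdict labels, the AMAVIS_PORT variable and the classify_tls_failure name are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the wiki page's own script: classify "Cannot start TLS"
# failures from the Postfix smtp client by the next-hop they occurred on.
# 10026 (Amavis re-injection) and 465 (the relay) are the page's port numbers;
# the verdict labels are this example's choice.
set -eu

# Constructed sample: line 1 is the log line quoted in the article, lines 2
# and 3 are made up for this example (a failure on the external relay and a
# successful delivery, which must be ignored).
SAMPLE_LOG='Oct 25 16:56:18 mta postfix/smtp[26452]: 1991520301E: to=<rking@zimbra.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.29, delays=0.23/0.05/0.01/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Oct 25 16:57:02 mta postfix/smtp[26460]: 2A9B4203021: to=<someone@example.net>, relay=outbound.abcdefg.org[203.0.113.10]:465, delay=1.1, delays=0.1/0/1/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Oct 25 16:57:30 mta postfix/smtp[26461]: 3B1C5203044: to=<other@example.net>, relay=outbound.abcdefg.org[203.0.113.10]:465, delay=0.9, delays=0.1/0/0.8/0, dsn=2.0.0, status=sent (250 2.0.0 OK)'

# Read postfix/smtp log lines on stdin; print one "verdict relay" line for
# each TLS start failure:
#   amavis-hop  the failure is on 127.0.0.1:10026, i.e. wrapper mode is being
#               applied to the Amavis re-injection; override it in master.cf.in
#   relay-hop   the failure is on the port 465 relay; check that the relay
#               really speaks implicit TLS there and that the CA file is right
#   other       a TLS failure towards some other next-hop
classify_tls_failure() {
    amavis_port=${AMAVIS_PORT:-10026}
    grep 'Cannot start TLS' | while IFS= read -r line; do
        relay=$(printf '%s\n' "$line" | sed -n 's/.*relay=\([^,]*\),.*/\1/p')
        case $relay in
            127.0.0.1\[127.0.0.1\]:"$amavis_port") echo "amavis-hop $relay" ;;
            *:465)                                 echo "relay-hop $relay" ;;
            *)                                     echo "other $relay" ;;
        esac
    done
}

# Demo on the constructed sample: sh triage.sh demo
# On a real MTA node: grep 'postfix/smtp\[' /var/log/zimbra.log | classify_tls_failure
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | classify_tls_failure
fi
```

If every verdict is amavis-hop, the master.cf.in override above is the whole fix; relay-hop verdicts mean the relay is not answering with TLS on connect (typically it is really a STARTTLS port) or the certificate material is wrong, and no change to the Amavis service will help.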


If your 3rd party relay uses port 587 (submission with STARTTLS), ignore this article: leave smtp_tls_wrappermode at its default of no, keep smtp_tls_security_level = encrypt (or secure) with the SASL settings, and the Amavis override is not needed.



More articles written by me, https://wiki.zimbra.com/wiki/King0770-Notes
