Difference between revisions of "Outgoing SMTP Authentication"

(Setting a relay host)
(Explain more in the troubleshooting section - change to just remove noplaintext.)
Line 34: Line 34:
 
== Troubleshooting ==
 
== Troubleshooting ==
  
After sending a test message, check the [[Log Files]] for the error
+
After sending a test message, check the [[Log Files]] for the error:
   SASL authentication failure: No worthy mechs found
+
   (Authentication failed: cannot SASL authenticate to server ...: no mechanism available)
  
The fix for this is:
+
You can fix this problem by tweaking the auth mechanisms that postfix is willing to use.  First check what auth mechanism postfix is configured to use - by default, you will see:
  postconf -e smtp_sasl_security_options=
 
  
''Nothing after the =''
+
  $ postconf smtp_sasl_security_options
 +
  smtp_sasl_security_options = noplaintext, noanonymous
  
Restart postfix:
+
Since noplaintext is present, postfix will refuse to use a mechanism that sends passwords in the clear.  If your upstream relay host only supports PLAIN or LOGIN mechanisms (both of which send password in the clear), you have to remove noplaintext from smtp_sasl_security_options:
   postfix reload
+
 
 +
  $ postconf -e smtp_sasl_security_options=noanonymous
 +
   $ postfix reload
 +
 
 +
If you are concerned about password-in-the-clear and your upstream relay host offers TLS, you might be interested in this [http://www.postfix.org/postconf.5.html#smtp_use_tls smtp_use_tls] variable.
 +
 
 +
See also [http://www.postfix.org/SASL_README.html#debugging].
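Review bot: the added paragraph that removes noplaintext treats TLS as an optional aside ("you might be interested in"), yet the same paragraph states that PLAIN and LOGIN send the password in the clear. Suggest saying directly that TLS to the relay host should be enabled together with this change when the relay offers it, with smtp_use_tls as the pointer. Keeping noanonymous in the new postconf -e line is an improvement over the removed "smtp_sasl_security_options=" command, which cleared both options. The bare bracketed URL on the "See also" line would read better with a link label.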

Revision as of 03:52, 31 March 2006

Overview

When you need to route all outgoing mail through your ISP's MTA, and that MTA requires that you authenticate, certain settings in postfix are required.

For this example, we will use mailrelay.example.com as the outgoing relay. The authentication user will be username. The password will be password.

Setting a relay host

Set the relay host in the admin console, MTA tab, to point to your ISP's outgoing mail server. Your ISP can tell you the proper value for this. You may have to set the port as well.

Enabling smtp authentication

Run all these commands as the zimbra user.

Create a text file mapping which name/password should be used for each given outbound destination:

 echo mailrelay.example.com username:password > /opt/zimbra/conf/relay_password

Create a postfix lookup table

 postmap /opt/zimbra/conf/relay_password

Test that the map is okay

 postmap -q mailrelay.example.com /opt/zimbra/conf/relay_password

This should return username:password if done right.

Make postfix use the above

 postconf -e smtp_sasl_password_maps=hash:/opt/zimbra/conf/relay_password

Restart postfix:

 postfix reload

Troubleshooting

After sending a test message, check the Log Files for the error:

 (Authentication failed: cannot SASL authenticate to server ...: no mechanism available)

You can fix this problem by tweaking the auth mechanisms that postfix is willing to use. First check what auth mechanism postfix is configured to use - by default, you will see:

 $ postconf smtp_sasl_security_options
 smtp_sasl_security_options = noplaintext, noanonymous

Since noplaintext is present, postfix will refuse to use a mechanism that sends passwords in the clear. If your upstream relay host only supports the PLAIN or LOGIN mechanisms (both of which send the password in the clear), you have to remove noplaintext from smtp_sasl_security_options:

 $ postconf -e smtp_sasl_security_options=noanonymous
 $ postfix reload

If you are concerned about sending the password in the clear and your upstream relay host offers TLS, you might be interested in the smtp_use_tls variable (http://www.postfix.org/postconf.5.html#smtp_use_tls).
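
The following is an added example, not part of the original wiki page: a shell check that reads postconf-style "name = value" text and reports whether the PLAIN/LOGIN mechanisms discussed above would be refused, used only inside TLS, or allowed on an unencrypted session. It relies on smtp_sasl_tls_security_options, a standard Postfix parameter that this page does not mention; the function names and the three sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example: which sessions may carry PLAIN/LOGIN, judged from postconf-style text.
# Only the two SASL option parameters are inspected; TLS enforcement is not evaluated.

# param CONF NAME DEFAULT: value of NAME in CONF ("name = value" lines), else DEFAULT.
param() {
    if printf '%s\n' "$1" | grep -q "^$2[[:space:]]*="; then
        printf '%s\n' "$1" | sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" | tail -n 1
    else
        printf '%s\n' "$3"
    fi
}

# Prints one of:
#   refused            plaintext mechanisms (PLAIN, LOGIN) are never used
#   tls-only           plaintext mechanisms are used only inside a TLS session
#   cleartext-allowed  plaintext mechanisms may be used on an unencrypted session
sasl_plaintext_policy() {
    clear_opts=$(param "$1" smtp_sasl_security_options "noplaintext, noanonymous")
    # When unset, this parameter falls back to $smtp_sasl_security_options.
    tls_opts=$(param "$1" smtp_sasl_tls_security_options "$clear_opts")
    if [ "$tls_opts" = '$smtp_sasl_security_options' ]; then
        tls_opts=$clear_opts
    fi
    case "$clear_opts" in
        *noplaintext*) ;;
        *) echo cleartext-allowed; return 0 ;;
    esac
    case "$tls_opts" in
        *noplaintext*) echo refused ;;
        *) echo tls-only ;;
    esac
}

# Constructed sample configurations (not taken from a real host).
CONF_DEFAULT='smtp_sasl_security_options = noplaintext, noanonymous'
CONF_PAGE_FIX='smtp_sasl_security_options = noanonymous
smtp_use_tls = yes'
CONF_TLS_ONLY='smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_use_tls = yes'

for name in CONF_DEFAULT CONF_PAGE_FIX CONF_TLS_ONLY; do
    eval "conf=\$$name"
    printf '%s: %s\n' "$name" "$(sasl_plaintext_policy "$conf")"
done
```

On a live host, the function can be given the output of postconf instead of a sample string. A result of cleartext-allowed means the password is protected only if TLS to the relay is mandatory, which this check does not examine.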

See also http://www.postfix.org/SASL_README.html#debugging.
