Outgoing SMTP Authentication: Difference between revisions

m (a hash: was missing in the postfix lookup table creation)
 
(57 intermediate revisions by 21 users not shown)
Line 1: Line 1:
{{BC|Community Sandbox}}
__FORCETOC__
<div class="col-md-12 ibox-content">
=Outgoing SMTP Authentication=
{{KB|{{Unsupported}}|{{ZCS 8.5}}|{{ZCS 8.0}}|}}
{{WIP}}
== Overview ==
== Overview ==


When you need to route all outgoing mail through your ISP's MTA, and that MTA requires that you authenticate, certain settings in postfix are required.
When you need to route all outgoing mail through your ISP's MTA, and that MTA requires that you authenticate, certain settings in postfix are required.


For this example, we will use ''mailrelay.example.com'' as the outgoing relay
For this example, we will use  
The authentication user will be ''username''
* ''mailrelay.example.com'' as the outgoing relay,
The password will be ''password''
* ''#'' as the port number (often 25 or 587),
''username'' as the authentication user,
* ''password'' as the password.


The outbound destination should be the canonical address.  postfix will resolve CNAMEs to canonical addresses and then use that to lookup the username and password .
The outbound destination should be the canonical address.  postfix will resolve CNAMEs to canonical addresses and then use that to lookup the username and password .
Godaddy example:
<pre>
<pre>
Godaddy example:
smtpout.secureserver.net is really smtp.starfieldtech.com, so make sure you enter smtp.starfieldtech.com
smtpout.secureserver.net is really smtp.starfieldtech.com, so make sure you enter smtp.starfieldtech.com


Line 21: Line 30:
</pre>
</pre>


== Setting a [[relay host]] ==


Set the [[relay host]] in the [[admin console]], [[MTA]] tab to point to your ISPs outgoing mail server.  Your ISP can tell you the proper value for this.  You may have to set the port, as well.
''Run all commands as the [[zimbra user]]''


== Enabling smtp authentication ==
== Setting a relay host ==


''Run all these commands as the [[zimbra user]]''
see also [http://wiki.zimbra.com/wiki/Sending_mail_through_an_external_relay Sending mail through an external relay]
 
Set the relay host in the admin console, [[MTA]] tab to point to your ISPs outgoing mail server.  Your ISP can tell you the proper value for this. 
 
You may have to set the port, as well. From the command line:
 
zmprov ms server.domain.com zimbraMtaRelayHost mailrelay.example.com
 
== Enabling SMTP authentication ==
 
* For more info on SASLauthd, please see the following:
** [[Authentication/saslauthd.conf.in|ZCS saslauthd.conf.in sample]]


Create a text file mapping which name/password should be used for each given outbound destination:
Create a text file mapping which name/password should be used for each given outbound destination:
  echo mailrelay.example.com ''username:password'' > /opt/zimbra/conf/relay_password


Create a postfix lookup table
echo mailrelay.example.com ''username:password'' > /opt/zimbra/conf/relay_password
  postmap hash:/opt/zimbra/conf/relay_password
 
Create a postfix lookup table:


Test that the map is okay
postmap /opt/zimbra/conf/relay_password
  postmap -q mailrelay.example.com /opt/zimbra/conf/relay_password


This should return ''username:password'' if done right
To test that the lookup table is correct, the following should return ''username:password'':
 
postmap -q mailrelay.example.com /opt/zimbra/conf/relay_password
 
Configure postfix to use the new password map:


Make postfix use the above
  postconf -e smtp_sasl_password_maps=hash:/opt/zimbra/conf/relay_password
  postconf -e smtp_sasl_password_maps=hash:/opt/zimbra/conf/relay_password
On 8.0:
zmlocalconfig -e postfix_smtp_sasl_password_maps=hash:/opt/zimbra/conf/relay_password
On 8.5 and later:
zmprov ms <server> zimbraMtaSmtpSaslPasswordMaps lmdb:/opt/zimbra/conf/relay_password
Configure postfix to use SSL authentication:
  postconf -e smtp_sasl_auth_enable=yes
  postconf -e smtp_sasl_auth_enable=yes
On 8.0:
zmlocalconfig -e postfix_smtp_sasl_auth_enable=yes
On 8.5 and later:
zmprov ms <server> zimbraMtaSmtpSaslAuthEnable yes
Configure postfix to use the outgoing servername rather than the canonical server name:


  postconf -e smtp_cname_overrides_servername=no
  postconf -e smtp_cname_overrides_servername=no
  This last one might be MORE THEN VERY IMPORTANT if you want it to work and
  On 8.0:
not to loose 3 days searching the internet and trying every possible configurations
zmlocalconfig -e postfix_smtp_cname_overrides_servername=no
you can find as I did!. We may say it's not the best secure way to do it but you can
On 8.5 and later:
improve security with smtp_tls_per_site once it works and once you know that the
zmprov ms <server> zimbraMtaSmtpCnameOverridesServername no
authentication works. If you apply smtp_tls_per_site settings then
 
smtp_cname_overrides_servername may become obsolete.
''smtp_cname_overrides_servername=no'' is used because many smtp servers forward the connection different server than the one set in the smtp_sasl_password_maps file.  


The purpose of using smtp_cname_overrides_servername=no is because many smtp servers use load balancing or other technology witch cause your machine to send or forward the outgoing emails to a server having a different name then the one set in the smtp_sasl_password_maps file. Example of the problem :
Example of the problem :


/opt/zimbra/conf/relay_password :
/opt/zimbra/conf/relay_password :
smtp.gmail.com blabla@gmail.com:password


but postfix connect to gmail-smtp.l.google.com
smtp.gmail.com username@gmail.com:password
 
but postfix connects to gmail-smtp.l.google.com
 
Postfix will not send the authentication info contained in smtp_sasl_password_maps file because it as no entry for the server gmail-smtp.l.google.com but has one for smtp.gmail.com


What happens is that postfix will not send the authentication info contained in smtp_sasl_password_maps file because it as no entry for the server gmail-smtp.l.google.com but has one for smtp.gmail.com
If you apply smtp_tls_per_site settings then smtp_cname_overrides_servername may become obsolete.


Using directly gmail-smtp.l.google.com everywhere COULD resolve the problem too but may cause two others problems. First, the server gmail-smtp.l.google.com may not accept direct connections. Second, the day it goes down you are screwed! Using the server CNAME entry or whatever it can be as smtp.gmail.com in this exemple is a much better way to make it works.
Restart postfix:


Finally if youre using a Zimbra package (some readers may land here looking for POSTFIX config) and if you have been searching the internet or are about to do so for troubleshooting youre installation, DON'T use the brakets [] for the server name definition as we can see in many places. Exp.:[smtp.gmail.com]
Pre 8.0:
postfix reload
8.0 and later:
no need to reload, updates will be automatic within 2 minutes


By the way if you intent to use smtp.gmail.com make it works on the port 587. Port 25 gave me timeout as well did port 465. Exp.: relayhost=smtp.gmail.com:587
== Enable TLS ==


Good luck!
As Zimbra user:
- Frederik Bacon -


postconf -e smtp_tls_security_level=may
On 8.0:
zmlocalconfig -e postfix_smtp_tls_security_level=may
On 8.5 and later:
zmprov ms <server> zimbraMtaSmtpTlsSecurityLevel may


Restart postfix:
Pre 8.0:
  postfix reload
postfix reload
On 8.0 and later:
reload is not necessary, it will automatically update within 2 minutes.


== Troubleshooting ==
== Troubleshooting ==


After sending a test message, check the [[Log Files]] for the error:
After sending a test message, check the [[Log Files]] for the error:
  (Authentication failed: cannot SASL authenticate to server ...: no mechanism available)
(Authentication failed: cannot SASL authenticate to server ...: no mechanism available)


You can fix this problem by tweaking the auth mechanisms that postfix is willing to use.  First check what auth mechanism postfix is configured to use - by default, you will see:
You can fix this problem by tweaking the auth mechanisms that postfix is willing to use.  First check what auth mechanism postfix is configured to use - by default, you will see:


  $ postconf smtp_sasl_security_options
postconf smtp_sasl_security_options
  smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_security_options = noplaintext, noanonymous
 
Since noplaintext is present, postfix will refuse to use a mechanism that sends passwords in the clear.  If your upstream relay host only supports PLAIN or LOGIN mechanisms (both of which send password in the clear), you have to remove noplaintext from smtp_sasl_security_options.
 
To see if you upstream relay expects passwords in clear, enable higher level logging by setting the following flags and reloading postfix. (Replace mailrelay.example.com with your relay name). This should increase what's logged for the smtp auth transaction. For more information read ''man 5 postconf''.


Since noplaintext is present, postfix will refuse to use a mechanism that sends passwords in the clearIf your upstream relay host only supports PLAIN or LOGIN mechanisms (both of which send password in the clear), you have to remove noplaintext from smtp_sasl_security_options:
postconf -e debug_peer_list=mailrelay.example.com
postconf -e debug_peer_level=3
postfix reload
 
The log file /var/log/zimbra.log will contain something like the following:
 
Aug  3 17:50:19 mailserver_name postfix/smtp[7273]: smtp_sasl_authenticate: mailrelay.example.com[000.000.000.000]:25:
  SASL mechanisms PLAIN LOGIN
 
To remove the noplaintext option, do the following:
 
postconf -e smtp_sasl_security_options=noanonymous
On 8.0:
zmlocalconfig -e postfix_smtp_sasl_security_options=noanonymous
On 8.5 and later:
zmprov ms <server> zimbraMtaSmtpSaslSecurityOptions noanonymous
 
Pre 8.0:
postfix reload


  $ postconf -e smtp_sasl_security_options=noanonymous
  $ postfix reload


If you are concerned about password-in-the-clear and your upstream relay host offers TLS, you might be interested in this [http://www.postfix.org/postconf.5.html#smtp_use_tls smtp_use_tls] variable.
If you are concerned about password-in-the-clear and your upstream relay host offers TLS, you might be interested in this [http://www.postfix.org/postconf.5.html#smtp_use_tls smtp_use_tls] variable.
Line 93: Line 159:
See also [http://www.postfix.org/SASL_README.html#debugging].
See also [http://www.postfix.org/SASL_README.html#debugging].


[[Category:MTA]]
Don't use brackets [] around the server name definition as seen in many places. Exp.:[smtp.gmail.com]
[[Category:Troubleshooting]]
 
== DynDNS configuration w/non standard ports ==
 
Having configured Zimba before, recofigured for personal email w/Ubuntu 10.04 (previously installed on an OpenSuse 11 server w/modifications made to get Zimbra to install)
 
http://www.dyndns.com/support/kb/mail_servers_and_mailhop_outbound.html#postfix
 
The above link resolved issues, not using lemming commands and using the actual config files.
 
== AT&T Yahoo DSL Specific ==
 
If outgoing mail is not being delivered and /var/log/mail.log shows:
 
(lost connection with smtp.att.yahoo.com while receiving the initial server greeting)
 
Some ISP's SMTP servers do not implement TLS properly on port 465 (AT&T Yahoo DSL in particular); mail clients handle this when making an SSL connection, however Postfix loses the server connection in this case. Port 587, the standard secondary SSL SMTP port, does work properly with TLS.
 
The proper commands for AT&T DSL customers in the above setup are:
 
Change:
 
zmprov ms server.domain.com zimbraMtaRelayHost external.relay.com:#
 
To:
 
zmprov ms server.domain.com zimbraMtaRelayHost smtp.att.yahoo.com:587
 
And add:
 
postconf -e smtp_sasl_mechanism_filter=plain,login
postconf -e smtp_sasl_security_options=noanonymous
postconf -e smtp_tls_security_level=may
On 8.0:
zmlocalconfig -e postfix_smtp_sasl_mechanism_filter=plain,login
zmlocalconfig -e postfix_smtp_sasl_security_options=noanonymous
zmlocalconfig -e postfix_smtp_tls_security_level=may
 
With those changes the connection works properly. Source [http://ubuntuforums.org/archive/index.php/t-487843.html]
 
Beware, new wrinkle if using Yahoo!/AT&T DSL's outgoing SMTP. You MUST login to your Yahoo! webmail account once a year or the account is disabled. They take their sweet time reenabling it (as I'm finding out today) and your outgoing mail is bounced in the meantime.
 
== Persistence across Zimbra restarts ==
Changes made in 8.0+ will persist across restarts and upgrades. Also see the settings in [[#Enabling SMTP authentication]]
 
 
{{Article Footer|ZCS 6.0.10|2/7/2013}}
 
[[Category:Troubleshooting Authentication]]
[[Category:Troubleshooting MTA]]
[[Category:ZCS 8.0]]
[[Category:ZCS 7.0]]
[[Category:ZCS 6.0]]

Latest revision as of 04:52, 19 June 2018

Outgoing SMTP Authentication

   KB 1335        Last updated on 2018-06-19  




0.00
(0 votes)

Overview

When you need to route all outgoing mail through your ISP's MTA, and that MTA requires that you authenticate, certain settings in postfix are required.

For this example, we will use

  • mailrelay.example.com as the outgoing relay,
  • # as the port number (often 25 or 587),
  • username as the authentication user,
  • password as the password.

The outbound destination should be the canonical address. postfix will resolve CNAMEs to canonical addresses and then use that to lookup the username and password .


Godaddy example:

smtpout.secureserver.net is really smtp.starfieldtech.com, so make sure you enter smtp.starfieldtech.com

nslookup smtpout.secureserver.net
...
Non-authoritative answer:
smtpout.secureserver.net        canonical name = smtp.starfieldtech.com.
Name:   smtp.starfieldtech.com
Address: 64.202.165.58


Run all commands as the zimbra user

Setting a relay host

see also Sending mail through an external relay

Set the relay host in the admin console, MTA tab to point to your ISPs outgoing mail server. Your ISP can tell you the proper value for this.

You may have to set the port, as well. From the command line:

zmprov ms server.domain.com zimbraMtaRelayHost mailrelay.example.com

Enabling SMTP authentication

Create a text file mapping which name/password should be used for each given outbound destination:

echo mailrelay.example.com username:password > /opt/zimbra/conf/relay_password

Create a postfix lookup table:

postmap /opt/zimbra/conf/relay_password

To test that the lookup table is correct, the following should return username:password:

postmap -q mailrelay.example.com /opt/zimbra/conf/relay_password

Configure postfix to use the new password map:

postconf -e smtp_sasl_password_maps=hash:/opt/zimbra/conf/relay_password
On 8.0:
zmlocalconfig -e postfix_smtp_sasl_password_maps=hash:/opt/zimbra/conf/relay_password
On 8.5 and later:
zmprov ms <server> zimbraMtaSmtpSaslPasswordMaps lmdb:/opt/zimbra/conf/relay_password

Configure postfix to use SSL authentication:

postconf -e smtp_sasl_auth_enable=yes
On 8.0:
zmlocalconfig -e postfix_smtp_sasl_auth_enable=yes
On 8.5 and later:
zmprov ms <server> zimbraMtaSmtpSaslAuthEnable yes

Configure postfix to use the outgoing servername rather than the canonical server name:

postconf -e smtp_cname_overrides_servername=no
On 8.0:
zmlocalconfig -e postfix_smtp_cname_overrides_servername=no
On 8.5 and later:
zmprov ms <server> zimbraMtaSmtpCnameOverridesServername no

smtp_cname_overrides_servername=no is used because many smtp servers forward the connection different server than the one set in the smtp_sasl_password_maps file.

Example of the problem :

/opt/zimbra/conf/relay_password :

smtp.gmail.com username@gmail.com:password

but postfix connects to gmail-smtp.l.google.com

Postfix will not send the authentication info contained in smtp_sasl_password_maps file because it as no entry for the server gmail-smtp.l.google.com but has one for smtp.gmail.com

If you apply smtp_tls_per_site settings then smtp_cname_overrides_servername may become obsolete.

Restart postfix:

Pre 8.0:
postfix reload
8.0 and later:
no need to reload, updates will be automatic within 2 minutes

Enable TLS

As Zimbra user:

postconf -e smtp_tls_security_level=may
On 8.0:
zmlocalconfig -e postfix_smtp_tls_security_level=may
On 8.5 and later:
zmprov ms <server> zimbraMtaSmtpTlsSecurityLevel may
Pre 8.0:
postfix reload
On 8.0 and later:
reload is not necessary, it will automatically update within 2 minutes.

Troubleshooting

After sending a test message, check the Log Files for the error:

(Authentication failed: cannot SASL authenticate to server ...: no mechanism available)

You can fix this problem by tweaking the auth mechanisms that postfix is willing to use. First check what auth mechanism postfix is configured to use - by default, you will see:

postconf smtp_sasl_security_options
smtp_sasl_security_options = noplaintext, noanonymous

Since noplaintext is present, postfix will refuse to use a mechanism that sends passwords in the clear. If your upstream relay host only supports PLAIN or LOGIN mechanisms (both of which send password in the clear), you have to remove noplaintext from smtp_sasl_security_options.

To see if you upstream relay expects passwords in clear, enable higher level logging by setting the following flags and reloading postfix. (Replace mailrelay.example.com with your relay name). This should increase what's logged for the smtp auth transaction. For more information read man 5 postconf.

postconf -e debug_peer_list=mailrelay.example.com
postconf -e debug_peer_level=3
postfix reload

The log file /var/log/zimbra.log will contain something like the following:

Aug  3 17:50:19 mailserver_name postfix/smtp[7273]: smtp_sasl_authenticate: mailrelay.example.com[000.000.000.000]:25: 
SASL mechanisms PLAIN LOGIN

To remove the noplaintext option, do the following:

postconf -e smtp_sasl_security_options=noanonymous
On 8.0:
zmlocalconfig -e postfix_smtp_sasl_security_options=noanonymous
On 8.5 and later:
zmprov ms <server> zimbraMtaSmtpSaslSecurityOptions noanonymous
Pre 8.0:
postfix reload


If you are concerned about password-in-the-clear and your upstream relay host offers TLS, you might be interested in this smtp_use_tls variable.

See also [1].

Don't use brackets [] around the server name definition as seen in many places. Exp.:[smtp.gmail.com]

DynDNS configuration w/non standard ports

Having configured Zimba before, recofigured for personal email w/Ubuntu 10.04 (previously installed on an OpenSuse 11 server w/modifications made to get Zimbra to install)

http://www.dyndns.com/support/kb/mail_servers_and_mailhop_outbound.html#postfix

The above link resolved issues, not using lemming commands and using the actual config files.

AT&T Yahoo DSL Specific

If outgoing mail is not being delivered and /var/log/mail.log shows:

(lost connection with smtp.att.yahoo.com while receiving the initial server greeting)

Some ISP's SMTP servers do not implement TLS properly on port 465 (AT&T Yahoo DSL in particular); mail clients handle this when making an SSL connection, however Postfix loses the server connection in this case. Port 587, the standard secondary SSL SMTP port, does work properly with TLS.

The proper commands for AT&T DSL customers in the above setup are:

Change:

zmprov ms server.domain.com zimbraMtaRelayHost external.relay.com:#

To:

zmprov ms server.domain.com zimbraMtaRelayHost smtp.att.yahoo.com:587

And add:

postconf -e smtp_sasl_mechanism_filter=plain,login
postconf -e smtp_sasl_security_options=noanonymous
postconf -e smtp_tls_security_level=may

On 8.0:
zmlocalconfig -e postfix_smtp_sasl_mechanism_filter=plain,login
zmlocalconfig -e postfix_smtp_sasl_security_options=noanonymous
zmlocalconfig -e postfix_smtp_tls_security_level=may

With those changes the connection works properly. Source [2]

Beware, new wrinkle if using Yahoo!/AT&T DSL's outgoing SMTP. You MUST login to your Yahoo! webmail account once a year or the account is disabled. They take their sweet time reenabling it (as I'm finding out today) and your outgoing mail is bounced in the meantime.

Persistence across Zimbra restarts

Changes made in 8.0+ will persist across restarts and upgrades. Also see the settings in #Enabling SMTP authentication


Verified Against: ZCS 6.0.10 Date Created: 2/7/2013
Article ID: https://wiki.zimbra.com/index.php?title=Outgoing_SMTP_Authentication Date Modified: 2018-06-19



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »

Jump to: navigation, search