Difference between revisions of "Outgoing SMTP Authentication"
(→Persistence across Zimbra restarts)
|Line 200:||Line 200:|
== Persistence across Zimbra restarts ==
== Persistence across Zimbra restarts ==
will persist across restarts upgrades. Also see the settings in [[#Enabling SMTP authentication]]
Also see the settings in [[#Enabling SMTP authentication]]
Revision as of 20:26, 2 September 2014
|This article applies to the following ZCS versions.|
WARNING: THIS DOCUMENT IS NOT VALID WITH ZCS 8.5 AND LATER
When you need to route all outgoing mail through your ISP's MTA, and that MTA requires that you authenticate, certain settings in postfix are required.
For this example, we will use
- mailrelay.example.com as the outgoing relay,
- # as the port number (often 25 or 587),
- username as the authentication user,
- password as the password.
The outbound destination should be the canonical address. postfix will resolve CNAMEs to canonical addresses and then use that to lookup the username and password .
smtpout.secureserver.net is really smtp.starfieldtech.com, so make sure you enter smtp.starfieldtech.com nslookup smtpout.secureserver.net ... Non-authoritative answer: smtpout.secureserver.net canonical name = smtp.starfieldtech.com. Name: smtp.starfieldtech.com Address: 126.96.36.199
Run all commands as the zimbra user
Setting a relay host
Set the relay host in the admin console, MTA tab to point to your ISPs outgoing mail server. Your ISP can tell you the proper value for this.
You may have to set the port, as well. From the command line:
zmprov ms server.domain.com zimbraMtaRelayHost mailrelay.example.com
Enabling SMTP authentication
- For more info on SASLauthd, please see the following:
Create a text file mapping which name/password should be used for each given outbound destination:
echo mailrelay.example.com username:password > /opt/zimbra/conf/relay_password
Create a postfix lookup table:
To test that the lookup table is correct, the following should return username:password:
postmap -q mailrelay.example.com /opt/zimbra/conf/relay_password
Configure postfix to use the new password map:
postconf -e smtp_sasl_password_maps=hash:/opt/zimbra/conf/relay_password On 8.0: zmlocalconfig -e postfix_smtp_sasl_password_maps=hash:/opt/zimbra/conf/relay_password On 8.5: zmprov ms <server> zimbraMtaSmtpSaslPasswordMaps lmdb:/opt/zimbra/conf/relay_password
Configure postfix to use SSL authentication:
postconf -e smtp_sasl_auth_enable=yes On 8.0: zmlocalconfig -e postfix_smtp_sasl_auth_enable=yes On 8.5: zmprov ms <server> zimbraMtaSmtpSaslAuthEnable yes
Configure postfix to use the outgoing servername rather than the canonical server name:
postconf -e smtp_cname_overrides_servername=no On 8.0: zmlocalconfig -e postfix_smtp_cname_overrides_servername=no On 8.5: zmproc ms <server> zimbraMtaSmtpCnameOverridesServername no
smtp_cname_overrides_servername=no is used because many smtp servers forward the connection different server than the one set in the smtp_sasl_password_maps file.
Example of the problem :
but postfix connects to gmail-smtp.l.google.com
Postfix will not send the authentication info contained in smtp_sasl_password_maps file because it as no entry for the server gmail-smtp.l.google.com but has one for smtp.gmail.com
If you apply smtp_tls_per_site settings then smtp_cname_overrides_servername may become obsolete.
Pre 8.0: postfix reload 8.0 and later: no need to reload, updates will be automatic within 2 minutes
As Zimbra user:
postconf -e smtp_tls_security_level=may On 8.0: zmlocalconfig -e postfix_smtp_tls_security_level=may On 8.5: zmprov ms <server> zimbraMtaSmtpTlsSecurityLevel may
Pre 8.0: postfix reload On 8.0 and later: reload is not necessary, it will automatically update within 2 minutes.
After sending a test message, check the Log Files for the error:
(Authentication failed: cannot SASL authenticate to server ...: no mechanism available)
You can fix this problem by tweaking the auth mechanisms that postfix is willing to use. First check what auth mechanism postfix is configured to use - by default, you will see:
postconf smtp_sasl_security_options smtp_sasl_security_options = noplaintext, noanonymous
Since noplaintext is present, postfix will refuse to use a mechanism that sends passwords in the clear. If your upstream relay host only supports PLAIN or LOGIN mechanisms (both of which send password in the clear), you have to remove noplaintext from smtp_sasl_security_options.
To see if you upstream relay expects passwords in clear, enable higher level logging by setting the following flags and reloading postfix. (Replace mailrelay.example.com with your relay name). This should increase what's logged for the smtp auth transaction. For more information read man 5 postconf.
postconf -e debug_peer_list=mailrelay.example.com postconf -e debug_peer_level=3 postfix reload
The log file /var/log/zimbra.log will contain something like the following:
Aug 3 17:50:19 mailserver_name postfix/smtp: smtp_sasl_authenticate: mailrelay.example.com[000.000.000.000]:25: SASL mechanisms PLAIN LOGIN
To remove the noplaintext option, do the following:
postconf -e smtp_sasl_security_options=noanonymous On 8.0: zmlocalconfig -e postfix_smtp_sasl_security_options=noanonymous On 8.5: zmprov ms <server> zimbraMtaSmtpSaslSecurityOptions noanonymous
Pre 8.0: postfix reload
If you are concerned about password-in-the-clear and your upstream relay host offers TLS, you might be interested in this smtp_use_tls variable.
See also .
Don't use brackets  around the server name definition as seen in many places. Exp.:[smtp.gmail.com]
DynDNS configuration w/non standard ports
Having configured Zimba before, recofigured for personal email w/Ubuntu 10.04 (previously installed on an OpenSuse 11 server w/modifications made to get Zimbra to install)
The above link resolved issues, not using lemming commands and using the actual config files.
AT&T Yahoo DSL Specific
If outgoing mail is not being delivered and /var/log/mail.log shows:
(lost connection with smtp.att.yahoo.com while receiving the initial server greeting)
Some ISP's SMTP servers do not implement TLS properly on port 465 (AT&T Yahoo DSL in particular); mail clients handle this when making an SSL connection, however Postfix loses the server connection in this case. Port 587, the standard secondary SSL SMTP port, does work properly with TLS.
The proper commands for AT&T DSL customers in the above setup are:
zmprov ms server.domain.com zimbraMtaRelayHost external.relay.com:#
zmprov ms server.domain.com zimbraMtaRelayHost smtp.att.yahoo.com:587
postconf -e smtp_sasl_mechanism_filter=plain,login postconf -e smtp_sasl_security_options=noanonymous postconf -e smtp_tls_security_level=may On 8.0: zmlocalconfig -e postfix_smtp_sasl_mechanism_filter=plain,login zmlocalconfig -e postfix_smtp_sasl_security_options=noanonymous zmlocalconfig -e postfix_smtp_tls_security_level=may
With those changes the connection works properly. Source 
Beware, new wrinkle if using Yahoo!/AT&T DSL's outgoing SMTP. You MUST login to your Yahoo! webmail account once a year or the account is disabled. They take their sweet time reenabling it (as I'm finding out today) and your outgoing mail is bounced in the meantime.
Persistence across Zimbra restarts
Changes made in 8.0+ will persist across restarts and upgrades. Also see the settings in #Enabling SMTP authentication