Zimbra :: Tech Center - Outgoing SMTP Authentication (revision of 2008-08-14T01:50:31Z by EricBaenen; https://wiki.zimbra.com/index.php?title=Outgoing_SMTP_Authentication&diff=9654)
<div>== Overview ==

When you need to route all outgoing mail through your ISP's MTA, and that MTA requires that you authenticate, certain settings in postfix are required.

For this example, we will use ''mailrelay.example.com'' as the outgoing relay.
The authentication user will be ''username''.
The password will be ''password''.

The outbound destination should be the canonical name: postfix will resolve CNAMEs to the canonical name and then use that name to look up the username and password (see the note on smtp_cname_overrides_servername below, which changes this behaviour).
<pre>
Godaddy example:

smtpout.secureserver.net is really smtp.starfieldtech.com, so make sure you enter smtp.starfieldtech.com

nslookup smtpout.secureserver.net
...
Non-authoritative answer:
smtpout.secureserver.net canonical name = smtp.starfieldtech.com.
Name: smtp.starfieldtech.com
Address: 64.202.165.58
</pre>

== Setting a [[relay host]] ==

Set the [[relay host]] in the [[admin console]], [[MTA]] tab to point to your ISP's outgoing mail server. Your ISP can tell you the proper value for this. You may have to set the port as well. From the command line, replacing # with the port number:

<pre>
zmprov ms server.domain.com zimbraMtaRelayHost external.relay.com:#
</pre>

== Enabling smtp authentication ==

''Run all these commands as the [[zimbra user]]''

Create a text file mapping which name/password should be used for each given outbound destination. The file holds the relay password in clear text, so keep it readable only by the zimbra user:

<pre>
echo mailrelay.example.com username:password > /opt/zimbra/conf/relay_password
</pre>

Create a postfix lookup table:

<pre>
postmap hash:/opt/zimbra/conf/relay_password
</pre>

Test that the map is okay:

<pre>
postmap -q mailrelay.example.com hash:/opt/zimbra/conf/relay_password
</pre>

This should return ''username:password'' if done right.

Make postfix use the above:

<pre>
postconf -e smtp_sasl_password_maps=hash:/opt/zimbra/conf/relay_password
postconf -e smtp_sasl_auth_enable=yes
</pre>

<pre>
postconf -e smtp_cname_overrides_servername=no
</pre>

This last one might be MORE THAN VERY IMPORTANT if you want it to work and not to lose 3 days searching the internet and trying every possible configuration you can find, as I did! We may say it's not the most secure way to do it, but you can improve security with smtp_tls_per_site once it works and once you know that the authentication works. If you apply smtp_tls_per_site settings then smtp_cname_overrides_servername may become obsolete.

The purpose of using smtp_cname_overrides_servername=no is that many smtp servers use load balancing or other technology which causes your machine to send or forward the outgoing emails to a server having a different name than the one set in the smtp_sasl_password_maps file. Example of the problem:

<pre>
/opt/zimbra/conf/relay_password :
smtp.gmail.com blabla@gmail.com:password
</pre>

but postfix connects to gmail-smtp.l.google.com

What happens is that postfix will not send the authentication info contained in the smtp_sasl_password_maps file because it has no entry for the server gmail-smtp.l.google.com but has one for smtp.gmail.com.

Using gmail-smtp.l.google.com directly everywhere COULD resolve the problem too, but may cause two other problems. First, the server gmail-smtp.l.google.com may not accept direct connections. Second, the day it goes down you are screwed! Using the server CNAME entry, or whatever it can be, as smtp.gmail.com in this example, is a much better way to make it work.

Finally, if you're using a Zimbra package (some readers may land here looking for POSTFIX config) and if you have been searching the internet or are about to do so for troubleshooting your installation, DON'T use the brackets [] for the server name definition as we can see in many places. E.g.: [smtp.gmail.com]

By the way, if you intend to use smtp.gmail.com, make it work on port 587. Port 25 gave me a timeout, as did port 465. E.g.: relayhost=smtp.gmail.com:587

Good luck!
- Frederik Bacon -

Restart postfix:

<pre>
postfix reload
</pre>

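The lookup behaviour described in the Overview and in the gmail example above, modelled as an added Python example (not code from the wiki page, Zimbra or Postfix): a constructed CNAME table stands in for DNS, the relay_password contents are constructed, and the function names are mine. Stripping the optional :port before the lookup is a simplification of Postfix's real lookup order.

```python
# Added example (not from the wiki page): a model of how the Postfix SMTP client
# chooses the lookup key for smtp_sasl_password_maps, with and without
# smtp_cname_overrides_servername. DNS data and map contents are constructed.
from typing import Dict, Optional

# Constructed stand-in for DNS: configured name -> CNAME target (names taken from the page).
CNAMES: Dict[str, str] = {
    "smtp.gmail.com": "gmail-smtp.l.google.com",
    "smtpout.secureserver.net": "smtp.starfieldtech.com",
}
# Constructed relay_password contents: one "destination user:password" per line.
RELAY_PASSWORD = "smtp.gmail.com blabla@gmail.com:password\n"

def canonical_name(host: str, cnames: Dict[str, str] = CNAMES) -> str:
    """Follow the CNAME chain like a resolver does, guarding against loops."""
    seen = set()
    while host in cnames and host not in seen:
        seen.add(host)
        host = cnames[host]
    return host

def parse_password_map(text: str) -> Dict[str, str]:
    """Parse relay_password: the first blank separates destination from user:password."""
    creds: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        dest, _, userpass = line.partition(" ")
        creds[dest.lower()] = userpass.strip()
    return creds

def sasl_lookup_key(relayhost: str, cname_overrides_servername: bool) -> str:
    """Name Postfix looks up. With smtp_cname_overrides_servername=yes the
    canonical name replaces the configured one; with =no the configured name stays.
    (Simplification: the optional :port is stripped before the lookup.)"""
    host = relayhost.rsplit(":", 1)[0].lower()
    return canonical_name(host) if cname_overrides_servername else host

def credentials_for(relayhost: str, map_text: str, cname_overrides_servername: bool) -> Optional[str]:
    """Return the user:password Postfix would send, or None (the 'no entry' case above)."""
    return parse_password_map(map_text).get(sasl_lookup_key(relayhost, cname_overrides_servername))

if __name__ == "__main__":
    for setting in (True, False):
        print(f"smtp_cname_overrides_servername={'yes' if setting else 'no'}:",
              credentials_for("smtp.gmail.com:587", RELAY_PASSWORD, setting))
```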
== Troubleshooting ==

After sending a test message, check the [[Log Files]] for the error:

<pre>
Authentication failed: cannot SASL authenticate to server ...: no mechanism available
</pre>

You can fix this problem by tweaking the auth mechanisms that postfix is willing to use. First check which auth mechanisms postfix is configured to use; by default, you will see:

<pre>
$ postconf smtp_sasl_security_options
smtp_sasl_security_options = noplaintext, noanonymous
</pre>

Since noplaintext is present, postfix will refuse to use a mechanism that sends the password in the clear. If your upstream relay host only supports the PLAIN or LOGIN mechanisms (both of which send the password in the clear), you have to remove noplaintext from smtp_sasl_security_options:

<pre>
$ postconf -e smtp_sasl_security_options=noanonymous
$ postfix reload
</pre>

If you are concerned about sending the password in the clear and your upstream relay host offers TLS, look at the [http://www.postfix.org/postconf.5.html#smtp_use_tls smtp_use_tls] parameter, so that the PLAIN or LOGIN exchange happens inside an encrypted session.

See also [http://www.postfix.org/SASL_README.html#debugging].

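The mechanism negotiation behind the "no mechanism available" error, as an added Python example (not code from the wiki page or from Postfix): it reads the AUTH mechanisms from a constructed EHLO reply, applies smtp_sasl_security_options the way the troubleshooting section describes, and reports whether the result is a failure, a clear-text password, or an acceptable TLS-protected login. The constant and function names are mine; the optional tls_security_options argument plays the role of Postfix's smtp_sasl_tls_security_options, which by default takes the same value as smtp_sasl_security_options.

```python
# Added example (not from the wiki page): which SASL mechanisms the Postfix SMTP
# client may use, given the relay's EHLO reply and smtp_sasl_security_options.
# The EHLO reply below is constructed sample data.
from typing import List, Optional, Set

# Mechanisms that send the password in the clear; "noplaintext" excludes them.
PLAINTEXT_MECHS: Set[str] = {"PLAIN", "LOGIN"}
# "noanonymous" excludes anonymous login.
ANONYMOUS_MECHS: Set[str] = {"ANONYMOUS"}

# Constructed EHLO reply from a relay that only offers PLAIN and LOGIN.
EHLO_PLAIN_ONLY = "250-mailrelay.example.com\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n"

def advertised_mechanisms(ehlo_reply: str) -> List[str]:
    """Extract AUTH mechanisms from a multi-line EHLO reply.
    Accepts both 'AUTH PLAIN LOGIN' and the legacy 'AUTH=PLAIN LOGIN' form."""
    mechs: List[str] = []
    for line in ehlo_reply.splitlines():
        body = line[4:].strip()              # drop the '250-' / '250 ' prefix
        if body.upper().startswith("AUTH"):
            mechs.extend(m.upper() for m in body[4:].lstrip("= ").split())
    return mechs

def usable_mechanisms(advertised: List[str], security_options: str) -> List[str]:
    """Drop the mechanisms that smtp_sasl_security_options forbids."""
    opts = {o.strip().lower() for o in security_options.split(",") if o.strip()}
    banned: Set[str] = set()
    if "noplaintext" in opts:
        banned |= PLAINTEXT_MECHS
    if "noanonymous" in opts:
        banned |= ANONYMOUS_MECHS
    return [m for m in advertised if m not in banned]

def diagnose(ehlo_reply: str, security_options: str, tls_active: bool,
             tls_security_options: Optional[str] = None) -> str:
    """Predict the outcome of one session. tls_security_options plays the role of
    smtp_sasl_tls_security_options, which defaults to smtp_sasl_security_options."""
    if tls_active and tls_security_options is not None:
        security_options = tls_security_options
    usable = usable_mechanisms(advertised_mechanisms(ehlo_reply), security_options)
    if not usable:
        return "no mechanism available"   # the error quoted in the troubleshooting section
    if not tls_active and all(m in PLAINTEXT_MECHS for m in usable):
        return "plaintext only, no TLS: password crosses the wire in the clear"
    return "ok"

if __name__ == "__main__":
    print(diagnose(EHLO_PLAIN_ONLY, "noplaintext, noanonymous", False))
    print(diagnose(EHLO_PLAIN_ONLY, "noanonymous", False))
    print(diagnose(EHLO_PLAIN_ONLY, "noplaintext, noanonymous", True, "noanonymous"))
```

Keeping noplaintext in smtp_sasl_security_options and allowing PLAIN/LOGIN only through smtp_sasl_tls_security_options lets the relay login work while refusing to send the password over an unencrypted session.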
== Persistence across Zimbra upgrades ==

I just did an upgrade of Zimbra 5.0.5 to 5.0.8 after doing the above, and all of the relay smtp auth changes stayed; they were not wiped out by the upgrade.

[[Category:MTA]]
[[Category:Troubleshooting]]</div>