King0770-Notes-Outbound SMTP Authentication Using Port 465

If you have the need to authenticate outbound messages through a 3rd party MTA using port 465, this article may be of interest to you.

Typically, sending through a 3rd party MTA server requires updating zimbraMtaRelayHost:


zmprov ms zimbraMtaRelayHost


Alternatively, the relay can be chosen per sender using sender_dependent_relayhost_maps = lmdb:/opt/zimbra/conf/bysender

Contents of the /opt/zimbra/conf/bysender file		[]:465

Typical settings are...

smtp_tls_wrappermode = yes
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /opt/zimbra/conf/cert.crt       <<== Cert from the 3rd party MTA
smtp_sasl_security_options = noanonymous
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = lmdb:/opt/zimbra/conf/relay_password

Use zmprov to update the MTA settings...

postconf -e smtp_tls_wrappermode=yes   # No Zimbra setting for smtp_tls_wrappermode yet
zmprov ms zimbraMtaSmtpTlsSecurityLevel encrypt
zmprov ms zimbraMtaSmtpTlsCAfile /opt/zimbra/conf/cert.crt
zmprov ms zimbraMtaSmtpSaslSecurityOptions noanonymous
zmprov ms zimbraMtaSmtpSaslAuthEnable yes
zmprov ms zimbraMtaSmtpSaslPasswordMaps lmdb:/opt/zimbra/conf/relay_password
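As an added check (example script, not from this wiki page and not Zimbra's own tooling), the following POSIX shell functions lint the settings above offline: they confirm that wrapper mode is paired with a mandatory TLS level and SASL authentication, that every relay destination in the bysender table is a port-465 entry with an identical key in relay_password, and that the password file is not group- or world-readable. The relay name relay.example.net, the sender address and the credential are constructed placeholders, not values from the page.

```shell
#!/bin/sh
# Added example, not from the wiki page: offline lint for the port-465 relay
# settings. relay.example.net, the sender and the credential are constructed.

# What `postconf -n` prints for the relevant parameters (constructed sample).
SAMPLE_MAIN_CF='smtp_tls_wrappermode = yes
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /opt/zimbra/conf/cert.crt
smtp_sasl_security_options = noanonymous
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = lmdb:/opt/zimbra/conf/relay_password'

# Source text of the two lookup tables, before postmap (constructed sample).
SAMPLE_BYSENDER='user@example.com [relay.example.net]:465'
SAMPLE_RELAY_PASSWORD='[relay.example.net]:465 user@example.com:PLACEHOLDER_PASSWORD'

# Print the value of parameter $1 from "key = value" text read on stdin.
get_param() {
    awk -v k="$1" -F' *= *' '$1 == k { print $2 }'
}

# Check that main.cf text ($1) is coherent for implicit TLS (SMTPS) on 465.
# Prints one line per finding; returns 0 only if no FAIL was raised.
check_relay_settings() {
    cfg="$1"; rc=0
    wrap=$(printf '%s\n' "$cfg" | get_param smtp_tls_wrappermode)
    level=$(printf '%s\n' "$cfg" | get_param smtp_tls_security_level)
    cafile=$(printf '%s\n' "$cfg" | get_param smtp_tls_CAfile)
    sasl=$(printf '%s\n' "$cfg" | get_param smtp_sasl_auth_enable)
    opts=$(printf '%s\n' "$cfg" | get_param smtp_sasl_security_options | tr -d ' ')
    maps=$(printf '%s\n' "$cfg" | get_param smtp_sasl_password_maps)

    [ "$wrap" = yes ] || { echo "FAIL: port 465 needs smtp_tls_wrappermode = yes"; rc=1; }
    case "$level" in
        verify|secure) ;;
        encrypt) echo "WARN: encrypt forces TLS but does not verify the relay certificate; verify/secure would" ;;
        *) echo "FAIL: wrapper mode requires smtp_tls_security_level encrypt or stronger, not '$level'"; rc=1 ;;
    esac
    [ -n "$cafile" ] || echo "WARN: smtp_tls_CAfile unset, so a verify/secure level would have no trust anchor"
    [ "$sasl" = yes ] || { echo "FAIL: smtp_sasl_auth_enable must be yes to log in to the relay"; rc=1; }
    case ",$opts," in
        *,noanonymous,*) ;;
        *) echo "FAIL: smtp_sasl_security_options must include noanonymous"; rc=1 ;;
    esac
    [ -n "$maps" ] || { echo "FAIL: smtp_sasl_password_maps unset; SASL has no credentials"; rc=1; }
    return $rc
}

# Check that every relay destination in bysender text ($1) is a port-465 entry
# and has an identical key in relay_password text ($2): Postfix looks up the
# next-hop exactly as written, brackets and port included.
check_password_map_keys() {
    bysender="$1"; pwmap="$2"; rc=0
    for dest in $(printf '%s\n' "$bysender" | awk '$1 !~ /^#/ && NF >= 2 { print $2 }' | sort -u); do
        case "$dest" in
            *:465) ;;
            *) echo "FAIL: $dest is not a port-465 destination but wrapper mode is global"; rc=1 ;;
        esac
        if printf '%s\n' "$pwmap" | awk -v d="$dest" 'NF >= 2 && $1 == d { f = 1 } END { exit f ? 0 : 1 }'; then
            echo "OK: credentials present for $dest"
        else
            echo "FAIL: no relay_password key equal to $dest"; rc=1
        fi
    done
    return $rc
}

# The password table is a clear-text credential: return 0 only if file $1 has
# no group or other permission bits (e.g. mode 0600).
check_map_file_mode() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Stand-alone run against the constructed samples.
check_relay_settings "$SAMPLE_MAIN_CF"
check_password_map_keys "$SAMPLE_BYSENDER" "$SAMPLE_RELAY_PASSWORD"
```

Run it as-is to see the findings for the constructed sample, or feed the functions the output of postconf -n and the source text of your own maps. Note the warning for smtp_tls_security_level = encrypt: that level forces TLS but does not check the relay's certificate against smtp_tls_CAfile, so the CAfile only buys authentication of the relay once the level is raised to verify or secure.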

Contents of the /opt/zimbra/conf/relay_password by example

If you are running Amavis on the MTA node and have enabled the settings above, you may see something similar to this in /var/log/zimbra.log:

Oct 25 16:56:18 mta postfix/smtp[26452]: 1991520301E: to=<>, relay=[]:10026, delay=0.29, delays=0.23/0.05/0.01/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)

If you see the handshake failure error, you will need to update the smtp-amavis section in Zimbra's file.

Stock entry:

smtp-amavis unix -      -       n       -       %%zimbraAmavisMaxServers%%  smtp
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
        -o smtpd_sasl_auth_enable=no
        -o max_use=20

Updated entry, with TLS turned off for this service only:

smtp-amavis unix -      -       n       -       %%zimbraAmavisMaxServers%%   smtp
        -o smtp_tls_security_level=none
        -o smtp_tls_wrappermode=no
        -o smtp_data_done_timeout=1200
        -o smtp_send_xforward_command=yes
        -o disable_dns_lookups=yes
        -o max_use=20

From my testing, it appears that in order to allow amavis to pass the message, you need to use both smtp_tls_security_level & smtp_tls_wrappermode; basically turning them off *just* for amavis.
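As an added example (not code from this wiki page or from Zimbra), the following POSIX shell script checks the two halves of the amavis fix: it parses a master.cf text and confirms the smtp-amavis service carries both -o overrides, and it counts zimbra.log lines showing the "Cannot start TLS" deferral to the amavis re-injection listener on port 10026. The master.cf excerpt and log lines are constructed samples; the queue ids, addresses and hostnames in them are placeholders.

```shell
#!/bin/sh
# Added example, not from the wiki page: verify the smtp-amavis override in
# master.cf and count the resulting deferrals in zimbra.log. All samples below
# are constructed; hostnames, queue ids and addresses are placeholders.

# master.cf excerpt in the shape of the updated entry above (constructed).
SAMPLE_MASTER_CF='smtp      unix  -       -       n       -       -       smtp
smtp-amavis unix -      -       n       -       %%zimbraAmavisMaxServers%%   smtp
    -o smtp_tls_security_level=none
    -o smtp_tls_wrappermode=no
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20
127.0.0.1:10025 inet n  -       n       -       -       smtpd
    -o content_filter='

# Three zimbra.log lines: two deferrals to the amavis re-injection listener on
# port 10026 and one successful delivery to the port-465 relay (constructed).
SAMPLE_LOG='Oct 25 16:56:18 mta postfix/smtp[11111]: 1A2B3C4D5E1: to=<alice@example.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.29, delays=0.23/0.05/0.01/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Oct 25 16:56:19 mta postfix/smtp[11112]: 2B3C4D5E6F2: to=<bob@example.org>, relay=relay.example.net[203.0.113.10]:465, delay=1.2, delays=0.1/0.05/0.9/0.15, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
Oct 25 16:56:20 mta postfix/smtp[11111]: 3C4D5E6F7A3: to=<carol@example.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.31, delays=0.25/0.05/0.01/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)'

# Print each "-o key=value" option of service $1 from master.cf text on stdin.
# A service entry starts in column 1; its options are the indented lines after it.
service_options() {
    awk -v svc="$1" '
        /^#/      { next }
        /^[^ \t]/ { cur = $1; next }
        cur == svc && $1 == "-o" { print $2 }
    '
}

# Return 0 only if smtp-amavis in master.cf text ($1) turns TLS off locally;
# otherwise it inherits the global smtp_tls_wrappermode=yes and opens an SMTPS
# handshake against amavis on port 10026, which only speaks plain SMTP.
check_amavis_tls_override() {
    opts=$(printf '%s\n' "$1" | service_options smtp-amavis); rc=0
    for want in smtp_tls_security_level=none smtp_tls_wrappermode=no; do
        if printf '%s\n' "$opts" | grep -qx -- "$want"; then
            echo "OK: smtp-amavis sets -o $want"
        else
            echo "FAIL: smtp-amavis lacks -o $want"; rc=1
        fi
    done
    return $rc
}

# Return 0 when one zimbra.log line ($1) is a smtp client deferral to port
# 10026 caused by a TLS handshake failure, i.e. the symptom described above.
is_amavis_tls_failure() {
    case "$1" in
        *"postfix/smtp["*"relay="*":10026,"*"Cannot start TLS"*) return 0 ;;
    esac
    return 1
}

# Print how many lines of log text ($1) match is_amavis_tls_failure.
count_amavis_tls_failures() {
    n=0
    while IFS= read -r line; do
        if is_amavis_tls_failure "$line"; then n=$((n + 1)); fi
    done <<EOF
$1
EOF
    echo "$n"
}

# Stand-alone run against the constructed samples.
check_amavis_tls_override "$SAMPLE_MASTER_CF"
echo "amavis TLS deferrals in sample log: $(count_amavis_tls_failures "$SAMPLE_LOG")"
```

To use it on a live system, pass the contents of your master.cf to check_amavis_tls_override and pipe the relevant lines of /var/log/zimbra.log through count_amavis_tls_failures; a non-zero count after the change means the override has not been picked up yet (the template was edited but services were not restarted, or the wrong file was edited).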

When you make your changes, make sure you edit the file (not, and restart services to pick up the changes.

If your 3rd party relay uses port 587, ignore this article.

