Outbound SMTP Smart Host

razorsedge
Posts: 4
Joined: 07 Aug 2015 13:08

Outbound SMTP Smart Host

Post by razorsedge »

Hey guys,

I'm new here (go figure), but absolutely love this product. I moved from Scrollout to this because of the tracking capabilities. It is set up much like a Cisco IronPort and I think this has potential to grow.

Anyways, now on to the problem.

Current setup:
VMware Appliance (EFA)
Mail Server (Zimbra on port 25)
Internally (No firewalls)
Externally (Port 587 opened)

All inbound mail comes in on port 587 using No-IP's mail reflector service and then gets scanned by EFA. Once scanned, it then sends it to my Zimbra server on port 25. If I reply to the message, it then gets sent back to my EFA box and then gets routed to a smart host.

Here is where the problem comes in place. My service provider blocks port 25. By default, EFA uses port 25 to send mail to my smart host. When using port 25, I obviously get "Connection Timed Out".. no brainer so I change the port to 587.

When changing the port, this is where the error comes into play - I get an error status on the mail queue that states: "SASL Authentication failed: Cannot Authenticate to domainname[x.x.x.x]: no mechanism available". When disabling Auth, I then get an error that states authentication must be used.
[Domain name is a real domain name and x.x.x.x returns the correct IP.]

I do know that my smart host does indeed use port 587 because I've used it previously on Scrollout. Thoughts?

Razorsedge
DaN
Posts: 240
Joined: 19 Nov 2014 10:04
Location: Earth

Re: Outbound SMTP Smart Host

Post by DaN »

Hi
how do you change the port from 25 to 587?
razorsedge
Posts: 4
Joined: 07 Aug 2015 13:08

Re: Outbound SMTP Smart Host

Post by razorsedge »

**Edit - Dan - Do you mean for inbound or outbound? If outbound, see below.

On the Webmin interface, I go to server, SMTP Authentication and Encryption.

Down at the bottom, I typed send outgoing mail via host: Mail.x.org:587

Then I use SASL SMTP AUTH and type in the credentials.

I'm assuming there is some other way to edit the smarthost section and get it to use a different port than 25. As well, I'm assuming that it can't distinguish that after the : is a port? Possibly?

Razorsedge
DaN
Posts: 240
Joined: 19 Nov 2014 10:04
Location: Earth

Re: Outbound SMTP Smart Host

Post by DaN »

I don't use/have Webmin, so I don't know if this works. Does the config menu offer an option to change the outgoing port?

Is viewtopic.php?f=14&t=1035&p=3307&hilit=port#p3307 helpful?
razorsedge
Posts: 4
Joined: 07 Aug 2015 13:08

Re: Outbound SMTP Smart Host

Post by razorsedge »

That doesn't seem to work. Basically says Transport Failure.

I've tried in different strings
* smtp:plover.arvixe.com - this uses port 25
* plover.arvixe.com:587 - Transport failure
* smtp:plover.arvixe.com:587 - Transport failure


So not sure if sending it on any other port than 25 is possible when using smarthost :/

Razorsedge
razorsedge
Posts: 4
Joined: 07 Aug 2015 13:08

Re: Outbound SMTP Smart Host

Post by razorsedge »

I found an article out there on the web that deals with sending external email, which still didn't work:
http://serverfault.com/questions/119278 ... a-port-587

So I got to thinking if it was something to do with my relay through arvixe, so I changed it to Google's relay service and I still get SASL authentication failed, cannot authenticate to the server :smtp-relay.gmail.com[74.125.21.28]:no mechanism available.

Time to go back to the drawing board with google :)

Has anyone else had this problem?

razorsedge
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Outbound SMTP Smart Host

Post by shawniverson »

So I got to thinking if it was something to do with my relay through arvixe, so I changed it to Google's relay service and I still get SASL authentication failed, cannot authenticate to the server :smtp-relay.gmail.com[74.125.21.28]:no mechanism available.
You may need to set up SASL credentials if you are trying to relay through Google.
e-d-i-t
Posts: 94
Joined: 27 Apr 2016 19:28

Re: Outbound SMTP Smart Host

Post by e-d-i-t »

Tried to use a smarthost from my bsmtp-provider which needs to be on port 465 (don't know why, but it seems to react on 587 as well)
So I tried both, ports opened on the router to EFA on 465 and 587. I entered the smarthost, login username and password with webmin in the Postfix "SMTP Authentication and Encryption".

On port 465
Postfix: SMTPS wrappermode (TCP port 465) requires setting "smtp_tls_wrappermode = yes", and "smtp_tls_security_level = encrypt" (or stronger)
So I did it, but now inbound to my mailserver is an issue with tls. So skip port 465 cause these additional settings work for in/outbound. And inbound mailserver stays on port 25 internally for reasons.

On port 587
SASL on: SASL authentication failed; cannot authenticate to server smtp.mysmarthost.com[x.x.x.x]: no mechanism available
SASL off: 554 5.7.1 Recipient address rejected: Authentication required (in reply to RCPT TO command)

I'm on a dead end here as well, will have to keep going on smarthost ISP on port 25, but that won't last forever.
Any free smtp-relays besides my ISP and bsmtp provider for further experiments?
stusmith
Posts: 63
Joined: 27 Jan 2017 15:24

Re: Outbound SMTP Smart Host

Post by stusmith »

I think that you can create a transport map to determine which way to forward your e-mail. Then you need to create a password map to authenticate. Port tcp:465 is the SMTPS protocol port. Port tcp:587 is the client submission port.
  • Create a map file for your username/passwords to authenticate to your relay servers
  • Create a transport map to determine which mail should go to which servers
  • Enable TLS with a setting of 'may' for your Postfix server
  • Create a TLS policy map to override the setting for each relay ( so you can have multiple settings )

/etc/postfix/relay_password_maps

Code:

smarthost.no1.somedomain.com   USERNAME:PASSWORD
smarthost.no2.someotherdomain.com   USERNAME:PASSWORD

then: #sudo postmap /etc/postfix/relay_password_maps

/etc/postfix/transport_maps

Code:

somedomain.com     smtp:smarthost.no1.somedomain.com
someotherdomain.com     smtp:smarthost.no2.someotherdomain.com
*   smtp:if.allelse.fails.com

then: #sudo postmap /etc/postfix/transport_maps

/etc/postfix/main.cf

Code:

# transport(5) tables are loaded with transport_maps; relayhost takes a single destination, not a table
transport_maps = hash:/etc/postfix/transport_maps
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/relay_password_maps
smtp_sasl_mechanism_filter = digest-md5, auth, login, plain
# empty value removes the default restrictions (noplaintext, noanonymous), so PLAIN and LOGIN are allowed
smtp_sasl_security_options = 

smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy_maps
# wrappermode is for SMTPS (port 465) relays; as a main.cf setting it applies to every destination
smtp_tls_wrappermode = yes

/etc/postfix/tls_policy_maps

Code:

somedomain.com:587   encrypt
someotherdomain.com:465 encrypt protocols=TLSv1 ciphers=high

then: #sudo postmap /etc/postfix/tls_policy_maps

If you check out http://www.postfix.org/SASL_README.html there is a section on using telnet to determine what the authentication method is that the other server supports. Since it looks like you need TLS, you'll need to read this http://www.postfix.org/TLS_README.html as well.

You may have to add the ports to the transport maps as well, like smtp:smarthost.no1.somedomain.com:465. I'm not really sure. Try it and let me know. You also may need to install the sasl libraries appropriate for the authentication types that you're trying to use...

Code:

$ yum search sasl
Loaded plugins: fastestmirror, security
Determining fastest mirrors
 * EFA: dl.efa-project.org
 * base: mirror.net.cen.ct.gov
 * epel: fedora.mirrors.pair.com
 * extras: mirror.trouble-free.net
 * updates: mirror.umd.edu
===================================================================================== N/S Matched: sasl =====================================================================================
cyrus-sasl.x86_64 : The Cyrus SASL library
cyrus-sasl-devel.i686 : Files needed for developing applications with Cyrus SASL
cyrus-sasl-devel.x86_64 : Files needed for developing applications with Cyrus SASL
cyrus-sasl-gssapi.i686 : GSSAPI authentication support for Cyrus SASL
cyrus-sasl-gssapi.x86_64 : GSSAPI authentication support for Cyrus SASL
cyrus-sasl-ldap.i686 : LDAP auxprop support for Cyrus SASL
cyrus-sasl-ldap.x86_64 : LDAP auxprop support for Cyrus SASL
cyrus-sasl-lib.i686 : Shared libraries needed by applications which use Cyrus SASL
cyrus-sasl-lib.x86_64 : Shared libraries needed by applications which use Cyrus SASL
cyrus-sasl-md5.i686 : CRAM-MD5 and DIGEST-MD5 authentication support for Cyrus SASL
cyrus-sasl-md5.x86_64 : CRAM-MD5 and DIGEST-MD5 authentication support for Cyrus SASL
cyrus-sasl-ntlm.i686 : NTLM authentication support for Cyrus SASL
cyrus-sasl-ntlm.x86_64 : NTLM authentication support for Cyrus SASL
cyrus-sasl-plain.i686 : PLAIN and LOGIN authentication support for Cyrus SASL
cyrus-sasl-plain.x86_64 : PLAIN and LOGIN authentication support for Cyrus SASL
cyrus-sasl-sql.i686 : SQL auxprop support for Cyrus SASL
cyrus-sasl-sql.x86_64 : SQL auxprop support for Cyrus SASL

You can also check out http://www.postfix.org/postconf.5.html. Look for the smtp_tls_wrappermode and smtp_tls_security_level and smtp_tls_policy_maps.
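An added example (not written by any poster in this thread and not Postfix code): a simplified Python model of how a Postfix SMTP client ends up with "no mechanism available", combining the relay's EHLO AUTH line, smtp_sasl_security_options and the installed cyrus-sasl plugins. The EHLO replies are constructed samples, relay.example.net is a placeholder, and the function names are hypothetical.

```python
import re

# Mechanisms excluded by the "noplaintext" / "noanonymous" security options.
PLAINTEXT = {"PLAIN", "LOGIN"}
ANONYMOUS = {"ANONYMOUS"}

# Constructed EHLO replies from a hypothetical relay on port 587.
EHLO_BEFORE_STARTTLS = """250-relay.example.net
250-SIZE 52428800
250-STARTTLS
250 8BITMIME"""
EHLO_AFTER_STARTTLS = """250-relay.example.net
250-SIZE 52428800
250-AUTH PLAIN LOGIN
250 8BITMIME"""


def advertised_mechs(ehlo_reply):
    """Return the SASL mechanisms listed on the AUTH line(s) of an EHLO reply."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.*)", line.strip(), re.IGNORECASE)
        if m:
            mechs.update(tok.upper() for tok in m.group(1).split())
    return mechs


def usable_mechs(ehlo_reply, security_options, installed_plugins):
    """Mechanisms left after policy and plugin filtering.
    An empty list is the "no mechanism available" situation."""
    opts = {o.lower() for o in re.split(r"[,\s]+", security_options) if o}
    mechs = advertised_mechs(ehlo_reply)
    if "noplaintext" in opts:
        mechs -= PLAINTEXT
    if "noanonymous" in opts:
        mechs -= ANONYMOUS
    return sorted(mechs & {p.upper() for p in installed_plugins})


if __name__ == "__main__":
    default = "noplaintext, noanonymous"  # Postfix default for smtp_sasl_security_options
    plain = {"PLAIN", "LOGIN"}            # provided by cyrus-sasl-plain
    md5 = {"CRAM-MD5", "DIGEST-MD5"}      # provided by cyrus-sasl-md5
    print("default policy      :", usable_mechs(EHLO_AFTER_STARTTLS, default, plain))
    print("noanonymous only    :", usable_mechs(EHLO_AFTER_STARTTLS, "noanonymous", plain))
    print("plain plugin missing:", usable_mechs(EHLO_AFTER_STARTTLS, "noanonymous", md5))
    print("before STARTTLS     :", usable_mechs(EHLO_BEFORE_STARTTLS, "noanonymous", plain))
```

Only the second case leaves a usable mechanism; since PLAIN and LOGIN send the password in the clear, pair that setting with an enforced TLS level (`encrypt` or stronger) for the relay.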