[SOLVED] Sending mail through an external relay - PER DOMAIN

[eugenejvr]

Good day,

I've read the article on configuring zimbra for using a external SMTP relay. Sending mail through an external relay - Zimbra :: Wiki

I have multiple domains on my server and only want one of them using a external SMTP relay.

How can I set it up to do this routing

Thank you in advance

[gvillari]

Hi,

the related bug is still assigned:

Bug 32740 – Per domain Relay MTA for external delivery

maybe this article could help you:

Relay per Domain - Zimbra :: Wiki

Regards

[eugenejvr]

Thanks a lot. This is a big help

[gvillari]

Glad you have solved.

Regards

[Labsy]

I've just been hitting the wall last two days trying to configure ZCS 7.1.4 to do the following:
- SmartHost/relay outbound mail only for single domain among lots of them
- relay to different smarthost relays depending on zimbra USER
- and finally, the toughest nut, to use SMTP authentication and SSL/TLS

Simple relay by domain and relay by user would have been working as described in link 2 posts above, but hey, how to use SMTP auth and also how to use TLS or SSL for SmartHost relay?

Well, I finally succeed!
Here's how:

0.) Change to zimbra user:

Code:

sudo su zimbra

1.) Add the following to /opt/zimbra/postfix/conf/main.cf file:

Code:

sender_dependent_relayhost_maps = hash:/opt/zimbra/postfix/conf/relaybysender

2.) Create file /opt/zimbra/postfix/conf/relaybysender and put the maps for smarthost relays in it, for example:

Code:

@domain1.com  [10.20.30.40]
@domain2.com  [relay2.someserver.com]:submission
user@domain3.com  [relay3.someserver.com]:submission

NOTE: Adding "submission" at the end tells relay to use TLS over 587 port instead of port 25. Also be aware if you use "[" , "]" and ":submission" port here, you must use them also in Relay_passwords file!
3.) Create hash file:

Code:

postmap /opt/zimbra/postfix/conf/relaybysender

4.) Not done yet!
Now we create matrix for SMTP authentication usernames and passwords. Create file /opt/zimbra/postfix/conf/relaypasswords and put server userass combinations in it:

Code:

[10.20.30.40] username:password
[relay2.someserver.com]:submission username:password
[relay3.someserver.com]:submission username:password

NOTE, how we preserved exact server notation, exactly as in previous file!
5.) Create map for this one, too:

Code:

postmap hash:/opt/zimbra/postfix/conf/relaypasswords

6.) In previous file we edited postfix configuration file manually, but we can do it also this way:

Code:

postconf -e smtp_sasl_password_maps=hash:/opt/zimbra/postfix/conf/relaypasswords

7.) Configure postfix to use SSL authentication and try if available TLS:

Code:

postconf -e smtp_sasl_auth_enable=yes
postconf -e smtp_tls_security_level = may

8.) ...and to use outgoing server name, rather than canonical name:

Code:

postconf -e smtp_cname_overrides_servername=no

9.) Reload postfix

Code:

postfix reload

10) Restart some Zimbra services, just for sure:

Code:

zmmtactl restart

So, in /opt/zimbra/postfix/conf/main.cf you should see at the end of the file:

Code:

smtp_tls_security_level = may
sender_dependent_relayhost_maps = hash:/opt/zimbra/postfix/conf/relaybydomain
smtp_sasl_password_maps = hash:/opt/zimbra/postfix/conf/relaypasswords
smtp_cname_overrides_servername = no

Test! Should work fine.
See the logs for errors:

Code:

tail -n 500 /var/log/mail.info

IMPORTANT: This config will NOT survive Zimbra upgrade! You must repeat above steps after each Zimbra upgrade.

[seanjoyce]

Labsy,

I just read and followed you excellent instructions on getting Zimbra to send to an external SMTP relay for a single user.

However I ran into a little problem; when I send a test mail I get the following in the log file:

Code:

Mar 26 14:26:19 mail postfix/smtp[31360]: certificate verification failed for smtp.gmail.com[173.194.76.108]:587: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Mar 26 14:26:19 mail postfix/smtp[31360]: warning: SASL authentication failure: No worthy mechs found
Mar 26 14:26:19 mail postfix/smtp[31360]: 6A9BAA399F: SASL authentication failed; cannot authenticate to server smtp.gmail.com[173.194.76.108]: no mechanism available

So it looks like Zimbra doesn't like the certificate for smtp.gmail.com. Is there a way to add an exception? Or does anyone have any other ideas?

Any help would be appreciated.

Sean

[Labsy]

Hi SeanJoyce,
you may try with suggestions from Troubleshoting part of this Wiki article: Outgoing SMTP Authentication - Zimbra :: Wiki

[seanjoyce]

Hi Labsy,

Thanks for the reply and the link to that post. I had seen it already but I haven't fully followed it yet. I just got some higher level debugging back in the log and I have a better idea of what's going on now. I have to try a few things and then I'll let you know how I get on. Thanks again.

Sean

[seanjoyce]

Thanks Labsy,

The solution to make this work with Gmail was in that post you sent me.

Add the following line to main.cf:

Code:

smtp_sasl_security_options = noanonymous

The default is:

Code:

smtp_sasl_security_options = noplaintext, noanonymous

Because you have already established a TLS tunnel, gmail then does the authenication in plaintext.

Sean