Adding SSL based SMTP authentication

[Miklos Kalman]

Hi,

How can I setup SSL based SMTP authentication? I need this to allow me to send emails using the Zimbra server from my PDA, since I am getting relay denied in the Zimbra logs. The ISP allows port 25 so that part shouldn't be a problem.

Thanks,
Miklos

[phoenix]

Look in the Global Settings/IMAP tab for the settings (& MTA tab for Authentication). BTW, the correct port for Submissions is 587 not 25, to use that you would require a change to the master.cf file. If you want to make that chang, do the following:

Code:

In the /opt/zimbra/postfix/conf/master.conf file uncomment the following three lines:

#submission inet n      -       n       -       -       smtpd
#	-o smtpd_etrn_restrictions=reject
#	-o smtpd_client_restrictions=permit_sasl_authenticated,reject

make sure that the whitespace remain at the beginning of lines 2 & 3. You might also want to vote on this bug. Changes you make to the master.cf file will not survive an upgrade, you'll need to make the change again.

[Miklos Kalman]

Hi,

I uncommented the lines and restarted/reloaded postfix. In the admin I have enable SSL for IMAP.

I tried sending a mail from my PDA (WM6, outgoing requires SSL setting), it reached the server and this is what I got in the logs:

Feb 10 15:00:39 mail postfix/smtpd[6336]: NOQUEUE: reject: RCPT from apn-89-223-245-75.vodafone.hu[89.223.245.75]: 554 5.7.1 : Relay access denied; from= to= proto=ESMTP helo=
Feb 10 15:00:39 mail postfix/smtpd[6336]: 9B0461B4006C: client=apn-89-223-245-75.vodafone.hu[89.223.245.75]
Feb 10 15:00:40 mail postfix/smtpd[6336]: NOQUEUE: reject: RCPT from apn-89-223-245-75.vodafone.hu[89.223.245.75]: 554 5.7.1 : Relay access denied; from= to= proto=ESMTP helo=

The request reaches the server so the ISP is not blocking anything. The PDA responded with : "Cannot establish SSL connection, check your setting and try again...". I also tried without SSL but still got the error in the logs, also a message came back to the PDA saying relay not permitted.

Any ideas what else can be wrong?

Miklos

[Miklos Kalman]

for some reason the email addresses were omitted during the post, but both sender and recipients are valid email addresses with the sender being on the domain of the zimbra server.

[phoenix]

This has been covered dozens of times in the forums, authenticated users are able to relay through Zimbra servers. You should check the mynetworks configuration in the following articles:

Outgoing Mail Problems - Zimbra :: Wiki
ZimbraMtaMyNetworks - Zimbra :: Wiki

One thing to note, the mynetworks configuration is for your local LAN and the Zimbra server itself, you do NOT need to add the IP of your remote PDA.

[Miklos Kalman]

I know it has been covered, but mynetworks in not the solution in this case. I want to allow authenticated users to use the zimbra server as an SMTP server no matter which network they are on. If for instance I use thunderbird and authenticate using TLS I am able to send email using the same Zimbra server. I want to have the same effect happen using my PDA. However since my PDA does not allow TLS for outgoing I am left with the SSL option which should work the same way right?

[phoenix]

Please check that your mynetworks configuration is OK and post some output to show that it is. Once you've done that we can move forward with any other checks that may be necessary.

[Miklos Kalman]

This is the output of mynetworks:

zimbra@mail:~$ zmprov gs `zmhostname` | grep zimbraMtaMyNetworks
zimbraMtaMyNetworks: 127.0.0.0/8 217.65.100.0/26 172.16.228.0/24

[phoenix]

Run the following on your Zimbra server:

Code:

host `hostname`  <-- use backticks not single quotes
dig yourdomain.com mx
dig yourdomain.com any

cat /etc/hosts
cat /etc/resolv.conf

and post the exact output that you get from those commands.

[Miklos Kalman]

Hi,

Here is the output:

root@mail:~# host `hostname`
mail.westerlike.com has address 217.65.100.52
root@mail:~# dig mail.westerlike.com mx

; <<>> DiG 9.3.2 <<>> mail.westerlike.com mx
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59790
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;mail.westerlike.com. IN MX

;; AUTHORITY SECTION:
westerlike.com. 10800 IN SOA ans0.t-online.hu. hostmaster.t-online.hu. 2008020603 28800 7200 1209600 86400

;; Query time: 18 msec
;; SERVER: 195.228.240.249#53(195.228.240.249)
;; WHEN: Sun Feb 10 15:55:02 2008
;; MSG SIZE rcvd: 100



root@mail:~# dig mail.westerlike.com any

; <<>> DiG 9.3.2 <<>> mail.westerlike.com any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6529
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mail.westerlike.com. IN ANY

;; ANSWER SECTION:
mail.westerlike.com. 66714 IN A 217.65.100.52

;; Query time: 12 msec
;; SERVER: 195.228.240.249#53(195.228.240.249)
;; WHEN: Sun Feb 10 15:55:10 2008
;; MSG SIZE rcvd: 53

root@mail:~# cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
217.65.100.52 mail.westerlike.com mail

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

root@mail:~# cat /etc/resolv.conf
search westerlike.com
nameserver 195.228.240.249
nameserver 195.228.242.180
nameserver 217.65.96.3

root@mail:~#