Hi Everyone,
Firstly, I would like to say how great I find Zimbra.
I have it set up and working fine from my standard install; however, seeing as my mail server is on a dynamic IP, emails from it usually get marked as SPAM or junk mail.
I have a friend who is allowing me to route my emails through his server; however, it is set up to only accept TLS connections with a username and password.
His server is running Exim, not Postfix, so he isn't able to help me with the setup.
When I try to send an email using his upstream relay I always get a bounce back message saying it has been rejected. My friend tells me that it isn't even getting to the stage to authenticate using the username/password.
I've been playing around with the Postfix main.cf settings to try to get TLS working but have had no success.
Could someone please tell me how to get this working?
My main.cf file is as follows:
sender_canonical_maps = ldap:/opt/zimbra/conf/ldap-scm.cf
virtual_alias_domains = ldap:/opt/zimbra/conf/ldap-vad.cf
recipient_delimiter =
smtpd_tls_cert_file = /opt/zimbra/conf/smtpd.crt
smtpd_tls_auth_only = yes
myhostname = mail.xxxx.net
virtual_mailbox_domains = ldap:/opt/zimbra/conf/ldap-vmd.cf
mailbox_size_limit = 0
smtpd_client_restrictions = reject_unauth_pipelining
virtual_alias_maps = ldap:/opt/zimbra/conf/ldap-vam.cf
transport_maps = ldap:/opt/zimbra/conf/ldap-transport.cf
sendmail_path = /opt/zimbra/postfix-2.2.9/sbin/sendmail
message_size_limit = 10240000
broken_sasl_auth_clients = yes
alias_maps = hash:/etc/aliases
manpage_directory = /opt/zimbra/postfix-2.2.9/man
smtpd_helo_required = yes
daemon_directory = /opt/zimbra/postfix-2.2.9/libexec
virtual_transport = error
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_sender, reject_unauth_destination, permit
smtpd_tls_loglevel = 1
relayhost = [ip address]:25
disable_dns_lookups = no
content_filter = smtp-amavis:[127.0.0.1]:10024
virtual_mailbox_maps = ldap:/opt/zimbra/conf/ldap-vmm.cf
version = 2.2.9
mailq_path = /opt/zimbra/postfix-2.2.9/sbin/mailq
header_checks = pcre:/opt/zimbra/conf/postfix_header_checks
smtpd_use_tls = yes
queue_directory = /opt/zimbra/postfix-2.2.9/spool
newaliases_path = /opt/zimbra/postfix-2.2.9/sbin/newaliases
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_reject_unlisted_recipient = no
smtpd_tls_key_file = /opt/zimbra/conf/smtpd.key
command_directory = /opt/zimbra/postfix-2.2.9/sbin
smtpd_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/opt/zimbra/conf/relay_password
smtp_sasl_auth_enable = yes
smtp_use_tls = yes
smtp_tls_peer_match = no
When I check the zimbra logs I get the following:
root@mail:/var/log# less zimbra.log | grep postfix
Jun 23 13:43:05 mail postfix/postqueue[4003]: fatal: Queue report unavailable - mail system is down
Jun 23 13:52:48 mail postfix/postqueue[4050]: fatal: Queue report unavailable - mail system is down
Jun 23 13:52:52 mail postfix/postfix-script: warning: not owned by root: /opt/zimbra/postfix-2.2.9/conf/main.cf
Jun 23 13:52:52 mail postfix/postfix-script: warning: not owned by root: /opt/zimbra/postfix-2.2.9/conf/main.cf.bk
Jun 23 13:52:52 mail postfix/postfix-script: starting the Postfix mail system
Jun 23 13:52:52 mail postfix/master[4272]: daemon started -- version 2.2.9, configuration /opt/zimbra/postfix-2.2.9/conf
Jun 23 14:42:24 mail postfix/smtpd[11877]: connect from mail.xxx.net[192.168.2.3]
Jun 23 14:42:24 mail postfix/smtpd[11877]: 2885A1E7877: client=mail.xxx.net[192.168.2.3]
Jun 23 14:42:24 mail postfix/cleanup[11881]: 2885A1E7877: message-id=<32482448.01182566543349.JavaMail.root@mail.xxx.net>
Jun 23 14:42:24 mail postfix/qmgr[4276]: 2885A1E7877: from=, size=548, nrcpt=1 (queue active)
Jun 23 14:42:24 mail postfix/smtpd[11877]: disconnect from mail.xxx.net[192.168.2.3]
Jun 23 14:42:25 mail postfix/smtpd[11885]: connect from localhost.localdomain[127.0.0.1]
Jun 23 14:42:25 mail postfix/smtpd[11885]: BA3E41E7885: client=localhost.localdomain[127.0.0.1]
Jun 23 14:42:25 mail postfix/cleanup[11881]: BA3E41E7885: message-id=<32482448.01182566543349.JavaMail.root@mail.xxx.net>
Jun 23 14:42:25 mail postfix/smtpd[11885]: disconnect from localhost.localdomain[127.0.0.1]
Jun 23 14:42:25 mail postfix/smtp[11882]: 2885A1E7877: to=, relay=127.0.0.1[127.0.0.1], delay=1, status=sent (250 2.6.0 Ok, id=04221-01, from MTA([127.0.0.1]:10025): 250 Ok: queued as BA3E41E7885)
Jun 23 14:42:25 mail postfix/qmgr[4276]: BA3E41E7885: from=, size=1132, nrcpt=1 (queue active)
Jun 23 14:42:25 mail postfix/qmgr[4276]: 2885A1E7877: removed
Jun 23 14:42:27 mail postfix/smtp[11886]: certificate verification failed for 65.99.222.183: num=20:unable to get local issuer certificate
Jun 23 14:42:27 mail postfix/smtp[11886]: certificate verification failed for 65.99.222.183: num=27:certificate not trusted
Jun 23 14:42:27 mail postfix/smtp[11886]: certificate verification failed for 65.99.222.183: num=21:unable to verify the first certificate
Jun 23 14:42:28 mail postfix/smtp[11886]: Server certificate could not be verified
Jun 23 14:42:29 mail postfix/smtp[11886]: BA3E41E7885: to=, relay=[upstream mta ip], delay=4, status=bounced (host [upstream mta ip] said: 550 relay not permitted (in reply to RCPT TO command))
Jun 23 14:42:29 mail postfix/cleanup[11881]: 452521E7886: message-id=<20070623024229.452521E7886@mail.xxx.net>
Jun 23 14:42:29 mail postfix/qmgr[4276]: 452521E7886: from=<>, size=3034, nrcpt=1 (queue active)
Jun 23 14:42:29 mail postfix/qmgr[4276]: BA3E41E7885: removed
Jun 23 14:42:29 mail postfix/lmtp[11888]: 452521E7886: to=, relay=mail.xxx.net[192.168.2.3], delay=0, status=sent (250 2.1.5 OK)
Jun 23 14:42:29 mail postfix/qmgr[4276]: 452521E7886: removed
I have noticed that there are messages about certificates not being verified. Would this affect the TLS transaction? Would I have to install the root certificate which verifies his? http://crt.litessl.com/LiteSSL_CA.crt
When I grep TLS in the zimbra logs I get nothing.
Any help on this would be awesome as I have been struggling for a while now to get this going.
Regards
Mark
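
In the log above, the certificate warnings carry no queue ID, so the only way to tie them to the bounced message is the postfix/smtp process ID they share. The following Python script is an added example, not part of the original post: it joins the two by PID and reports whether the relay still answered an SMTP command after verification failed, which separates the TLS warning from the 550 rejection. The function names `analyze` and `rejected_after_unverified_tls` are made up for this example, and the sample lines are copied from the post.

```python
import re

# Constructed sample: postfix/smtp lines copied from the log in the post above
# (placeholders such as "[upstream mta ip]" are kept exactly as posted).
SAMPLE_LOG = """\
Jun 23 14:42:25 mail postfix/smtp[11882]: 2885A1E7877: to=, relay=127.0.0.1[127.0.0.1], delay=1, status=sent (250 2.6.0 Ok, id=04221-01, from MTA([127.0.0.1]:10025): 250 Ok: queued as BA3E41E7885)
Jun 23 14:42:27 mail postfix/smtp[11886]: certificate verification failed for 65.99.222.183: num=20:unable to get local issuer certificate
Jun 23 14:42:27 mail postfix/smtp[11886]: certificate verification failed for 65.99.222.183: num=27:certificate not trusted
Jun 23 14:42:27 mail postfix/smtp[11886]: certificate verification failed for 65.99.222.183: num=21:unable to verify the first certificate
Jun 23 14:42:29 mail postfix/smtp[11886]: BA3E41E7885: to=, relay=[upstream mta ip], delay=4, status=bounced (host [upstream mta ip] said: 550 relay not permitted (in reply to RCPT TO command))
"""

LINE = re.compile(r"postfix/smtp\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CERT = re.compile(r"certificate verification failed for \S+: num=(?P<num>\d+):")
DELIVERY = re.compile(r"(?P<qid>[0-9A-F]+): to=.*?relay=(?P<relay>.+?), delay=[^,]+, "
                      r"status=(?P<status>\w+) \((?P<detail>.*)\)$")
REPLY = re.compile(r"said: (?P<code>\d{3}) .*\(in reply to (?P<stage>.+?) command\)")


def analyze(log_text):
    """Return one finding per outbound delivery attempt logged by postfix/smtp."""
    pending = {}    # smtp client pid -> verify error numbers not yet attributed
    findings = []
    for raw in log_text.splitlines():
        line = LINE.search(raw)
        if not line:
            continue
        pid, msg = line["pid"], line["msg"]
        cert = CERT.match(msg)
        if cert:
            # Warning lines have no queue ID; the pid is the only join key.
            pending.setdefault(pid, []).append(int(cert["num"]))
            continue
        delivery = DELIVERY.match(msg)
        if not delivery:
            continue
        reply = REPLY.search(delivery["detail"])
        findings.append({
            "qid": delivery["qid"], "relay": delivery["relay"],
            "status": delivery["status"],
            "cert_errors": pending.pop(pid, []),
            "reply_code": int(reply["code"]) if reply else None,
            "reply_stage": reply["stage"] if reply else None,
        })
    return findings


def rejected_after_unverified_tls(finding):
    """True if the peer replied to an SMTP command after verification failed."""
    return bool(finding["cert_errors"]) and finding["reply_stage"] is not None
```

For the posted log, the second finding has verify errors 20, 27 and 21 attached and a 550 reply at RCPT TO, so the session carried on past the certificate warning and the refusal came from the relay's own policy decision.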




