Thread: Howto setup TLS usage with upstream MTA

  1. #1
    markymarknz (Junior Member)

    Hi Everyone,
    Firstly I would like to say how great I find zimbra.
    I have it set up and working fine from my standard install; however, seeing my mailserver is on a dynamic IP, emails from it usually get marked as SPAM or Junkmail.
    I have a friend who is allowing me to route my emails through his server; however, it is set up to only accept TLS connections with a username and password.
    His server is running Exim, not Postfix, so he isn't able to help me with the setup.
    When I try to send an email using his upstream relay I always get a bounce back message saying it has been rejected. My friend tells me that it isn't even getting to the stage to authenticate using the username/password.
    I've been playing around with the Postfix main.cf settings to try to get TLS working but have had no success.
    Could someone please tell me how to get this working?
    My main.cf file is as follows:

    sender_canonical_maps = ldap:/opt/zimbra/conf/ldap-scm.cf
    virtual_alias_domains = ldap:/opt/zimbra/conf/ldap-vad.cf
    recipient_delimiter =
    smtpd_tls_cert_file = /opt/zimbra/conf/smtpd.crt
    smtpd_tls_auth_only = yes
    myhostname = mail.xxxx.net
    virtual_mailbox_domains = ldap:/opt/zimbra/conf/ldap-vmd.cf
    mailbox_size_limit = 0
    smtpd_client_restrictions = reject_unauth_pipelining
    virtual_alias_maps = ldap:/opt/zimbra/conf/ldap-vam.cf
    transport_maps = ldap:/opt/zimbra/conf/ldap-transport.cf
    sendmail_path = /opt/zimbra/postfix-2.2.9/sbin/sendmail
    message_size_limit = 10240000
    broken_sasl_auth_clients = yes
    alias_maps = hash:/etc/aliases
    manpage_directory = /opt/zimbra/postfix-2.2.9/man
    smtpd_helo_required = yes
    daemon_directory = /opt/zimbra/postfix-2.2.9/libexec
    virtual_transport = error
    smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_sender, reject_unauth_destination, permit
    smtpd_tls_loglevel = 1
    relayhost = [ip address]:25
    disable_dns_lookups = no
    content_filter = smtp-amavis:[127.0.0.1]:10024
    virtual_mailbox_maps = ldap:/opt/zimbra/conf/ldap-vmm.cf
    version = 2.2.9
    mailq_path = /opt/zimbra/postfix-2.2.9/sbin/mailq
    header_checks = pcre:/opt/zimbra/conf/postfix_header_checks
    smtpd_use_tls = yes
    queue_directory = /opt/zimbra/postfix-2.2.9/spool
    newaliases_path = /opt/zimbra/postfix-2.2.9/sbin/newaliases
    smtpd_data_restrictions = reject_unauth_pipelining
    smtpd_reject_unlisted_recipient = no
    smtpd_tls_key_file = /opt/zimbra/conf/smtpd.key
    command_directory = /opt/zimbra/postfix-2.2.9/sbin
    smtpd_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/opt/zimbra/conf/relay_password
    smtp_sasl_auth_enable = yes
    smtp_use_tls = yes
    smtp_tls_peer_match = no

    When I check the zimbra logs I get the following:

    root@mail:/var/log# less zimbra.log | grep postfix
    Jun 23 13:43:05 mail postfix/postqueue[4003]: fatal: Queue report unavailable - mail system is down
    Jun 23 13:52:48 mail postfix/postqueue[4050]: fatal: Queue report unavailable - mail system is down
    Jun 23 13:52:52 mail postfix/postfix-script: warning: not owned by root: /opt/zimbra/postfix-2.2.9/conf/main.cf
    Jun 23 13:52:52 mail postfix/postfix-script: warning: not owned by root: /opt/zimbra/postfix-2.2.9/conf/main.cf.bk
    Jun 23 13:52:52 mail postfix/postfix-script: starting the Postfix mail system
    Jun 23 13:52:52 mail postfix/master[4272]: daemon started -- version 2.2.9, configuration /opt/zimbra/postfix-2.2.9/conf
    Jun 23 14:42:24 mail postfix/smtpd[11877]: connect from mail.xxx.net[192.168.2.3]
    Jun 23 14:42:24 mail postfix/smtpd[11877]: 2885A1E7877: client=mail.xxx.net[192.168.2.3]
    Jun 23 14:42:24 mail postfix/cleanup[11881]: 2885A1E7877: message-id=<32482448.01182566543349.JavaMail.root@mail.xxx.net>
    Jun 23 14:42:24 mail postfix/qmgr[4276]: 2885A1E7877: from=, size=548, nrcpt=1 (queue active)
    Jun 23 14:42:24 mail postfix/smtpd[11877]: disconnect from mail.xxx.net[192.168.2.3]
    Jun 23 14:42:25 mail postfix/smtpd[11885]: connect from localhost.localdomain[127.0.0.1]
    Jun 23 14:42:25 mail postfix/smtpd[11885]: BA3E41E7885: client=localhost.localdomain[127.0.0.1]
    Jun 23 14:42:25 mail postfix/cleanup[11881]: BA3E41E7885: message-id=<32482448.01182566543349.JavaMail.root@mail.xxx.net>
    Jun 23 14:42:25 mail postfix/smtpd[11885]: disconnect from localhost.localdomain[127.0.0.1]
    Jun 23 14:42:25 mail postfix/smtp[11882]: 2885A1E7877: to=, relay=127.0.0.1[127.0.0.1], delay=1, status=sent (250 2.6.0 Ok, id=04221-01, from MTA([127.0.0.1]:10025): 250 Ok: queued as BA3E41E7885)
    Jun 23 14:42:25 mail postfix/qmgr[4276]: BA3E41E7885: from=, size=1132, nrcpt=1 (queue active)
    Jun 23 14:42:25 mail postfix/qmgr[4276]: 2885A1E7877: removed
    Jun 23 14:42:27 mail postfix/smtp[11886]: certificate verification failed for 65.99.222.183: num=20:unable to get local issuer certificate
    Jun 23 14:42:27 mail postfix/smtp[11886]: certificate verification failed for 65.99.222.183: num=27:certificate not trusted
    Jun 23 14:42:27 mail postfix/smtp[11886]: certificate verification failed for 65.99.222.183: num=21:unable to verify the first certificate
    Jun 23 14:42:28 mail postfix/smtp[11886]: Server certificate could not be verified
    Jun 23 14:42:29 mail postfix/smtp[11886]: BA3E41E7885: to=, relay=[upstream mta ip], delay=4, status=bounced (host [upstream mta ip] said: 550 relay not permitted (in reply to RCPT TO command))
    Jun 23 14:42:29 mail postfix/cleanup[11881]: 452521E7886: message-id=<20070623024229.452521E7886@mail.xxx.net>
    Jun 23 14:42:29 mail postfix/qmgr[4276]: 452521E7886: from=<>, size=3034, nrcpt=1 (queue active)
    Jun 23 14:42:29 mail postfix/qmgr[4276]: BA3E41E7885: removed
    Jun 23 14:42:29 mail postfix/lmtp[11888]: 452521E7886: to=, relay=mail.xxx.net[192.168.2.3], delay=0, status=sent (250 2.1.5 OK)
    Jun 23 14:42:29 mail postfix/qmgr[4276]: 452521E7886: removed

    I have noticed that there are messages about certificates not being verified. Would this affect the TLS transaction? Would I have to install the root certificate which verifies his? http://crt.litessl.com/LiteSSL_CA.crt
    When I grep TLS in the zimbra logs I get nothing.

    Any help on this would be awesome as I have been struggling for a while now to get this going.

    Regards

    Mark
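The log in the post above mixes two symptoms: certificate verification errors from the Postfix smtp client and a 550 from the relay. The following is an added example, not part of the original thread, that groups smtp client lines by process ID and pairs each delivery result with the verification errors logged for the same process; the function name, the sample addresses and the relay IP (a documentation address) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the smtp client lines in the post; addresses are placeholders.
SAMPLE_LOG = """\
Jun 23 14:42:25 mail postfix/smtp[11882]: 2885A1E7877: to=<user@example.org>, relay=127.0.0.1[127.0.0.1], delay=1, status=sent (250 2.6.0 Ok)
Jun 23 14:42:27 mail postfix/smtp[11886]: certificate verification failed for 192.0.2.10: num=20:unable to get local issuer certificate
Jun 23 14:42:27 mail postfix/smtp[11886]: certificate verification failed for 192.0.2.10: num=27:certificate not trusted
Jun 23 14:42:27 mail postfix/smtp[11886]: certificate verification failed for 192.0.2.10: num=21:unable to verify the first certificate
Jun 23 14:42:28 mail postfix/smtp[11886]: Server certificate could not be verified
Jun 23 14:42:29 mail postfix/smtp[11886]: BA3E41E7885: to=<user@example.org>, relay=192.0.2.10[192.0.2.10], delay=4, status=bounced (host 192.0.2.10[192.0.2.10] said: 550 relay not permitted (in reply to RCPT TO command))
"""

LINE = re.compile(r"postfix/smtp\[(\d+)\]: (.*)$")
VERIFY = re.compile(r"certificate verification failed for (\S+): num=(\d+):(.*)")
DELIVERY = re.compile(r"([0-9A-F]+): to=.*?relay=([^,]+),.*?status=(\w+) \((.*)\)$")
REPLY = re.compile(r"said: (\d{3}) .*\(in reply to (.+?) command\)")

def triage(log_text):
    """Pair each smtp client delivery result with the TLS verify errors of the same PID."""
    verify_errors = defaultdict(list)  # pid -> list of OpenSSL verify error numbers
    findings = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an outbound smtp client line
        pid, msg = m.groups()
        v = VERIFY.match(msg)
        if v:
            verify_errors[pid].append(int(v.group(2)))
            continue
        d = DELIVERY.match(msg)
        if d:
            queue_id, relay, status, detail = d.groups()
            r = REPLY.search(detail)
            findings.append({
                "queue_id": queue_id,
                "relay": relay,
                "status": status,
                "smtp_code": int(r.group(1)) if r else None,
                "rejected_at": r.group(2) if r else None,  # SMTP command that drew the reply
                "verify_codes": verify_errors.pop(pid, []),
            })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

On the constructed sample, the bounced delivery carries verify codes 20, 27 and 21 together with a 550 at RCPT TO, which shows the SMTP session went on to RCPT TO after the verification errors were logged.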

  2. #2
    phoenix (Zimbra Consultant & Moderator)

    I would suggest your best course of action would be to use the mail server provided by your ISP as the relay, they're less likely to have problems.
    Regards


    Bill

  3. #3
    markymarknz (Junior Member)

    Thanks for your reply phoenix.
    I guess that is always an option but I would prefer to get TLS working through my friend's server.
    Does anyone have it working?
    If so, could I see your main.cf settings for Postfix?

    Cheers

    Mark

  4. #4
    Ian Forbes (Intermediate Member)

    We're trying to set up Zimbra MTA with TLS usage. Is it just as simple as checking 'TLS authentication only' on the MTA tab of the server in the Admin Console?

    Thanks
