Relaymaps for outgoing mails to providers

davidep · December 8, 2015, 8:45pm

I’m glad to help you with custom templates, or any other mean. If we find a workable solution we could write down an howto “NethServer vs Office365”

I ask only to be patient, I’ll be back next days.

Linux4All · December 8, 2015, 9:02pm

Cool! Thank you very much!

davidep · December 10, 2015, 2:21pm

This is just an experiment, please let me know if it works for you!

gist.github.com

https://gist.github.com/DavidePrincipi/b557fddba1554dabe857

main.cf

#
# 90smarthosts_accounts (template-custom)
# /etc/e-smith/templates-custom/etc/postfix/main.cf/90smarthosts_accounts
#
smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = hash:/etc/postfix/relaymaps
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

postfix_postmap

{
    #
    # 40smarthosts_accounts (custom templates)
    # /etc/e-smith/templates-custom/postfix/postmap/40smarthosts_accounts
    #
    push @postmapList, qw(relaymaps); 
    '';
}

relaymaps

#
# 90smarthosts_accounts
# /etc/e-smith/templates-custom/etc/postfix/relaymaps/90smarthosts_accounts
#
# This line is an example: replace it with actual data
#
first.user@{$DomainName}   smtp.gmail.com:587

There are more than three files. show original

This is an experiment DON’T use it on production

Copy each template fragment to its location under templates-custom, as reported in the comment
Edit each file replacing its contents with your site setup

To re-configure Postfix, execute the following commands:



expand-template /etc/postfix/relaymaps

signal-event nethserver-mail-common-save

Linux4All · December 10, 2015, 10:21pm

Hey @davidep thank you for the quick solution.
I tested with gmail.com and web.de
Gmail is working!

web.de throws the following error:

Dec 10 23:22:46 asterix default/smtp[19439]: warning: SASL authentication failure: No worthy mechs found
Dec 10 23:22:46 asterix default/smtp[19439]: 1E6A9A807E9: SASL authentication failed; cannot authenticate to server smtp.web.de[213.165.67.108]: no mechanism available
Dec 10 23:22:46 asterix default/smtp[19439]: warning: SASL authentication failure: No worthy mechs found
Dec 10 23:22:46 asterix default/smtp[19439]: 1E6A9A807E9: to=abc@nothing.com, relay=smtp.web.de[213.165.67.124]:25, delay=0.52, delays=0.3/0.01/0.2/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.web.de[213.165.67.124]: no mechanism available)

telnet to smtp.web.de 587 is working.

Do you have an idea whats wrong?

davidep · December 11, 2015, 8:01am

I tried to connect with your smtp proxy; on port 587 all seems OK:



$ openssl s_client -starttls smtp -crlf -connect  smtp.web.de:587

[…]

250 STARTTLS

ehlo nethserver.org

250-web.de Hello nethserver.org [93.57.48.68]

250-SIZE 141557760

250 AUTH LOGIN PLAIN

Did you add one line for gmx.de to [tls_policy fragment][tls]?
[tls]:https://gist.githubusercontent.com/DavidePrincipi/b557fddba1554dabe857/raw/c54dcfd334bd29caf268011e0d674dabc22f8959/tls_policy

Edit: ok perhaps I got it:

It seems the port is wrong!

alefattorini · December 11, 2015, 5:33pm

Whoa! that’s a great news

Linux4All · December 14, 2015, 9:15pm

Sorry for the delay. I will do an update the next days. I am very busy at the moment.

Linux4All · December 15, 2015, 10:52pm

Here my update:
With tls-enabled no mail could be send. You will get the following error message:

Dec 15 23:45:09 asterix default/smtp[11678]: warning: SASL authentication failure: No worthy mechs found
Dec 15 23:45:09 asterix default/smtp[11678]: 84BEEA8081B: SASL authentication failed; cannot authenticate to server smtp.gmail.com[173.194.65.109]: no mechanism available
Dec 15 23:45:10 asterix default/smtp[11678]: warning: SASL authentication failure: No worthy mechs found
Dec 15 23:45:10 asterix default/smtp[11678]: 84BEEA8081B: to=abcd@gmx.de, relay=smtp.gmail.com[173.194.65.108]:587, delay=0.88, delays=0.28/0/0.6/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.gmail.com[173.194.65.108]: no mechanism available)

Without TLS, gmail.com is working!
Other accounts won’t work with or without TLS. I get the same error message as above.

Thank you for your help!

davidep · December 16, 2015, 8:01am

The message to abcd@gmx.de is relayed to smtp.gmail.com, and is not what we expected. Could you fork NethServer mail configuration for Office365 (experimental) · GitHub and show your actual setup (of course, without secrets)?

A want to point out a limitation of the current setup: any authenticated user can send messages through any smarthost, because there’s no restriction on envelope sender address. Anyway we can address this problem in as a second step.

alefattorini · December 16, 2015, 11:19am

Just renamed the discussion and moved to feature. Hope that we can add this new functionality to our mailserver

Linux4All · December 16, 2015, 8:43pm

That is correct because I am sending from my google account. In that case you have to use smtp.gmail.com as relayhost.
Does the config work at your testing environment?
I will check my opensuse environment if there is any other behavior.

davidep · December 17, 2015, 9:11am

It worked for a single gmail account. I can’t set up a more complex scenario at the moment. I suggest working on a fork of my gist repository and sharing your real-world configuration.

sitz · December 17, 2015, 5:06pm

This is a very interesting discussion.

Just a recap

NethServer is not published on the Internet and email accounts for any domains are hosted by the relative ISP
NethServer is configured with two or more domains (alfa.de, beta.de ecc.)
Each account need to use its own smtp server to send email (one@alfa.de -> smtp.alfa.de one@beta.de -> smtp.beta.de)

For what is my experience I usually configure just one smarthost that is: smtp.mydomain.xx or smtp.myisp.xx

But…we have always said that NethServer is a multisite server so I think that is correct thinking about the availability of multiple smarthost configuration.

This can prevent SPAM blacklist and unsuccessfully SPF record check? Maybe.

Ctek · December 17, 2015, 5:11pm

This will mean that you can configure this from the user details page ?
Also this can be faund later in the LDAP if it is set (other than default) for each user ?

sitz · December 17, 2015, 7:18pm

Yes Bogdan it should if multiple smarthos can relly help, I mean at first impact I think multiple smarthost could be a plus, or maybe not?

You are talking to configure a different smarthost for each user?

I would like to analyze correctly every aspect of this feature.

Ctek · December 17, 2015, 10:54pm

Hi Roberto, Yes, different configurations for each user (optional set)
Multiple smtp’s per user…

BR
Bogdan

vhinzsanchez · December 18, 2015, 1:23am

I have done it with my Zimbra install, let me just check where I found the documents…it should be the same.

vhinzsanchez · December 18, 2015, 1:39am

my documents pertain to Zimbra only, but I hope the logic applies to your set-up as well.

http://imanudin.net/2014/12/25/relay-tips-based-on-userdomain-receiver-on-zimbra-8-5-8-6/

The one below is for Ubuntu PHP - Postfix:

http://blog.otelconsulting.com/2013/03/ubuntu-php-postfix-virtual-hosting-multiple-relay-host-via-gmail/

I was pretty sure that the document I followed was not pertaining to Zimbra per se but did adjustments. Test well before production.

Linux4All · December 22, 2015, 12:58pm

Hi @davidep
I did a fork with anonymized credentials. I disabled TLS in the tls_policy to prevent errors with tls.

gist.github.com

https://gist.github.com/Linux4All/062aed641ebae1a85ab3

main.cf

#
# 90smarthosts_accounts (template-custom)
# /etc/e-smith/templates-custom/etc/postfix/main.cf/90smarthosts_accounts
#
smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = hash:/etc/postfix/relaymaps
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

postfix_postmap

{
    #
    # 40smarthosts_accounts (custom templates)
    # /etc/e-smith/templates-custom/postfix/postmap/40smarthosts_accounts
    #
    push @postmapList, qw(relaymaps); 
    '';
}

relaymaps

#
# 90smarthosts_accounts
# /etc/e-smith/templates-custom/etc/postfix/relaymaps/90smarthosts_accounts
#
# This line is an example: replace it with actual data
#
user1@benjamin-zoeller.de       mail.benjamin-zoeller.de
user2@benjamin-zoeller.de       mail.benjamin-zoeller.de
user3@benjamin-zoeller.de       mail.benjamin-zoeller.de
user4@benjamin-zoeller.de       mail.benjamin-zoeller.de

This file has been truncated. show original

There are more than three files. show original

I am looking further to found the mistake.

Linux4All · December 22, 2015, 1:34pm

I found out something interesting.
If I add the option smtp_sasl_security_options = noanonymous to main.cf I get

SASL authentication failed; server smtp.web.de[213.165.67.108] said: 530 Must issue a STARTTLS command first

If I remove the option I get

Dec 22 14:33:10 asterix postfix/error[20351]: B9862A8081E: to=user1@gmx.de, relay=none, delay=0.37, delays=0.28/0.01/0/0.09, dsn=4.7.0, status=deferred (delivery temporarily suspended: SASL authentication failed; cannot authenticate to server smtp.web.de[213.165.67.108]: no mechanism available)

At my current opensuse environment this option is set.