Relaymaps for outgoing mails to providers

Perhaps I did not explain the situation in enough detail.
I have no idea how I can solve my situation without relaymaps and
sasl_passwd. If anybody has one, please tell me.

The situation is the following. I cannot use only one smarthost because
all spam filters would block the connection if you send mails through an open
relay.
So all mails have to be sent with the corresponding mailserver of the
domain you are sending the mail from. In addition to that you have to
configure sasl_passwd for each email account. I have replaced all @ with "at".

So if you have the following email addresses:
abcd at web.de
efgh at web.de
efgh at gmx.de
abcd at googlemail.com
efgh at googlemail.com

you have to send the one from abcd at web.de with the mailserver from
web.de with the SMTP authentication user: abcd at web.de pass: 123456

If you send from efgh at gmx.de, the email has to be sent with the mailserver
from gmx.de with the corresponding authentication via SMTP

I solved my situation by using sasl_passwd and relaymaps.
Here is an example structure of both config files.

sasl_passwd:
Example:

    username at foo.com username:password

relaymaps:
Example:

    john at foo.com smtp.foo.com

main.cf:

    smtp_sender_dependent_authentication = yes
    sender_dependent_relayhost_maps = hash:/etc/postfix/relaymaps
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

What do I have to do for a persistent NethServer configuration?

Thank you for your help and for being interested in my case.
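As an added example (not code from the thread or from NethServer), this script renders the three lookup tables the setup above needs from one account list and lints it for the mistakes that cause SASL failures. The account list is constructed, every password is a placeholder, and relay host names not given in the thread (gmx) are placeholders too.

```python
"""Build Postfix sender-dependent relay tables from one account list.

Table formats used here (keys must agree across the three files):
  relaymaps:   sender  [relay.host]:port   (brackets skip the MX lookup)
  sasl_passwd: sender  login:password      (keyed by sender address,
               which smtp_sender_dependent_authentication = yes enables)
  tls_policy:  [relay.host]:port  encrypt  (key identical to relaymaps)
"""

# Constructed sample accounts; passwords are placeholders, not secrets.
# smtp.gmx.de is a placeholder host, not taken from the thread.
ACCOUNTS = [
    {"sender": "abcd@web.de", "relay": "smtp.web.de", "port": 587,
     "login": "abcd@web.de", "password": "REPLACE_ME"},
    {"sender": "efgh@gmx.de", "relay": "smtp.gmx.de", "port": 587,
     "login": "efgh@gmx.de", "password": "REPLACE_ME"},
    {"sender": "abcd@googlemail.com", "relay": "smtp.gmail.com", "port": 587,
     "login": "abcd@googlemail.com", "password": "REPLACE_ME"},
]


def lint(accounts):
    """Return problems that would reproduce the errors reported in the thread."""
    problems, seen = [], set()
    for a in accounts:
        if a["sender"] in seen:
            # postmap keeps only one value per key; the second entry is lost.
            problems.append(f"{a['sender']}: duplicate sender key")
        seen.add(a["sender"])
        if a["port"] == 25:
            # No explicit port means 25, where providers usually offer no
            # AUTH at all, hence "No worthy mechs found".
            problems.append(f"{a['sender']}: relay on port 25, use 587 (STARTTLS)")
        if not a["login"] or not a["password"]:
            problems.append(f"{a['sender']}: missing SASL credentials")
    return problems


def render_tables(accounts):
    """Return {table name: file text}; run postmap on each file afterwards."""
    relaymaps, sasl, tls = [], [], set()
    for a in accounts:
        relay = f"[{a['relay']}]:{a['port']}"
        relaymaps.append(f"{a['sender']} {relay}")
        sasl.append(f"{a['sender']} {a['login']}:{a['password']}")
        tls.add(f"{relay} encrypt")  # one policy line per distinct relay
    return {"relaymaps": "\n".join(relaymaps) + "\n",
            "sasl_passwd": "\n".join(sasl) + "\n",
            "tls_policy": "\n".join(sorted(tls)) + "\n"}
```

Keep the generated sasl_passwd readable by root only, since it carries the provider passwords in clear text.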

I would like to know a solution as well. I have the same situation and couldn't find the time to look further.

First of all I'm happy to say welcome to our community @Linux4All! Our community guy @alefattorini usually greets newcomers every week but I bet he's on holiday (as am I and many others from Italy).

Before analyzing the configuration, I have a question here: why do you say "open relay"? By default NethServer allows relaying only to authenticated clients. In other words, it knows the sender identity before sending the message to an external domain.

This is exactly what the other mail providers do, gmail, for instance.

However I'm assuming you have a registered MX in DNS :smile:

1 Like

Davide, some providers need a 1:1 mapping between the sending address "From:" and the auth credentials…

for example, almost all providers offering Office365 services need that

for reference, take a look here: http://bugs.contribs.org/show_bug.cgi?id=9050

2 Likes

Thank you @zamboni for the hint!

@Linux4All could you confirm this is the scenario you're fighting against :wink: ?

BTW I hope Linux will be 4all soon!

Thank you for the friendly welcome :smile:

That's exactly what I'm fighting against and what I have been trying to explain all the time.
Hopefully there will be a solution with NethServer.
I tried a lot of distributions and SBS editions. NethServer was the only one which survived more than 30 minutes :smile:
I think I will find some more enhancements which I need, but the base is very good.

@davidep: What can I do to have a persistent Postfix config until this feature is implemented, which hopefully it will be?

I'm glad to help you with custom templates, or any other means. If we find a workable solution we could write down a howto "NethServer vs Office365" :wink:

I only ask you to be patient, I'll be back in the next few days.

1 Like

Cool! Thank you very much!

This is just an experiment, please let me know if it works for you!

This is an experiment, DON'T use it in production

  • Copy each template fragment to its location under templates-custom, as reported in the comment
  • Edit each file replacing its contents with your site setup
  • To re-configure Postfix, execute the following commands:

    expand-template /etc/postfix/relaymaps
    signal-event nethserver-mail-common-save

Hey @davidep, thank you for the quick solution.
I tested with gmail.com and web.de.
Gmail is working!

web.de throws the following error:

Dec 10 23:22:46 asterix default/smtp[19439]: warning: SASL authentication failure: No worthy mechs found
Dec 10 23:22:46 asterix default/smtp[19439]: 1E6A9A807E9: SASL authentication failed; cannot authenticate to server smtp.web.de[213.165.67.108]: no mechanism available
Dec 10 23:22:46 asterix default/smtp[19439]: warning: SASL authentication failure: No worthy mechs found
Dec 10 23:22:46 asterix default/smtp[19439]: 1E6A9A807E9: to=abc@nothing.com, relay=smtp.web.de[213.165.67.124]:25, delay=0.52, delays=0.3/0.01/0.2/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.web.de[213.165.67.124]: no mechanism available)

telnet to smtp.web.de 587 is working.

Do you have an idea what's wrong?

1 Like
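The log lines above are a useful detection pattern. As an added example (not from the thread), this parser triages Postfix deferred-delivery lines and attributes a "no mechanism available" failure to the relay port; the first sample line is the one quoted above, the second is a constructed port-587 variant.

```python
import re

# Sample log: line 1 copied from the report above, line 2 constructed with
# a placeholder relay and queue id to show the port-587 branch.
SAMPLE_LOG = """\
Dec 10 23:22:46 asterix default/smtp[19439]: 1E6A9A807E9: to=abc@nothing.com, relay=smtp.web.de[213.165.67.124]:25, delay=0.52, delays=0.3/0.01/0.2/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.web.de[213.165.67.124]: no mechanism available)
Dec 10 23:30:00 asterix default/smtp[19440]: 0000DEADBEEF: to=<x@example.invalid>, relay=smtp.example.invalid[192.0.2.10]:587, delay=0.4, delays=0.2/0/0.2/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.example.invalid[192.0.2.10]: no mechanism available)
"""

# Recipient may or may not be wrapped in <>, depending on how the log was pasted.
DEFERRED = re.compile(
    r"(?P<qid>[0-9A-F]+): to=<?(?P<rcpt>[^>,\s]+)>?, "
    r"relay=(?P<relay>[^\[\s]+)\[[^\]]*\]:(?P<port>\d+),"
    r".*status=deferred \((?P<reason>[^)]*)\)"
)


def triage(log_text):
    """Map each deferred queue id to relay, port and a likely cause."""
    findings = {}
    for line in log_text.splitlines():
        m = DEFERRED.search(line)
        if not m:
            continue
        port = int(m["port"])
        hint = "unknown"
        if "no mechanism available" in m["reason"]:
            if port == 25:
                # Relay never advertised AUTH: the relaymaps entry lacks :587
                hint = "relay offers no AUTH on port 25; use [host]:587 in relaymaps"
            else:
                # AUTH is offered, but no mechanism satisfies the client's
                # security options (noplaintext) or the PLAIN/LOGIN SASL
                # plugin is not installed on the Postfix host.
                hint = "AUTH offered but no usable mechanism; check smtp_sasl_security_options and the SASL plain plugin"
        findings[m["qid"]] = {"relay": m["relay"], "port": port, "hint": hint}
    return findings
```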

I tried to connect with your smtp proxy; on port 587 all seems OK:


$ openssl s_client -starttls smtp -crlf -connect smtp.web.de:587
[…]
250 STARTTLS
ehlo nethserver.org
250-web.de Hello nethserver.org [93.57.48.68]
250-SIZE 141557760
250 AUTH LOGIN PLAIN

Did you add one line for gmx.de to [tls_policy fragment][tls]?
[tls]:https://gist.githubusercontent.com/DavidePrincipi/b557fddba1554dabe857/raw/c54dcfd334bd29caf268011e0d674dabc22f8959/tls_policy

Edit: ok perhaps I got it:

It seems the port is wrong!

Whoa! That's great news :smile:

Sorry for the delay. I will post an update in the next days. I am very busy at the moment.

2 Likes

Here is my update:
With TLS enabled no mail could be sent. You will get the following error message:

Dec 15 23:45:09 asterix default/smtp[11678]: warning: SASL authentication failure: No worthy mechs found
Dec 15 23:45:09 asterix default/smtp[11678]: 84BEEA8081B: SASL authentication failed; cannot authenticate to server smtp.gmail.com[173.194.65.109]: no mechanism available
Dec 15 23:45:10 asterix default/smtp[11678]: warning: SASL authentication failure: No worthy mechs found
Dec 15 23:45:10 asterix default/smtp[11678]: 84BEEA8081B: to=abcd@gmx.de, relay=smtp.gmail.com[173.194.65.108]:587, delay=0.88, delays=0.28/0/0.6/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.gmail.com[173.194.65.108]: no mechanism available)

Without TLS, gmail.com is working!
Other accounts won't work with or without TLS. I get the same error message as above.

Thank you for your help!

The message to abcd@gmx.de is relayed to smtp.gmail.com, and that is not what we expected. Could you fork NethServer mail configuration for Office365 (experimental) · GitHub and show your actual setup (of course, without secrets)?

I want to point out a limitation of the current setup: any authenticated user can send messages through any smarthost, because there's no restriction on the envelope sender address. Anyway, we can address this problem as a second step.

Just renamed the discussion and moved it to feature. Hope that we can add this new functionality to our mailserver.

That is correct, because I am sending from my Google account. In that case you have to use smtp.gmail.com as relayhost.
Does the config work in your testing environment?
I will check my openSUSE environment to see if there is any other behavior.

It worked for a single gmail account. I can't set up a more complex scenario at the moment. I suggest working on a fork of my gist repository and sharing your real-world configuration.

This is a very interesting discussion.

Just a recap

  1. NethServer is not published on the Internet and the email accounts for all domains are hosted by the respective ISP
  2. NethServer is configured with two or more domains (alfa.de, beta.de etc.)
  3. Each account needs to use its own SMTP server to send email (one@alfa.de -> smtp.alfa.de, one@beta.de -> smtp.beta.de)

In my experience, I usually configure just one smarthost, that is: smtp.mydomain.xx or smtp.myisp.xx

But… we have always said that NethServer is a multisite server, so I think it is correct to think about the availability of a multiple-smarthost configuration.

Can this prevent SPAM blacklisting and unsuccessful SPF record checks? Maybe.

Will this mean that you can configure this from the user details page?
Also, can this be found later in LDAP if it is set (other than default) for each user?