Relaymaps for outgoing mails to providers

I’m glad to help you with custom templates, or any other means. If we find a workable solution we could write down a howto “NethServer vs Office365” :wink:

I ask only that you be patient, I’ll be back in the next few days.

1 Like

Cool! Thank you very much!

This is just an experiment, please let me know if it works for you!

This is an experiment, DON’T use it in production

  • Copy each template fragment to its location under templates-custom, as reported in the comment
  • Edit each file replacing its contents with your site setup
  • To re-configure Postfix, execute the following commands:

    expand-template /etc/postfix/relaymaps
    signal-event nethserver-mail-common-save

Hey @davidep thank you for the quick solution.
I tested with gmail.com and web.de
Gmail is working!

web.de throws the following error:

    Dec 10 23:22:46 asterix default/smtp[19439]: warning: SASL authentication failure: No worthy mechs found
    Dec 10 23:22:46 asterix default/smtp[19439]: 1E6A9A807E9: SASL authentication failed; cannot authenticate to server smtp.web.de[213.165.67.108]: no mechanism available
    Dec 10 23:22:46 asterix default/smtp[19439]: warning: SASL authentication failure: No worthy mechs found
    Dec 10 23:22:46 asterix default/smtp[19439]: 1E6A9A807E9: to=abc@nothing.com, relay=smtp.web.de[213.165.67.124]:25, delay=0.52, delays=0.3/0.01/0.2/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.web.de[213.165.67.124]: no mechanism available)

telnet to smtp.web.de 587 is working.

Do you have an idea what’s wrong?

1 Like

I tried to connect with your smtp proxy; on port 587 all seems OK:


    $ openssl s_client -starttls smtp -crlf -connect smtp.web.de:587
    […]
    250 STARTTLS
    ehlo nethserver.org
    250-web.de Hello nethserver.org [93.57.48.68]
    250-SIZE 141557760
    250 AUTH LOGIN PLAIN

Did you add one line for gmx.de to the tls_policy fragment (https://gist.githubusercontent.com/DavidePrincipi/b557fddba1554dabe857/raw/c54dcfd334bd29caf268011e0d674dabc22f8959/tls_policy)?

Edit: ok perhaps I got it:

It seems the port is wrong!

Whoa! That’s great news :smile:

Sorry for the delay. I will do an update in the next few days. I am very busy at the moment.

2 Likes

Here is my update:
With TLS enabled no mail could be sent. You will get the following error message:

    Dec 15 23:45:09 asterix default/smtp[11678]: warning: SASL authentication failure: No worthy mechs found
    Dec 15 23:45:09 asterix default/smtp[11678]: 84BEEA8081B: SASL authentication failed; cannot authenticate to server smtp.gmail.com[173.194.65.109]: no mechanism available
    Dec 15 23:45:10 asterix default/smtp[11678]: warning: SASL authentication failure: No worthy mechs found
    Dec 15 23:45:10 asterix default/smtp[11678]: 84BEEA8081B: to=abcd@gmx.de, relay=smtp.gmail.com[173.194.65.108]:587, delay=0.88, delays=0.28/0/0.6/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.gmail.com[173.194.65.108]: no mechanism available)

Without TLS, gmail.com is working!
Other accounts won’t work with or without TLS. I get the same error message as above.

Thank you for your help!

The message to abcd@gmx.de is relayed to smtp.gmail.com, and is not what we expected. Could you fork https://gist.github.com/DavidePrincipi/b557fddba1554dabe857 and show your actual setup (of course, without secrets)?

I want to point out a limitation of the current setup: any authenticated user can send messages through any smarthost, because there’s no restriction on envelope sender address. Anyway, we can address this problem as a second step.

Just renamed the discussion and moved to feature. Hope that we can add this new functionality to our mailserver

That is correct because I am sending from my google account. In that case you have to use smtp.gmail.com as relayhost.
Does the config work in your testing environment?
I will check my opensuse environment if there is any other behavior.

It worked for a single gmail account. I can’t set up a more complex scenario at the moment. I suggest working on a fork of my gist repository and sharing your real-world configuration.

This is a very interesting discussion.

Just a recap

  1. NethServer is not published on the Internet and email accounts for any domains are hosted by the relative ISP
  2. NethServer is configured with two or more domains (alfa.de, beta.de etc.)
  3. Each account needs to use its own smtp server to send email (one@alfa.de -> smtp.alfa.de, one@beta.de -> smtp.beta.de)

In my experience I usually configure just one smarthost, that is: smtp.mydomain.xx or smtp.myisp.xx

But…we have always said that NethServer is a multisite server, so I think it is correct to think about the availability of a multiple smarthost configuration.

Can this prevent spam blacklisting and unsuccessful SPF record checks? Maybe.

Will this mean that you can configure this from the user details page?
Also, can this be found later in the LDAP if it is set (other than default) for each user?

Yes Bogdan, it should, if multiple smarthosts can really help. I mean, at first glance I think multiple smarthosts could be a plus, or maybe not?

Are you talking about configuring a different smarthost for each user?

I would like to analyze correctly every aspect of this feature.

Hi Roberto, Yes, different configurations for each user (optional set)
Multiple smtp’s per user…

BR
Bogdan

I have done it with my Zimbra install, let me just check where I found the documents…it should be the same.

:scream: my documents pertain to Zimbra only, but I hope the logic applies to your set-up as well.

http://imanudin.net/2014/12/25/relay-tips-based-on-userdomain-receiver-on-zimbra-8-5-8-6/

The one below is for Ubuntu PHP - Postfix:

http://blog.otelconsulting.com/2013/03/ubuntu-php-postfix-virtual-hosting-multiple-relay-host-via-gmail/

I was pretty sure that the document I followed was not pertaining to Zimbra per se but did adjustments. Test well before production.

1 Like

Hi @davidep
I did a fork with anonymized credentials. I disabled TLS in the tls_policy to prevent errors with tls.


I am looking further to find the mistake.

I found out something interesting.
If I add the option smtp_sasl_security_options = noanonymous to main.cf I get

    SASL authentication failed; server smtp.web.de[213.165.67.108] said: 530 Must issue a STARTTLS command first

If I remove the option I get

    Dec 22 14:33:10 asterix postfix/error[20351]: B9862A8081E: to=user1@gmx.de, relay=none, delay=0.37, delays=0.28/0.01/0/0.09, dsn=4.7.0, status=deferred (delivery temporarily suspended: SASL authentication failed; cannot authenticate to server smtp.web.de[213.165.67.108]: no mechanism available)

In my current openSUSE environment this option is set.
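
Added example, not part of any post in this thread or of the linked gist: a Postfix layout for per-sender smarthosts that relates the two SASL errors quoted above to the client settings, and that binds each envelope sender to one login (the limitation noted earlier in the thread). The alfa.de/beta.de names come from the recap; the sasl_passwd and sender_login paths, the use of /etc/postfix/relaymaps as the sender-dependent map, the login name `one`, and the password placeholders are assumptions.

```ini
# ---- /etc/postfix/main.cf: outbound SMTP client ----
# Choose the smarthost and the credentials by envelope sender.
sender_dependent_relayhost_maps = hash:/etc/postfix/relaymaps
smtp_sender_dependent_authentication = yes
smtp_sasl_auth_enable = yes
# Assumed path for the credential map.
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

# Failing setting (this is the Postfix default). A provider that advertises
# only "AUTH LOGIN PLAIN" leaves no acceptable mechanism, which is logged as
# "No worthy mechs found" / "no mechanism available".
#smtp_sasl_security_options = noplaintext, noanonymous

# Corrected: allow PLAIN/LOGIN, and require TLS per smarthost (tls_policy
# below) so the password is never sent in cleartext. Without TLS the
# provider answers "530 Must issue a STARTTLS command first".
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# ---- /etc/postfix/main.cf: inbound side ----
# Bind each envelope sender to the login that owns it, so an authenticated
# user cannot pick another user's smarthost by forging the sender address.
# Merge this into any smtpd_sender_restrictions list already present.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login
smtpd_sender_restrictions = reject_sender_login_mismatch

# ---- /etc/postfix/relaymaps ----
# Submission port 587; brackets suppress the MX lookup.
one@alfa.de    [smtp.alfa.de]:587
one@beta.de    [smtp.beta.de]:587

# ---- /etc/postfix/tls_policy ----
# Keys must match the next-hop strings in relaymaps exactly.
# "encrypt" makes STARTTLS mandatory but does not verify the certificate;
# "verify" or "secure" also check it.
[smtp.alfa.de]:587    encrypt
[smtp.beta.de]:587    encrypt

# ---- /etc/postfix/sasl_passwd (mode 0600, owner root) ----
one@alfa.de    one@alfa.de:PLACEHOLDER_PASSWORD
one@beta.de    one@beta.de:PLACEHOLDER_PASSWORD

# ---- /etc/postfix/sender_login ----
one@alfa.de    one
one@beta.de    one
```

Each hash: map has to be rebuilt with `postmap <file>` after editing, otherwise Postfix keeps using the old lookup table.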