Smarthost enhancement

I don’t know if this has been discussed, but I would like to see the following enhancement on smarthost.

For now there is only one account configurable to send mails through smarthost. Now our mail service provider does not accept a generic account, let's call it sender@ourdomain.com, for sending mails for all users@ourdomain.com, but only individual email accounts as users to send through their smtp server.

Thus I have configured imap on our nethserver and connectors to download mails for our users, but we send mails directly through external smtp server of our email provider.

My idea is: As we have configured all individual external user credentials in email connector settings, wouldn’t it be nice, if smarthost would be able to use those credentials also for sending emails? That way our users could use internal smtp and the mails would be sent through smarthost with the configured credentials in connector settings.

Why using a provider? You can centralize all your email accounts on NethServer and use it to receive and send email.

@alefattorini

Hi Alessio

As I know Elleni here and his situation, and I myself have two clients using a Mail Provider and collecting the mails with POP3/IMAP to their Inhouse NethServer, I’ll take the liberty to answer…

Sometimes reasons are historic, like an old Exchange Server 2003 not fit to expose to the Internet…
Sometimes it’s politics or business
and sometimes there are “Holy Cows”, which you can’t touch…

I can live with reasons 1 and 2, but have a bit of problems with Nr.3… :slight_smile:

And sometimes it’s all in movement, but certain things take longer than expected!

My 2 cents
Andy

Our boss is afraid that if our mailserver serves the domain, we could run into problems like bad reputation of the ip thus non-delivery so he did decide that he wants to keep our mailprovider, while he still wants us to do additional email filtering. I had thought about looking into mailproxy, but when I read that it will not be ported to new cockpit webinterface, I thought, it's not worth it as it may be soon obsolete? Thus we have an additional domain for our imap server, and configured connectors for users to their external mailbox. We have to send mails through our provider, at least for now. Maybe later - if he gains confidence in our new systems, we will upgrade to a full blown mailserver with smtp directly to the outside and serve our real domain. I know, that this setup can be problematic, as for example the sender will not be notified on blocked mails from nethserver, but we will workaround that for the time being by monitoring rspamd and download those mails through webmail of the mailprovider. Maybe there is even a way to get a mail notification whenever a mail is blocked; I asked if this could be easily configured in this forum but did not get a reply yet.

So for now, we setup our mailclients to connect to nethserver imap server, but send mails directly by external smtp server. I had tried to use smarthost, but our mailprovider does not allow one generic account to send mails for all our users, thus my idea asked here. But if this is such an uncommon usecase and it is of no real advantage or too complicated to implement, it is no problem, I just thought, I should ask. Thanks for providing us such a great product. :slight_smile:

AFAIK this is how Office365 works: you cannot send an email with a generic smtp but with the smtp account of the user.
Gmail has also a quite similar behavior because the header of the sender is modified by the email name of the smtp account, so you cannot use a generic gmail smtp account.

I do use also a smtp relayhost mainly because it is a nightmare to send email now to Office365 and I have other hobbies in the life.

Therefore it is for me a valid feature request however I am sure you can find a smtp provider that allows you to use one generic account for all your emails…we call this a workaround :slight_smile:


@Elleni

I use KreativMedia as SMTP, they allow a generic SMTP user (for outgoing) and have very moderate prices.
You could use this, and leave your existing Provider “as is”!

It only needs correct DNS entries!

My 2 cents
Andy

I doubt, our boss wants to risk this change. I think, we stay the way I have setup the system by configuring emailclients with external smtp server, but nethserver as imap, until my boss gained enough confidence to allow our nethmailserver directly serve as smtp server too.

The client is king, even if that’s your boss!

Try this:

Create /etc/e-smith/templates-custom/etc/postfix/main.cf/29Authentication

```sh
mkdir -p /etc/e-smith/templates-custom/etc/postfix/main.cf
cd /etc/e-smith/templates-custom/etc/postfix/main.cf
vi 29Authentication
```

```
#
# custom
#
# 29Authentication
#

{
    # Emit the SASL client settings only when the built-in smarthost is not enabled.
    # The empty smtp_sasl_security_options value permits plaintext mechanisms
    # (PLAIN/LOGIN), so the session relies on TLS to protect the credentials.
    if($postfix{SmartHostStatus} ne 'enabled') {
    return <<FRAGMENT
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_mechanism_filter = plain, login
smtp_sasl_security_options =
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
FRAGMENT
    }
}

#smtp_sasl_auth_enable = yes
#smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
#smtp_sasl_mechanism_filter = plain, login
#smtp_sasl_security_options =
#smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = hash:/etc/postfix/relayhost_maps
```

Create /etc/e-smith/templates-custom/etc/postfix/relayhost_maps/20Relayhosts_map

```sh
mkdir -p /etc/e-smith/templates-custom/etc/postfix/relayhost_maps
cd /etc/e-smith/templates-custom/etc/postfix/relayhost_maps
vi 20Relayhosts_map
```

```
#
# custom
#
# 20Relayhosts_map
#

# Postfix searches this map by the full sender address, then by @domain
@yourdomain.tld	[smarthost.yourdomain.tld]:25
```

Create /etc/e-smith/templates-custom/etc/postfix/sasl_passwd/30Authentication

```sh
mkdir -p /etc/e-smith/templates-custom/etc/postfix/sasl_passwd
cd /etc/e-smith/templates-custom/etc/postfix/sasl_passwd
vi 30Authentication
```

```
#
# custom
#
# 30Authentication

user1@yourdomain.tld		login_user1:password_user1
user2@yourdomain.tld		login_user2:password_user2
user3@yourdomain.tld		login_user3:password_user3
```

Finally, give these commands to activate the changes:

```sh
expand-template /etc/postfix/relayhost_maps
postmap /etc/postfix/relayhost_maps

expand-template /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd

signal-event nethserver-mail-server-update
```

The same commands marked above should be given after making changes to the above configuration files.


Cool, thanks for this. I will have a look but it will take me some time, as I am on vacation for two weeks. One question though. As I want to avoid putting users passwords in a config file manually - would it be possible to get them from the system? I am asking as the smtp passwords are already stored in nethserver because for every user a connector is configured for download emails from external domain.

This script generates the sasl_passwd fragment from getmail data:

```sh
vi importpop3c
```

```sh
#!/bin/sh
#
# Build the sasl_passwd template fragment from the getmail (connector) database.

GRDir=/etc/e-smith/templates-custom/etc/postfix/sasl_passwd
GRFile=30Authentication

# The fragment holds plaintext passwords: keep it readable by root only.
umask 077
mkdir -p "${GRDir}"

{
        echo "#"
        echo "# custom"
        echo "#"
        echo "# ${GRFile}"
        echo "#"
        echo
} > "${GRDir}/${GRFile}"
chmod 600 "${GRDir}/${GRFile}"

# One record per line; read whole lines so values containing spaces are not split.
/sbin/e-smith/db getmail print | while IFS= read -r l
do
        GRKey=$(echo "$l" | cut -f 1 -d =)
        GRAccount=$(/sbin/e-smith/db getmail getprop "${GRKey}" Account)
        GRPassword=$(/sbin/e-smith/db getmail getprop "${GRKey}" Password)
        # printf instead of "echo -e", which is not portable under /bin/sh
        printf '%s\t%s:%s\n' "${GRKey}" "${GRAccount}" "${GRPassword}" >> "${GRDir}/${GRFile}"
done
```

This script takes the data from the configuration of the pop3 connector so, every time you make a change to the pop3 connector, remember to launch this script and the postfix reconfiguration:

```sh
sh importpop3c

expand-template /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd

signal-event nethserver-mail-server-update
```

I finally tried this and it works, but I have found out that in email mailboxes and addresses section of cockpit/email the entries of the local domain hosted by the nethserver were gone, and in connector settings it’s not possible anymore to add a new entry. I rolled back the snapshot and thought maybe better ask why this happens and if the scripts would need modifications to not be so intrusive and preserve the internal mailboxes while still providing this great enhancement. In our case we registered a domain.work which is fully served by our nethservers, while domain.ch is externally served, so each user has a domain.work email address, and a connector to its domain.ch address. Your scripts work nicely in the asked context of being able to send with individual credentials, but unfortunately the .work mailboxes are gone.

Following the printscreens I took before rolling back:


There were more users, don’t know why only those three marked as deleted were listed and why they were marked as deleted anyway.
create connector greyed out

Very strange because the modifications touch neither the Nethserver configuration DB nor Cockpit.

Moreover it’s a configuration that I’m using on my server to manage PEC* on a couple of users, in combination with stunnel and getmail, and it doesn’t give me these problems.

The only thing that “might” touch the db is the importpop3c script, but it should be read-only and not change anything.

At most try to create the users by hand in 30authentication without running the importpop3c script.

*PEC (Posta Elettronica Certificata) is a “strange” thing all Italian

It was very strange indeed as I also realized that I was not able to revert the accounts by removing those configs, so I rolled back the snapshot.

I am trying again now, and I cannot reproduce the strange behaviour. It looks good, but I fear to run into this again, although I have no idea what had caused this in the first place. I had tried twice the other day and both times with the above result.

For not having to recreate those files, I had scp-ed them to another machine. This time, I just copied back /etc/e-smith/templates-custom/postfix and issued the two expand and postmap commands followed by signal-event nethserver-mail-server-update and all looks good. I also rebooted the server to check that the error did not show up again and it doesn’t.

I then also recreated and executed the script without problem. Mailboxes of local domain.work are still there, so I have no idea what I had done to make the above problem appear :confused:

Now I still hesitate as I have the uncertainty that this might show up again, and that would be a problem as I would not be able to rollback a snapshot after a day or more of work as the mails would be lost that were written inbetween…

While testing I think, I found a possible bug in connector settings. Or maybe this is intended, but the name of the connector stays with the old domain name, even if the server entry is changed.

As our external mailprovider changed his domain from extdomain1.ch to extdomain2.ch I had to modify our connectors from imap.extdom1.ch to imap.extdom2.ch and that worked, but looking into email/mailboxes the column connector still showed the old name imap.extdom1.ch.

db getmail show also showed:

```
user1@extdomain.ch@imap.extdom1.ch=getmail
Account=user1@internaldomain.work
Delete=90
FilterCheck=enabled
Password=password
Retriever=SimpleIMAPSSLRetriever
Server=imap.extdom2.ch
Time=1
Username=user1@extdomain.ch
status=enabled
```

Thus your script extracted the old imap.extdom1.ch in the first column instead of the actual imap.extdom2.ch

I was able to correct this by deleting the connector and recreating it. It was not enough to just change the server entry. @devteam Is this a bug and should this be addressed? And may this addition of saitobenkei be worth to be added as smarthost enhancement?
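
The connector record quoted in the last post has a key that still carries the old server name, while its `Username` and `Password` properties hold the live credentials. As an added example (not code from the thread or from NethServer), this variant of the import step builds `sasl_passwd` lines from `Username` instead of the record key and skips disabled connectors. It assumes the provider's SMTP login and password are the same as the connector's; `getmail_to_sasl` and `sample_show` are names made up here.

```shell
#!/bin/sh
# Added example (not from the thread): build sasl_passwd lines from `db getmail show`
# output, keyed on Username. Assumption: SMTP login/password equal the connector's.
getmail_to_sasl() {   # stdin: show output; stdout: "sender<TAB>login:password"
    awk '
        function flush() {   # emit only complete, enabled connectors
            if (user != "" && pass != "" && status == "enabled")
                printf "%s\t%s:%s\n", user, user, pass
            user = ""; pass = ""; status = ""
        }
        {
            line = $0
            sub(/^[ \t]+/, "", line)          # real output indents properties
            eq = index(line, "=")             # split on the FIRST "=" only,
            if (eq == 0) next                 # because passwords may contain "="
            name = substr(line, 1, eq - 1)
            value = substr(line, eq + 1)
            if (name == "Username")      user = value
            else if (name == "Password") pass = value
            else if (name == "status")   status = value
            else if (value == "getmail") flush()   # "key=getmail" starts a record
        }
        END { flush() }
    '
}

# Constructed sample in the layout shown in the thread (all values are made up).
sample_show() {
    cat <<'EOF'
user1@extdomain.ch@imap.extdom1.ch=getmail
    Account=user1@internaldomain.work
    Password=password
    Server=imap.extdom2.ch
    Username=user1@extdomain.ch
    status=enabled
user2@extdomain.ch@imap.extdom2.ch=getmail
    Password=p=ss:w0rd
    Username=user2@extdomain.ch
    status=enabled
user3@extdomain.ch@imap.extdom2.ch=getmail
    Password=unused
    Username=user3@extdomain.ch
    status=disabled
EOF
}

# On the server, as root: umask 077; /sbin/e-smith/db getmail show | getmail_to_sasl
sample_show | getmail_to_sasl
```

The output contains plaintext passwords, so the fragment it is written to and the generated `/etc/postfix/sasl_passwd` and `sasl_passwd.db` should be readable by root only.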