Our setup is Zimbra 8.6 running on a Dell PowerEdge, CentOS 7.6. (Tried to upgrade Zimbra a few months ago and it bombed, so I'm waiting before I upgrade again. That's for a later discussion.) We have a valid cert from GoDaddy, all that works just fine, too. We use a pfSense router/firewall to NAT incoming to Zimbra and Barracuda, with dnsmasq spoofing DNS on the Zimbra server. Basically,
Incoming Port 25 --> Barracuda Spam Filter --> Zimbra
Other incoming ports --> Zimbra
Zimbra outgoing --> Barracuda Spam Filter --> The Internet (port 25)
This was working splendidly for months and months ... then the Barracuda died yesterday morning with a bad hard drive. I temporarily bypassed Barracuda for incoming and outgoing and exposed Zimbra directly to the Internet. I went in to Zimbra admin/config and deleted the outgoing relay strings. It worked, sort of: some outgoing emails were sent, others were rejected (most notably by Comcast and Gmail) with the error 530 5.7.1.
This tells me that our Zimbra setup isn't doing something properly for outgoing mail. I don't know what Barracuda does differently, but as soon as we installed the replacement and put Barracuda back in line, Comcast and Gmail were happy again.
What's throwing me is that 530 5.7.1 supposedly means "authentication error." I'm just sending email to outside recipients over port 25. I'm not trying to log in with Comcast or Gmail from our Zimbra server, so the Wiki article's suggestion for password lists doesn't apply. I just need to send an email to "joe-schmo@gmail.com."
No doubt I've missed something in our Zimbra settings, but if anyone here has any ideas, I'd appreciate it. Right now, we're back up and running, but if I ever lose Barracuda again, I need to be able to put Zimbra straight online and still have our outgoing email be handled properly by Comcast, Gmail, and the other criminals.
More detail, based on the Wiki article, follows. This is the current configuration with Barracuda back inline, operating normally (my comments in parentheses when Barracuda was bypassed). Sorry for the length.
I wonder if the SMTP server shouldn't be pointing to the certificate? Doesn't explain why Barracuda is happy (it's using a self-generated cert), but it's the only thing I wonder about.
Thanks in advance.
zmprov gs mail.crawfordbroadcasting.com | grep -i mta
zimbraMtaAddressVerifyNegativeRefreshTime: 10m
zimbraMtaAddressVerifyPollCount: ${stress?3}${stress:5}
zimbraMtaAddressVerifyPollDelay: 3s
zimbraMtaAddressVerifyPositiveRefreshTime: 12h
zimbraMtaAliasMaps: lmdb:/etc/aliases
zimbraMtaAlwaysAddMissingHeaders: yes
zimbraMtaAntiSpamLockMethod: flock
zimbraMtaAuthEnabled: TRUE
zimbraMtaAuthHost: mail.crawfordbroadcasting.com
zimbraMtaAuthTarget: TRUE
zimbraMtaAuthURL: https://mail.crawfordbroadcasting.com:443/service/soap/
zimbraMtaBounceNoticeRecipient: postmaster
zimbraMtaBounceQueueLifetime: 5d
zimbraMtaBrokenSaslAuthClients: yes
zimbraMtaCommandDirectory: /opt/zimbra/postfix/sbin
zimbraMtaDaemonDirectory: /opt/zimbra/postfix/libexec
zimbraMtaDefaultProcessLimit: 100
zimbraMtaDelayWarningTime: 0h
zimbraMtaDnsLookupsEnabled: FALSE
zimbraMtaEnableSmtpdPolicyd: FALSE
zimbraMtaHeaderChecks: pcre:/opt/zimbra/conf/postfix_header_checks
zimbraMtaInFlowDelay: 1s
zimbraMtaLmdbMapSize: 16777216
zimbraMtaLmtpConnectionCacheTimeLimit: 4s
zimbraMtaLmtpHostLookup: dns
zimbraMtaLmtpTlsCiphers: export
zimbraMtaLmtpTlsLoglevel: 0
zimbraMtaLmtpTlsMandatoryCiphers: medium
zimbraMtaLmtpTlsProtocols: !SSLv2, !SSLv3
zimbraMtaLmtpTlsSecurityLevel: may
zimbraMtaMailqPath: /opt/zimbra/postfix/sbin/mailq
zimbraMtaManpageDirectory: /opt/zimbra/postfix/man
zimbraMtaMaxUse: 100
zimbraMtaMaximalBackoffTime: 4000s
zimbraMtaMilterCommandTimeout: 30s
zimbraMtaMilterConnectTimeout: 30s
zimbraMtaMilterContentTimeout: 300s
zimbraMtaMilterDefaultAction: tempfail
zimbraMtaMinimalBackoffTime: 300s
zimbraMtaMyDestination: localhost
zimbraMtaMyNetworks: 127.0.0.0/8 192.168.1.0/24 (the 192.x.x.x is my internal network, of course)
zimbraMtaNewaliasesPath: /opt/zimbra/postfix/sbin/newaliases
zimbraMtaNotifyClasses: resource
zimbraMtaNotifyClasses: software
zimbraMtaPolicyTimeLimit: 3600
zimbraMtaPropagateUnmatchedExtensions: canonical
zimbraMtaQueueDirectory: /opt/zimbra/data/postfix/spool
zimbraMtaQueueRunDelay: 300s
zimbraMtaRelayHost: 192.168.1.200:25 (this was set to an empty string while Barracuda was down)
zimbraMtaSaslAuthEnable: yes
zimbraMtaSaslSmtpdMechList: PLAIN
zimbraMtaSaslSmtpdMechList: LOGIN
zimbraMtaSenderCanonicalMaps: proxy:ldap:/opt/zimbra/conf/ldap-scm.cf
zimbraMtaSendmailPath: /opt/zimbra/postfix/sbin/sendmail
zimbraMtaSmtpCnameOverridesServername: no
zimbraMtaSmtpHeloName: $myhostname
zimbraMtaSmtpSaslAuthEnable: no
zimbraMtaSmtpSaslSecurityOptions: noplaintext,noanonymous
zimbraMtaSmtpTlsCiphers: export
zimbraMtaSmtpTlsLoglevel: 0
zimbraMtaSmtpTlsMandatoryCiphers: medium
zimbraMtaSmtpTlsProtocols: !SSLv2, !SSLv3
zimbraMtaSmtpTlsSecurityLevel: may
zimbraMtaSmtpdBanner: $myhostname ESMTP $mail_name
zimbraMtaSmtpdClientPortLogging: no
zimbraMtaSmtpdClientRestrictions: reject_unauth_pipelining
zimbraMtaSmtpdDataRestrictions: reject_unauth_pipelining
zimbraMtaSmtpdErrorSleepTime: 1s
zimbraMtaSmtpdHardErrorLimit: 20
zimbraMtaSmtpdHeloRequired: yes
zimbraMtaSmtpdProxyTimeout: 100s
zimbraMtaSmtpdRejectUnlistedRecipient: no
zimbraMtaSmtpdRejectUnlistedSender: yes
zimbraMtaSmtpdSaslAuthenticatedHeader: no
zimbraMtaSmtpdSaslSecurityOptions: noanonymous
zimbraMtaSmtpdSaslTlsSecurityOptions: $smtpd_sasl_security_options
zimbraMtaSmtpdSenderLoginMaps: proxy:ldap:/opt/zimbra/conf/ldap-slm.cf
zimbraMtaSmtpdSenderRestrictions: reject_authenticated_sender_login_mismatch
zimbraMtaSmtpdTlsAskCcert: no
zimbraMtaSmtpdTlsCcertVerifydepth: 9
zimbraMtaSmtpdTlsCiphers: export
zimbraMtaSmtpdTlsLoglevel: 1
zimbraMtaSmtpdTlsMandatoryCiphers: medium
zimbraMtaSmtpdTlsProtocols: !SSLv2, !SSLv3
zimbraMtaSmtpdVirtualTransport: error
zimbraMtaStpdSoftErrorLimit: 10
zimbraMtaTlsAppendDefaultCA: no
zimbraMtaTlsAuthOnly: TRUE
zimbraMtaTlsSecurityLevel: may
[zimbra@mail ~]$ postconf | grep -i tls
lmtp_enforce_tls = no
lmtp_sasl_tls_security_options = $lmtp_sasl_security_options
lmtp_sasl_tls_verified_security_options = $lmtp_sasl_tls_security_options
lmtp_starttls_timeout = 300s
lmtp_tls_CAfile =
lmtp_tls_CApath =
lmtp_tls_block_early_mail_reply = no
lmtp_tls_cert_file =
lmtp_tls_ciphers = export
lmtp_tls_dcert_file =
lmtp_tls_dkey_file = $lmtp_tls_dcert_file
lmtp_tls_eccert_file =
lmtp_tls_eckey_file = $lmtp_tls_eccert_file
lmtp_tls_enforce_peername = yes
lmtp_tls_exclude_ciphers =
lmtp_tls_fingerprint_cert_match =
lmtp_tls_fingerprint_digest = md5
lmtp_tls_force_insecure_host_tlsa_lookup = no
lmtp_tls_key_file = $lmtp_tls_cert_file
lmtp_tls_loglevel = 0
lmtp_tls_mandatory_ciphers = medium
lmtp_tls_mandatory_exclude_ciphers =
lmtp_tls_mandatory_protocols = !SSLv2
lmtp_tls_note_starttls_offer = no
lmtp_tls_per_site =
lmtp_tls_policy_maps =
lmtp_tls_protocols = !SSLv2, !SSLv3
lmtp_tls_scert_verifydepth = 9
lmtp_tls_secure_cert_match = nexthop
lmtp_tls_security_level = may
lmtp_tls_session_cache_database =
lmtp_tls_session_cache_timeout = 3600s
lmtp_tls_trust_anchor_file =
lmtp_tls_verify_cert_match = hostname
lmtp_use_tls = no
milter_helo_macros = {tls_version} {cipher} {cipher_bits} {cert_subject} {cert_issuer}
postscreen_enforce_tls = $smtpd_enforce_tls
postscreen_tls_security_level = $smtpd_tls_security_level
postscreen_use_tls = $smtpd_use_tls
smtp_enforce_tls = no
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
smtp_starttls_timeout = 300s
smtp_tls_CAfile =
smtp_tls_CApath =
smtp_tls_block_early_mail_reply = no
smtp_tls_cert_file =
smtp_tls_ciphers = export
smtp_tls_dcert_file =
smtp_tls_dkey_file = $smtp_tls_dcert_file
smtp_tls_eccert_file =
smtp_tls_eckey_file = $smtp_tls_eccert_file
smtp_tls_enforce_peername = yes
smtp_tls_exclude_ciphers =
smtp_tls_fingerprint_cert_match =
smtp_tls_fingerprint_digest = md5
smtp_tls_force_insecure_host_tlsa_lookup = no
smtp_tls_key_file = $smtp_tls_cert_file
smtp_tls_loglevel = 0
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers =
smtp_tls_mandatory_protocols = !SSLv2
smtp_tls_note_starttls_offer = no
smtp_tls_per_site =
smtp_tls_policy_maps =
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_scert_verifydepth = 9
smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_security_level = may
smtp_tls_session_cache_database =
smtp_tls_session_cache_timeout = 3600s
smtp_tls_trust_anchor_file =
smtp_tls_verify_cert_match = hostname
smtp_use_tls = no
smtpd_client_new_tls_session_rate_limit = 0
smtpd_enforce_tls = no
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch, check_policy_service inet:localhost:10031, check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re
smtpd_starttls_timeout = ${stress?10}${stress:300}s
smtpd_tls_CAfile =
smtpd_tls_CApath =
smtpd_tls_always_issue_session_ids = yes
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = yes
smtpd_tls_ccert_verifydepth = 9
smtpd_tls_cert_file = /opt/zimbra/conf/smtpd.crt
smtpd_tls_ciphers = export
smtpd_tls_dcert_file =
smtpd_tls_dh1024_param_file =
smtpd_tls_dh512_param_file =
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
smtpd_tls_eccert_file =
smtpd_tls_eckey_file = $smtpd_tls_eccert_file
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers =
smtpd_tls_fingerprint_digest = md5
smtpd_tls_key_file = /opt/zimbra/conf/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers =
smtpd_tls_mandatory_protocols = !SSLv2
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = no
smtpd_tls_req_ccert = no
smtpd_tls_security_level = may
smtpd_tls_session_cache_database =
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_wrappermode = no
smtpd_use_tls = yes
tls_append_default_CA = no
tls_daemon_random_bytes = 32
tls_dane_digest_agility = on
tls_dane_digests = sha512 sha256
tls_dane_trust_anchor_digest_enable = yes
tls_disable_workarounds =
tls_eecdh_strong_curve = prime256v1
tls_eecdh_ultra_curve = secp384r1
tls_export_cipherlist = aNULL:-aNULL:ALL:+RC4:@STRENGTH
tls_high_cipherlist = aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH
tls_legacy_public_key_fingerprints = no
tls_low_cipherlist = aNULL:-aNULL:ALL:!EXPORT:+RC4:@STRENGTH
tls_medium_cipherlist = aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH
tls_null_cipherlist = eNULL:!aNULL
tls_preempt_cipherlist = no
tls_random_bytes = 32
tls_random_exchange_name = ${data_directory}/prng_exch
tls_random_prng_update_period = 3600s
tls_random_reseed_period = 3600s
tls_random_source = dev:/dev/urandom
tls_ssl_options =
tls_wildcard_matches_multiple_labels = yes
tlsmgr_service_name = tlsmgr
tlsproxy_enforce_tls = $smtpd_enforce_tls
tlsproxy_service_name = tlsproxy
tlsproxy_tls_CAfile = $smtpd_tls_CAfile
tlsproxy_tls_CApath = $smtpd_tls_CApath
tlsproxy_tls_always_issue_session_ids = $smtpd_tls_always_issue_session_ids
tlsproxy_tls_ask_ccert = $smtpd_tls_ask_ccert
tlsproxy_tls_ccert_verifydepth = $smtpd_tls_ccert_verifydepth
tlsproxy_tls_cert_file = $smtpd_tls_cert_file
tlsproxy_tls_ciphers = $smtpd_tls_ciphers
tlsproxy_tls_dcert_file = $smtpd_tls_dcert_file
tlsproxy_tls_dh1024_param_file = $smtpd_tls_dh1024_param_file
tlsproxy_tls_dh512_param_file = $smtpd_tls_dh512_param_file
tlsproxy_tls_dkey_file = $smtpd_tls_dkey_file
tlsproxy_tls_eccert_file = $smtpd_tls_eccert_file
tlsproxy_tls_eckey_file = $smtpd_tls_eckey_file
tlsproxy_tls_eecdh_grade = $smtpd_tls_eecdh_grade
tlsproxy_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers
tlsproxy_tls_fingerprint_digest = $smtpd_tls_fingerprint_digest
tlsproxy_tls_key_file = $smtpd_tls_key_file
tlsproxy_tls_loglevel = $smtpd_tls_loglevel
tlsproxy_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
tlsproxy_tls_mandatory_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
tlsproxy_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
tlsproxy_tls_protocols = $smtpd_tls_protocols
tlsproxy_tls_req_ccert = $smtpd_tls_req_ccert
tlsproxy_tls_security_level = $smtpd_tls_security_level
tlsproxy_use_tls = $smtpd_use_tls
tlsproxy_watchdog_timeout = 10s
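As an added example (not from the post, and not Zimbra's own tooling), a small Python audit over settings in the shape dumped above: it parses zmprov and postconf lines and flags the combination of zimbraMtaDnsLookupsEnabled FALSE with an empty zimbraMtaRelayHost, which is the state the server was in while Barracuda was bypassed, along with the opportunistic-TLS settings shown. The sample input is constructed; the mapping of zimbraMtaDnsLookupsEnabled to Postfix's disable_dns_lookups is stated as an assumption in the comments.

```python
import re

# Constructed sample in the shape of the zmprov / postconf output quoted above,
# with zimbraMtaRelayHost left empty as it was while Barracuda was bypassed.
SAMPLE = """\
zimbraMtaDnsLookupsEnabled: FALSE
zimbraMtaRelayHost:
zimbraMtaSmtpTlsSecurityLevel: may
smtp_tls_ciphers = export
smtp_tls_security_level = may
smtp_tls_CAfile =
"""

LINE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*[:=]\s*(.*?)\s*$")


def parse_settings(text):
    """Turn 'key: value' (zmprov) and 'key = value' (postconf) lines into a dict.
    Empty values are kept as '' so unset parameters can be detected.
    A key listed more than once (e.g. zimbraMtaSaslSmtpdMechList) keeps its last value."""
    settings = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit_outbound(s):
    """Return findings about how Postfix will deliver outbound mail with these settings."""
    findings = []
    dns_off = s.get("zimbraMtaDnsLookupsEnabled", "").upper() == "FALSE"
    if dns_off and not s.get("zimbraMtaRelayHost", ""):
        # Assumption: zimbraMtaDnsLookupsEnabled=FALSE maps to Postfix disable_dns_lookups=yes,
        # under which the SMTP client resolves the recipient domain with getaddrinfo()
        # (A record) and never consults its MX records, so direct delivery may reach a
        # host that is not a mail exchanger at all.
        findings.append("no relay host and DNS lookups disabled: Postfix delivers "
                        "to the recipient domain's A record, not its MX hosts")
    if s.get("smtp_tls_security_level") == "may":
        # Opportunistic TLS: no certificate verification, plaintext if STARTTLS is absent.
        findings.append("smtp_tls_security_level=may: outbound TLS is opportunistic, "
                        "peer certificates are not verified")
    if s.get("smtp_tls_ciphers") == "export":
        findings.append("smtp_tls_ciphers=export: export-grade ciphers are allowed "
                        "for opportunistic TLS")
    return findings


if __name__ == "__main__":
    for f in audit_outbound(parse_settings(SAMPLE)):
        print("-", f)
```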