Getting smtp working with my ISP

Cpoc
Posts: 15
Joined: Fri Sep 12, 2014 10:02 pm

Post by Cpoc »

My problem lies with smtp and my ISP. It makes contact but the auth gets refused.
Here is some of my main.cf in postfix:

# Enable TLS/SASL for the myisp server
smtp_tls_note_starttls_offer = yes
tls_random_source = dev:/dev/urandom

# SASL SUPPORT FOR SERVERS
#
# The following options set parameters needed by Postfix to enable
# Cyrus-SASL support for authentication of mail servers.
#
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/opt/zimbra/postfix-2.2.3/sasl/passwd
smtp_sasl_security_options =
smtp_use_tls = yes
smtpd_tls_cert_file = /opt/zimbra/conf/smtpd.crt
smtpd_tls_key_file = /opt/zimbra/conf/smtpd.key
smtpd_tls_loglevel = 3
content_filter = smtp-amavis:[127.0.0.1]:10024
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
disable_dns_lookups = yes
message_size_limit = 10240000
relayhost = myisp


The problem I believe lies in this section:
smtpd_tls_cert_file = /opt/zimbra/conf/smtpd.crt
smtpd_tls_key_file = /opt/zimbra/conf/smtpd.key
I believe I have to provide my ISP's cert file and key.
Here is some of zimbra.log:
Dec 15 05:20:12 localhost postfix/smtp[13587]: certificate verification failed for myisp: num=20:unable to get local issuer certificate
Dec 15 05:20:12 localhost postfix/smtp[13587]: certificate verification failed for myisp: num=27:certificate not trusted
Dec 15 05:20:12 localhost postfix/smtp[13587]: certificate verification failed for myisp: num=21:unable to verify the first certificate
Dec 15 05:20:12 localhost postfix/smtp[13587]: Server certificate could not be verified
I am using myisp for my real ISP smtp account.
Here is another thing I don't understand when I start and stop postfix:
Dec 15 07:10:58 localhost postfix/postfix-script: warning: not owned by root: /opt/zimbra/postfix-2.2.3/conf/main.cf
Dec 15 07:12:11 localhost postfix/postfix-script: stopping the Postfix mail system
Dec 15 07:12:11 localhost postfix/master[3311]: terminating on signal 15
Dec 15 07:12:27 localhost postfix/postfix-script: warning: not owned by root: /opt/zimbra/postfix-2.2.3/conf/main.cf
Dec 15 07:12:27 localhost postfix/postfix-script: starting the Postfix mail system
Dec 15 07:12:27 localhost postfix/master[1417]: daemon started -- version 2.2.3, configuration /opt/zimbra/postfix-2.2.3/conf
If I change it to root, postfix changes it back to zimbra zimbra.
Any suggestions? I'm almost there to getting this fixed. So far fetchmail works perfectly and is supplying the proper certificates that I got from a how-to guide for my ISP.
Do I use those same certificates with postfix?
marcmac
Elite member
Posts: 2091
Joined: Fri Sep 12, 2014 9:53 pm

Post by marcmac »

Don't worry about the postfix warnings - those aren't affecting this issue.
I believe that the smtp_ and smtpd_ config items are completely orthogonal - the first control how postfix behaves as a CLIENT, the second as a SERVER.
So, the smtpd_ config keys control how postfix will interact with your desktop client, which I think you said was working fine - you can submit mail to the zimbra postfix mta, and it's accepted.
The problem is that postfix can't submit email to the upstream mta at your ISP.
I'll assume that the information in /opt/zimbra/postfix-2.2.3/sasl/passwd is correct - but did you remember to run postmap on the file?
How does your ISP instruct you to set up smtp auth? Is it simply user/pass, or did they provide you with a client cert? (It's unlikely that they did).
You may also try this:

smtp_tls_enforce_peername=no in case there's a hostname mismatch.
And, smtp_tls_loglevel may provide more info:

smtp_tls_loglevel (default: 0)
Enable additional Postfix SMTP client logging of TLS activity. Each logging level also includes the information that is logged at a lower logging level.
0 Disable logging of TLS activity.
1 Log TLS handshake and certificate information.
2 Log levels during TLS negotiation.
3 Log hexadecimal and ASCII dump of TLS negotiation process.
4 Log hexadecimal and ASCII dump of complete transmission after STARTTLS.
Use "smtp_tls_loglevel = 3" only in case of problems. Use of loglevel 4 is strongly discouraged.
Cpoc
Posts: 15
Joined: Fri Sep 12, 2014 10:02 pm

Post by Cpoc »

The passwd file and db file are working correctly because my ISP has 2 smtp accounts I can use. The one I'm having trouble with is the one that uses the auth and certificates. If I use the old one that sends passwords in the clear it works fine and I can send email outbound. The problem is my ISP is going to shut down that smtp account (this is what I hear) because they are converting all accounts to auth and ssl.
My ISP requires a cert to be used because if you use outlook you need to check that option in order to send mail out.
I'll give this a try

smtp_tls_enforce_peername=no
I'll also try

smtp_tls_loglevel = 1
If I can't figure this thing out I can always use the other smtp account, which transmits everything in the clear, but I would rather fix this issue.
My ISP is Bell Sympatico.
Cpoc
Posts: 15
Joined: Fri Sep 12, 2014 10:02 pm

Post by Cpoc »

Ok, here is the log file concerning the email sent:
alhost postfix/smtpd[23963]: disconnect from localhost.localdomain[127.0.0.1]
Dec 15 09:14:38 localhost amavis[5587]: (05587-02) Passed CLEAN, LOCAL [127.0.0.1] [127.0.0.1] -> , Message-ID: , mail_id: y74JdxWpRY1i, Hits: -5.899, 2580 ms
Dec 15 09:14:38 localhost amavis[5587]: (05587-02) TIMING [total 2593 ms] - SMTP EHLO: 7 (0%)0, SMTP pre-MAIL: 3 (0%)0, lookup_ldap: 40 (2%)2, SMTP pre-DATA-flush: 4 (0%)2, SMTP DATA: 1 (0%)2, body_hash: 3 (0%)2, gen_mail_id: 2 (0%)2, mime_decode: 21 (1%)3, get-file-type1: 22 (1%)4, decompose_part: 1 (0%)4, parts_decode: 0 (0%)4, AV-scan-1: 302 (12%)16, spam-wb-list: 11 (0%)16, SA msg read: 1 (0%)16, SA parse: 2 (0%)16, SA check: 1994 (77%)93, update_cache: 5 (0%)93, deal_with_mail_size: 1 (0%)93, fwd-connect: 56 (2%)96, fwd-mail-from: 8 (0%)96, fwd-rcpt-to: 9 (0%)96, write-header: 6 (0%)96, fwd-data: 0 (0%)96, fwd-data-end: 45 (2%)98, fwd-rundown: 3 (0%)98, main_log_entry: 38 (1%)100, update_snmp: 4 (0%)100, unlink-1-files: 2 (0%)100, rundown: 0 (0%)100
Dec 15 09:14:38 localhost postfix/smtp[23959]: 215CF22766F: to=, relay=127.0.0.1[127.0.0.1], delay=2, status=sent (250 2.6.0 Ok, id=05587-02, from MTA([127.0.0.1]:10025): 250 Ok: queued as B1055227679)
Dec 15 09:14:38 localhost amavis[5587]: (05587-02) extra modules loaded: Net/LDAP/Bind.pm
Dec 15 09:14:38 localhost amavis[5587]: (05587-02) load: 0 %, total idle 16564.977 s, busy 6.743 s
Dec 15 09:14:38 localhost postfix/qmgr[23408]: 215CF22766F: removed
Dec 15 09:14:39 localhost postfix/smtp[23964]: certificate verification failed for smtphm.sympatico.ca: num=20:unable to get local issuer certificate
Dec 15 09:14:39 localhost postfix/smtp[23964]: certificate verification failed for smtphm.sympatico.ca: num=27:certificate not trusted
Dec 15 09:14:39 localhost postfix/smtp[23964]: certificate verification failed for smtphm.sympatico.ca: num=21:unable to verify the first certificate
Dec 15 09:14:39 localhost postfix/smtp[23964]: Server certificate could not be verified
Dec 15 09:14:39 localhost postfix/smtp[23964]: B1055227679: to=, relay=smtphm.sympatico.ca[65.54.xxx.xxx], delay=1, status=bounced (host smtphm.sympatico.ca[65.54.xxx.xxx] said: 550 5.7.3 Requested action aborted; user not authenticated (in reply to MAIL FROM command))
Dec 15 09:14:39 localhost postfix/cleanup[23958]: B304422767C: message-id=
Dec 15 09:14:39 localhost postfix/qmgr[23408]: B304422767C: from=<>, size=3272, nrcpt=1 (queue active)
Dec 15 09:14:39 localhost postfix/qmgr[23408]: B1055227679: removed
Dec 15 09:14:39 localhost postfix/lmtp[23967]: B304422767C: to=, relay=localhost.localdomain[127.0.0.1], delay=0, status=sent (250 2.1.5 OK)
Dec 15 09:14:39 localhost postfix/qmgr[23408]: B304422767C: removed
Dec 15 09:20:02 localhost zimbramon[24871]: 24871:info: 2005-12-15 09:20:02, QUEUE: 0 0
marcmac
Elite member
Posts: 2091
Joined: Fri Sep 12, 2014 9:53 pm

Post by marcmac »

Do they require a CLIENT certificate? If not, you should be ok with just user/pass.
Cpoc
Posts: 15
Joined: Fri Sep 12, 2014 10:02 pm

Post by Cpoc »

I'm not sure. How can I tell? Because if I call the help desk they won't help me because I'm using linux.
They only support windblows os so they are useless. I'm sure most of the techs there would not even know that question.
I know it requires authentication because it's required in outlook setup. For the old smtp account no auth is required.
So what do I do, use the old smtp account?
I'll do some more searching and see what I can come up with.
marcmac
Elite member
Posts: 2091
Joined: Fri Sep 12, 2014 9:53 pm

Post by marcmac »

If they required a client cert, they would have provided you with one, so it's not likely that they do.
This is the error you logged:
Dec 15 09:14:39 localhost postfix/smtp[23964]: certificate verification failed for smtphm.sympatico.ca: num=20:unable to get local issuer certificate
Dec 15 09:14:39 localhost postfix/smtp[23964]: certificate verification failed for smtphm.sympatico.ca: num=27:certificate not trusted
Dec 15 09:14:39 localhost postfix/smtp[23964]: certificate verification failed for smtphm.sympatico.ca: num=21:unable to verify the first certificate
Am I correct in assuming that smtphm.sympatico.ca is the ISP's mailserver?
Try increasing the tls loglevel for smtp.
You might also try this:
debug_peer_list=smtphm.sympatico.ca
debug_peer_level=3
for more info.
Cpoc
Posts: 15
Joined: Fri Sep 12, 2014 10:02 pm

Post by Cpoc »

Disregard my last post. I got it working. After reading your post several times it got me thinking that it was my password file at fault all along.
smtphm.sympatico.ca is my ISP mail server that requires SASL to log in; the old server is smtp1.sympatico.ca, which does not require any auth to log in, everything is in the clear.
Now my password file was wrong because I did a copy and paste from a how-to guide I found googling.
Here is a snippet:
to use SASL we need a password file containing our user name and password for the server we are connecting to. Per Sympatico's instructions the server is smtphm.sympatico.ca.

cd /etc/postfix
mkdir sasl && cd sasl
echo "[smtphm.sympatico.ca] USERNAME@symaptico:PASSWORD" > passwd
postmap hash:passwd

The above creates the password file and the hash-based database file that Postfix uses. Of course replace USERNAME with your user name, and PASSWORD with your password (the email password, not the b1 password to access the Internet.)
Make sure in your main.cf you have configured your relayhost as: relayhost = [smtphm.sympatico.ca]
Finally, add the following lines to your main.cf file:

# Enable TLS/SASL for the smtphm.sympatico.ca server
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
tls_random_source = dev:/dev/urandom

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
smtp_sasl_security_options =

Everything was right except the brackets, which are not supposed to be used, and the typo that I did not notice even though I read the config file many times over: USERNAME@symaptico:PASSWORD

sympatico was misspelled and missing the .ca part
That is why I said before that it works with smtp1.sympatico.ca however that server does not use any auth so the password file is not used at all.
It goes to show sometimes how-to guides can be a bit off and are not always 100% correct. So after lots of pondering I figured it out.
Now I have another question. Can postfix use several smtp accounts?
Let me give an example. I have a few users that I'm setting up this server for and I am using the sympatico account for myself but others are using gmail accounts.
How can I set it up so that when I use zimbra client it uses smtphm.sympatico.ca and with the other users it uses smtp.gmail.com
This way zimbra will be transparent just like they were using hotmail for sympatico or gmail for their gmail accounts.
As for fetchmail I have the fetchmailrc file in the root account. Is that the best approach or should each user have their own fetchmailrc files in their home directory and set it all up via a cron job.
Thanks a lot marcmac, you have been a great help.
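A check for the two mistakes this post uncovered, written as an added example (not from the thread or the how-to it quotes): it compares a sasl/passwd entry against relayhost for host and bracket-form mismatches and flags a login whose domain is not the ISP's. The relayhost value and passwd lines are constructed samples; the bracket rule is the thread's Postfix 2.2.3 finding, taken here as an assumption, and the login-domain rule is a heuristic.

```python
import re

# Constructed samples: the relayhost from the thread, the broken passwd entry
# (bracketed key, misspelled domain) and a corrected one.
RELAYHOST = "smtphm.sympatico.ca"
BAD_PASSWD_LINE = "[smtphm.sympatico.ca] USERNAME@symaptico:PASSWORD"
GOOD_PASSWD_LINE = "smtphm.sympatico.ca USERNAME@sympatico.ca:PASSWORD"


def bare_host(nexthop: str) -> str:
    """Reduce a relayhost or lookup key such as '[host]:25' to 'host'."""
    value = nexthop.strip()
    if value.startswith("[") and "]" in value:
        return value[1:value.index("]")].lower()
    return value.split(":", 1)[0].lower()


def check_passwd_entry(relayhost: str, line: str) -> list:
    """Return a list of problems with one 'key login:password' entry.

    An empty list means the entry is consistent with relayhost. Assumption
    (the thread's finding on Postfix 2.2.3): the key must be written in the
    same form as relayhost, brackets included or omitted on both sides. The
    login-domain rule is a heuristic for ISP accounts of the form
    user@<ISP domain>, with the ISP domain taken as the last two labels of
    the relay host (sympatico.ca for smtphm.sympatico.ca).
    """
    problems = []
    parts = line.strip().split(None, 1)
    if len(parts) != 2 or ":" not in parts[1]:
        return ["entry must look like '<key> <login>:<password>'"]
    key, credential = parts
    login = credential.split(":", 1)[0]
    if bare_host(key) != bare_host(relayhost):
        problems.append(f"lookup key {key!r} names a different host than relayhost {relayhost!r}")
    elif key.startswith("[") != relayhost.strip().startswith("["):
        problems.append(f"lookup key {key!r} and relayhost {relayhost!r} differ in bracket form")
    isp_domain = ".".join(bare_host(relayhost).split(".")[-2:])
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", login)
    if not m:
        problems.append(f"login {login!r} is not of the form user@domain")
    elif m.group(1).lower() != isp_domain:
        problems.append(f"login domain {m.group(1)!r} is not the ISP domain {isp_domain!r}")
    return problems
```

Keep passwd and the postmap-generated passwd.db readable only by their owner, since they hold the relay credentials in the clear.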
Cpoc
Posts: 15
Joined: Fri Sep 12, 2014 10:02 pm

Post by Cpoc »

So now smtphm.sympatico.ca works, but it's still giving me this error in the logs:
Dec 15 14:38:25 localhost postfix/smtp[19438]: certificate verification failed for smtphm.sympatico.ca: num=20:unable to get local issuer certificate
Dec 15 14:38:25 localhost postfix/smtp[19438]: certificate verification failed for smtphm.sympatico.ca: num=27:certificate not trusted
Dec 15 14:38:25 localhost postfix/smtp[19438]: certificate verification failed for smtphm.sympatico.ca: num=21:unable to verify the first certificate
Dec 15 14:38:25 localhost postfix/smtp[19438]: Server certificate could not be verified
Dec 15 14:38:26 localhost postfix/smtp[19438]: 61A5F227679: to=, relay=smtphm.sympatico.ca[65.54.191.190], delay=2, status=sent (250 2.6.0 Queued mail for delivery)
Dec 15 14:38:26 localhost postfix/qmgr[19247]: 61A5F227679: removed

How can I fix the server certificate error, or does this not really matter?
marcmac
Elite member
Posts: 2091
Joined: Fri Sep 12, 2014 9:53 pm

Post by marcmac »

Either they're using a self-signed cert, or postfix doesn't have any CA files in its smtp_* area.
Look in the postconf(5) man page for how to install smtp CA files, which may fix the problem.
Unless you're really worried about the warnings, you can ignore them - they won't really affect the security of the transaction.
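The log excerpt earlier in this thread shows the ISP credentials being submitted right after the server certificate failed verification, which is the pattern a defender would want to detect: the TLS session was encrypted, but the peer's identity was never checked. The following is an added example, not from the thread: a parser over constructed log lines in the thread's format that pairs each postfix/smtp process's verification failures with the delivery that followed, and explains the num= codes, which are OpenSSL X509 verify error numbers.

```python
import re
from collections import defaultdict

# OpenSSL X509 verify error numbers that appear in the thread's log lines.
VERIFY_ERRORS = {
    20: "unable to get local issuer certificate (client has no CA file/path that covers the chain)",
    21: "unable to verify the first certificate (chain cannot be built past the server's own cert)",
    27: "certificate not trusted",
}

# Constructed sample in the format the thread shows (recipient is a placeholder).
SAMPLE_LOG = """\
Dec 15 14:38:25 localhost postfix/smtp[19438]: certificate verification failed for smtphm.sympatico.ca: num=20:unable to get local issuer certificate
Dec 15 14:38:25 localhost postfix/smtp[19438]: certificate verification failed for smtphm.sympatico.ca: num=27:certificate not trusted
Dec 15 14:38:25 localhost postfix/smtp[19438]: certificate verification failed for smtphm.sympatico.ca: num=21:unable to verify the first certificate
Dec 15 14:38:25 localhost postfix/smtp[19438]: Server certificate could not be verified
Dec 15 14:38:26 localhost postfix/smtp[19438]: 61A5F227679: to=<recipient@example.com>, relay=smtphm.sympatico.ca[65.54.191.190], delay=2, status=sent (250 2.6.0 Queued mail for delivery)
Dec 15 14:38:26 localhost postfix/qmgr[19247]: 61A5F227679: removed
"""

FAIL_RE = re.compile(r"postfix/smtp\[(\d+)\]: certificate verification failed for (\S+): num=(\d+):")
SENT_RE = re.compile(r"postfix/smtp\[(\d+)\]: ([0-9A-F]+): .*\brelay=([^\[\s,]+)\[.*\bstatus=(\w+)")


def unverified_deliveries(log_text: str) -> dict:
    """Map queue id -> (relay host, [verify error codes]) for messages that a
    postfix/smtp process delivered after logging verification failures for
    that same relay, i.e. deliveries that authenticated to an unverified peer."""
    pending = defaultdict(list)   # (smtp pid, relay host) -> error codes seen so far
    found = {}
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))].append(int(m.group(3)))
            continue
        m = SENT_RE.search(line)
        if m and m.group(4) == "sent" and (m.group(1), m.group(3)) in pending:
            found[m.group(2)] = (m.group(3), pending.pop((m.group(1), m.group(3))))
    return found


def explain(codes) -> list:
    """Human-readable meaning of each OpenSSL verify error number."""
    return [f"{c}: {VERIFY_ERRORS.get(c, 'unknown verify error')}" for c in codes]
```

Deliveries that this reports are the ones to fix by giving the Postfix SMTP client a CA file that covers the relay's chain, as the postconf(5) advice above describes.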