Thread: Getting smtp working with my ISP

  1. #1
    Join Date
    Dec 2005
    Posts
    15
    Rep Power
    9

    Default Getting smtp working with my ISP

    My problem lies with smtp and my ISP. It makes contact but the auth gets refused.

    Here is some of my main.cf in postfix:


    # Enable TLS/SASL for the myisp server

    smtp_tls_note_starttls_offer = yes
    tls_random_source = dev:/dev/urandom

    # SASL SUPPORT FOR SERVERS
    #
    # The following options set parameters needed by Postfix to enable
    # Cyrus-SASL support for authentication of mail servers.
    #
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/opt/zimbra/postfix-2.2.3/sasl/passwd
    smtp_sasl_security_options =

    smtp_use_tls = yes
    smtpd_tls_cert_file = /opt/zimbra/conf/smtpd.crt
    smtpd_tls_key_file = /opt/zimbra/conf/smtpd.key
    smtpd_tls_loglevel = 3

    content_filter = smtp-amavis:[127.0.0.1]:10024
    smtpd_sasl_auth_enable = yes
    smtpd_tls_auth_only = yes
    disable_dns_lookups = yes
    message_size_limit = 10240000

    relayhost = myisp


    The problem, I believe, lies in this section:

    smtpd_tls_cert_file = /opt/zimbra/conf/smtpd.crt
    smtpd_tls_key_file = /opt/zimbra/conf/smtpd.key

    I believe I have to provide my ISP's cert file and key.

    Here is some of zimbra.log:


    Dec 15 05:20:12 localhost postfix/smtp[13587]: certificate verification failed for myisp: num=20:unable to get local issuer certificate
    Dec 15 05:20:12 localhost postfix/smtp[13587]: certificate verification failed for myisp: num=27:certificate not trusted
    Dec 15 05:20:12 localhost postfix/smtp[13587]: certificate verification failed for myisp: num=21:unable to verify the first certificate
    Dec 15 05:20:12 localhost postfix/smtp[13587]: Server certificate could not be verified

    I am using myisp for my real ISP smtp account

    Here is another thing I don't understand when I start, stop postfix

    Dec 15 07:10:58 localhost postfix/postfix-script: warning: not owned by root: /opt/zimbra/postfix-2.2.3/conf/main.cf
    Dec 15 07:12:11 localhost postfix/postfix-script: stopping the Postfix mail system
    Dec 15 07:12:11 localhost postfix/master[3311]: terminating on signal 15
    Dec 15 07:12:27 localhost postfix/postfix-script: warning: not owned by root: /opt/zimbra/postfix-2.2.3/conf/main.cf
    Dec 15 07:12:27 localhost postfix/postfix-script: starting the Postfix mail system
    Dec 15 07:12:27 localhost postfix/master[1417]: daemon started -- version 2.2.3, configuration /opt/zimbra/postfix-2.2.3/conf

    If I change it to root, postfix changes back to zimbra zimbra.

    Any suggestions? I'm almost there to getting this fixed. So far fetchmail works perfectly and is supplying the proper certificates that I got from a how-to guide for my ISP.

    Do I use those same certificates with postfix?

  2. #2
    Join Date
    Sep 2005
    Posts
    2,103
    Rep Power
    14

    Default smtp auth

    Don't worry about the postfix warnings - those aren't affecting this issue.

    I believe that the smtp_ and smtpd_ config items are completely orthogonal - the first control how postfix behaves as a CLIENT, the second as a SERVER.

    So, the smtpd_ config keys control how postfix will interact with your desktop client, which I think you said was working fine - you can submit mail to the zimbra postfix mta, and it's accepted.

    The problem is that postfix can't submit email to the upstream mta at your ISP.

    I'll assume that the information in /opt/zimbra/postfix-2.2.3/sasl/passwd is correct - but did you remember to run postmap on the file?

    How does your ISP instruct you to set up smtp auth? Is it simply user/pass, or did they provide you with a client cert? (It's unlikely that they did).

    You may also try this:
    smtp_tls_enforce_peername=no in case there's a hostname mismatch.

    And, smtp_tls_loglevel may provide more info:
    smtp_tls_loglevel (default: 0)
    Enable additional Postfix SMTP client logging of TLS activity. Each logging level
    also includes the information that is logged at a lower logging level.

    0 Disable logging of TLS activity.

    1 Log TLS handshake and certificate information.

    2 Log levels during TLS negotiation.

    3 Log hexadecimal and ASCII dump of TLS negotiation process.

    4 Log hexadecimal and ASCII dump of complete transmission after STARTTLS.

    Use "smtp_tls_loglevel = 3" only in case of problems. Use of loglevel 4 is strongly
    discouraged.
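
An added example, not part of the thread: a small Python check of the client-side `smtp_` settings discussed above, flagging combinations that let SASL credentials travel over a link whose server certificate was never verified. `smtp_tls_CAfile`, `smtp_tls_CApath` and `smtp_enforce_tls` are standard Postfix SMTP client parameters that do not appear in the posts; the sample config and the finding labels are constructed for illustration.

```python
import re

# Constructed sample: the client-side (smtp_*) lines from the main.cf posted in
# this thread, plus the smtp_tls_enforce_peername change suggested in the reply.
SAMPLE_MAIN_CF = """\
# Enable TLS/SASL for the myisp server
smtp_tls_note_starttls_offer = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/opt/zimbra/postfix-2.2.3/sasl/passwd
smtp_sasl_security_options =
smtp_use_tls = yes
smtp_tls_enforce_peername = no
relayhost = myisp
"""

def parse_main_cf(text):
    """Return {parameter: value}; handles comments and continuation lines."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:          # continuation of previous value
            params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            last = name.strip()
            params[last] = value.strip()
    return params

def audit_smtp_client(params):
    """Flag settings that let SASL credentials cross an unauthenticated link."""
    findings = []
    sasl = params.get("smtp_sasl_auth_enable", "no") == "yes"
    enforce = params.get("smtp_enforce_tls", "no") == "yes"
    if not (params.get("smtp_tls_CAfile") or params.get("smtp_tls_CApath")):
        findings.append("no-ca: no smtp_tls_CAfile/smtp_tls_CApath, server cert cannot be verified")
    if sasl and not enforce:
        findings.append("opportunistic-tls: smtp_use_tls alone still delivers when verification fails")
    if params.get("smtp_tls_enforce_peername", "yes") == "no":
        findings.append("peername-off: certificate name is not matched against the relay host")
    opts = set(re.split(r"[,\s]+", params.get("smtp_sasl_security_options", "noplaintext,noanonymous")))
    if sasl and "noplaintext" not in opts and not enforce:
        findings.append("plaintext-sasl: PLAIN/LOGIN allowed without mandatory verified TLS")
    return findings
```

Run `audit_smtp_client(parse_main_cf(open(path).read()))` against a real main.cf; an empty list means none of the four conditions were found.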

  3. #3
    Join Date
    Dec 2005
    Posts
    15
    Rep Power
    9

    Default

    The passwd file and db file are working correctly because my ISP has 2 smtp accounts I can use. The one I'm having trouble with is the one that uses the auth and certificates. If I use the old one that sends passwords in the clear it works fine and I can send email outbound. The problem is my ISP is going to shut down that smtp account (this is what I hear) because they are converting all accounts to auth and ssl.

    My ISP requires a cert to be used because if you use outlook you need to check that option in order to send mail out.

    I'll give this a try
    smtp_tls_enforce_peername=no

    I'll also try
    smtp_tls_loglevel = 1

    If I can't figure this thing out I can always use the other smtp account which transmits everything in the clear, but I would rather fix this issue.

    My ISP is Bell Sympatico.
    Last edited by Cpoc; 12-15-2005 at 12:07 PM.

  4. #4
    Join Date
    Dec 2005
    Posts
    15
    Rep Power
    9

    Default

    OK, here is the log file concerning the email sent.

    alhost postfix/smtpd[23963]: disconnect from localhost.localdomain[127.0.0.1]
    Dec 15 09:14:38 localhost amavis[5587]: (05587-02) Passed CLEAN, LOCAL [127.0.0.1] [127.0.0.1] -> , Message-ID: <13961171.321134656075931.JavaMail.root@centos-zimbra>, mail_id: y74JdxWpRY1i, Hits: -5.899, 2580 ms
    Dec 15 09:14:38 localhost amavis[5587]: (05587-02) TIMING [total 2593 ms] - SMTP EHLO: 7 (0%)0, SMTP pre-MAIL: 3 (0%)0, lookup_ldap: 40 (2%)2, SMTP pre-DATA-flush: 4 (0%)2, SMTP DATA: 1 (0%)2, body_hash: 3 (0%)2, gen_mail_id: 2 (0%)2, mime_decode: 21 (1%)3, get-file-type1: 22 (1%)4, decompose_part: 1 (0%)4, parts_decode: 0 (0%)4, AV-scan-1: 302 (12%)16, spam-wb-list: 11 (0%)16, SA msg read: 1 (0%)16, SA parse: 2 (0%)16, SA check: 1994 (77%)93, update_cache: 5 (0%)93, deal_with_mail_size: 1 (0%)93, fwd-connect: 56 (2%)96, fwd-mail-from: 8 (0%)96, fwd-rcpt-to: 9 (0%)96, write-header: 6 (0%)96, fwd-data: 0 (0%)96, fwd-data-end: 45 (2%)98, fwd-rundown: 3 (0%)98, main_log_entry: 38 (1%)100, update_snmp: 4 (0%)100, unlink-1-files: 2 (0%)100, rundown: 0 (0%)100
    Dec 15 09:14:38 localhost postfix/smtp[23959]: 215CF22766F: to=, relay=127.0.0.1[127.0.0.1], delay=2, status=sent (250 2.6.0 Ok, id=05587-02, from MTA([127.0.0.1]:10025): 250 Ok: queued as B1055227679)
    Dec 15 09:14:38 localhost amavis[5587]: (05587-02) extra modules loaded: Net/LDAP/Bind.pm
    Dec 15 09:14:38 localhost amavis[5587]: (05587-02) load: 0 %, total idle 16564.977 s, busy 6.743 s
    Dec 15 09:14:38 localhost postfix/qmgr[23408]: 215CF22766F: removed
    Dec 15 09:14:39 localhost postfix/smtp[23964]: certificate verification failed for smtphm.sympatico.ca: num=20:unable to get local issuer certificate
    Dec 15 09:14:39 localhost postfix/smtp[23964]: certificate verification failed for smtphm.sympatico.ca: num=27:certificate not trusted
    Dec 15 09:14:39 localhost postfix/smtp[23964]: certificate verification failed for smtphm.sympatico.ca: num=21:unable to verify the first certificate
    Dec 15 09:14:39 localhost postfix/smtp[23964]: Server certificate could not be verified
    Dec 15 09:14:39 localhost postfix/smtp[23964]: B1055227679: to=, relay=smtphm.sympatico.ca[65.54.xxx.xxx], delay=1, status=bounced (host smtphm.sympatico.ca[65.54.xxx.xxx] said: 550 5.7.3 Requested action aborted; user not authenticated (in reply to MAIL FROM command))
    Dec 15 09:14:39 localhost postfix/cleanup[23958]: B304422767C: message-id=<20051215141439.B304422767C@centos-zimbra.gateway.clarkconnect.lan>
    Dec 15 09:14:39 localhost postfix/qmgr[23408]: B304422767C: from=<>, size=3272, nrcpt=1 (queue active)
    Dec 15 09:14:39 localhost postfix/qmgr[23408]: B1055227679: removed
    Dec 15 09:14:39 localhost postfix/lmtp[23967]: B304422767C: to=, relay=localhost.localdomain[127.0.0.1], delay=0, status=sent (250 2.1.5 OK)
    Dec 15 09:14:39 localhost postfix/qmgr[23408]: B304422767C: removed
    Dec 15 09:20:02 localhost zimbramon[24871]: 24871:info: 2005-12-15 09:20:02, QUEUE: 0 0

  5. #5
    Join Date
    Sep 2005
    Posts
    2,103
    Rep Power
    14

    Default certificate

    Do they require a CLIENT certificate? If not, you should be ok with just user/pass

  6. #6
    Join Date
    Dec 2005
    Posts
    15
    Rep Power
    9

    Default

    I'm not sure. How can I tell? Because if I call the help desk they won't help me because I'm using linux.

    They only support windblows OS so they are useless. I'm sure most of the techs there would not even know that question.

    I know it requires authentication because it's required in outlook setup. For the old smtp account no auth is required.

    So what do I do, use the old smtp account?

    I'll do some more searching and see what I can come up with.
    Last edited by Cpoc; 12-15-2005 at 01:59 PM.

  7. #7
    Join Date
    Sep 2005
    Posts
    2,103
    Rep Power
    14

    Default client cert

    If they required a client cert, they would have provided you with one, so it's not likely that they do.

    This is the error you logged:
    Dec 15 09:14:39 localhost postfix/smtp[23964]: certificate verification failed for smtphm.sympatico.ca: num=20:unable to get local issuer certificate
    Dec 15 09:14:39 localhost postfix/smtp[23964]: certificate verification failed for smtphm.sympatico.ca: num=27:certificate not trusted
    Dec 15 09:14:39 localhost postfix/smtp[23964]: certificate verification failed for smtphm.sympatico.ca: num=21:unable to verify the first certificate

    Am I correct in assuming that smtphm.sympatico.ca is the ISP's mailserver?

    Try increasing the tls loglevel for smtp.

    You might also try this:
    debug_peer_list=smtphm.sympatico.ca
    debug_peer_level=3

    for more info

  8. #8
    Join Date
    Dec 2005
    Posts
    15
    Rep Power
    9

    Default

    Disregard my last post. I got it working. After reading your post several times it got me thinking that it was my password file at fault all along.

    smtphm.sympatico.ca is my ISP mail server that requires sasl to log in. The old server is smtp1.sympatico.ca, which does not require any auth to log in; everything is in the clear.

    Now my password file was wrong because I did a copy and paste from a how-to guide I found googling.

    Here is a snippet:

    to use SASL we need a password file containing our user name and password for the server we are connecting to. Per Sympatico's instructions the server is smtphm.sympatico.ca.


    cd /etc/postfix
    mkdir sasl && cd sasl
    echo "[smtphm.sympatico.ca] USERNAME@symaptico:PASSWORD" > passwd
    postmap hash:passwd

    The above creates the password file and the hash-based database file that Postfix uses. Of course replace USERNAME with your user name, and PASSWORD with your password (the email password, not the b1 password to access the Internet.)

    Make sure in your main.cf you have configured your relayhost as: relayhost = [smtphm.sympatico.ca]

    Finally, add the following lines to your main.cf file:


    # Enable TLS/SASL for the smtphm.sympatico.ca server
    smtp_use_tls = yes
    smtp_tls_note_starttls_offer = yes
    tls_random_source = dev:/dev/urandom

    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
    smtp_sasl_security_options =


    Everything was right except the brackets, which are not supposed to be used, and the typo that I did not notice even though I read the config file many times over: USERNAME@symaptico:PASSWORD
    sympatico was misspelled and missing the .ca part.

    That is why I said before that it works with smtp1.sympatico.ca however that server does not use any auth so the password file is not used at all.

    It goes to show sometimes how-to guides can be a bit off and are not always 100% correct. So after lots of pondering I figured it out.

    Now I have another question. Can postfix use several smtp accounts?

    Let me give an example. I have a few users that I'm setting up this server for and I am using the sympatico account for myself but others are using gmail accounts.

    How can I set it up so that when I use zimbra client it uses smtphm.sympatico.ca and with the other users it uses smtp.gmail.com

    This way zimbra will be transparent just like they were using hotmail for sympatico or gmail for their gmail accounts.

    As for fetchmail, I have the fetchmailrc file in the root account. Is that the best approach, or should each user have their own fetchmailrc files in their home directory and set it all up via a cron job?

    Thanks a lot, marcmac, you have been a great help.

  9. #9
    Join Date
    Dec 2005
    Posts
    15
    Rep Power
    9

    Default

    So now smtphm.sympatico.ca works but it's still giving me this error in the logs.

    Dec 15 14:38:25 localhost postfix/smtp[19438]: certificate verification failed for smtphm.sympatico.ca: num=20:unable to get local issuer certificate
    Dec 15 14:38:25 localhost postfix/smtp[19438]: certificate verification failed for smtphm.sympatico.ca: num=27:certificate not trusted
    Dec 15 14:38:25 localhost postfix/smtp[19438]: certificate verification failed for smtphm.sympatico.ca: num=21:unable to verify the first certificate
    Dec 15 14:38:25 localhost postfix/smtp[19438]: Server certificate could not be verified
    Dec 15 14:38:26 localhost postfix/smtp[19438]: 61A5F227679: to=, relay=smtphm.sympatico.ca[65.54.191.190], delay=2, status=sent (250 2.6.0 <14952429.1001134675503699.JavaMail.root@centos-zimbra> Queued mail for delivery)
    Dec 15 14:38:26 localhost postfix/qmgr[19247]: 61A5F227679: removed


    How can I fix the server certificate error, or does this not really matter?
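
An added example, not part of the thread: a Python detection pass over Postfix logs that reports every delivery attempt an `smtp` process made straight after logging "Server certificate could not be verified", which is the situation in the excerpt above where the message was still handed to the relay. The sample lines are constructed from the posts (abbreviated; the 10:02 line is invented), and pairing events by PID is a heuristic assumption.

```python
import re

# Constructed sample, modelled on the log excerpts posted in this thread
# (queue IDs and PIDs copied from the posts; the 10:02 line is invented).
SAMPLE_LOG = """\
Dec 15 09:14:39 localhost postfix/smtp[23964]: certificate verification failed for smtphm.sympatico.ca: num=20:unable to get local issuer certificate
Dec 15 09:14:39 localhost postfix/smtp[23964]: Server certificate could not be verified
Dec 15 09:14:39 localhost postfix/smtp[23964]: B1055227679: to=, relay=smtphm.sympatico.ca[65.54.xxx.xxx], delay=1, status=bounced (host said: 550 5.7.3 user not authenticated)
Dec 15 10:02:11 localhost postfix/smtp[24001]: 0A1B2C3D4E5: to=, relay=127.0.0.1[127.0.0.1], delay=2, status=sent (250 Ok)
Dec 15 14:38:25 localhost postfix/smtp[19438]: certificate verification failed for smtphm.sympatico.ca: num=21:unable to verify the first certificate
Dec 15 14:38:25 localhost postfix/smtp[19438]: Server certificate could not be verified
Dec 15 14:38:26 localhost postfix/smtp[19438]: 61A5F227679: to=, relay=smtphm.sympatico.ca[65.54.191.190], delay=2, status=sent (250 2.6.0 Queued mail for delivery)
"""

LINE = re.compile(r"postfix/smtp\[(?P<pid>\d+)\]: (?P<msg>.*)$")
DELIVERY = re.compile(r"^(?P<qid>[0-9A-F]+): .*relay=(?P<relay>[^\[,]+)\[.*status=(?P<status>\w+)")

def unverified_deliveries(log_text):
    """Return (queue_id, relay, status) for each delivery attempt that the same
    smtp process logged right after failing to verify the server certificate."""
    unverified = set()      # PIDs whose current TLS session failed verification
    hits = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith("Server certificate could not be verified"):
            unverified.add(pid)
            continue
        d = DELIVERY.match(msg)
        if d:
            if pid in unverified:
                hits.append((d.group("qid"), d.group("relay"), d.group("status")))
            unverified.discard(pid)   # heuristic: the flag covers one session only
    return hits
```

Entries with status `sent` are the ones to act on: the message, and the SASL login before it, went to a server whose identity was not established.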

  10. #10
    Join Date
    Sep 2005
    Posts
    2,103
    Rep Power
    14

    Default per user auth

    Not sure if you can use per-user auth - you can use per-site auth (see postconf(5) man page) but I don't know if you can have it switch sites based on the user
