Supporting SPA and TLS for SMTP relaying
I've solved my own problem but feel that this should be fixed in the system.
The problem that I was having is that we wanted to allow for authenticated clients to relay email/smtp traffic through the Zimbra server. We have clients using Outlook and Thunderbird. The problem is that Outlook only supports SPA and Thunderbird only supports TLS.
I originally set up the Zimbra server and, on the MTA tab, I checked "Enable authentication" as well as "TLS authentication only". Thunderbird clients were just ducky, but Outlook didn't work. When I unchecked "TLS authentication only", Outlook worked with SPA, but Thunderbird would only work without any security, so usernames/passwords are being transmitted in clear text.
I dug into the configuration files and found in /opt/zimbra/conf/zmmta.cf the line:
POSTCONF smtpd_use_tls VAR zimbraMtaTlsAuthOnly
The issue is that TLS is disabled when "TLS Auth Only" is disabled. TLS should still be an optional service available in the application regardless of whether TLS is enforced.
What I did to remedy the situation was to add a bang (!) to toggle the boolean setting for smtpd_use_tls, since I knew that zimbraMtaTlsAuthOnly was false. I would prefer using a true/false, yes/no, 1/0 but am not sure what the proper value should be.
POSTCONF smtpd_sasl_auth_enable VAR zimbraMtaAuthEnabled
POSTCONF smtpd_tls_auth_only VAR zimbraMtaTlsAuthOnly
POSTCONF smtpd_use_tls VAR !zimbraMtaTlsAuthOnly
I would appreciate feedback to confirm that I am correct in this functionality.
My recommendation is that in the GUI for the MTA tab, if authentication is enabled, there be a radio button selection with the options: SPA only, TLS Only, SPA or TLS Only, No security required.
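The three states described in the post, checked from the resulting Postfix settings (an added example, not part of the original post or of Zimbra's own code). It classifies `postconf -n` style output by whether SMTP AUTH can be reached without TLS; Postfix itself writes booleans as yes/no. Assumptions: the function names, status labels and sample outputs are constructed for illustration, and smtpd_tls_security_level is a Postfix parameter not mentioned in the post that overrides smtpd_use_tls when set.

```python
import re

# Constructed `postconf -n` style samples for the three states in the post.
SAMPLES = {
    "tls_auth_only_checked": (
        "smtpd_sasl_auth_enable = yes\nsmtpd_tls_auth_only = yes\nsmtpd_use_tls = yes\n"),
    "unchecked_original_mapping": (
        "smtpd_sasl_auth_enable = yes\nsmtpd_tls_auth_only = no\nsmtpd_use_tls = no\n"),
    "unchecked_with_bang": (
        "smtpd_sasl_auth_enable = yes\nsmtpd_tls_auth_only = no\nsmtpd_use_tls = yes\n"),
}

def parse_postconf(text):
    """Parse 'name = value' lines into a dict; other lines are ignored."""
    params = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$", line)
        if m:
            params[m.group(1)] = m.group(2)
    return params

def is_yes(params, name):
    # `postconf -n` omits defaults; all three booleans default to "no".
    return params.get(name, "no").lower() == "yes"

def classify(text):
    """Return a (hypothetical) label for how SMTP AUTH is exposed."""
    p = parse_postconf(text)
    if not is_yes(p, "smtpd_sasl_auth_enable"):
        return "auth-disabled"
    level = p.get("smtpd_tls_security_level", "")
    if level == "encrypt":
        return "auth-requires-tls"      # TLS is mandatory for the whole session
    # A non-empty security level overrides the older smtpd_use_tls switch.
    tls_offered = (level == "may") if level else is_yes(p, "smtpd_use_tls")
    auth_only = is_yes(p, "smtpd_tls_auth_only")
    if tls_offered and auth_only:
        return "auth-requires-tls"      # AUTH is offered only after STARTTLS
    if tls_offered:
        return "tls-optional"           # STARTTLS offered, AUTH also allowed without it
    if auth_only:
        return "auth-unavailable"       # AUTH needs TLS, but TLS is never offered
    return "cleartext-only"             # no STARTTLS; AUTH runs unencrypted

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name}: {classify(sample)}")
```

On a live server the same check can be fed the real output of `postconf -n`; a "tls-optional" result still depends on each client being configured to use STARTTLS.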