Thread: Enabling outbound TLS not working

  1. #1
    Join Date
    Feb 2008
    Location
    Urbana-Champaign, IL
    Posts
    68
    Rep Power
    7

    Default Enabling outbound TLS not working

    Hi,

    I'm having problems sending encrypted mail from Zimbra to our SMTP relay
    server specified by zimbraMtaRelayHost.

    I've tried the settings in

    Outgoing SMTP Authentication - Zimbra :: Wiki
    http://www.zimbra.com/forums/adminis...o-domains.html

    and a bunch of other stuff. Enabling session logging on the SMTP server shows that
    Zimbra just ignores the STARTTLS option entirely (there are no attempts to use it).
    checktls.com says that the relay is set up well, and other servers can send mail to
    that system without any problems.

    We are *not* requiring SMTP AUTH; we just want TLS. Does anyone have any
    ideas for our Zimbra 7.2.4 server? Even enabling smtp_tls_note_starttls_offer
    doesn't log anything.

    Thanks for any help!

  2. #2
    Join Date
    Dec 2009
    Location
    Michigan
    Posts
    454
    Rep Power
    5

    Default

    Ben Franklin quote:

    "Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety."

  3. #3
    Join Date
    Feb 2008
    Location
    Urbana-Champaign, IL
    Posts
    68
    Rep Power
    7

    Default

    Quote Originally Posted by lytledd
    Hi Doug,

    I did try that too, but also had no joy (I didn't link to it because the forums were down when I composed my forum posting offline).

    Code:
    [zimbra@zimbra ~]$ postconf smtp_tls_policy_maps smtp_tls_note_starttls_offer
    smtp_tls_policy_maps = hash:/opt/zimbra/conf/zimbra_tls_policy.cf
    smtp_tls_note_starttls_offer = yes
    
    [zimbra@zimbra ~]$ postmap -q example.com ~/conf/zimbra_tls_policy.cf
    encrypt  protocols=SSLv3:TLSv1
    If I send a mail to foo@example.com (not really, but you get the idea) then it shows up at that
    address, but TLS was not used. Enabling session logging on the sendmail server shows that
    STARTTLS was offered as an option in the ESMTP response to an EHLO command, but
    postfix just ignores it. There's no mention of it anywhere in the logs.

    I miss the simplicity of sendmail.

    Did you have to tweak anything else to get it to work?

    Thanks!

  4. #4
    Join Date
    Dec 2009
    Location
    Michigan
    Posts
    454
    Rep Power
    5

    Default

    No, I didn't have to do anything special other than following the instructions I linked to.

    Doug

  5. #5
    Join Date
    Feb 2008
    Location
    Urbana-Champaign, IL
    Posts
    68
    Rep Power
    7

    Default

    Well, I figured out why it's not working. Duh. I'm setting zimbraMtaRelayHost *AND* zimbraSmtpHostname because all mail needs to be processed by that external relay. That means that the messages aren't going into postfix, so it really doesn't matter what I set the postfix client settings to for the most part. Zimbra is opening a direct connection to that remote relay server instead.

    Is there any way to force encryption to the zimbraMtaRelayHost from within Zimbra? Or am I stuck using stunnel or something and setting it to a weird port on localhost?

    Thanks!

  6. #6
    Join Date
    Feb 2008
    Location
    Urbana-Champaign, IL
    Posts
    68
    Rep Power
    7

    Default

    FWIW, stunnel was the route that I ended up taking. I set stunnel to listen on port 9125 and forwarded to port 465 on the relay server. Then I set

    Code:
    zimbraSmtpPort 9125
    zimbraSmtpHostname localhost
    zimbraMtaRelayHost localhost:9125

    TCP wrappers were set (and iptables too) to only allow connections from the Zimbra server and not the outside world.

    If it's possible, I'd still love to see this functionality built into Zimbra so that I have one less daemon/service to configure and worry about.
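An stunnel client configuration matching the setup described in #6, added here as an illustration (it is not from the original thread or from Zimbra): it listens only on 127.0.0.1:9125, forwards to the relay's port 465, and verifies the relay's certificate, which the post does not mention. The relay hostname, file paths and CA bundle location are assumptions.

```ini
; Added example, not from the thread. Relay hostname, paths and the CA
; bundle location are assumptions; adjust to your distribution.
; Save as /etc/stunnel/zimbra-relay.conf and start with:
;   stunnel /etc/stunnel/zimbra-relay.conf
setuid = stunnel
setgid = stunnel
pid = /var/run/stunnel/zimbra-relay.pid
debug = 5
output = /var/log/stunnel/zimbra-relay.log

[zimbra-relay]
; Act as a TLS client: plaintext in from Zimbra, TLS out to the relay.
client = yes
; Bind to loopback only, so TCP wrappers and iptables are a second layer
; rather than the only thing keeping the outside world off port 9125.
accept = 127.0.0.1:9125
; The relay's implicit-TLS (SMTPS) port, as in the post.
connect = relay.example.com:465
; Require a certificate that chains to a trusted CA. Without this stunnel
; encrypts the session but does not authenticate the relay.
verify = 2
CAfile = /etc/ssl/certs/ca-certificates.crt
; Refuse the legacy protocol versions.
options = NO_SSLv2
options = NO_SSLv3
; Also check the hostname in the certificate (stunnel 5.00 and later only;
; remove this line on stunnel 4.x, which rejects unknown options).
checkHost = relay.example.com
```

With this in place the three Zimbra settings from the post point at localhost:9125, and a plaintext connection to 127.0.0.1:9125 should return the relay's SMTP banner while the relay's session log shows a TLS session.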
