Carbonio Mail Relay multiple domains and multiple username and password

(@westofsa), topic starter

I am posting this as I have not been able to find a single document that explains how to do this, and I managed to figure it out using multiple documents and lots of trial and error. Hopefully someone else might find it useful (or I will be able to reference it again in the future).

I am by no means an expert, so maybe there is another way to handle some of this, but this worked for me.

References

Relay per domain - removed link

Outgoing SMTP Authentication - removed link

Overview

My use case: I have multiple domains on a single Carbonio Mail Server that I host from my home using dynamic DNS. As with many external mail servers, they require certain security measures to be in place and in some cases will validate your PTR records, which would not match. As a result, you may need to relay your email through a mail relay service.

My DNS hosting provider offers a mail relay service, which requires both a username and a password; however, the mail relay was different for each of the domains, making it necessary to set different mail relays with their own usernames and passwords.

I found that, to achieve what I needed, I had to refer to multiple documents that got me part of the way but not all of the way.

If you only need to relay through a single host for a single domain, this document also applies, or you can follow one of the reference docs; just don't add the extra domains and relay servers.

File paths are updated for the Zextras directory structure, assuming it is installed under the /opt directory.

 

When you need to route all outgoing mail through your ISP's MTA, and that MTA requires you to authenticate, certain Postfix settings are required.

 

For this example, we will use

 

    smtp-relay.example<x>.com as the outgoing relay,

    # as the port number (often 25 or 587),

    username<x> as the authentication user,

    password as the password.

 

The outbound destination should be the relay's canonical hostname. Postfix searches the password map first by the server's hostname and then by the next-hop destination as written in the relay map; with smtp_cname_overrides_servername set to yes, that hostname is the CNAME's target rather than the alias you configured, so a password entry keyed on the alias would not match. The setting applied further down turns that override off, but keying both maps on the canonical name works either way.

 

Example: see Outgoing SMTP Authentication - removed link

 

If the outbound relay server your ISP gives you is mailout.example.com, that may not be the actual name of the server but rather an alias; the canonical name may be smtp.differentname.com.

Check it with nslookup and use the canonical name as your mail relay. You can do the lookup from your regular PC, as it should produce the same results.

 

You must run the following as the Zextras user:

su - zextras

Relay per Domain

Take a backup of ' removed link ' and open it with your favorite editor. Look for "SECTION mta" and add the following line.

POSTCONF sender_dependent_relayhost_maps    FILE postfix_sender_dependent_relayhost_maps.cf

 

Note: do not add anything containing "#" to this file, as it causes issues.

cat >> removed link <<EOF

lmdb:/opt/zextras/common/conf/relay_domain_conf

EOF

:NOTE: For the relay servers, the port can also be specified if preferred, e.g. smtp-relay.example1.com:<port>. Postfix treats a bare hostname as a domain and looks up its MX records first; write it as [smtp-relay.example1.com]:<port> to connect to that host directly without the MX lookup (the password map lookup by hostname still matches the bare name).

 

cat >> /opt/zextras/common/conf/relay_domain_conf << EOF

@domain1.com     smtp-relay.example1.com

@domain2.com     smtp-relay.example2.com

@domain3.com     smtp-relay.example3.com

EOF

 

  • Create a postfix Relay domain lookup table

 

postmap /opt/zextras/common/conf/relay_domain_conf

 

  • Restart the MTA service, or wait: zmconfigd picks up this configuration on its next poll.

 

Enabling SMTP Authentication

 

  • Setting up the Relay Host.

 

:NOTE - If only a single relay host is being used, perform this next step; it routes all mail via that host.

If you have multiple relays based on sending domain, you may choose to skip this step.

Set the relay host in the admin console, MTA tab to point to your ISPs outgoing mail server. Your ISP can tell you the proper value for this.

 

You may have to set the port, as well. From the command line:

 

zmprov ms server.domain.com zimbraMtaRelayHost mailrelay.example.com

or

zmprov ms server.domain.com zimbraMtaRelayHost mailrelay.example.com:<port>

 

  • Create the relay password file. It holds credentials in the clear, so keep it (and the .lmdb table postmap builds from it) readable only by the zextras user.

 

cat >> /opt/zextras/conf/relay_password << EOF

smtp-relay.example1.com username1:password

smtp-relay.example2.com username2:password

smtp-relay.example3.com username3:password

EOF

 

  • Create a Postfix lookup table (the command below reads the file above and creates an LMDB file in the same directory):

 

postmap /opt/zextras/conf/relay_password

 

  • To test that the lookup table is correct, the following should return username<x>:password:

 

postmap -q smtp-relay.example<x>.com /opt/zextras/conf/relay_password

 

  • Configure postfix to use the new password map. The table type must match the file postmap created, so lmdb: rather than hash:. The zmprov setting is the one that persists, because zmconfigd regenerates main.cf from LDAP and overwrites manual postconf changes to the keys it manages:

 

postconf -e smtp_sasl_password_maps=lmdb:/opt/zextras/conf/relay_password

zmprov ms <server> zimbraMtaSmtpSaslPasswordMaps lmdb:/opt/zextras/conf/relay_password

 

  • Enable SASL authentication in the postfix SMTP client (this is SASL, not SSL; TLS is enabled separately below):

 

postconf -e smtp_sasl_auth_enable=yes

zmprov ms <server> zimbraMtaSmtpSaslAuthEnable yes

 

  • Configure postfix to use the outgoing servername rather than the canonical server name:

 

postconf -e smtp_cname_overrides_servername=no

zmprov ms <server> zimbraMtaSmtpCnameOverridesServername no

 

 

  • Restart postfix:

 

postfix reload or wait for it to automatically update within 2 minutes.

Enable TLS

 

By default, Carbonio should already be using TLS; the setting can be viewed in the MTA fields of the Admin Console. Note that the level may is opportunistic: Postfix uses STARTTLS when the relay offers it and otherwise falls back to an unencrypted session, in which PLAIN/LOGIN credentials cross the wire in the clear.

 

As zextras user:

 

postconf -e smtp_tls_security_level=may

 

zmprov ms <server> zimbraMtaSmtpTlsSecurityLevel may

 

postfix reload or wait for it to automatically update within 2 minutes.

 

Troubleshooting

 

After sending a test message, check the Log Files for the error:

 

tail -f removed link

(once the error has been captured, press CTRL+C to exit and stop the tail, so you can view the log without more lines being added)

 

(Authentication failed: cannot SASL authenticate to server ...: no mechanism available)

 

You can fix this problem by tweaking the auth mechanisms that postfix is willing to use. First check what auth mechanism postfix is configured to use - by default, you will see:

 

postconf smtp_sasl_security_options

smtp_sasl_security_options = noplaintext, noanonymous

 

Since noplaintext is present, postfix will refuse to use a mechanism that sends the password in the clear. If your upstream relay host only supports the PLAIN or LOGIN mechanisms (both of which send the password in the clear unless TLS protects the session), you have to remove noplaintext from smtp_sasl_security_options.

 

To see whether your upstream relay expects passwords in the clear, enable higher-level logging by setting the following flags and reloading postfix (replace mailrelay.example.com with your relay name). This increases what is logged for the SMTP auth transaction. For more information, read man 5 postconf.

 

postconf -e debug_peer_list=mailrelay.example.com

postconf -e debug_peer_level=3

postfix reload

 

The log file removed link will contain something like the following:

 

Aug  3 17:50:19 mailserver_name postfix/smtp[7273]: smtp_sasl_authenticate: mailrelay.example.com[000.000.000.000]:25: SASL mechanisms PLAIN LOGIN

 

To remove the noplaintext option, do the following. Caveat: smtp_sasl_tls_security_options defaults to $smtp_sasl_security_options, so this relaxation applies to encrypted and unencrypted sessions alike; where the relay supports STARTTLS, the tighter alternative is to keep noplaintext here and set noanonymous only in smtp_sasl_tls_security_options, so that PLAIN/LOGIN are offered only inside TLS.

 

postconf -e smtp_sasl_security_options=noanonymous

zmprov ms <mailserver> zimbraMtaSmtpSaslSecurityOptions noanonymous

postfix reload

 

Once testing is complete, remember to set the debug level back to 1 (the minimum), and clear debug_peer_list as well; with no peers listed, the extra logging stops entirely.

 

postconf -e debug_peer_level=1

postfix reload

 

Hope that helps. If you are a genius and have better suggestions, for the benefit of someone else, I assume you can weigh in.


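Added example (not from the original post or from Carbonio/Postfix): a shell check for the two maps the post builds, relay_domain_conf (sender domain to relay host) and relay_password (relay host to username:password). It reports any relay that has no credential, and a password file that is readable by group or others. The sample map contents below are constructed for the example and deliberately leave one relay without a credential; the lookup order it mimics (server hostname first, then the next-hop destination exactly as written in the relay map) is how the Postfix SMTP client searches smtp_sasl_password_maps, which the post does not spell out. File names follow the post; paths are a temporary directory so the script runs anywhere.

```sh
#!/bin/sh
# Consistency check for the two Postfix maps built in the post:
#   relay_domain_conf  (sender domain -> relay host[:port])   sender_dependent_relayhost_maps
#   relay_password     (relay host -> username:password)      smtp_sasl_password_maps
# Sample contents are constructed for this example; the third relay has no
# credential on purpose so the check has something to report.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/relay_domain_conf" <<'EOF'
@domain1.com     smtp-relay.example1.com
@domain2.com     smtp-relay.example2.com:587
@domain3.com     [smtp-relay.example3.com]:587
EOF

cat > "$WORK/relay_password" <<'EOF'
smtp-relay.example1.com username1:password
smtp-relay.example2.com username2:password
EOF
chmod 600 "$WORK/relay_password"   # credentials in the clear: owner-only access

# Reduce "host", "host:port", "[host]" or "[host]:port" to the bare hostname.
# (IPv6 literals are not handled; the post only uses hostnames.)
relay_host() {
    printf '%s\n' "$1" | sed -e 's/^\[\([^]]*\)].*$/\1/' -e 's/:[^:]*$//'
}

# Mimic the Postfix SMTP client's search of smtp_sasl_password_maps: the
# server hostname first, then the next-hop destination exactly as written in
# the relayhost map. Prints the username:password entry; returns 1 if none.
passwd_entry() {            # $1 = relay destination, $2 = password map
    awk -v h="$(relay_host "$1")" -v d="$1" '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        $1 == h || $1 == d   { print $2; found = 1; exit }
        END                  { exit found ? 0 : 1 }
    ' "$2"
}

# Report every relay in the relayhost map without a credential, and a password
# map readable by group or others. Returns the number of problems found.
check_relay_maps() {        # $1 = relayhost map, $2 = password map
    problems=0
    while read -r sender relay _; do
        case "$sender" in ''|'#'*) continue ;; esac
        if ! passwd_entry "$relay" "$2" >/dev/null; then
            echo "MISSING credential for $relay (used by $sender)"
            problems=$((problems + 1))
        fi
    done < "$1"
    perms="$(ls -ld "$2" | cut -c5-10)"
    if [ "$perms" != "------" ]; then
        echo "UNSAFE permissions on $2: $(ls -ld "$2" | cut -c1-10) (want -rw-------)"
        problems=$((problems + 1))
    fi
    return "$problems"
}

if check_relay_maps "$WORK/relay_domain_conf" "$WORK/relay_password"; then
    echo "relay maps are consistent"
else
    echo "$? problem(s) found; fix them, then re-run postmap on both files"
fi
```

On a live server, point check_relay_maps at /opt/zextras/common/conf/relay_domain_conf and /opt/zextras/conf/relay_password as the zextras user before running postmap; a relay written with a port or in brackets still matches a password entry keyed on the bare hostname, which is why the post's password file needs no port suffixes.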
   
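Added example (not from the original post or from Postfix): a shell walk-through of the "no mechanism available" failure in the troubleshooting section. It pulls the mechanisms the relay advertised out of a "SASL mechanisms" debug line and applies the smtp_sasl_security_options rules the post discusses (noplaintext excludes PLAIN and LOGIN, noanonymous excludes ANONYMOUS), so you can see why "noplaintext, noanonymous" leaves nothing usable against a PLAIN/LOGIN-only relay and what "noanonymous" alone permits. The log excerpt is constructed in the shape the post shows; hostname, pid and address are placeholders. The other security options Postfix knows (noactive, nodictionary, mutual_auth, forward_secrecy) are deliberately not modelled.

```sh
#!/bin/sh
# Constructed log excerpt in the shape shown in the troubleshooting section
# (host, pid and IP are placeholders, not a real capture).
LOG_SAMPLE='Aug  3 17:50:19 mailserver_name postfix/smtp[7273]: smtp_sasl_authenticate: mailrelay.example.com[203.0.113.10]:25: SASL mechanisms PLAIN LOGIN
Aug  3 17:50:19 mailserver_name postfix/smtp[7273]: Authentication failed: cannot SASL authenticate to server mailrelay.example.com[203.0.113.10]: no mechanism available'

# Extract the mechanism list the relay advertised (last "SASL mechanisms"
# line in the input, as produced once debug_peer_level is raised).
offered_mechs() {           # $1 = log text
    printf '%s\n' "$1" | sed -n 's/.*SASL mechanisms //p' | tail -n 1
}

# Apply smtp_sasl_security_options to an offered list: noplaintext drops
# PLAIN and LOGIN (password readable on the wire unless TLS protects the
# session), noanonymous drops ANONYMOUS. Other options are not modelled.
usable_mechs() {            # $1 = smtp_sasl_security_options, $2 = offered mechanisms
    opts="$(printf '%s' "$1" | tr ',' ' ')"
    out=""
    for m in $2; do
        keep=yes
        for o in $opts; do
            case "$o:$m" in
                noplaintext:PLAIN|noplaintext:LOGIN) keep=no ;;
                noanonymous:ANONYMOUS)               keep=no ;;
            esac
        done
        if [ "$keep" = yes ]; then out="${out:+$out }$m"; fi
    done
    printf '%s\n' "$out"
}

# Verdict for one configuration: prints what Postfix could use and returns 1
# when nothing remains, which is when it logs "no mechanism available".
check_auth() {              # $1 = smtp_sasl_security_options, $2 = log text
    offered="$(offered_mechs "$2")"
    usable="$(usable_mechs "$1" "$offered")"
    if [ -n "$usable" ]; then
        echo "relay offers [$offered]; with '$1' Postfix can use: $usable"
        return 0
    fi
    echo "relay offers [$offered]; with '$1' no mechanism is allowed"
    return 1
}

# The default from the post, then the relaxed setting it ends up with.
check_auth 'noplaintext, noanonymous' "$LOG_SAMPLE" ||
    echo "-> drop noplaintext, or keep it and relax only smtp_sasl_tls_security_options so PLAIN/LOGIN run inside TLS"
check_auth 'noanonymous' "$LOG_SAMPLE"
```

Feed check_auth the output of postconf -h smtp_sasl_security_options and a grep of the MTA log for "SASL mechanisms" to reproduce the decision on a live server; a relay that also advertises CRAM-MD5 or SCRAM keeps working with noplaintext in place, which is the case worth checking before relaxing the option.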