Zimbra doesn't send mail via smtp relay anymore
As others pointed out, your SMTP relay has probably changed something. Looks like they changed their advertised authentication mechanisms.
I don't know if swaks tells you which authentication mechanism it used in its output, but you could try specifying an auth-type and see if you get through.
The parameter for digest-md5 would be:
swaks -s smtp.strato.de -tls -p 587 -f [email protected] -t [email protected] -a digest-md5 -au [email protected] -ap xxxxxx
See swaks man page for other auth-types (like SCRAM-SHA1).
In the Zimbra main.cf you can specify the auth-type by setting the following parameter (which is empty in your config):
smtp_sasl_mechanism_filter = digest-md5
If that doesn't help, maybe you are missing a package on your system.
Broco
System administrator and web-developer. Kind of a jack of all trades for a company specialized in work safety and environmental protection.
Updated on September 18, 2022
Comments
-
Broco almost 2 years
Our Zimbra-Server isn't working for outgoing external mail since yesterday. Friday I installed some updates (for shell shock and Kernel updates), restarted and it worked fine. But since yesterday sending mail to external recipients stopped working. Internal mail (which doesn't use the relay-MTA) works.
Since I didn't change any settings I checked the remote server (Strato) with swaks and it worked:
swaks -s smtp.strato.de -tls -p 587 -f [email protected] -t [email protected] -a -au [email protected] -ap xxxxxx
The same credentials as listed with -au and -ap are listed in /opt/zimbra/conf/relay_password
When sending a mail via Zimbra I get the following from /var/log/zimbra.log:
Oct 2 09:00:10 server postfix/smtp[8144]: 3952465A24A: to=<[email protected]>, relay=smtp.strato.de[81.169.145.133]:587, delay=0.55, delays=0.27/0.01/0.26/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.strato.de[81.169.145.133]: bad protocol / cancel)
Zimbra main.cf
mail_owner = postfix
bounce_notice_recipient = postmaster
content_filter = smtp-amavis:[127.0.0.1]:10024
smtp_sasl_security_options = noanonymous
relayhost = smtp.strato.de:587
virtual_alias_expansion_limit = 10000
smtpd_sasl_authenticated_header = no
smtp_helo_name = $myhostname
broken_sasl_auth_clients = yes
minimal_backoff_time = 300s
sender_canonical_maps = proxy:ldap:/opt/zimbra/conf/ldap-scm.cf
always_add_missing_headers = yes
smtpd_tls_key_file = /opt/zimbra/conf/smtpd.key
smtpd_helo_required = yes
virtual_transport = error
sendmail_path = /opt/zimbra/postfix/sbin/sendmail
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_mynetworks, reject_unlisted_recipient, reject_non_fqdn_sender, permit
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_reject_unlisted_recipient = no
bounce_queue_lifetime = 5d
smtp_sasl_mechanism_filter =
local_header_rewrite_clients = permit_mynetworks,permit_sasl_authenticated
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_milters =
smtpd_tls_security_level = may
smtpd_sender_restrictions = check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re
lmtp_host_lookup = dns
delay_warning_time = 0h
header_checks =
queue_run_delay = 300s
virtual_mailbox_maps = proxy:ldap:/opt/zimbra/conf/ldap-vmm.cf
notify_classes = resource,software
command_directory = /opt/zimbra/postfix/sbin
smtpd_client_restrictions = reject_unauth_pipelining
smtpd_tls_auth_only = yes
virtual_alias_maps = proxy:ldap:/opt/zimbra/conf/ldap-vam.cf
mailq_path = /opt/zimbra/postfix/sbin/mailq
smtpd_banner = $myhostname ESMTP $mail_name
mynetworks = 127.0.0.0/8 192.168.117.0/24 [::1]/128 [fe80::]/64
lmtp_connection_cache_time_limit = 4s
transport_maps = proxy:ldap:/opt/zimbra/conf/ldap-transport.cf
virtual_alias_domains = proxy:ldap:/opt/zimbra/conf/ldap-vad.cf
smtpd_sasl_auth_enable = yes
smtpd_tls_loglevel = 1
maximal_backoff_time = 4000s
virtual_mailbox_domains = proxy:ldap:/opt/zimbra/conf/ldap-vmd.cf
inet_protocols = ipv4
non_smtpd_milters =
daemon_directory = /opt/zimbra/postfix/libexec
smtp_tls_security_level =
alias_maps = hash:/etc/aliases
setgid_group = postdrop
smtp_cname_overrides_servername = no
mydestination = localhost
smtpd_end_of_data_restrictions =
import_environment =
myhostname = mail.example.com
message_size_limit = 1048576000
recipient_delimiter =
in_flow_delay = 1s
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
queue_directory = /opt/zimbra/data/postfix/spool
propagate_unmatched_extensions = canonical
manpage_directory = /opt/zimbra/postfix/man
smtp_fallback_relay =
smtpd_tls_cert_file = /opt/zimbra/conf/smtpd.crt
smtp_sasl_password_maps = hash:/opt/zimbra/conf/relay_password
lmtp_connection_cache_destinations =
newaliases_path = /opt/zimbra/postfix/sbin/newaliases
smtp_sasl_auth_enable = yes
mailbox_size_limit = 0
disable_dns_lookups = no
It's Zimbra 8.04. Any hints?
Edit: With a higher loglevel, this is what I get from zimbra.log after sending a mail:
Oct 2 09:26:51 server postfix/smtp[21000]: warning: SASL authentication failure: ServerSignature expected in SCRAM-SHA-1 input
-
Jenny D over 9 years
Were any changes made on the remote server around that time? Could you get hold of the matching logs from that side?
-
Broco over 9 years
No, the remote server is hosted by a big service provider in Germany, the only logs I can get are those from our server. Since swaks says that the sasl authentication works I guess it's something on our side but we didn't change any settings...
-
Jenny D over 9 years
It would appear that the service provider has changed something. You need to contact their support center. Also, when you run swaks, you need to make sure you're using the same kind of authentication as your Zimbra installation is using (in this case, SCRAM-SHA-1), or the result will be inconclusive. And the config you posted shows how your server handles incoming connections, not how it works when it acts as a client.
Broco over 9 years
You are right, they set up scram-sha-1 to default. I fixed it using
zmlocalconfig -e postfix_smtp_sasl_mechanism_filter=plain,login
-
Broco over 9 years
Yep, they changed it, that was the problem. Fixed it using
zmlocalconfig -e postfix_smtp_sasl_mechanism_filter=plain,login
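An added example, not part of any post above: it shows how a mechanism filter such as the answer's `digest-md5` or the fix's `plain,login` narrows the list a relay advertises, and flags the case where only PLAIN/LOGIN (password merely base64-encoded) remain on a session without TLS, which matters here because the posted config leaves `smtp_tls_security_level` empty. The function names and the EHLO reply are constructed for illustration, and the filter handling assumes a plain list of names only.

```python
import re

# Mechanisms that put the password on the wire in recoverable form (base64 only).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

def advertised_mechanisms(ehlo_reply):
    """Collect SASL mechanisms from the AUTH line(s) of an EHLO reply.

    Accepts both "250-AUTH A B" and the legacy "250-AUTH=A B" form.
    """
    mechs = []
    for line in ehlo_reply.splitlines():
        m = re.match(r"250[- ]AUTH[ =](.*)$", line.strip(), re.IGNORECASE)
        if m:
            for name in m.group(1).split():
                if name.upper() not in mechs:
                    mechs.append(name.upper())
    return mechs

def apply_filter(mechs, mechanism_filter):
    """Mimic a plain name list in smtp_sasl_mechanism_filter (empty = no filter)."""
    wanted = [w.upper() for w in re.split(r"[,\s]+", mechanism_filter) if w]
    return [m for m in mechs if not wanted or m in wanted]

def audit(ehlo_reply, mechanism_filter, tls_active):
    """Return (mechanisms left after filtering, list of findings)."""
    offered = apply_filter(advertised_mechanisms(ehlo_reply), mechanism_filter)
    findings = []
    if not offered:
        findings.append("no usable mechanism: filter and server list do not overlap")
    if offered and set(offered) <= PLAINTEXT_MECHS and not tls_active:
        findings.append("password would cross the network without TLS")
    return offered, findings

# Constructed EHLO reply (not captured from the relay discussed on this page).
SAMPLE_EHLO = """250-relay.example.net
250-SIZE 104857600
250-AUTH SCRAM-SHA-1 DIGEST-MD5 PLAIN LOGIN
250-AUTH=SCRAM-SHA-1 DIGEST-MD5 PLAIN LOGIN
250 8BITMIME"""

if __name__ == "__main__":
    for filt in ("", "plain,login", "cram-md5"):
        for tls in (True, False):
            print(repr(filt), "tls" if tls else "no-tls", audit(SAMPLE_EHLO, filt, tls))
```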