Postfix - SMTP - Relayhost

Hello.

I have been using the email address my_user_name@free.fr since the creation of my account with my first provider 20 years ago.
I used to connect by dial-up.
15 years ago I bought a new account from a new provider using DSL, but I continued to keep my first email account.
Today I have a new "DSL" and "TV" account from another provider.
And I continue to use my first email account.

I don't own any domain name and have no fixed IP. (In the future I plan to get one using the OpenDNS free service.)

Today I am trying to install a mail server as relayhost.
I have set:

#relayhost = [smtp.free.fr]
# or relay SMTP on port of submission in SASL
relayhost = [smtp.free.fr]:587

While trying to verify my POSTFIX configuration by sending a mail to my_user_name@free.fr account

mail -s "subject : Message Test to myself" my_user_name@free.fr <<< "This is a test message sent to myself"

I got the following error message:

postfix/smtp[4892]:, MSG  6955F2408FD: to=<my_user_name@free.fr>, relay=smtp.free.fr[212.27.48.4]:587, delay=0.23, delays=0.09/0.03/0.11/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host smtp.free.fr[212.27.48.4])

The only help from my provider is:

Your login "my_user_name" is already authorized to make SMTP authenticated on "smtp.free.fr".
Only encrypted password authentication methods are accepted. For example, the use of SSL (on port 465) or of the 'MD5 Challenge-Response' (on port 587).

Here are the modified parameters in main.cf:

#
disable_vrfy_command = yes
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
#
smtpd_delay_reject = yes
#
smtpd_banner = $myhostname ESMTP
#
transport_maps = hash:/etc/postfix/transport
#
# Great new feature: address mapping
#  for example, map mchirico@localhost to mchirico@gmail.com
smtp_generic_maps = hash:/etc/postfix/generic

mydomain = my-dom.nwk
myorigin = $mydomain
myhostname = LINUX-TEST-123.$mydomain
mydestination = localhost.localdomain
mynetworks = 127.0.0.0/8
mynetworks_style = subnet

#relayhost = [smtp.free.fr]
# or SMTP relay on the submission port with SASL
relayhost = [smtp.free.fr]:587
#relayhost = [smtp.free.fr]:465

#smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_sender, permit

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains

Here is the output of postconf -n:

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
biff = no
canonical_maps =
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter =
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
defer_transports =
delay_warning_time = 0h
disable_dns_lookups = yes
disable_mime_output_conversion = no
disable_vrfy_command = yes
html_directory = /usr/share/doc/packages/postfix-doc/html
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailbox_transport =
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions =
message_size_limit = 0
message_strip_characters =
mydestination = localhost.localdomain
mydomain = my-dom.nwk
myhostname = LINUX-TEST-123.$mydomain
mynetworks = 127.0.0.0/8
mynetworks_style = subnet
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix-doc/README_FILES
relay_clientcerts =
relayhost = [smtp.free.fr]:587
relocated_maps =
sample_directory = /usr/share/doc/packages/postfix-doc/samples
sender_canonical_maps =
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_enforce_tls = no
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = digest-md5
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_sasl_tls_security_options = noanonymous
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_CApath =
smtp_tls_cert_file = /etc/postfix/POSTFIX-cert.pem
smtp_tls_key_file = /etc/postfix/POSTFIX-key.pem
smtp_tls_loglevel = 3
smtp_tls_per_site = hash:/etc/postfix/tls_per_site
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtp_use_tls = no
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions =
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_relay_domains
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = smtpd
smtpd_sender_restrictions =
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_CApath =
smtpd_tls_ask_ccert = no
smtpd_tls_cert_file = /etc/postfix/POSTFIX-cert.pem
smtpd_tls_key_file = /etc/postfix/POSTFIX-key.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
smtpd_use_tls = yes
strict_8bitmime = no
strict_rfc821_envelopes = no
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains =

Any help is welcome
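The mismatch reported in the post above can be checked mechanically by comparing the client settings with the relay's EHLO reply. The following is an added example, not part of the original post: the settings come from the `postconf -n` output above, `tls_required=True` reflects the log line, and the EHLO reply is constructed on the assumption that "MD5 Challenge-Response" means CRAM-MD5. The function names are hypothetical.

```python
import re

# Client settings copied from the `postconf -n` output in the post above.
POSTCONF = """\
relayhost = [smtp.free.fr]:587
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = digest-md5
smtp_sasl_security_options =
"""

# CONSTRUCTED EHLO reply, not captured from smtp.free.fr: a submission port
# that advertises challenge-response AUTH (assumed CRAM-MD5) and no STARTTLS.
EHLO_REPLY = """\
250-relay.example
250-AUTH CRAM-MD5 LOGIN
250 8BITMIME
"""

def parse_postconf(text):
    """Return {parameter: value} from `postconf -n` style lines."""
    pairs = (line.partition("=") for line in text.splitlines())
    return {name.strip(): value.strip() for name, sep, value in pairs if sep}

def parse_ehlo(text):
    """Return (extension keywords, AUTH mechanisms) from a 250 EHLO reply."""
    keywords, mechs = set(), set()
    for line in text.splitlines()[1:]:      # line 1 is the server greeting
        m = re.match(r"250[- ]([A-Za-z0-9-]+)[ =]?(.*)", line)
        if m:
            keywords.add(m.group(1).upper())
            if m.group(1).upper() == "AUTH":
                mechs.update(m.group(2).upper().split())
    return keywords, mechs

def check_relay(conf, keywords, mechs, tls_required):
    """Compare what the client demands with what the relay advertises."""
    findings = []
    if tls_required and "STARTTLS" not in keywords:
        findings.append("tls-required-not-offered")   # the dsn=4.7.4 deferral
    # Simplification: the filter is treated as a plain list of mechanism names.
    raw = conf.get("smtp_sasl_mechanism_filter", "").upper()
    allowed = set(re.split(r"[,\s]+", raw)) - {""}
    usable = mechs & allowed if allowed else mechs
    if conf.get("smtp_sasl_auth_enable") == "yes" and not usable:
        findings.append("no-common-sasl-mechanism")
    opts = conf.get("smtp_sasl_security_options", "noplaintext, noanonymous")
    if "STARTTLS" not in keywords and "noplaintext" not in opts and usable & {"PLAIN", "LOGIN"}:
        findings.append("plaintext-password-without-tls")
    return findings
```

The real reply can be read with `openssl s_client -starttls smtp -connect smtp.free.fr:587` or a plain telnet session followed by `EHLO`, and pasted in place of `EHLO_REPLY`.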

Hi
This is what I followed for gmail, works fine in my virtual machines…
http://mhawthorne.net/posts/postfix-configuring-gmail-as-relay.html

I will report back when I return to this problem.
Thank you for your answer.

My question is why you feel you need to install and run your own SmartSMTP Relay server.

Nowadays,

  • It starts with how your actual mailserver (typically POP or IMAP) is configured, whether it will accept mail from anywhere or if the sender needs to be authenticated. Various rules can be implemented, including settings in your Public DNS… and if you configure your own SmartSMTP, it may need to be listed. So, setting up your own SMTP Smarthost should be avoided unless necessary.
  • You may be able to use the SmartSMTP server your ISP provides. Many ISPs provide this service today, the idea is that you either need to authenticate or are automatically authenticated to your ISP’s SMTP Smarthost, so your mail server is satisfied incoming mail is not spam.
  • As Malcolm describes, if your ISP does not provide an SMTP Smarthost and you own a Gmail account, you can use a Gmail SMTP Smarthost.

Regarding your posted error, it describes a TLS handshake error. Typically this is caused by

  • TLS/SSL may not be enabled and configured on your own SMTP Smarthost
  • The wrong version TLS/SSL is required and configured. Although v3 is “best” it’s not universally implemented, so v2 may be configured by default. Both sides need to agree, and this requires knowledge of the remote SMTP Smarthost you are connecting to.

HTH,
TSU

I am fed up with all the spam I receive and I want to filter what I receive. I think that I could filter better than my provider.

As I said, the only information I got is:

Your login “my_user_name” is already authorized to make SMTP authenticated on “smtp.free.fr”.
Only encrypted password authentication methods are accepted. For example, the use of SSL (on port 465) or of the ‘MD5 Challenge-Response’ (on port 587).

On 2014-09-05 19:56, jcdole wrote:
> I am fed up with all the spam I receive and I want to filter what I
> receive. I think that I could filter better than my provider.

Typically, even using postfix in the chain, you do not need to use a
relayhost with postfix in order to do spamfiltering when receiving.

The relayhost is needed for sending.

Also, a relayhost is used when you send ALL your email that way. If you
have more than one account, and emails from all of them can not be sent
(accepted) by the single relay host, there are other methods (with
postfix). I can expand info on this another day.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

Actually, an SMTP Smarthost can be used anywhere and anytime SMTP is used, it can be a perfectly legitimate use for deploying a spam filter app. The alternative is for the spam filtering to be configured as a “sink” - ie plugin to the mailserver.

It’s been awhile since I’ve supported this topology…
But I would think that a remote SMTP server would need to authenticate to your SMTP Smarthost, not the other way around…
I’d have to think about that more deeply to try to remember how that is setup…

But, in any case instead of re-inventing the wheel at a very basic level, I’d recommend you find a “cookbook” for the specific spam filtering app you plan on using, eg spamassassin… Which should describe in detail how to setup. Would be backwards to try to figure out how to configure an SMTP smarthost before knowing whether it’s required and how it would work with your filtering app. And, more than likely I assume you have a filtering app in mind instead of “rolling your own” doing some very basic lookups from a custom text file…

TSU

I’m speculating (as before)
That you need to configure your SMTP Smarthost to output an SSL connection to the remote mail server.
The error message is slightly vague, but I think it’s saying that the username/password credentials are valid but the method of encryption is not recognized (or not configured).

So, the possibilities in my previous post all still apply 100%. You need to configure an SSL or TLS connection, and it must use versions acceptable to the remote mailserver.

TSU

On 2014-09-07 02:46, tsu2 wrote:
>
> Actually, an SMTP Smarthost can be used anywhere and anytime SMTP is
> used, it can be a perfectly legitimate use for deploying a spam filter
> app. The alternative is for the spam filtering to be configured as a
> “sink” - ie plugin to the mailserver.
>
> It’s been awhile since I’ve supported this topology…
> But I would think that a remote SMTP server would need to authenticate
> to your SMTP Smarthost, not the other way around…
> I’d have to think about that more deeply to try to remember how that is
> setup…

But you see, I do use that kind of setup here ;)

And I tell you, you do not need to define an smtp smarthost in order to
filter spam for the email you get.

You need to set up an smtp smarthost only for sending your email, and
only on some types of setups.

So, please JCD, define what is the problem you want to solve, instead of
how you want to solve it, and we’ll try to propose solutions to you :)


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)