1

Topic: Transport maps, Amazon SES and TLS authentication

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.7
- Linux/BSD distribution name and version: CentOS 6.9
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

/var/log/maillog:
Dec 28 20:52:58 israelclinics postfix/smtp[29629]: 4E179423AA: to=<xxx@yahoo.com>, relay=email-smtp.us-east-1.amazonaws.com[23.23.155.28]:587, delay=1.4, delays=0.01/0.04/1.2/0.09, dsn=5.0.0, status=bounced (host email-smtp.us-east-1.amazonaws.com[23.23.155.28] said: 530 Authentication required (in reply to MAIL FROM command))

# postconf
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf, proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf, hash:/etc/postfix/transport
/etc/postfix/transport:
yahoo.com      smtp:[email-smtp.us-east-1.amazonaws.com]:25
/etc/postfix/sasl_passwd file with correct Amazon credentials:
[email-smtp.us-east-1.amazonaws.com]:25 name:password


Hi,

I searched the forum but didn't find any mentions.
My problem is: certain mail servers like hotmail.com, yahoo.com, ukr.net etc. from time to time start to block my outgoing mails because of their internal RBL or other anti-spam rules. I have an Amazon SES account that I can use as a temporary mail relay for mails to these domains until I solve the problem with these mail providers.
Amazon SES requires TLS authentication - below rows from their instructions:
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt

And this works beautifully on my other web servers that send mails via Amazon SES.
I'm not a Postfix professional, but I see that in iRedMail all TLS options are not defined or are set to no.
I still receive the 530 Authentication required error. I think this is because TLS is disabled. And I don't know how to set up TLS authentication ONLY for the specific Amazon SES server.
As I understand from a Google search, I have to create a new transport/protocol in addition to the existing smtp one and use it in my transport file. But I can't find an exact description of how to do it, and I'm afraid to mess up my working configuration.

Please, help me.
Roman


2

Re: Transport maps, Amazon SES and TLS authentication

Did you try our tutorial?
https://docs.iredmail.org/relayhost.html

3

Re: Transport maps, Amazon SES and TLS authentication

ZhangHuangbin wrote:

Did you try our tutorial?
https://docs.iredmail.org/relayhost.html

Hi Zhang,

I tried but without success.
Added to main.cf:

smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sender_dependent_authentication = yes

Created /etc/postfix/sasl_passwd:

[email-smtp.us-east-1.amazonaws.com]:587      user:pwd
email-smtp.us-east-1.amazonaws.com      user:pwd
email-smtp.us-east-1.amazonaws.com:587 user:pwd
user@domain                user:pwd

Set "Relay outgoing mail to" for a specific user in iRedAdmin-Pro (see also the attached picture):

[email-smtp.us-east-1.amazonaws.com]:587

Then:

postmap /etc/postfix/sasl_passwd
postfix reload

Trying to send as user@domain, I receive:

Jan  3 09:27:37 hostname postfix/smtp[1489]: 2F0484286A: to=<xxx@xxx.com>, relay=email-smtp.us-east-1.amazonaws.com[54.204.40.68]:587, delay=0.86, delays=0.01/0.03/0.74/0.08, dsn=5.0.0, status=bounced (host email-smtp.us-east-1.amazonaws.com[54.204.40.68] said: 530 Authentication required (in reply to MAIL FROM command))

Just to clarify: I don't want to use a global relay host; a sender-dependent relay host is good enough for me. I mean that I didn't add this part:

relayhost = [relay_server]:25
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = login
smtp_sasl_security_options = noanonymous

to main.cf. I'm afraid that these changes will break my main mail flow, which is based on MX lookup.

Please, help me to understand what I'm doing wrong.

Post's attachments

relay.PNG

4

Re: Transport maps, Amazon SES and TLS authentication

According to the error message, SES requires a secure connection.

What's the output of command below?

postconf smtp_tls_security_level

If you do NOT want to use a global relayhost, it can be empty. Then add this setting in Postfix main.cf:

smtp_tls_policy_maps = hash:/etc/postfix/smtp_tls_policy

Add one line in /etc/postfix/smtp_tls_policy:

email-smtp.us-east-1.amazonaws.com encrypt

Run command:

postmap hash:/etc/postfix/smtp_tls_policy

Restart or reload Postfix service, and send testing email again.

5 (edited by romanmm 2018-01-04 22:46:46)

Re: Transport maps, Amazon SES and TLS authentication

ZhangHuangbin wrote:

According to the error message, SES requires secure connection.

Hi Zhang,

I did what you proposed to do but with the same result.

# postconf smtp_tls_security_level
smtp_tls_security_level = may
# postconf smtp_tls_policy_maps
smtp_tls_policy_maps = hash:/etc/postfix/smtp_tls_policy
# cat /etc/postfix/smtp_tls_policy
email-smtp.us-east-1.amazonaws.com encrypt
# postmap hash:/etc/postfix/smtp_tls_policy
# postfix reload

status=bounced (host email-smtp.us-east-1.amazonaws.com[23.21.251.48] said: 530 Authentication required (in reply to MAIL FROM command))

Do I need to add these rows as well?

smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = login
smtp_sasl_security_options = noanonymous

6

Re: Transport maps, Amazon SES and TLS authentication

romanmm wrote:

Do I need to add these rows as well?

Yes. Otherwise Postfix doesn't know whether auth is required and what username/password Postfix should use.

7

Re: Transport maps, Amazon SES and TLS authentication

ZhangHuangbin wrote:
romanmm wrote:

Do I need to add these rows as well?

Yes. Otherwise Postfix doesn't know whether auth is required and what username/password Postfix should use.


Thank you a lot, Zhang.

Now it works.
Summary for everyone who needs this. I use Amazon SES as my backup sender, so all values are for this service.
Add to /etc/postfix/main.cf:

smtp_sender_dependent_authentication = yes
smtp_tls_policy_maps = hash:/etc/postfix/smtp_tls_policy
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = login
smtp_sasl_security_options = noanonymous

Then create /etc/postfix/smtp_tls_policy with the following row:

email-smtp.us-east-1.amazonaws.com encrypt

Then create /etc/postfix/sasl_passwd with the following row (user and password are the SMTP credentials for the Amazon SES service):

user@domain user:password

Then run postmap for both files and reload Postfix:

postmap /etc/postfix/smtp_tls_policy
postmap /etc/postfix/sasl_passwd
postfix reload

Now it's possible to add the appropriate setting for the user user@domain in the iRedAdmin-Pro web GUI:

https://<your_site_name>/iredadmin/profile/user/relay/user@domain

Just write [email-smtp.us-east-1.amazonaws.com]:587 in the "Relay outgoing email to" section.

After all these settings, check in /var/log/maillog that only mails originating from user@domain are routed via the Amazon SES server, and not via your default relayhost or via MX lookup.

Jan  7 08:24:06 server postfix/qmgr[20558]: D575942A4C: from=<user@domain>, size=2246, nrcpt=1 (queue active)
Jan  7 08:24:08 server postfix/smtp[20611]: D575942A4C: to=<xxx@xxx.com>, relay=email-smtp.us-east-1.amazonaws.com[174.129.43.45]:587, delay=1.8, delays=0.01/0/1.3/0.54, dsn=2.0.0, status=sent (250 Ok 01000160cf4a6923-588eb5ea-8eb1-4ad4-bc9f-910638ae4c73-000000)

Mails from other senders will be routed via the default transport.
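The thread's failures all came from one of three gaps: SASL not switched on in main.cf, a sasl_passwd key that did not match what Postfix actually looks up (the sender address when smtp_sender_dependent_authentication = yes, otherwise the nexthop written exactly as in the relay setting, bracket and port included), or no TLS policy forcing "encrypt" for the SES host. The following POSIX shell script is an added example (not from this thread, iRedMail or Postfix) that checks a copy of the three files for exactly those gaps before you run postfix reload; it covers both post 4's smtp_tls_policy step and the full summary above. The function names, the temp-dir layout and the sample files it builds are constructed for the demo; the .db files it touches only stand in for postmap output, so run the real postmap on your server.

```shell
#!/bin/sh
# Added example: pre-flight check for a sender-dependent SMTP relay with SASL + TLS.
# Assumes main.cf-style "key = value" lines and Postfix hash: tables in "key value" form.

# conf_get FILE KEY -> value of KEY (last definition wins, empty if absent)
conf_get() {
    awk -v k="$2" '$1 == k && $2 == "=" { $1 = ""; $2 = ""; sub(/^ +/, ""); v = $0 }
                   END { print v }' "$1"
}

# map_has FILE KEY -> exit 0 if KEY is the first field of a non-comment line
map_has() {
    awk -v k="$2" '!/^[ \t]*#/ && $1 == k { f = 1 } END { exit !f }' "$1"
}

# relay_host NEXTHOP -> bare hostname: "[host]:587", "host:587", "[host]" -> "host"
relay_host() {
    printf '%s\n' "$1" | sed 's/^\[//; s/\]//; s/:[0-9]*$//'
}

# check_relay_auth MAIN_CF SASL_PASSWD TLS_POLICY NEXTHOP SENDER
# Prints one line per problem and returns 0 only when everything lines up.
check_relay_auth() {
    main_cf=$1; sasl=$2; policy=$3; nexthop=$4; sender=$5
    rc=0
    host=$(relay_host "$nexthop")

    # 1. Without SASL enabled Postfix never sends AUTH, hence "530 Authentication required".
    [ "$(conf_get "$main_cf" smtp_sasl_auth_enable)" = "yes" ] ||
        { echo "smtp_sasl_auth_enable is not yes"; rc=1; }
    case "$(conf_get "$main_cf" smtp_sasl_security_options)" in
        *noanonymous*) ;;
        *) echo "smtp_sasl_security_options should include noanonymous"; rc=1 ;;
    esac

    # 2. The password lookup key depends on the mode: sender address with
    #    sender-dependent authentication, otherwise the nexthop exactly as written.
    if [ "$(conf_get "$main_cf" smtp_sender_dependent_authentication)" = "yes" ]; then
        key=$sender
    else
        key=$nexthop
    fi
    map_has "$sasl" "$key" ||
        { echo "no credentials for lookup key '$key' in $sasl"; rc=1; }

    # 3. SES wants TLS before AUTH: the policy map must force it for the relay host.
    awk -v h="$host" '!/^[ \t]*#/ && $1 == h && $2 ~ /^(encrypt|verify|secure)$/ { f = 1 }
                      END { exit !f }' "$policy" ||
        { echo "no encrypt/verify/secure policy for $host in $policy"; rc=1; }

    # 4. hash: tables are read from the .db file that postmap writes, never the text file.
    for f in "$sasl" "$policy"; do
        [ -f "$f.db" ] && [ ! "$f" -nt "$f.db" ] ||
            { echo "run: postmap hash:$f"; rc=1; }
    done
    return $rc
}

# Constructed copy of the working configuration from the summary post.
demo_after() {
    d=$(mktemp -d)
    cat >"$d/main.cf" <<'EOF'
smtp_sender_dependent_authentication = yes
smtp_tls_policy_maps = hash:/etc/postfix/smtp_tls_policy
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = login
smtp_sasl_security_options = noanonymous
EOF
    printf 'email-smtp.us-east-1.amazonaws.com encrypt\n' >"$d/smtp_tls_policy"
    printf 'user@domain user:password\n' >"$d/sasl_passwd"
    touch "$d/smtp_tls_policy.db" "$d/sasl_passwd.db"   # stand-in for postmap output
    check_relay_auth "$d/main.cf" "$d/sasl_passwd" "$d/smtp_tls_policy" \
        "[email-smtp.us-east-1.amazonaws.com]:587" "user@domain"
    rc=$?; rm -rf "$d"; return $rc
}

# Constructed copy of the first post: password map present, but no SASL, no TLS policy, no postmap.
demo_before() {
    d=$(mktemp -d)
    printf 'smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd\n' >"$d/main.cf"
    printf '[email-smtp.us-east-1.amazonaws.com]:25 name:password\n' >"$d/sasl_passwd"
    : >"$d/smtp_tls_policy"
    check_relay_auth "$d/main.cf" "$d/sasl_passwd" "$d/smtp_tls_policy" \
        "[email-smtp.us-east-1.amazonaws.com]:25" "user@domain"
    rc=$?; rm -rf "$d"; return $rc
}
```

Run it against copies of your real files with `check_relay_auth /etc/postfix/main.cf /etc/postfix/sasl_passwd /etc/postfix/smtp_tls_policy '[email-smtp.us-east-1.amazonaws.com]:587' user@domain`; the nexthop argument must be the same string you entered in iRedAdmin-Pro, since that is what Postfix uses as the lookup key when sender-dependent authentication is off. Keep sasl_passwd and its .db readable by root only, as they hold the SES SMTP credentials in clear text.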