1

Topic: Sender dependent relay hosts with both STARTTLS and SMTPS transports

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.7
- Linux/BSD distribution name and version: Ubuntu 16.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No.
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I'm trying to set up sender-dependent relay hosts and use multiple identities in RoundCube. With setup (A) below, I was able to send mail as "user1@host1.tld1" (via port 587 / STARTTLS) without problems, but sending as "user2@host2.tld2" (via port 465 / SMTPS) gave this error in /var/log/mail.log: postfix/smtp[32530]: 13CC3180E00: to=<user3@host3.tld3>, relay=smtp.mail.host2.tld2 [123.456.7.89]:465, delay=1883, delays=1583/0.05/300/0, dsn=4.4.2, status=deferred (conversation with smtp.mail.host2.tld2 [123.456.7.89] timed out while receiving the initial server greeting).

With setup (B) instead, sending as "user2@host2.tld2" worked OK, but sending as "user1@host1.tld1" gave this error: postfix/smtp[1181]: A0710180E00: to=<user3@host3.tld3>, relay=smtp.host1.tld1[98.76.54.32]:587, delay=0.31, delays=0.01/0.01/0.29/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)

I'm at my wits' end now, and would really appreciate some pointers on what to try next. Thanks very much!

====
My setup (A) is:

/etc/postfix/main.cf:

smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain, login
smtp_sasl_security_options = noanonymous
smtp_sender_dependent_authentication = yes

/etc/postfix/sasl_password:

user1@host1.tld1 user1@host1.tld1:passwd1
user2@host2.tld2 user2:passwd2

/etc/postfix/master.cf:

relay-smtps  unix  -       -       n       -       -       smtp
    # Client-side SMTPS requires 'encrypt' or stronger.
    -o smtp_tls_security_level=encrypt
    -o smtp_tls_wrappermode=yes

I then added the two domains to vmail.sender_relayhost:

use vmail;
INSERT INTO sender_relayhost (account, relayhost) VALUES ('@host1.tld1', '[smtp.host1.tld1]:587');
INSERT INTO sender_relayhost (account, relayhost) VALUES ('@host2.tld2', '[smtp.mail.host2.tld2]:465');

And set a different transport for host2:

use vmail;
INSERT INTO domain (domain, transport, active, created) VALUES ('smtp.mail.host2.tld2', 'relay-smtps:[smtp.mail.host2.tld2]:465', 1, NOW());

====
Setup (B):

/etc/postfix/main.cf: everything in (A), plus:

smtp_tls_security_level=encrypt
smtp_tls_wrappermode=yes

/etc/postfix/sasl_password: same as (A)

/etc/postfix/master.cf: without "relay-smtps", and with the following lines added after the "smtp-amavis" entry and after the "127.0.0.1:10025" entry:

    -o smtp_tls_security_level=none
    -o smtp_tls_wrappermode=no

vmail.sender_relayhost: same as (A)

vmail.domain: without the row in (A) for host2.tld2


2

Re: Sender dependent relay hosts with both STARTTLS and SMTPS transports

rocwhite wrote:

(conversation with smtp.mail.host2.tld2 [123.456.7.89] timed out while receiving the initial server greeting).

It says "timed out".

3 (edited by rocwhite 2018-04-29 03:29:11)

Re: Sender dependent relay hosts with both STARTTLS and SMTPS transports

ZhangHuangbin wrote:
rocwhite wrote:

(conversation with smtp.mail.host2.tld2 [123.456.7.89] timed out while receiving the initial server greeting).

It says "timed out".

I read that this was due to the Postfix SMTP client sending its first bytes unencrypted, which the host2 server expected to be encrypted because it was SMTPS, so host2 never replied. Before this error, there was actually another line in mail.log (setup A): postfix/smtp[32530]: SMTPS wrappermode (TCP port 465) requires setting "smtp_tls_wrappermode = yes", and "smtp_tls_security_level = encrypt" (or stronger).

Note that the changes in setup (B) were able to solve this "timeout" issue. But setting "smtp_tls_security_level=encrypt" and "smtp_tls_wrappermode=yes" created problems with other servers relying on STARTTLS. My question was really how to make these two changes selectively for host2, as I attempted to do in setup (A). Or better yet, how to make the changes whenever any server communicates via the SMTPS port: "hostX.tldX:465".

4

Re: Sender dependent relay hosts with both STARTTLS and SMTPS transports

What's the latest error message / log now?

5 (edited by rocwhite 2018-05-01 17:05:58)

Re: Sender dependent relay hosts with both STARTTLS and SMTPS transports

ZhangHuangbin wrote:

What's the latest error message / log now?

The error/log message was actually in my original question -- would you please re-read the (entire) original question? It was not network timeouts, as further explained by my reply on 2018-04-26 08:22:29. Thank you very much!

6

Re: Sender dependent relay hosts with both STARTTLS and SMTPS transports

Try this:

*) Revert back to your setup A
*) Add new Postfix setting in main.cf:

smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

*) Add file /etc/postfix/tls_policy with content:

host2.tld2 encrypt

*) Run command:

postmap hash:/etc/postfix/tls_policy

*) Restart or reload Postfix service and try again.

7

Re: Sender dependent relay hosts with both STARTTLS and SMTPS transports

ZhangHuangbin wrote:

Try this:

*) Revert back to your setup A
*) Add new Postfix setting in main.cf:

smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

*) Add file /etc/postfix/tls_policy with content:

host2.tld2 encrypt

*) Run command:

postmap hash:/etc/postfix/tls_policy

*) Restart or reload Postfix service and try again.

Thanks for the suggestion. For some reason, it's still showing me the same "timeout" errors.

8

Re: Sender dependent relay hosts with both STARTTLS and SMTPS transports

rocwhite wrote:

but sending as "user2@host2.tld2" (via port 465 / SMTPS) gave error in /var/log/mail.log: postfix/smtp[32530]: 13CC3180E00: to=<user3@host3.tld3>, relay=smtp.mail.host2.tld2 [123.456.7.89]:465

Same as this one? But you said it's "host2.tld2", while the log says "host3.tld3". You know a wrong log / wrong info will lead to a wrong conclusion.

Please show us the latest + full Postfix log for troubleshooting, and your setup.

9 (edited by rocwhite 2018-05-05 23:53:32)

Re: Sender dependent relay hosts with both STARTTLS and SMTPS transports

ZhangHuangbin wrote:
rocwhite wrote:

but sending as "user2@host2.tld2" (via port 465 / SMTPS) gave error in /var/log/mail.log: postfix/smtp[32530]: 13CC3180E00: to=<user3@host3.tld3>, relay=smtp.mail.host2.tld2 [123.456.7.89]:465

Same as this one? But you said it's "host2.tld2", while the log says "host3.tld3". You know a wrong log / wrong info will lead to a wrong conclusion.

Please show us the latest + full Postfix log for troubleshooting, and your setup.

Yes, the latest log is indeed the same as this.

You may have misread it -- notice that postfix logs TO not FROM in this line, so it was TO the recipient user. Also note that it used the relay corresponding to "host2.tld2".

May  5 10:43:50 b141950d2f78 postfix/submission/smtpd[4100]: connect from unknown[172.17.0.1]
May  5 10:43:50 b141950d2f78 postfix/submission/smtpd[4100]: Anonymous TLS connection established from unknown[172.17.0.1]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
May  5 10:43:50 b141950d2f78 postfix/submission/smtpd[4100]: 8C2DB180D5D: client=unknown[172.17.0.1], sasl_method=PLAIN, sasl_username=myuser@mydomain.tld
May  5 10:43:50 b141950d2f78 postfix/cleanup[3775]: 8C2DB180D5D: message-id=<a9c474e1-c381-fd61-1906-6be76f0571d9@host2.tld2>
May  5 10:43:50 b141950d2f78 postfix/qmgr[968]: 8C2DB180D5D: from=<user2@host2.tld2>, size=517, nrcpt=1 (queue active)
May  5 10:43:50 b141950d2f78 postfix/10025/smtpd[3786]: connect from localhost[127.0.0.1]
May  5 10:43:50 b141950d2f78 postfix/10025/smtpd[3786]: C35BE1823F9: client=localhost[127.0.0.1]
May  5 10:43:50 b141950d2f78 postfix/cleanup[3775]: C35BE1823F9: message-id=<a9c474e1-c381-fd61-1906-6be76f0571d9@host2.tld2>
May  5 10:43:50 b141950d2f78 postfix/qmgr[968]: C35BE1823F9: from=<user2@host2.tld2>, size=1089, nrcpt=1 (queue active)
May  5 10:43:50 b141950d2f78 postfix/10025/smtpd[3786]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
May  5 10:43:50 b141950d2f78 postfix/smtp[2823]: SMTPS wrappermode (TCP port 465) requires setting "smtp_tls_wrappermode = yes", and "smtp_tls_security_level = encrypt" (or stronger)
May  5 10:43:50 b141950d2f78 amavis[28088]: (28088-01) Passed CLEAN {RelayedInternal}, ORIGINATING LOCAL [172.17.0.1]:56646 <user2@host2.tld2> -> <recipient@gmail.com>, Queue-ID: 8C2DB180D5D, Message-ID: <a9c474e1-c381-fd61-1906-6be76f0571d9@host2.tld2>, mail_id: d0mhxC-Z2zKZ, Hits: -1, size: 517, queued_as: C35BE1823F9, 221 ms, Tests: [ALL_TRUSTED=-1]
May  5 10:43:50 b141950d2f78 postfix/amavis/smtp[3780]: 8C2DB180D5D: to=<recipient@gmail.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.41, delays=0.18/0/0.01/0.22, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as C35BE1823F9)
May  5 10:43:50 b141950d2f78 postfix/qmgr[968]: 8C2DB180D5D: removed
May  5 10:43:50 b141950d2f78 postfix/submission/smtpd[4100]: disconnect from unknown[172.17.0.1] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
May  5 10:47:10 b141950d2f78 postfix/anvil[3772]: statistics: max connection rate 1/60s for (smtpd:172.17.0.1) at May  5 10:42:10
May  5 10:47:10 b141950d2f78 postfix/anvil[3772]: statistics: max connection count 1 for (smtpd:172.17.0.1) at May  5 10:42:10
May  5 10:47:10 b141950d2f78 postfix/anvil[3772]: statistics: max cache size 1 at May  5 10:42:10
May  5 10:48:50 b141950d2f78 postfix/smtp[2823]: C35BE1823F9: to=<recipient@gmail.com>, relay=smtp.mail.host2.tld2[123.456.7.89]:465, delay=300, delays=0.01/0/300/0, dsn=4.4.2, status=deferred (conversation with smtp.mail.host2.tld2[123.456.7.89] timed out while receiving the initial server greeting)

I did exactly what you suggested; that is, I created /etc/postfix/tls_policy with the one line "host2.tld2 encrypt" for the SMTP server "smtp.mail.host2.tld2", and ran postmap on it. In addition, I added "smtp_tls_policy_maps = hash:/etc/postfix/tls_policy" to "main.cf", which wasn't there before. To reiterate my current setup:

/etc/postfix/main.cf:

smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain, login
smtp_sasl_security_options = noanonymous
smtp_sender_dependent_authentication = yes

smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

/etc/postfix/sasl_password:

user1@host1.tld1 user1@host1.tld1:passwd1
user2@host2.tld2 user2:passwd2

/etc/postfix/tls_policy

host2.tld2 encrypt

/etc/postfix/master.cf:

relay-smtps  unix  -       -       n       -       -       smtp
    # Client-side SMTPS requires 'encrypt' or stronger.
    -o smtp_tls_security_level=encrypt
    -o smtp_tls_wrappermode=yes

mysql> select * from vmail.sender_relayhost;
+----+-------------+----------------------------+
| id | account     | relayhost                  |
+----+-------------+----------------------------+
|  1 | @host1.tld1 | [smtp.host1.tld1]:587      |
|  2 | @host2.tld2 | [smtp.mail.host2.tld2]:465 |
+----+-------------+----------------------------+
2 rows in set (0.00 sec)
use vmail;
INSERT INTO domain (domain, transport, active, created) VALUES ('smtp.mail.host2.tld2', '', 1, NOW());

mysql> select * from vmail.domain;
+-------------------------+-------------+------------+---------+-----------+----------+-------+-----------------------------------------+----------+--------------------------+---------------------+---------------------+---------------------+--------+
| domain                  | description | disclaimer | aliases | mailboxes | maxquota | quota | transport                               | backupmx | settings                 | created             | modified            | expired             | active |
+-------------------------+-------------+------------+---------+-----------+----------+-------+-----------------------------------------+----------+--------------------------+---------------------+---------------------+---------------------+--------+
| smtp.mail.host2.tld2    | NULL        | NULL       |       0 |         0 |        0 |     0 | relay-smtps:[smtp.mail.host2.tld2]:465  |        0 | NULL                     | 2018-04-25 17:58:27 | 1970-01-01 01:01:01 | 9999-12-31 00:00:00 |      1 |
| mydomain.tld            | NULL        | NULL       |       0 |         0 |        0 |     0 | dovecot                                 |        0 | default_user_quota:1024; | 2018-04-16 18:32:32 | 1970-01-01 01:01:01 | 9999-12-31 00:00:00 |      1 |
+-------------------------+-------------+------------+---------+-----------+----------+-------+-----------------------------------------+----------+--------------------------+---------------------+---------------------+---------------------+--------+
2 rows in set (0.00 sec)

10

Re: Sender dependent relay hosts with both STARTTLS and SMTPS transports

Why did you add domain 'smtp.mail.host2.tld2' in "vmail.domain" table? Is it a local domain?

rocwhite wrote:

May  5 10:48:50 b141950d2f78 postfix/smtp[2823]: C35BE1823F9: to=<recipient@gmail.com>, relay=smtp.mail.host2.tld2[123.456.7.89]:465, delay=300, delays=0.01/0/300/0, dsn=4.4.2, status=deferred (conversation with smtp.mail.host2.tld2[123.456.7.89] timed out while receiving the initial server greeting)

Can you connect to this server on port 465 (smtp.mail.host2.tld2[123.456.7.89]:465)? Is smtps listening on port 465?

11

Re: Sender dependent relay hosts with both STARTTLS and SMTPS transports

Can you connect to this server on port 465 (smtp.mail.host2.tld2[123.456.7.89]:465)? Is smtps listening on port 465?

Yes, otherwise setup (B) in my original post shouldn't have worked either. The server also works fine (SSL mode on port 465) in Thunderbird. Do you have a working example config for how SSL on 465 should be set up? smtp.gmail.com listens both on 465 with SSL/TLS and on 587 with STARTTLS. Can you get port 465 of Google SMTP to work as a sender-dependent relayhost?

ZhangHuangbin wrote:

Why did you add domain 'smtp.mail.host2.tld2' in "vmail.domain" table? Is it a local domain?

It was not a local domain, and I actually didn't have this row in the "vmail.domain" table initially, but without it the same error occurred too. I added it in the hope that "vmail.domain.transport" would be picked up because of the following in "/etc/postfix/main.cf":

transport_maps =
    proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf
    proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf

and the contents of "/etc/postfix/mysql/transport_maps_domain.cf" include:

dbname      = vmail
query       = SELECT transport FROM domain WHERE domain='%s' AND active=1
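
An added example, not from this thread and not iRedMail's own configuration, of where the lookups above lead: transport_maps is keyed on the recipient domain, so a vmail.domain row named after the relay host is never consulted for mail to host3.tld3 or gmail.com. Postfix's sender_dependent_default_transport_maps is keyed on the envelope sender (the full address first, then @domain) and selects both the transport and the next-hop, which is what lets "smtp_tls_wrappermode=yes" and "smtp_tls_security_level=encrypt" stay confined to the relay-smtps transport from setup (A) instead of being switched on globally as in setup (B). The map path /etc/postfix/sender_transport and the two lookup helpers are assumptions for illustration; the script writes every fragment to a scratch directory, only mimics Postfix's lookup order, and neither runs Postfix nor opens a network connection.

```shell
#!/bin/sh
# Added example (not from the thread or iRedMail): route mail from each
# sender domain through its own Postfix transport, so SMTPS wrappermode on
# port 465 is enabled only for the relay that needs it.
# Everything is written to a scratch directory; nothing here touches a
# real Postfix installation or opens a network connection.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# main.cf fragment: the SASL settings from setup (A), plus a sender-keyed
# transport map (the map path is an assumed name).
cat > "$WORK/main.cf.fragment" <<'EOF'
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
smtp_sasl_security_options = noanonymous
smtp_sender_dependent_authentication = yes
# Keyed on the envelope sender (full address, then @domain), unlike
# transport_maps, which is keyed on the recipient domain.
sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport
EOF

# master.cf fragment: a dedicated smtp client with wrappermode, so the
# global smtp_tls_* defaults stay untouched for every other destination.
cat > "$WORK/master.cf.fragment" <<'EOF'
relay-smtps  unix  -       -       n       -       -       smtp
    -o smtp_tls_security_level=encrypt
    -o smtp_tls_wrappermode=yes
EOF

# /etc/postfix/sender_transport (assumed path): transport:nexthop per sender.
cat > "$WORK/sender_transport" <<'EOF'
@host1.tld1    smtp:[smtp.host1.tld1]:587
@host2.tld2    relay-smtps:[smtp.mail.host2.tld2]:465
EOF

# Mimic Postfix's lookup order for this map: the full sender address wins,
# otherwise the @domain entry. Prints "transport:nexthop" or nothing.
resolve_sender_transport() {
    sender="$1"
    domain="${sender#*@}"
    awk -v full="$sender" -v dom="@$domain" '
        /^[[:space:]]*(#|$)/   { next }              # skip comments and blanks
        $1 == full             { hit = $2; exit }    # exact address match
        $1 == dom && hit == "" { hit = $2 }          # domain fallback
        END { if (hit != "") print hit }
    ' "$WORK/sender_transport"
}

# Report whether the master.cf entry for the transport in "transport:nexthop"
# carries smtp_tls_wrappermode=yes. Exit status 0 = wrappermode, 1 = not.
transport_uses_wrappermode() {
    name="${1%%:*}"
    awk -v name="$name" '
        $1 == name                           { inside = 1; next }
        /^[^[:space:]#]/                     { inside = 0 }   # next service
        inside && /smtp_tls_wrappermode=yes/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$WORK/master.cf.fragment"
}

# Walk both identities from the thread and show where each one would go.
for sender in user1@host1.tld1 user2@host2.tld2; do
    route="$(resolve_sender_transport "$sender")"
    if transport_uses_wrappermode "$route"; then
        mode="SMTPS (wrappermode)"
    else
        mode="STARTTLS"
    fi
    printf '%-18s -> %-42s %s\n' "$sender" "$route" "$mode"
done
```

On a live iRedMail box the hash: file would be replaced by a MySQL-backed map (a proxy:mysql: query against a table keyed on '@domain', in the same style as the sender_relayhost table), and the hash: version still needs "postmap" and a reload after every edit. Keeping the wrappermode override on a dedicated master.cf transport is the point from a hardening standpoint: setup (B) had to compensate for the global change by setting smtp_tls_security_level=none on the internal amavis hops, whereas a per-transport override leaves the server-wide TLS defaults intact.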

12

Re: Sender dependent relay hosts with both STARTTLS and SMTPS transports

If it's not a local domain, please do NOT add it in "vmail.domain". Remove it and try again, show us the new error message.

Can you connect to this server on port 465 (smtp.mail.host2.tld2[123.456.7.89]:465) FROM YOUR iRedMail SERVER?

13 (edited by rocwhite 2018-05-10 08:40:29)

Re: Sender dependent relay hosts with both STARTTLS and SMTPS transports

Hi Huangbin, (1) I really appreciate your help, but if you carefully read my last post -- as I mentioned, I started without this row in "vmail.domain", and it was the same error. I just removed it and tried again, and I can copy and paste again, but it was the same error... (2) I can connect from my iRedMail server to "smtp.mail.host2.tld" on port 465. Again, this was indicated in my original question: setup (B) was able to send mail via "smtp.mail.host2.tld" on port 465. That was from my iRedMail server, so the connection is NOT the problem.

14

Re: Sender dependent relay hosts with both STARTTLS and SMTPS transports

I'm afraid that I need to get my hands on it for testing; I cannot help further without trying it myself.

One suggestion: try to change port 465 to another port, e.g. 25, FOR TESTING, and see how it goes.

15

Re: Sender dependent relay hosts with both STARTTLS and SMTPS transports

ZhangHuangbin wrote:

I'm afraid that I need to get my hands on it for testing; I cannot help further without trying it myself.

One suggestion: try to change port 465 to another port, e.g. 25, FOR TESTING, and see how it goes.

Thanks. I'll test changing the port to 25.

By the way, have you ever had a working setup with an SSL/TLS relayhost on port 465? If not, could you please see if you can get Google SMTP (smtp.gmail.com) on port 465 to work as a sender-dependent relayhost?