6

I have an Elastix server box that I want to send email notifications of voice mails from. I'd like to send them through our company email (hosted by shared web host provider Bluehost). I have followed instructions on how to use Postfix as a relay server. Emails don't go out though. I get the following in the logs (slightly obfuscated):

Sep 27 16:31:51 TD1000 postfix/smtp[9757]: 1B2C357117: to=<me@mycompany.com>, relay=boxNNN.bluehost.com[a.b.c.d]:465, delay=5241, delays=5076/0.03/165/0, dsn=4.4.2, status=deferred (lost connection with boxNNN.bluehost.com[a.b.c.d] while receiving the initial server greeting)

Various places suggest that it might be a blacklisting issue. However, it seems like that would be an issue for my Outlook running on my PC also. What I am trying to do is get Postfix to act like Outlook and send through Bluehost using SSL. (My Outlook settings: boxNNN.bluehost.com:465, SSL, authentication required.)

When I up the debugging level, I get the following message:

dns_query: boxNNN.bluehost.com (MX): Host found but no data record of requested type

But since the ultimate message is no response, and it finds an IP address for the server, I don't think the DNS issues are the problem.

postconf -n reveals:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 5
debug_peer_list = boxNNN.bluehost.com
html_directory = no
inet_interfaces = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = cenginc-office.local
myhostname = td1000.my-office.local
mynetworks = /etc/postfix/network_table
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.6/README_FILES
relayhost = boxNNN.bluehost.com:465
sample_directory = /usr/share/doc/postfix-2.5.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_connect_timeout = 300
smtp_enforce_tls = yes
smtp_helo_name = my-phone-system
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_sasl_type = cyrus
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_domains =
virtual_transport = lmtp:unix:/var/lib/imap/socket/lmtp

(We are using Postfix 2.3.3 according to the Elastix UI, so I'm not sure why the samples say 2.5.6.)

When I telnet to the bluehost box and port, the connection remains open for a short time, and then closes, I think because I'm not coming in as SSL.

I used this site (among others) for the configuration, but I don't see what I'm missing. https://www.zulius.com/how-to/set-up-postfix-with-a-remote-smtp-relay-host/

Any ideas on what I'm doing wrong? My theory is that postfix isn't doing something that bluehost expects in the initial connection, but I have no idea what. Thanks for your help.

MrPhilTX
  • Try testing connection with `openssl s_client -connect boxNNN.bluehost.com:465`. – kworr Oct 01 '13 at 04:39
  • I don't see any place in your configuration where you tell postfix to use ssl while connecting to boxNNN.bluehost.com:465. Does it try to connect without ssl? –  Oct 01 '13 at 08:00
  • @befreeandgood: I'm not sure how to tell it to use SSL, then. I thought that's what the smtp_sasl_auth_enable was. But now that I look into it a little more, I'm not sure that it is. – MrPhilTX Oct 01 '13 at 15:59
  • @kworr: I was able to connect, get a banner and a response to an EHLO command. Sounds like I need to get postfix to actually use SSL – MrPhilTX Oct 01 '13 at 16:00
  • http://www.eglug.org/book/export/html/1923 showed tunneling the relay through stunnel, which seems to work, but now I've got names all mumbled up. Bounces because it is sending `asterix@td1000.my-office.local` as a sender or reply-to. I'm connecting to the bluehost box, but not sending the correct account names, etc. – MrPhilTX Oct 01 '13 at 18:39
  • I'm not sure how to give y'all credit for helping: kworr and @befreeandgood I can't mark your comments above as helpful. – MrPhilTX Oct 01 '13 at 21:17
  • I'm not sure tunneling is a clean solution. Try https://www.zulius.com/how-to/set-up-postfix-with-a-remote-smtp-relay-host/ –  Oct 02 '13 at 08:30
  • @befreeandgood: I looked at that, but I couldn't see how that was using an SSL connection. Does the TLS option mean we are starting an SSL connection? Is there a way to simulate the TLS connection (like I did with the openssl suggestion above)? – MrPhilTX Oct 02 '13 at 23:02

3 Answers

6

We have two facts here:

  • You are connecting to Bluehost via port 465
  • Postfix reported an error message: lost connection with boxNNN.bluehost.com[a.b.c.d] while receiving the initial server greeting

One possible explanation is that the SMTP client in Postfix 2.11 or older doesn't support SSL.

Explanation

In SMTP, there are two encryption schemes: STARTTLS and SMTPS. The difference is that (1) SMTPS requires SSL encryption from the first byte and (2) STARTTLS requires plain text mode first, and optionally the client and server do SSL negotiation after the STARTTLS command.

The Postfix SMTP server (smtpd) supports both protocols. The problem is that the SMTP client (before Postfix 3.0) - the one that sends email to the remote server - doesn't support SMTPS connections. It only supports plain text mode or STARTTLS mode.

What happens here is: the Postfix SMTP client uses plain text mode to connect to Bluehost because Postfix wants to establish STARTTLS. But Bluehost expects the first bytes to be an SSL negotiation, not plain text. This mismatch makes the Bluehost server silently discard the data and disconnect Postfix. Postfix doesn't know what's going on here, so it throws the error in maillog:

Sep 27 16:31:51 TD1000 postfix/smtp[9757]: 1B2C357117: to=<me@mycompany.com>, relay=boxNNN.bluehost.com[a.b.c.d]:465, delay=5241, delays=5076/0.03/165/0, dsn=4.4.2, status=deferred (lost connection with boxNNN.bluehost.com[a.b.c.d] while receiving the initial server greeting)

Solution

The Postfix TLS documentation provides a workaround using stunnel here. So the solution from MrPhilTX was correct for Postfix < 3.0.

In Postfix 3.0, Wietse Venema decided to add an SMTPS feature to the Postfix SMTP client. With this feature, the stunnel solution isn't needed here. There are two variations:

a) Enable SMTPS for all outgoing SMTP connections

Usually, in this case Postfix has an SMTPS-only relayhost, like in the OP's problem. So:

# Client-side SMTPS requires "encrypt" or stronger.
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes
# The [] suppress MX lookups.
relayhost = [mail.example.com]:465

b) Enable SMTPS for several hosts

For the other case, you need a custom transport and transport_maps to selectively turn on SMTPS:

# /etc/postfix/main.cf:
transport_maps = hash:/etc/postfix/transport

# /etc/postfix/transport:
example.com  relay-smtps:example.com:465

# /etc/postfix/master.cf:
relay-smtps  unix  -       -       n       -       -       smtp
    # Client-side SMTPS requires "encrypt" or stronger.
    -o smtp_tls_security_level=encrypt
    -o smtp_tls_wrappermode=yes
masegaloeh
  • Thanks for the explanation and validation of my answer. A clear, understandable answer: well done. – MrPhilTX Mar 26 '15 at 23:01
2

I'm not sure if this is where I should put this, but here is how I got it working.

So, kworr and befreeandgood put me on the right track. The smtp_sasl_* settings don't do anything with SSL, just with authentication.

I followed a combination of the instructions from the following links. This one got me close, http://www.eglug.org/book/export/html/1923, but left out a few things to set. This one, http://tech.surveypoint.com/blog/relay-mail-with-postfix-and-stunnel/, added inet_interfaces = loopback-only.

Those options got me as far as some problems with the mail server rejecting various header names, like "from" and "reply-to". I fixed those via some instructions that I found via googling (but I'm not allowed to post those links as I have exceeded my link quota already).

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
html_directory = no
inet_interfaces = loopback-only
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = my-office.local
myhostname = td1000.my-office.local
mynetworks = /etc/postfix/network_table
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.5.6/README_FILES
relayhost = 127.0.0.1:5001
sample_directory = /usr/share/doc/postfix-2.5.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_connect_timeout = 60
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_sasl_type = cyrus
smtp_use_tls = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_tls_auth_only = no
smtpd_tls_loglevel = 2
smtpd_tls_received_header = no
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_mailbox_base = /var/mail/vhosts
virtual_mailbox_domains =
virtual_transport = lmtp:unix:/var/lib/imap/socket/lmtp

So the smtp_generic_maps was used to rename the various addresses that came up to some address that actually exists. I had to do that for two different names, that I found by looking in the /var/log/maillog file.

So, the summary to connect to Bluehost:

  • Enable smtp_sasl authentication
  • Use stunnel to create an SSL tunnel
  • Use smtp_generic_maps to map the non-existent usernames that Asterisk is using.
  • Dinking around with the mydomain and such might get you around the generic maps requirement. I also saw someone reference $myorigin as a potential work around.
MrPhilTX
  • Have you tried setting up postfix without stunnel first? If so, why did it fail? –  Oct 02 '13 at 09:49
  • Yes. It failed with the original question: status=deferred then lost connection with boxNNN.bluehost.com[a.b.c.d] while receiving the initial server greeting. How does one tell postfix to use SSL? My google-fu only found the tunneling suggestions. Thanks for following up. – MrPhilTX Oct 02 '13 at 23:04
0

When the destination domain has no MX records, the SMTP server should try delivering mail to any of the domain's A records. For example.net this would be any address of example.net.

If the connection to the encrypted port fails, you need to consult the Postfix manual about the smtp_tls_security_level parameter. You can find a lengthy explanation there, but I think in most cases you just need to add to your config:

smtp_tls_security_level=may
kworr
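The three answers above each check one thing: whether the relayhost is an SMTPS (port 465) endpoint that a pre-3.0 Postfix client is talking to in plaintext, whether the 3.0+ wrapper-mode settings are present, and whether an unbracketed relayhost still triggers an MX lookup before falling back to the A record. The script below folds those checks into one diagnostic that reads `postconf -n` output and maillog lines. It is an added example written for this page, not code from the thread or from Postfix. The sample config and log lines are constructed (shaped like the asker's, with a documentation IP range), the finding codes and the `postfix_version` argument are my own, and `smtp_tls_wrappermode` and `smtp_tls_security_level` are the real Postfix parameters named in the accepted answer.

```python
import re

# Constructed sample: a trimmed version of the asker's `postconf -n` output.
POSTCONF_BROKEN = """\
relayhost = boxNNN.bluehost.com:465
smtp_enforce_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options =
"""

# Constructed sample: the accepted answer's variation (a), for Postfix 3.0+.
POSTCONF_FIXED = """\
relayhost = [mail.example.com]:465
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes
smtp_sasl_auth_enable = yes
"""

# Constructed maillog lines shaped like the one in the question (192.0.2.0/24 is a documentation range).
MAILLOG = """\
Sep 27 16:31:51 TD1000 postfix/smtp[9757]: 1B2C357117: to=<me@mycompany.com>, relay=boxNNN.bluehost.com[192.0.2.10]:465, delay=5241, delays=5076/0.03/165/0, dsn=4.4.2, status=deferred (lost connection with boxNNN.bluehost.com[192.0.2.10] while receiving the initial server greeting)
Sep 27 16:32:00 TD1000 postfix/smtp[9757]: 2C3D468228: to=<you@example.org>, relay=mx.example.org[192.0.2.20]:25, delay=1.2, delays=0.1/0.02/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# smtp_tls_security_level values that count as "encrypt or stronger".
STRONG_LEVELS = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}

RELAYHOST_RE = re.compile(
    r"^\[(?P<bhost>[^\]]+)\](?::(?P<bport>\d+))?$"  # [host]:port, MX lookup suppressed
    r"|^(?P<host>[^\[\]:]+)(?::(?P<port>\d+))?$"    # host:port, MX lookup first
)
LOST_GREETING_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): .*?"
    r"relay=(?P<relay>[^\s,\[]+)\[[^\]]+\]:(?P<port>\d+).*?"
    r"status=deferred \(lost connection with .* while receiving the initial server greeting\)"
)


def parse_postconf(text):
    """Turn `postconf -n` output into a dict; an empty right-hand side is kept as ''."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def parse_relayhost(value):
    """Split a relayhost value into (host, port, mx_lookup); brackets suppress the MX lookup, no port means 25."""
    m = RELAYHOST_RE.match(value.strip())
    if not m:
        raise ValueError(f"unparseable relayhost: {value!r}")
    bracketed = m.group("bhost") is not None
    host = m.group("bhost") if bracketed else m.group("host")
    port = m.group("bport") if bracketed else m.group("port")
    return host, int(port) if port else 25, not bracketed


def find_greeting_failures(log_text):
    """Return (queue_id, relay, port) for deliveries the remote dropped before sending its 220 greeting."""
    hits = []
    for line in log_text.splitlines():
        m = LOST_GREETING_RE.search(line)
        if m:
            hits.append((m.group("qid"), m.group("relay"), int(m.group("port"))))
    return hits


def diagnose(postconf_text, log_text, postfix_version):
    """Return (code, message) findings; postfix_version is a tuple such as (2, 5, 6) from `postconf mail_version`."""
    conf = parse_postconf(postconf_text)
    relay = conf.get("relayhost", "")
    if not relay:
        return [("NO_RELAYHOST", "no relayhost configured; nothing to check")]
    host, port, mx_lookup = parse_relayhost(relay)
    wrapper = conf.get("smtp_tls_wrappermode", "no").lower() == "yes"
    level = conf.get("smtp_tls_security_level", "")
    findings = []
    # smtp_tls_wrappermode only exists in the 3.0+ SMTP client, so the version decides which advice applies.
    if port == 465 and postfix_version < (3, 0):
        findings.append(("CLIENT_TOO_OLD_FOR_SMTPS",
                         "this SMTP client cannot speak SMTPS; wrap the relay with stunnel or upgrade to 3.0+"))
    elif port == 465 and not wrapper:
        findings.append(("SMTPS_PORT_NO_WRAPPERMODE",
                         "relayhost uses port 465 but smtp_tls_wrappermode is not yes; plaintext will hit a TLS-only port"))
    if wrapper and level not in STRONG_LEVELS:
        findings.append(("WRAPPERMODE_NEEDS_ENCRYPT",
                         f"smtp_tls_wrappermode=yes needs smtp_tls_security_level encrypt or stronger, got {level!r}"))
    if mx_lookup and not re.fullmatch(r"[\d.]+", host):
        findings.append(("MX_LOOKUP_ON_RELAYHOST",
                         f"{host} is unbracketed, so Postfix asks for MX first and falls back to A; write [{host}]"))
    for qid, rhost, rport in find_greeting_failures(log_text):
        if rhost == host:
            findings.append(("GREETING_LOST",
                             f"{qid}: {rhost}:{rport} closed before its greeting; on 465 that is the plaintext-to-SMTPS symptom"))
    return findings
```

Run `diagnose(open("postconf.txt").read(), open("/var/log/maillog").read(), (2, 5, 6))` against real files to reproduce the asker's situation; the version tuple is passed in rather than guessed because, as the question shows, the version the UI reports and the version the installed files suggest can disagree.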