
Use Case: We have several Eaton PDU/PSUs that don't support SSL/TLS authentication. I was tasked with building a SMTP relay server that can take the basic SMTP/25 emails and forward them to our email provider via SSL.

Note: The relay host makes the SMTPS connection on 465 using stunnel.

I am at a point where my SMTP Postfix Relay Server is able to send mail successfully via our email provider, alimail. But I cannot get it to relay emails from other hosts on our network.

/etc/postfix/main.cf

smtpd_banner = mail01v-la ESMTP
inet_interfaces = all
inet_protocols = ipv4

mynetworks = 127.0.0.0/8, 10.96.80.0/24
relayhost = [127.0.0.1]:5000
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CApath = /etc/ssl/certs
smtp_use_tls = no
smtp_generic_maps = regexp:/etc/postfix/generic

/etc/postfix/sasl_passwd

[127.0.0.1]:5000 notify@domain.com:notifypwd

/etc/postfix/generic

/^root@(.*)$/ notify@domain.com

/etc/stunnel/stunnel.conf

client = yes
foreground = no

[smtps]
accept = 5000
connect = smtp.mxhichina.com:smtps

SMTP Telnet to Provider

[root@mail01v-la ~]# telnet smtp.mxhichina.com smtp
Trying 205.204.101.152...
Connected to smtp.mxhichina.com.
Escape character is '^]'.
220 smtp.aliyun-inc.com MX AliMail Server
ehlo google.come
250-smtp.aliyun-inc.com
250-STARTTLS
250-8BITMIME
250-AUTH=PLAIN LOGIN XALIOAUTH
250-AUTH PLAIN LOGIN XALIOAUTH
250-PIPELINING
250 DSN

Checking Stunnel Connection

[root@mail01v-la ~]# telnet 127.0.0.1 5000
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 smtp.aliyun-inc.com MX AliMail Server

Sending an Email from the Relay Server

echo "Stack Body" | mail -s "Test Subject for Stack" user@domain.com

Results

Feb 14 18:30:29 mail01v-la postfix/pickup[4812]: 3194940DE2: uid=0 from=<root>
Feb 14 18:30:29 mail01v-la postfix/cleanup[4865]: 3194940DE2: message-id=<20200215023029.3194940DE2@mail01v-la.domain.com>
Feb 14 18:30:29 mail01v-la postfix/qmgr[2606]: 3194940DE2: from=<root@mail01v-la.domain.com>, size=481, nrcpt=1 (queue active)
Feb 14 18:30:30 mail01v-la postfix/smtp[4867]: 3194940DE2: to=<user@domain.com>, relay=127.0.0.1[127.0.0.1]:5000, delay=1.3, delays=0.01/0.01/0.85/0.46, dsn=2.0.0, status=sent (250 Data Ok: queued as freedom)
Feb 14 18:30:30 mail01v-la postfix/qmgr[2606]: 3194940DE2: removed

Email

Testing with other hosts

Random CentOS Server

/etc/postfix/main.cf

relayhost = [10.96.80.126]:5000

Result

Feb 14 18:06:52 test01v-la postfix/pickup[1247]: BB87C305A42F: uid=0 from=<root>
Feb 14 18:06:52 test01v-la postfix/cleanup[1387]: BB87C305A42F: message-id=<20200215020652.BB87C305A42F@test01v-la.domain.com>
Feb 14 18:06:52 test01v-la postfix/qmgr[1248]: BB87C305A42F: from=<root@test01v-la.domain.com>, size=477, nrcpt=1 (queue active)
Feb 14 18:06:53 test01v-la postfix/smtp[1389]: BB87C305A42F: to=<notify@domain.com>, relay=10.96.80.126[10.96.80.126]:5000, delay=0.78, delays=0.01/0.01/0.61/0.15, dsn=5.0.0, status=bounced (host 10.96.80.126[10.96.80.126] said: 553 authentication is required (in reply to MAIL FROM command))

Eaton PSU

config creds

Eaton Result

email[17131]: message error -110 in function smtp_start_session test - (Connection timed out) retrying smtp_start_session test
email[17131]: Failed to connect to SMTP server 10.96.80.126:5000 with username notify@domain.com


This is my first time doing a setup like this. There are likely a lot of holes in my knowledge that are causing me grief.

  1. In a proper setup, do you even need to re-type credentials for any hosts that want to use the relay server? For example, in the eaton smtp config, should it be the creds of the email used in the sasl file? Or a system account permitted for forwarding with postfix? Or an account name defined in the postfix/generic file? A bit lost.

  2. Is stunnel even the proper way I should be connecting via ssl/tls? I see starttls available in the telnet prompt for smtp.mxhichina.com.

Honestly, I think I'm overcomplicating this or am missing something obvious. If anyone has a better setup to accommodate my use case, it'd be greatly appreciated as well.


Switching SSL connection from Stunnel to Postfix only

Results

Feb 20 11:27:22 mail01v-la postfix/qmgr[1537]: 6B38AE5EE: from=<root@mail01v-la.domain.com>, size=479, nrcpt=1 (queue active)
Feb 20 11:27:22 mail01v-la postfix/smtp[1558]: CLIENT wrappermode (port smtps/465) is unimplemented
Feb 20 11:27:22 mail01v-la postfix/smtp[1558]: instead, send to (port submission/587) with STARTTLS
Feb 20 11:27:40 mail01v-la postfix/smtp[1558]: 6B38AE5EE: to=<user@domain.com>, relay=smtp.mxhichina.com[205.204.101.152]:465, delay=613, delays=595/0.02/19/0, dsn=4.4.2, status=deferred (lost connection with smtp.mxhichina.com[205.204.101.152] while receiving the initial server greeting)
Feb 20 11:32:22 mail01v-la postfix/qmgr[1537]: A3F736B2: from=<root@mail01v-la.domain.com>, size=477, nrcpt=1 (queue active)

main.cf

inet_interfaces = all
inet_protocols = ipv4

mynetworks = 127.0.0.0/8, 10.96.80.0/24
relayhost = [smtp.mxhichina.com]:465
smtp_use_tls = yes
smtp_enforce_tls = yes
smtp_tls_wrappermode = yes

soft_bounce = yes
smtp_sasl_auth_soft_bounce = yes

/etc/postfix/sasl_passwd

smtp.mxhichina.com notify@domain.com:notifypwd

4 Answers


Your line

  mynetworks = 127.0.0.0/8, 10.96.80.1/24

Looks incorrect - you have specified a single host (not sure how it interprets the associated network.) Try changing the second entry to 10.96.80.0/24

davidgo
  • Thanks, good catch. I definitely need to connect from any host in that subnet. Unfortunately, still having the same issue. Do you think this looks to be an auth issue with my own SMTP server, or the provider one I'm relaying to? – Nathaniel Alconcel Feb 18 '20 at 19:44

As far as I can tell

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

are used when Postfix acts as an SMTP client, not a server, and enable authentication of Postfix itself to the remote server. More details in http://www.postfix.org/SASL_README.html.

I think you should be enabling

smtpd_sasl_auth_enable = yes

and looking at "Enabling SASL authentication and authorization in the Postfix SMTP server" section of the abovementioned readme.

Tomek

Unless you are using an old Postfix version, you don't need to configure stunnel to talk to your e-mail provider using SSL/SMTPS. Postfix >= 3.0 can do so directly by setting the following parameters in your /etc/postfix/main.cf:

relayhost = [smtp.mxhichina.com]:465
smtp_use_tls = yes
smtp_enforce_tls = yes
smtp_tls_wrappermode = yes

# Optional, but recommended to prevent mail loss
soft_bounce = yes
smtp_sasl_auth_soft_bounce = yes

Then, in your /etc/postfix/sasl_passwd, have the following entry defined:

smtp.mxhichina.com notify@domain.com:notifypwd

Once you change /etc/postfix/sasl_passwd file, make sure that the command line postmap /etc/postfix/sasl_passwd has been run. In addition, run the command line postmap -q smtp.mxhichina.com hash:/etc/postfix/sasl_passwd to ensure that authentication credentials have been stored correctly.

Reference: http://www.postfix.org/TLS_README.html#client_smtps


Regarding Eaton PSUs and the other CentOS server in your network, I believe that you just have to set the address of your relay server and the port 25/tcp as the SMTP server/relayhost:

relayhost = [10.96.80.126]:25

By doing so, the Postfix server will receive e-mail messages using plain and unauthenticated SMTP connections, store them in its own e-mail queue and then forward the messages to your provider using SSL/SMTPS connections and the proper credentials.

  • I get the same result from before I started using Stunnel, wherein it states STARTTLS is unimplemented and recommended I use 585 instead. The documentation for that smtp server from my provider however, states to use 465. Results added in edit. – Nathaniel Alconcel Feb 20 '20 at 19:45
  • Trying to change the port to 587, I get "connection timeout" Trying smtps, I get the same as the 465 result. – Nathaniel Alconcel Feb 20 '20 at 19:56
  • Oh, right... I overlooked the information stating that client-side SMTPS in Postfix requires at least version 3.0 to work ( http://www.postfix.org/postconf.5.html#smtp_tls_wrappermode ). That is why you are getting the message `CLIENT wrappermode (port smtps/465) is unimplemented` in your logs. Therefore, STUNNEL is required. I am going to edit my answer. – Anderson Medeiros Gomes Feb 21 '20 at 01:33
  • Have you tried to configure the PSU to use `10.96.80.126:25` as SMTP server? If so, please could you also provide logs from the Postfix's receiving side (`postfix/smtpd`)? – Anderson Medeiros Gomes Feb 21 '20 at 01:35
  • Thank you.. that was part of the issue. I was trying to use port 5000. – Nathaniel Alconcel Feb 26 '20 at 02:50

Thanks for the help everyone. My original setup was correct except for the port I was trying to connect to from the other clients, which should've been 25, instead of 5000.

EX. In Random CentOS Server:

/etc/postfix/main.cf

relayhost = [10.96.80.126]:25

The reason the Eaton wasn't working was because the network wasn't defined in mynetworks in /etc/postfix/main.cf and because of a routing issue to my OOB network.

Thank you all for the help.
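As an added example (not code from the question or any of the answers), here is a small Python linter that reads a main.cf fragment and the matching sasl_passwd source and flags the pitfalls raised in this thread: host bits set in a mynetworks CIDR (davidgo's answer), a LAN client that mynetworks does not cover (the Eaton problem in the final answer), smtp_ versus smtpd_ confusion on the client side, smtp_tls_wrappermode on a Postfix older than 3.0 (the "CLIENT wrappermode ... is unimplemented" log line), a relayhost with no matching sasl_passwd key, SASL credentials that are not forced over TLS, and a downstream host whose relayhost points at something other than the relay's smtpd port (the port 5000 mistake). The embedded configs are constructed from the question; the Postfix version string, the finding codes and the assumed sasl_passwd lookup order (next-hop as written in relayhost, then the bare hostname) are this example's own assumptions, not something the thread states.

```python
"""Static checks for a Postfix relay setup (added example, not from the thread)."""
import ipaddress
import re

# Constructed: the relay's main.cf as first posted, including the /24 typo.
RELAY_MAIN_CF = """\
smtpd_banner = mail01v-la ESMTP
inet_interfaces = all
mynetworks = 127.0.0.0/8, 10.96.80.1/24
relayhost = [127.0.0.1]:5000
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_use_tls = no
"""
RELAY_SASL_PASSWD = "[127.0.0.1]:5000 notify@domain.com:notifypwd\n"

# Constructed: the same relay switched to native SMTPS (only works on Postfix >= 3.0).
RELAY_MAIN_CF_SMTPS = """\
mynetworks = 127.0.0.0/8, 10.96.80.0/24
relayhost = [smtp.mxhichina.com]:465
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes
smtp_tls_wrappermode = yes
"""
SMTPS_SASL_PASSWD = "smtp.mxhichina.com notify@domain.com:notifypwd\n"


def parse_kv(text):
    """Parse main.cf-style 'key = value' lines; comments and blank lines are ignored."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params


def parse_sasl_passwd(text):
    """Lookup keys (first column) of a sasl_passwd source file."""
    return {ln.split()[0] for ln in text.splitlines() if ln.split() and not ln.startswith("#")}


def parse_relayhost(value):
    """'[host]:port' / 'host:port' / 'host' -> (host, port or None)."""
    m = re.fullmatch(r"\[?([^\[\]:]+)\]?(?::([A-Za-z0-9]+))?", value)
    if not m:
        raise ValueError(f"unparseable relayhost: {value!r}")
    return m.group(1), m.group(2)


def version_tuple(v):
    """'2.10.1' -> (2, 10, 1); the running version is what 'postconf mail_version' prints."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def tls_level(params):
    """Effective client TLS level; smtp_tls_security_level overrides the legacy switches."""
    if "smtp_tls_security_level" in params:
        return params["smtp_tls_security_level"]
    if params.get("smtp_enforce_tls") == "yes":
        return "encrypt"
    return "may" if params.get("smtp_use_tls") == "yes" else "none"


def check_mynetworks(params, client_ip=None):
    """Flag CIDRs with host bits set and, if given, a client address not covered.

    Postfix relays unauthenticated mail only from mynetworks (permit_mynetworks), so a
    LAN sender outside it is refused no matter what credentials it was configured with.
    """
    findings, nets = [], []
    for entry in re.split(r"[,\s]+", params.get("mynetworks", "")):
        if not entry:
            continue
        bare = entry.replace("[", "").replace("]", "")
        try:
            nets.append(ipaddress.ip_network(bare, strict=True))
        except ValueError:
            try:
                net = ipaddress.ip_network(bare, strict=False)
            except ValueError:
                continue  # hostname or table reference; not checked here
            nets.append(net)
            findings.append(("HOSTBITS", f"mynetworks: {entry} has host bits set; use {net}"))
    if client_ip and not any(ipaddress.ip_address(client_ip) in n for n in nets):
        findings.append(("CLIENT_NOT_IN_MYNETWORKS",
                         f"mynetworks does not cover {client_ip}; relaying from it will be refused"))
    return findings


def check_outbound(params, sasl_keys, postfix_version):
    """Checks on the relay's *client* side: the smtp_* parameters, not smtpd_*."""
    findings = []
    if not params.get("relayhost"):
        return [("NO_RELAYHOST", "relayhost is not set")]
    host, port = parse_relayhost(params["relayhost"])
    try:
        loopback = ipaddress.ip_address(host).is_loopback
    except ValueError:
        loopback = host == "localhost"
    wrapper = params.get("smtp_tls_wrappermode") == "yes"
    if params.get("smtp_sasl_auth_enable") == "yes":
        # Assumed lookup order: next-hop exactly as written in relayhost, then bare hostname.
        if params["relayhost"] not in sasl_keys and host not in sasl_keys:
            findings.append(("NO_SASL_ENTRY", f"sasl_passwd has no key for {params['relayhost']} or {host}"))
        if not loopback and not wrapper and tls_level(params) in ("none", "may"):
            findings.append(("PLAINTEXT_SASL", f"credentials to {host} are not forced over TLS "
                             f"(level {tls_level(params)}); set smtp_tls_security_level = encrypt"))
    if wrapper and version_tuple(postfix_version) < (3,):
        findings.append(("WRAPPERMODE_VERSION", f"smtp_tls_wrappermode needs Postfix >= 3.0 (running "
                         f"{postfix_version}); use stunnel on loopback or submission/587 with STARTTLS"))
    elif port in ("465", "smtps") and not wrapper:
        findings.append(("PORT465_NO_WRAPPER", f"{host}:{port} expects TLS from the first byte; "
                         "without wrappermode Postfix waits for a plaintext greeting that never comes"))
    return findings


def check_downstream(params):
    """A LAN host relaying through our Postfix must target its smtpd listener (25, or 587
    if a submission service exists in master.cf); any other port reaches some other daemon."""
    if not params.get("relayhost"):
        return []
    host, port = parse_relayhost(params["relayhost"])
    if port not in (None, "25", "smtp", "587", "submission"):
        return [("BAD_RELAY_PORT", f"relayhost {params['relayhost']}: port {port} is not an smtpd port")]
    return []


def lint_relay(main_cf, sasl_passwd, postfix_version, client_ip=None):
    """Run all relay-side checks; returns a list of (code, message) tuples."""
    params = parse_kv(main_cf)
    return check_mynetworks(params, client_ip) + check_outbound(params, parse_sasl_passwd(sasl_passwd), postfix_version)


if __name__ == "__main__":
    for code, msg in lint_relay(RELAY_MAIN_CF, RELAY_SASL_PASSWD, "2.10.1", client_ip="10.96.80.126"):
        print(f"[{code}] {msg}")
    for code, msg in lint_relay(RELAY_MAIN_CF_SMTPS, SMTPS_SASL_PASSWD, "2.10.1", client_ip="10.96.70.5"):
        print(f"[{code}] {msg}")
    for code, msg in check_downstream(parse_kv("relayhost = [10.96.80.126]:5000")):
        print(f"[{code}] {msg}")
```

Run it against a real box with `lint_relay(open("/etc/postfix/main.cf").read(), open("/etc/postfix/sasl_passwd").read(), subprocess.check_output(["postconf", "-h", "mail_version"]).decode())`; the loopback exemption in `check_outbound` is deliberate, since with the stunnel layout the TLS session is stunnel's job and Postfix legitimately speaks plaintext to 127.0.0.1.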