
Our Zimbra server hasn't been working for outgoing external mail since yesterday. On Friday I installed some updates (for Shellshock and kernel updates), restarted, and it worked fine. But since yesterday, sending mail to external recipients has stopped working. Internal mail (which doesn't use the relay MTA) works.

Since I didn't change any settings, I checked the remote server (Strato) with swaks and it worked:

```
swaks -s smtp.strato.de -tls -p 587 -f mail@example.com -t mail@example2.com -a -au mail@example.com -ap xxxxxx
```

The same credentials as listed with -au and -ap are listed in /opt/zimbra/conf/relay_password

When sending a mail via Zimbra I get the following from /var/log/zimbra.log:

```
Oct 2 09:00:10 server postfix/smtp[8144]: 3952465A24A: to=<mail@example2.com>, relay=smtp.strato.de[81.169.145.133]:587, delay=0.55, delays=0.27/0.01/0.26/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.strato.de[81.169.145.133]: bad protocol / cancel)
```

Zimbra main.cf:

```
mail_owner = postfix
bounce_notice_recipient = postmaster
content_filter = smtp-amavis:[127.0.0.1]:10024
smtp_sasl_security_options = noanonymous
relayhost = smtp.strato.de:587
virtual_alias_expansion_limit = 10000
smtpd_sasl_authenticated_header = no
smtp_helo_name = $myhostname
broken_sasl_auth_clients = yes
minimal_backoff_time = 300s
sender_canonical_maps = proxy:ldap:/opt/zimbra/conf/ldap-scm.cf
always_add_missing_headers = yes
smtpd_tls_key_file = /opt/zimbra/conf/smtpd.key
smtpd_helo_required = yes
virtual_transport = error
sendmail_path = /opt/zimbra/postfix/sbin/sendmail
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_mynetworks, reject_unlisted_recipient, reject_non_fqdn_sender, permit
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_reject_unlisted_recipient = no
bounce_queue_lifetime = 5d
smtp_sasl_mechanism_filter =
local_header_rewrite_clients = permit_mynetworks,permit_sasl_authenticated
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_milters =
smtpd_tls_security_level = may
smtpd_sender_restrictions = check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re
lmtp_host_lookup = dns
delay_warning_time = 0h
header_checks =
queue_run_delay = 300s
virtual_mailbox_maps = proxy:ldap:/opt/zimbra/conf/ldap-vmm.cf
notify_classes = resource,software
command_directory = /opt/zimbra/postfix/sbin
smtpd_client_restrictions = reject_unauth_pipelining
smtpd_tls_auth_only = yes
virtual_alias_maps = proxy:ldap:/opt/zimbra/conf/ldap-vam.cf
mailq_path = /opt/zimbra/postfix/sbin/mailq
smtpd_banner = $myhostname ESMTP $mail_name
mynetworks = 127.0.0.0/8 192.168.117.0/24 [::1]/128 [fe80::]/64
lmtp_connection_cache_time_limit = 4s
transport_maps = proxy:ldap:/opt/zimbra/conf/ldap-transport.cf
virtual_alias_domains = proxy:ldap:/opt/zimbra/conf/ldap-vad.cf
smtpd_sasl_auth_enable = yes
smtpd_tls_loglevel = 1
maximal_backoff_time = 4000s
virtual_mailbox_domains = proxy:ldap:/opt/zimbra/conf/ldap-vmd.cf
inet_protocols = ipv4
non_smtpd_milters =
daemon_directory = /opt/zimbra/postfix/libexec
smtp_tls_security_level =
alias_maps = hash:/etc/aliases
setgid_group = postdrop
smtp_cname_overrides_servername = no
mydestination = localhost
smtpd_end_of_data_restrictions =
import_environment =
myhostname = mail.example.com
message_size_limit = 1048576000
recipient_delimiter =
in_flow_delay = 1s
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
queue_directory = /opt/zimbra/data/postfix/spool
propagate_unmatched_extensions = canonical
manpage_directory = /opt/zimbra/postfix/man
smtp_fallback_relay =
smtpd_tls_cert_file = /opt/zimbra/conf/smtpd.crt
smtp_sasl_password_maps = hash:/opt/zimbra/conf/relay_password
lmtp_connection_cache_destinations =
newaliases_path = /opt/zimbra/postfix/sbin/newaliases
smtp_sasl_auth_enable = yes
mailbox_size_limit = 0
disable_dns_lookups = no
```

It's Zimbra 8.04. Any hints?

Edit: With a higher loglevel, this is what I get from zimbra.log after sending a mail:

```
Oct  2 09:26:51 server postfix/smtp[21000]: warning: SASL authentication failure: ServerSignature expected in SCRAM-SHA-1 input
```
Broco
  • Were any changes made on the remote server around that time? Could you get hold of the matching logs from that side? – Jenny D Oct 02 '14 at 07:29
  • No, the remote server is hosted by a big service provider in Germany, the only logs I can get are those from our server. Since swaks says that the sasl authentication works I guess it's something on our side but we didn't change any settings... – Broco Oct 02 '14 at 07:31
  • It would appear that the service provider has changed something. You need to contact their support center. Also, when you run `swaks`, you need to make sure you're using the same kind of authentication as your Zimbra installation is using (in this case, SCRAM-SHA-1), or the result will be inconclusive. And the config you posted shows how your server handles incoming connections, not how it works when it acts as a client. – Jenny D Oct 02 '14 at 07:41
  • You are right, they set up scram-sha-1 to default. I fixed it using `zmlocalconfig -e postfix_smtp_sasl_mechanism_filter=plain,login` – Broco Oct 02 '14 at 08:08

1 Answer

As others pointed out, your SMTP relay has probably changed something. Looks like they changed their advertised authentication mechanisms.

I don't know if swaks tells you which authentication mechanism it used in its output, but you could try specifying an auth-type and see if you get through.

The parameter for digest-md5 would be:

```
swaks -s smtp.strato.de -tls -p 587 -f mail@example.com -t mail@example2.com -a digest-md5 -au mail@example.com -ap xxxxxx
```

See swaks man page for other auth-types (like SCRAM-SHA1).

In the Zimbra main.cf you can specify the auth-type by setting the following parameter (which is empty in your config):

```
smtp_sasl_mechanism_filter = digest-md5
```

If that doesn't help, maybe you are missing a package on your system.

aairey
  • Yep, they changed it, that was the problem. Fixed it using `zmlocalconfig -e postfix_smtp_sasl_mechanism_filter=plain,login` – Broco Oct 02 '14 at 08:09
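
Added example, not part of the original posts and not Zimbra or Postfix code: a small audit of the Postfix SMTP client settings discussed above. It shows which mechanisms survive `smtp_sasl_mechanism_filter` and flags the case where PLAIN/LOGIN remain allowed while `smtp_tls_security_level` does not force TLS to the relay, as in the posted main.cf. The relay's AUTH list (`OFFERED`) is a constructed sample and all function names are hypothetical.

```python
import re

PLAINTEXT_MECHS = {"plain", "login"}
# smtp_tls_security_level values under which Postfix never sends mail without TLS
MANDATORY_TLS = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}

# Client-side (smtp_*) lines taken from the main.cf in the question
QUESTION_CF = """\
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_mechanism_filter =
smtp_tls_security_level =
"""
# Constructed sample: AUTH list of a relay that offers SCRAM-SHA-1 first
OFFERED = ["SCRAM-SHA-1", "PLAIN", "LOGIN"]

def parse_main_cf(text):
    """Parse 'name = value' lines; continuation lines are not handled."""
    params = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def usable_mechanisms(offered, mech_filter):
    """Apply a filter of plain mechanism names; an empty filter allows all."""
    wanted = {m.lower() for m in re.split(r"[,\s]+", mech_filter) if m}
    return [m for m in offered if not wanted or m.lower() in wanted]

def audit(params, offered):
    """Return (usable mechanisms, findings) for the SMTP client settings."""
    mechs = usable_mechanisms(offered, params.get("smtp_sasl_mechanism_filter", ""))
    level = params.get("smtp_tls_security_level", "")
    # An empty level falls back to the obsolete smtp_enforce_tls parameter
    tls_required = level in MANDATORY_TLS or (
        not level and params.get("smtp_enforce_tls") == "yes")
    findings = []
    if params.get("smtp_sasl_auth_enable") != "yes":
        return mechs, findings
    if not mechs:
        findings.append("filter leaves no mechanism the relay offers")
    if not tls_required and any(m.lower() in PLAINTEXT_MECHS for m in mechs):
        findings.append("PLAIN/LOGIN allowed but TLS to the relay is not mandatory")
    return mechs, findings

def with_settings(**overrides):
    """Audit the question's config with some parameters replaced."""
    return audit({**parse_main_cf(QUESTION_CF), **overrides}, OFFERED)
```

Calling `with_settings(smtp_sasl_mechanism_filter="plain,login")` reproduces the state after the `zmlocalconfig` fix; adding `smtp_tls_security_level="encrypt"` clears the finding.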