Q: OS X Server - Relay outgoing mail through ISP - Operation timed out
Hello,
I have my OS X Server set up but I can only receive mail. Because of my ISP I can't send, so I need to relay the mail through them.
I have a personal e-mail address
hostname: mail.ispmail.com with the ip XXX.XX.80.110
user:
password: mypassword
I've entered them in the "Relay outgoing mail through ISP" field in the OS X Server app and now I get an operation timed out?
Can't I use my account to relay mail through it? Does the ISP relay have to have some kind of special settings?
Mar 6 21:48:46 server.mydomain.com postfix/smtp[6664]: 792DA5C5245: to=<destination@mail.ro>, relay=none, delay=30, delays=0.06/0.04/30/0, dsn=4.4.1, status=deferred (connect to XXX.XX.80.110[XXX.XX.80.110]:25: Operation timed out)
Am I doing something wrong?
Posted on Mar 6, 2013 12:06 PM
EUREKA!!!
It works!
I'm using 587.
What I've learned:
1. Postfix relay does not work on 465 unless you add some kind of add-on. (I don't know what this means but I was advised to try 587)
So SSL is a no go.
2. On 587 I'll give you my GUT feeling about the issue. I'm using OS X Server Mountain Lion and it has many out of the box limitations when you are trying to authenticate it OR to it. In short, unless you are using SSL, authenticating in cleartext is banned, as long as you use their interface. To do this they use "smtp_sasl_mechanism_filter=" to ban certain auth mechanisms.
CONCLUSION: 1 + 2 means postfix can't use SSL for relay (out of the box) AND since you are not using SSL all cleartext auth mechanisms get banned.
To get around this you have to:
sudo postconf -c /Library/Server/Mail/Config/postfix/ -e "smtp_sasl_mechanism_filter="
sudo postconf -c /Library/Server/Mail/Config/postfix/ -e "smtp_sasl_security_filter="
(this second one might not be needed since I think it's an old setting and is no longer in use)
then
sudo postfix reload
sudo postsuper -r ALL
So the fix is not actually a fix, you just disable all the filters to let postfix try the "normal" auth methods first.
Hope I'm making sense here since I lost Screenshare connection with the server and I'm out of the office right now.
PS. From my experience in the OS X Server interface under Mail -> Authentication - when you use OpenDirectory out of the box you have the authentication options enabled: Kerberos, Digest (CRAM-MD5) and Digest-MD5.
My issue is that OS X Server security is doing what it is supposed to do, essentially not letting you shoot your own foot off and expose passwords in cleartext to sniffers, as long as you use their interface.
The two others, Cleartext, which is used for compatibility with Active Directory (if you use one in the network), and APOP (which is for POP), come disabled.
Not only that, but it is purposefully written here and there in certain configuration files so the setting is system-wide. My guess is that once you set the inbound authentication mechanisms, the interface just propagates this as a system-wide choice, and all outbound postfix (in this case relay authentication) gets the same treatment. On second thought this might just be postfix doing its thing.
Posted on Mar 13, 2013 1:12 PM
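A defensive check for the relay setup discussed in the post above, as an added example that is not part of the original thread: it reads `postconf -n` style output and reports whether SASL relay credentials could be sent in cleartext. The function name `audit_relay` and the sample settings are constructed; the Postfix parameters `smtp_sasl_auth_enable`, `smtp_sasl_security_options` and `smtp_tls_security_level` are used with their documented defaults, and the legacy `smtp_use_tls` / `smtp_enforce_tls` switches are assumed to be unset.

```shell
# Added example (not from the original thread): reads "name = value" lines
# in `postconf -n` format on stdin and reports whether SASL relay credentials
# could cross the wire in cleartext. Returns 0 when safe, 1 when exposed.
audit_relay() {
    awk '
    {
        eq = index($0, "=")
        if (eq == 0) next
        name = substr($0, 1, eq - 1); value = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", name)
        gsub(/^[ \t]+|[ \t]+$/, "", value)
        conf[name] = value
    }
    END {
        # Postfix built-in defaults for parameters that are not set.
        if (!("smtp_sasl_auth_enable" in conf)) conf["smtp_sasl_auth_enable"] = "no"
        if (!("smtp_sasl_security_options" in conf))
            conf["smtp_sasl_security_options"] = "noplaintext, noanonymous"
        if (conf["smtp_sasl_auth_enable"] != "yes") {
            print "OK: SASL client auth is off, no relay credentials are sent"
            exit 0
        }
        level = conf["smtp_tls_security_level"]
        tls_required = (level ~ /^(encrypt|dane-only|fingerprint|verify|secure)$/)
        plain_blocked = (conf["smtp_sasl_security_options"] ~ /noplaintext/)
        if (tls_required) {
            print "OK: TLS is mandatory (" level "), credentials stay encrypted"
            exit 0
        }
        if (plain_blocked) {
            print "OK: PLAIN/LOGIN refused on sessions without TLS"
            exit 0
        }
        print "EXPOSED: PLAIN/LOGIN allowed and TLS not mandatory"
        exit 1
    }'
}

# Constructed sample settings (assumed values, not taken from the thread).
audit_relay <<'EOF' || true
relayhost = [mail.ispmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter =
smtp_sasl_security_options = noanonymous
EOF
```

On the server from the thread, the live settings can be piped in with `postconf -c /Library/Server/Mail/Config/postfix/ -n | audit_relay`.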
