amperfrombeinasco

Q: Relay outgoing mail through ISP - Mail Server

Good morning.

I need to set "Relay outgoing mail through ISP" with mail on Mac OS X SERVER ver. 5.1 (El Capitan).

Is it possible to set SSL on (port 465)?

How can I do it?

I find only the option to authenticate to the relay with a username and password, but there is no SSL option...

Many thanks and best regards.

Mac Pro, OS X Server, El Capitan + app "OS X Server"

Posted on Apr 6, 2016 11:56 PM


  • by Linc Davis,

    Apr 7, 2016 2:21 PM in response to amperfrombeinasco
    Level 10 (207,925 points)

    The Server app provides for mail relaying with client authentication, but it doesn't provide for authenticated relaying over an SSL/TLS connection.

    Please take the following steps to configure Postfix to relay mail to a remote SMTP server with password authentication over SSL. Substitute as required for strings in italics below. Address is the fully-qualified domain name of the relay host. The value of port is usually either 25, 465, or 587. Username and password refer to your credentials on the relay host.

    In the current version of OS X Server (but maybe not in older versions), Steps 1 and 3 should be done for you when you enable relaying and relay authentication in the Server application.

    1. If necessary, create or update the relayhost directive in

         /Library/Server/Mail/Config/postfix/main.cf

    It should look like this:

         relayhost = [address]:port

    2. Add these lines, above the section at the end that begins with the comment "# Mac OS X Server":

         smtp_sasl_security_options =
         smtp_tls_CAfile = /etc/certificates/relayhost.pem
         smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
         smtp_use_tls = yes

    3. If it doesn't already exist, create the password file

         /Library/Server/Mail/Config/postfix/sasl/passwd

    with this content:

         [address]:port username:password

    Here address must match $relayhost.

    Then create the password database:

    sudo postmap /Library/Server/Mail/Config/postfix/sasl/passwd

    This action creates the file

         /Library/Server/Mail/Config/postfix/sasl/passwd.db

    The two password files should be readable by root only.

    4. Create the file

         /etc/certificates/relayhost.pem

    with the CA certificate(s) to be trusted for authentication of the remote host. You get those certificates from the service provider. If you can't find a link to download them, try this:

    openssl s_client -connect address:port -showcerts < /dev/null | sed -n '/-BEGIN /,/-END /p' | sudo sh -c 'cat > /etc/certificates/relayhost.pem'

    The command may produce an error message that isn't necessarily significant. For servers that use the older STARTTLS protocol, rather than straight TLS or SSL, this command may need to be modified.

    5. Restart the Mail service.

  • by amperfrombeinasco,

    Apr 10, 2016 11:32 PM in response to Linc Davis
    Level 1 (4 points)

    MANY THANKS.

    We are now waiting for a new internet provider, so we don't yet know the new server and authentication settings for delivering mail through the ISP.

    When they communicate this information to us, we'll try to use your precious instructions to set SSL.

    We will inform you about the result as soon as possible.

    Best regards.

  • by Kirk White,

    Aug 18, 2016 12:01 AM in response to Linc Davis
    Level 1 (5 points)

    Having some issues with step 4.  Attempting to use the command to retrieve the CA certs from Comcast, but not returning the cert.  relayhost.pem is empty.  Any suggestions?  Thanks.
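
Added example, not part of any post in this thread: a variant of the step 4 retrieval that chooses between direct TLS and STARTTLS by port and refuses to install an empty file, which is what the original pipeline leaves behind when no handshake completes. The function names and the host relay.example.net are assumptions made for illustration; certificates fetched this way are trusted on first use, so the printed fingerprint should be compared with one obtained from the provider.

```shell
#!/bin/sh
# Added example, not from the thread. Host names below are placeholders.

# Pick s_client options for the relay port: 465 speaks TLS from the first
# byte, while 25 and 587 start in plaintext and upgrade with STARTTLS.
s_client_args() {
    host=$1; port=$2
    case "$port" in
        465)    echo "-connect $host:$port -servername $host -showcerts" ;;
        25|587) echo "-connect $host:$port -servername $host -starttls smtp -showcerts" ;;
        *)      echo "unsupported port: $port" >&2; return 1 ;;
    esac
}

# Keep only the PEM certificate blocks from s_client output on stdin.
extract_pem() {
    sed -n '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# Print the number of certificates in a PEM file (0 if empty or missing).
count_certs() {
    [ -s "$1" ] || { echo 0; return 0; }
    grep -c -- '-BEGIN CERTIFICATE-' "$1" || true
}

# Fetch the chain into a temp file and install it only when it holds at
# least one certificate, so a failed handshake cannot leave an empty CA file.
fetch_chain() {
    host=$1; port=$2; dest=$3
    args=$(s_client_args "$host" "$port") || return 1
    tmp=$(mktemp) || return 1
    # $args is left unquoted on purpose so it splits into separate options.
    openssl s_client $args </dev/null 2>/dev/null | extract_pem >"$tmp"
    if [ "$(count_certs "$tmp")" -eq 0 ]; then
        echo "no certificate received from $host:$port" >&2
        rm -f "$tmp"
        return 1
    fi
    # Show the first certificate received; compare its fingerprint with a
    # value obtained from the provider before relying on the file.
    openssl x509 -in "$tmp" -noout -subject -issuer -fingerprint -sha256
    mv "$tmp" "$dest"
}

# Usage (as root): fetch_chain relay.example.net 587 /etc/certificates/relayhost.pem
```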