4 Replies Latest reply: Apr 16, 2012 11:02 AM by Rikakiah
Rikakiah Level 1 (40 points)

I'm at a small university where my mac network is sandboxed inside of a greater campus network.  The main IT dept doesn't want me to relay mail through them (completely ignorant of macs and worried my network will mess them up) so I'm trying to relay through a gmail account.  I have an equipment checkout form on my local network that is supposed to send emails to the users when certain things are approved/etc, but would also like normal server status emails (like warnings when disks are full, etc) to be sent externally.

 

Anyway, turned on the mail server and have my gmail account set up.  Checked "Relay outgoing mail through host: smtp.gmail.com" along with the gmail's account credentials in Server Admin.  However, when an email is sent out, my log returns:

 

Apr 12 15:05:44 myserver postfix/pickup[77953]: 6B896EAF8C8: uid=70 from=<_www>

Apr 12 15:05:44 myserver postfix/cleanup[77996]: 6B896EAF8C8: message-id=<20120412200544.6B896EAF8C8@myserver.example.com>

Apr 12 15:05:44 myserver postfix/qmgr[77954]: 6B896EAF8C8: from=<_www@myserver.example.com>, size=600, nrcpt=1 (queue active)

Apr 12 15:05:44 myserver postfix/smtp[77998]: 6B896EAF8C8: to=<me@email.edu>, relay=smtp.gmail.com[209.85.225.108]:25, delay=0.2, delays=0.02/0.02/0.14/0.02, dsn=5.7.0, status=bounced (host smtp.gmail.com[209.85.225.108] said: 530 5.7.0 Must issue a STARTTLS command first. gr1sm30865123igc.1 (in reply to MAIL FROM command))

Apr 12 15:10:44 myserver postfix/smtp[77998]: 6B896EAF8C8: conversation with smtp.gmail.com[209.85.225.108] timed out while sending RCPT TO

Apr 12 15:10:44 myserver postfix/cleanup[78127]: A1C0EEAF99A: message-id=<20120412201044.A1C0EEAF99A@myserver.example.com>

Apr 12 15:10:44 myserver postfix/bounce[78126]: 6B896EAF8C8: sender non-delivery notification: A1C0EEAF99A

Apr 12 15:10:44 myserver postfix/qmgr[77954]: A1C0EEAF99A: from=<>, size=2643, nrcpt=1 (queue active)

Apr 12 15:10:44 myserver postfix/qmgr[77954]: 6B896EAF8C8: removed

Apr 12 15:10:44 myserver postfix/local[78129]: od[getpwnam_ext]: no attribute dsAttrTypeStandard:MailAttribute in record for user _www

Apr 12 15:10:44 myserver postfix/pipe[78130]: A1C0EEAF99A: to=<_www@myserver.example.com>, relay=dovecot, delay=0.04, delays=0.02/0.01/0/0.02, dsn=2.0.0, status=sent (delivered via dovecot service)

Apr 12 15:10:44 myserver postfix/qmgr[77954]: A1C0EEAF99A: removed

 

 

It appears to not be going through due to the STARTTLS issue.  Per another post I found, I added the line "smtpd_tls_security_level = may" to main.cf.  I also tried changing "smtpd_use_tls = no" and "smtpd_enforce_tls = no" both to "yes", but the result was always exactly the same.

 

On a minor side note, how was the "_www" account created and is there any way I can change this?

 

Thanks.


XServe, Mac OS X (10.6.7)
  • Camelot Level 8 (46,295 points)

    Your smtpd postfix settings relate to clients connecting TO this server, not for outgoing connections.

     

    There are ways of setting up relay through gmail, but you have to encode and store your username and password in specific ways/places on your server. There are numerous online posts about how to do this. I found this as a starting point.

     

    As for the _www user, that's there because it looks like it's Apache that's generating your emails (the result of a web form, maybe?). Most web form processors have the ability to define the 'from' address, so you should look at whatever system you're using to generate the messages.

  • MrHoffman Level 6 (13,020 points)

    I'd encourage working this issue through campus IT and campus management; that's the best solution here.  These sorts of cases can sometimes blow up, should a mail server become compromised or otherwise misused, or should centralized logging and malware scanning be required.

     

    That written, if you have a public DNS translation and a public static IP, then you can start your own server by getting the MX and forward and reverse DNS configured correctly.  That would run completely parallel to the main campus mail system, though it may still be identified by some remote mail servers as a rogue mail server if some other steps aren't performed.

     

    If you want to use a relay, you'll need to set it up with whomever you're hosting with, and I don't know off-hand that Google allows relays.  I know some other providers do.

     

    _www is Apache.  That's one of the standard accounts created on OS X and OS X Server, and not one that should be deleted.  That written, it looks like you're using the web server to send the mail messages; that the mail is arriving from something associated with Apache or web services.

     

    And here is one potential work-around.

  • Rikakiah Level 1 (40 points)

    If you knew our IT dept, I think you'd agree that it would be more effective to bypass them as much as possible.  However, it's a moot point, as they refuse to work with me, or specifically a mac environment (I've tried over the past several years and finally have just given up dealing with them unless absolutely necessary).

     

    I'm working with an external consultant (he's hired by the main IT dept, and they passed him off to me to work on this issue) so I'm more comfortable that it won't get set up in such a way that it will get our servers blacklisted or anything, but he's not familiar with the mac side or how to get things set up fully on this end.  He is, however, much more willing to work on the issue than the IT dept.  He seemed pretty confident that gmail would allow relaying, but perhaps I'll try a different one as a test.  Do you know offhand which ones definitely do?  Does Yahoo?

     

    As to the _www, I had a hunch it was Apache and had no intention of outright deleting it.  Was just wanting to know how to get the emails to come from a different address--I'll check with the guy who programmed the web app and see if it can be set up internally in that or something.

     

    But back on topic...

     

    So "smtpd_..." refers to connections TO my server and "smtp_..." refers to connections FROM my server?  Because the links in your suggestions refer to just "smtp_...", but there wasn't anything like that already existing in my main.cf--it was all "smtpd_...".

     

    Also, the passwd file is located (and populated correctly already) in etc/postfix/sasl/ and named simply passwd, instead of at etc/postfix/ and named sasl_passwd.  Is this irrelevant and just specific to Snow Leopard, or should I move the passwd file down a level to /etc/postfix/ and rename it to sasl_passwd?

     

    Thanks again.

  • Rikakiah Level 1 (40 points)

    Ha, well it definitely was the smtp vs smtpd (as you obviously know).  It now works, but I'm getting this line in my logs now:

     

    Apr 16 12:39:55 myserver postfix/smtp[60716]: certificate verification failed for smtp.gmail.com[209.85.225.108]:587: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority

     

    It's not a big deal, as far as I'm concerned (the process still works), but what kind of certificate do I need to get/create and put where to make this go away?

     

    Once again, thanks.
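
Added example, not part of the original thread or any poster's actual file: a main.cf fragment showing the server-side `smtpd_*` setting the first post changed beside the client-side `smtp_*` settings that govern the outbound session to the relay, including the CA file that the last post's "untrusted issuer" line points to. The CA bundle path and the credentials are placeholders; the passwd location is the one reported in the thread.

```ini
# /etc/postfix/main.cf (illustrative fragment)

# Server side (smtpd_*): how clients connecting TO this host are treated.
# Changing these has no effect on the outbound session to the relay, which
# is why the 530 "Must issue a STARTTLS command first" bounce persisted.
smtpd_tls_security_level = may

# Client side (smtp_*): how this host talks to the relay.
# Brackets suppress the MX lookup; 587 is the port seen in the later log line.
relayhost = [smtp.gmail.com]:587

# Require STARTTLS before MAIL FROM and before any credentials are sent.
# "encrypt" insists on TLS but does not authenticate the server certificate;
# "secure" additionally requires a trusted chain and a matching server name.
smtp_tls_security_level = encrypt

# PEM bundle containing the root that issued the relay's certificate.
# Placeholder path. Without a trusted root here, Postfix logs
# "certificate verification failed ... untrusted issuer".
smtp_tls_CAfile = /path/to/ca-bundle.pem

# Authenticate to the relay with SASL and refuse anonymous mechanisms.
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous

# Lookup table built with postmap from the passwd file. The key in that
# file must match relayhost exactly, for example (placeholders):
#   [smtp.gmail.com]:587 USERNAME@gmail.com:PASSWORD
smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
```

The passwd file and the `.db` that `postmap` builds from it hold the account password in clear text, so keep both readable by root only, and run `postfix reload` after editing main.cf.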