Mail server: ISP requires SSL for SMTP

Hi there,


while this question arises from time to time, I have not been able to find a solution.


I've set up a clean ML (10.8.2) and OS X Server (2.1) and activated the mail service. My ISP requires me to authenticate with username and password, encrypting the connection in SSL. But there is no switch to say use SSL in the Server app.


I can not send outgoing mails, the mail log says:


Sep 26 19:44:46 server.foo.net postfix/cleanup[13775]: 165B479538: message-id=<9B8A81E5-3F2C-43CB-BD27-53A24443B17F@foo.net>

Sep 26 19:44:46 server.foo.net postfix/qmgr[13691]: 165B479538: from=<alice@foo.net>, size=964, nrcpt=1 (queue active)

Sep 26 19:44:46 server.foo.net postfix/smtp[13776]: C53907951C: to=<bob@somewhere.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.33, delays=0.01/0.02/0.01/0.29, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 165B479538)

Sep 26 19:44:46 server.foo.net postfix/qmgr[13691]: C53907951C: removed

Sep 26 19:44:46 server.foo.net postfix/smtp[13782]: warning: SASL authentication failure: No worthy mechs found

Sep 26 19:44:46 server.foo.net postfix/smtp[13782]: 165B479538: to=<bob@somewhere.net>, relay=smtp.somewhere.net[xx.xx.xxx.xx]:25, delay=0.12, delays=0/0.02/0.09/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.somewhere.net[xx.xx.xxx.xx]: no mechanism available)


Even after changing /private/etc/postfix/main.cf and restarting the mail server, it is still the same. My changes in main.cf:


smtp_sasl_tls_security_options =

smtp_sasl_mechanism_filter = plain, login

smtp_sasl_password_maps = hash:/etc/postfix/sasl-passwords


Also tried smtp_sasl_tls_security_options = noanonymous; it doesn't help. Of course sasl-passwords has been created and run through postmap.


Kind regards,

Carsten

OS X Server

Posted on Sep 26, 2012 12:49 PM


Oct 2, 2012 5:52 AM in response to COWegner

You can set up the certificate by going into the Server app: under Hardware click your server, click the Settings tab, then click the button to the right of 'SSL Certificate'. If you have this one set up, it will also have set up the usage of the certificate with SMTP and IMAP.


This sets up the smtp to use the certificate.

Oct 2, 2012 8:36 AM in response to Mark23

Hello Mark23,


I think we talk about different things here. But probably I make an erroneous assumption, so please correct me if I'm wrong:


I assume that you are talking about the connection between a client (e.g. Apple's Mail app) and my mailserver (dovecot/postfix running on OS X Server 2.1). For this connection to be secured, I have to set up my SSL certificate (I have one which is properly signed by a well-known CA) on the OS X Server. I have done this and both IMAP and SMTP between Mail app and server are working well using SSL.


What I talk about in my question is my OS X Server (the postfix daemon!), after getting my mail, trying to route (relay) this mail to its internet destination!


This routing has to go through my ISP's mail server (relay), for I am behind a dynamic IP address and most mail servers on the Internet will refuse to accept mail from my postfix daemon to avoid spam. Even my provider would refuse to be used as a relay, except for an authenticated session. Additionally, my ISP will use SSL to secure this connection.


This way my postfix daemon will open an SMTP connection to my ISP's mail server and use the STARTTLS verb to initiate the use of SMTP over TLS (SSL). After the connection is secured, my postfix daemon uses a username and password to authenticate and make my ISP accept mails to relay.


In this scenario, my certificates are totally irrelevant. My ISP's mail server will present its own SSL certificate for the connection to be secured. I do not have to present a certificate to secure anything (like you don't have to have a certificate to use Amazon's web shop; Amazon is the one to have a certificate) or to *authenticate*. My postfix will authenticate through username and password. This username and password is what you can configure in Server app, using the option to send all outgoing mails through your ISP under mail server options.


But as I said: maybe I am wrong. Please don't hesitate to give feedback.


Kind regards,

Carsten
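
Added example, not part of the original posts and not Postfix's own code: a simplified Python model of how the Postfix SMTP client narrows the SASL mechanisms a relay offers, using the smtp_sasl_* settings quoted in the first post and the STARTTLS-then-authenticate sequence described in the post above. It covers only the policy filter (smtp_sasl_security_options defaults to "noplaintext, noanonymous", and the _tls_ variant applies only once TLS is active), not missing SASL plugins. The relay's offered mechanism list and all function names are constructed assumptions.

```python
# Simplified model of the Postfix SMTP client's SASL mechanism selection.
# Function names and the sample relay offer are constructed for this example.
PLAINTEXT = {"PLAIN", "LOGIN"}  # mechanisms that send the password in the clear
DEFAULT_SECURITY = "noplaintext, noanonymous"  # default smtp_sasl_security_options


def parse_list(value):
    """Split a main.cf list value on commas/whitespace into lowercase tokens."""
    return {tok.lower() for tok in value.replace(",", " ").split()}


def usable_mechanisms(offered, tls_active, cfg):
    """Mechanisms from the relay's AUTH line that survive the client policy."""
    base = cfg.get("smtp_sasl_security_options", DEFAULT_SECURITY)
    # Inside TLS the *_tls_* variant applies; it defaults to the non-TLS value.
    opts = cfg.get("smtp_sasl_tls_security_options", base) if tls_active else base
    policy = parse_list(opts)
    mechs = {m.upper() for m in offered}
    if "noplaintext" in policy:
        mechs -= PLAINTEXT
    if "noanonymous" in policy:
        mechs.discard("ANONYMOUS")
    allow = parse_list(cfg.get("smtp_sasl_mechanism_filter", ""))
    if allow:  # an empty filter means "no restriction"
        mechs = {m for m in mechs if m.lower() in allow}
    return sorted(mechs)


def diagnose(offered, tls_active, cfg):
    """Summarise the outcome the way an operator would read it in the log."""
    mechs = usable_mechanisms(offered, tls_active, cfg)
    if not mechs:
        return "no mechanism available"
    if not tls_active and PLAINTEXT.issuperset(mechs):
        return "password would cross the wire unencrypted: " + ", ".join(mechs)
    return "ok: " + ", ".join(mechs)


# Constructed input: a relay advertising only PLAIN and LOGIN, plus the two
# policy-relevant smtp_sasl_* lines quoted in the first post.
OFFERED = ["PLAIN", "LOGIN"]
POSTED_CFG = {
    "smtp_sasl_tls_security_options": "",
    "smtp_sasl_mechanism_filter": "plain, login",
}

if __name__ == "__main__":
    for tls in (False, True):
        print("TLS" if tls else "cleartext", "->", diagnose(OFFERED, tls, POSTED_CFG))
```
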

Oct 2, 2012 9:24 AM in response to COWegner

If your ISP is treating you as a 'consumer' rather than 'business' customer, they may be expecting you to use their mail server as your mail server and to use an email account (or accounts) on their server. In this scenario you would be using an email client such as Mail or Outlook to send emails via their server and it would indeed be common for such a setup to require an SSL encrypted session to their server.


You, however, are running your own server and, as you have found, running a server really needs you to have a static IP address. Have you asked your ISP if it is possible for you to be assigned a static IP address? On business spec connections this is often a standard feature, and even on consumer spec Internet links it is often an option you can pay for. Doing so would in the long run make your life far easier.


Due to the way email evolved, server-to-server links for email via SMTP are always unencrypted on port 25. Due to this, a way to encrypt the content of emails, so the contents are still protected even when being sent over an unencrypted link between servers (using standard SMTP), was developed many years ago called PGP, and a similar newer scheme called S/MIME (Secure MIME) was later developed. This will not help here though.

Oct 2, 2012 9:48 AM in response to John Lockwood

John,


thank you for the reply. You are right concerning the server to server connections. But it's not that I am setting up a business mail server and you know, static IP addresses are hard to get.


For this is a "family server" I don't think I will go for a static address. Everyone can mail directly through the ISP using a secured and authenticated connection as described in my previous post. It's just convenient to have the internal family server do this as well. BTW: I'd still prefer Linux for business purposes, because I can configure all postfix related things there without Apple specialities - in fact I used to have this, so I know it can work!


Apple has recognised, that there are many families (or technical nerds) that just love to have their own mail server - even this is not really true, for the MX entries are always pointing to the ISP...would be a really bad idea to point to a dynamic IP address, though it is working for 98% of the time ;-)


No, the settings for mail server to relay through an ISP offered in Server app are just for this: building an internal server (calendar, address book, mail) behind a dynamic consumer IP address, which is capable to relay through the ISP by means, which are "normally" used by mail clients. And it is not working.


I have filed a support case with Apple.


Kind regards,

Carsten
