
OS X Server - Relay outgoing mail through ISP - Operation timed out

Hello,


I have my OS X Server set up but I can only receive mail. Because of my ISP I can't send, so I need to relay the mail through them.

I have a personal e-mail address


hostname: mail.ispmail.com with the ip XXX.XX.80.110


user:

myname@ispmail.com


password:

mypassword


I've entered them in the Relay outgoing mail through ISP field in the OS X Server app and now I get an operation timed out?


Can't I use my account to relay mail through it? Does the ISP relay have to have some kind of special settings?


Mar 6 21:48:46 server.mydomain.com postfix/smtp[6664]: 792DA5C5245: to=<destination@mail.ro>, relay=none, delay=30, delays=0.06/0.04/30/0, dsn=4.4.1, status=deferred (connect to XXX.XX.80.110[XXX.XX.80.110]:25: Operation timed out)


Am I doing something wrong?

Posted on Mar 6, 2013 12:06 PM


Mar 12, 2013 11:00 PM in response to UptimeJeff

Thank you for your help so far!


Here is the dump, from the exact command you asked me for:


tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on en0, link-type EN10MB (Ethernet), capture size 65535 bytes

07:49:47.358016 IP server.example.com.62607 > mailout.easydns.com.submission: Flags [S], seq 227513062, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 545134578 ecr 0,sackOK,eol], length 0

E..@.K@.@...

..........................

~..........

07:49:47.490355 IP mailout.easydns.com.submission > server.example.com.62607: Flags [S.], seq 1859218684, ack 227513063, win 5392, options [mss 1360,sackOK,TS val 2684869342 ecr 545134578,nop,wscale 7], length 0

E..<.}..+..j@D..

..............P...

.... ~......

07:49:47.490478 IP server.example.com.62607 > mailout.easydns.com.submission: Flags [.], ack 1, win 8256, options [nop,nop,TS val 545134710 ecr 2684869342], length 0

E..4U.@.@...

...n.l... @.......

~.v....

07:49:50.386634 IP mailout.easydns.com.submission > server.example.com.62607: Flags [P.], seq 1:40, ack 1, win 43, options [nop,nop,TS val 2684870066 ecr 545134710], length 39

E..[.J..+..~@D..

......+.......

.... ~.v220 mailout.easydns.com ESMTP Postfix


07:49:50.386765 IP server.example.com.62607 > mailout.easydns.com.submission: Flags [.], ack 40, win 8254, options [nop,nop,TS val 545137552 ecr 2684870066], length 0

E..45K@.@...

...n.m$.. >.......

~#.....

07:49:50.386939 IP server.example.com.62607 > mailout.easydns.com.submission: Flags [P.], seq 1:33, ack 40, win 8254, options [nop,nop,TS val 545137552 ecr 2684870066], length 32

E..T.O@.@...

...n.m$.. >.......

~#.....EHLO server.example.com


07:49:50.520512 IP mailout.easydns.com.submission > server.example.com.62607: Flags [.], ack 33, win 43, options [nop,nop,TS val 2684870100 ecr 545137552], length 0

E..4....+...@D..

......+-l.....

.... ~#.

07:49:50.521060 IP mailout.easydns.com.submission > server.example.com.62607: Flags [P.], seq 40:216, ack 33, win 43, options [nop,nop,TS val 2684870100 ecr 545137552], length 176

E....x..+...@D..

......+.......

.... ~#.250-mailout.easydns.com

250-PIPELINING

250-SIZE 26214400

250-ETRN

250-STARTTLS

250-AUTH PLAIN LOGIN

250-AUTH=PLAIN LOGIN

250-ENHANCEDSTATUSCODES

250-8BITMIME

250 DSN


07:49:50.521173 IP server.example.com.62607 > mailout.easydns.com.submission: Flags [.], ack 216, win 8243, options [nop,nop,TS val 545137682 ecr 2684870100], length 0

E..4.c@.@...

...n.m... 3.......

~$.....

07:49:50.535503 IP server.example.com.62607 > mailout.easydns.com.submission: Flags [P.], seq 33:39, ack 216, win 8243, options [nop,nop,TS val 545137696 ecr 2684870100], length 6

E..:y.@.@...

...n.m... 3.......

~$ ....QUIT


07:49:50.535511 IP server.example.com.62607 > mailout.easydns.com.submission: Flags [F.], seq 39, ack 216, win 8243, options [nop,nop,TS val 545137696 ecr 2684870100], length 0

E..4..@.@...

n.m... 3.......

~$ ....

07:49:50.667685 IP mailout.easydns.com.submission > server.example.com.62607: Flags [P.], seq 216:231, ack 39, win 43, options [nop,nop,TS val 2684870137 ecr 545137696], length 15

E..C....+.{.@D..

...+.......

.... ~$ 221 2.0.0 Bye


07:49:50.667755 IP mailout.easydns.com.submission > server.example.com.62607: Flags [F.], seq 231, ack 39, win 43, options [nop,nop,TS val 2684870137 ecr 545137696], length 0

E..4.f..+.k.@D..

...++......

.... ~$

07:49:50.667778 IP server.example.com.62607 > mailout.easydns.com.submission: Flags [R], seq 227513101, win 0, length 0

E..(B]..@...

....P.......

07:49:50.667784 IP server.example.com.62607 > mailout.easydns.com.submission: Flags [R], seq 227513101, win 0, length 0

E..(N...@...

....P.......

07:49:50.668098 IP mailout.easydns.com.submission > server.example.com.62607: Flags [.], ack 40, win 43, options [nop,nop,TS val 2684870137 ecr 545137696], length 0

E..4kD..+...@D..

......++......

.... ~$

07:49:50.668199 IP server.example.com.62607 > mailout.easydns.com.submission: Flags [R], seq 227513102, win 0, length 0

E..(Y=..@...

.......P.......



With the verbose flag -v turned on:


tcpdump: listening on en0, link-type EN10MB (Ethernet), capture size 65535 bytes

07:58:00.853798 IP (tos 0x0, ttl 64, id 61650, offset 0, flags [DF], proto TCP (6), length 64, bad cksum 0 (->3611)!)

server.example.com.62780 > mailout.easydns.com.submission: Flags [S], cksum 0x1407 (incorrect -> 0x1a09), seq 3293289800, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 545623935 ecr 0,sackOK,eol], length 0

E..@..@.@...

...@D...<.K.K.H.......................

...........

07:58:00.986539 IP (tos 0x0, ttl 43, id 6040, offset 0, flags [none], proto TCP (6), length 60)

mailout.easydns.com.submission > server.example.com.62780: Flags [S.], cksum 0xd7a5 (correct), seq 996714090, ack 3293289801, win 5392, options [mss 1360,sackOK,TS val 2684992715 ecr 545623935,nop,wscale 7], length 0

E..<....+.dP@D..

....K.<;h.j.K.I...........P...

. .. .......

07:58:00.986671 IP (tos 0x0, ttl 64, id 13705, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->f166)!)

server.example.com.62780 > mailout.easydns.com.submission: Flags [.], cksum 0x13fb (incorrect -> 0xfa64), ack 1, win 8256, options [nop,nop,TS val 545624056 ecr 2684992715], length 0

E..45.@.@...

...@D...<.K.K.I;h.k.. @.......

.... ..

07:58:01.121725 IP (tos 0x0, ttl 43, id 9860, offset 0, flags [none], proto TCP (6), length 91)

mailout.easydns.com.submission > server.example.com.62780: Flags [P.], cksum 0xed3b (correct), seq 1:40, ack 1, win 43, options [nop,nop,TS val 2684992748 ecr 545624056], length 39

E..[&...+.UE@D..

....K.<;h.k.K.I...+.;.....

. .. ...220 mailout.easydns.com ESMTP Postfix


07:58:01.121847 IP (tos 0x0, ttl 64, id 38384, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->90ff)!)

server.example.com.62780 > mailout.easydns.com.submission: Flags [.], cksum 0x13fb (incorrect -> 0xf998), ack 40, win 8254, options [nop,nop,TS val 545624190 ecr 2684992748], length 0

E..4..@.@...

...@D...<.K.K.I;h.... >.......

..~. ..

07:58:01.122020 IP (tos 0x0, ttl 64, id 49038, offset 0, flags [DF], proto TCP (6), length 84, bad cksum 0 (->6741)!)

server.example.com.62780 > mailout.easydns.com.submission: Flags [P.], cksum 0x141b (incorrect -> 0x60d1), seq 1:33, ack 40, win 8254, options [nop,nop,TS val 545624190 ecr 2684992748], length 32

E..T..@.@...

...@D...<.K.K.I;h.... >.......

..~. ..EHLO server.example.com


07:58:01.254622 IP (tos 0x0, ttl 43, id 46244, offset 0, flags [none], proto TCP (6), length 52)

mailout.easydns.com.submission > server.example.com.62780: Flags [.], cksum 0x196a (correct), ack 33, win 43, options [nop,nop,TS val 2684992782 ecr 545624190], length 0

E..4....+..K@D..

....K.<;h...K.i...+.j.....

. .. ..~

07:58:01.255017 IP (tos 0x0, ttl 43, id 48330, offset 0, flags [none], proto TCP (6), length 228)

mailout.easydns.com.submission > server.example.com.62780: Flags [P.], cksum 0x8ae8 (correct), seq 40:216, ack 33, win 43, options [nop,nop,TS val 2684992782 ecr 545624190], length 176

E.......+..u@D..

....K.<;h...K.i...+.......

. .. ..~250-mailout.easydns.com

250-PIPELINING

250-SIZE 26214400

250-ETRN

250-STARTTLS

250-AUTH PLAIN LOGIN

250-AUTH=PLAIN LOGIN

250-ENHANCEDSTATUSCODES

250-8BITMIME

250 DSN


07:58:01.255106 IP (tos 0x0, ttl 64, id 52726, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->58f9)!)

server.example.com.62780 > mailout.easydns.com.submission: Flags [.], cksum 0x13fb (incorrect -> 0xf82e), ack 216, win 8243, options [nop,nop,TS val 545624321 ecr 2684992782], length 0

E..4..@.@...

...@D...<.K.K.i;h.B.. 3.......

.... ..

07:58:01.269489 IP (tos 0x0, ttl 64, id 45046, offset 0, flags [DF], proto TCP (6), length 58, bad cksum 0 (->76f3)!)

server.example.com.62780 > mailout.easydns.com.submission: Flags [P.], cksum 0x1401 (incorrect -> 0x5060), seq 33:39, ack 216, win 8243, options [nop,nop,TS val 545624334 ecr 2684992782], length 6

E..:..@.@...

...@D...<.K.K.i;h.B.. 3.......

.... ..QUIT


07:58:01.269515 IP (tos 0x0, ttl 64, id 32167, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->a948)!)

server.example.com.62780 > mailout.easydns.com.submission: Flags [F.], cksum 0x13fb (incorrect -> 0xf81a), seq 39, ack 216, win 8243, options [nop,nop,TS val 545624334 ecr 2684992782], length 0

E..4}.@.@...

...@D...<.K.K.o;h.B.. 3.......

.... ..

07:58:01.402133 IP (tos 0x0, ttl 43, id 62865, offset 0, flags [none], proto TCP (6), length 67)

mailout.easydns.com.submission > server.example.com.62780: Flags [P.], cksum 0x7092 (correct), seq 216:231, ack 39, win 43, options [nop,nop,TS val 2684992819 ecr 545624334], length 15

E..C....+..O@D..

....K.<;h.B.K.o...+p......

. .3 ...221 2.0.0 Bye


07:58:01.402257 IP (tos 0x0, ttl 64, id 18386, offset 0, flags [none], proto TCP (6), length 40, bad cksum 0 (->1f2a)!)

server.example.com.62780 > mailout.easydns.com.submission: Flags [R], cksum 0x13ef (incorrect -> 0x42c9), seq 3293289839, win 0, length 0

E..(G...@...

...@D...<.K.K.o....P.......

07:58:01.402405 IP (tos 0x0, ttl 43, id 50603, offset 0, flags [none], proto TCP (6), length 52)

mailout.easydns.com.submission > server.example.com.62780: Flags [F.], cksum 0x17ee (correct), seq 231, ack 40, win 43, options [nop,nop,TS val 2684992819 ecr 545624334], length 0

E..4....+..D@D..

....K.<;h.Q.K.p...+.......

. .3 ...

07:58:01.402468 IP (tos 0x0, ttl 64, id 27815, offset 0, flags [none], proto TCP (6), length 40, bad cksum 0 (->fa54)!)

server.example.com.62780 > mailout.easydns.com.submission: Flags [R], cksum 0x13ef (incorrect -> 0x42c8), seq 3293289840, win 0, length 0

E..(l...@...

...@D...<.K.K.p....P.......

Mar 13, 2013 12:00 AM in response to UptimeJeff

I found an interesting fact... if I execute


sudo postconf -e smtp_sasl_mechanism_filter=login


and then check /Library/Server/Mail/Config/postfix/main.cf to see if it has added the option on the LAST line of the file, all I see is


smtp_sasl_mechanism_filter = plain


No matter how many times I execute the command it will not replace that line. I even tried


sudo postconf -e smtp_sasl_mechanism_filter=


I did a


sudo postfix reload


after each try and then manually viewed /Library/Server/Mail/Config/postfix/main.cf in TextEdit.


PS.

Also found this thread that is remarkably similar to my issues: http://www.zimbra.com/forums/installation/1240-cannot-sasl-authenticate-server.html and I think it's the solution to my problem, but because of the above I can't seem to apply it. I remember reading something about how OS X Server will not allow some kind of almost cleartext logins, but it had to do with changing passwords when not under an SSL connection.

Mar 13, 2013 5:28 AM in response to basilmir

If you issue:

postconf -e <anything>

it will edit the wrong config file (/etc/postfix/main.cf).


You need to point it to the correct config directory with the -c switch:

sudo postconf -c /Library/Server/Mail/Config/postfix/ -e "smtp_sasl_mechanism_filter=login"

Or just manually enter the correct config.



Doesn't your ISP provide an SMTP relay? Most do.

Mar 13, 2013 1:12 PM in response to UptimeJeff

EUREKA!!!


It works!


I'm using 587.

What I've learned:

1. Postfix relay does not work on 465 unless you add some kind of add-on. (I don't know what this means but I was advised to try 587)

So SSL is a no go.



2. On 587 I'll give you my GUT feeling about the issue. I'm using OS X Server Mountain Lion and it has many out-of-the-box limitations when you are trying to authenticate it OR to it. In short, unless you are using SSL, authenticating in cleartext is banned, as long as you use their interface. To do this they use "smtp_sasl_mechanism_filter=" to ban certain auth mechanisms.



CONCLUSION: 1 + 2 means postfix can't use SSL for relay (out of the box) AND since you are not using SSL all cleartext auth mechanisms get banned.



To get around this you have to:



sudo postconf -c /Library/Server/Mail/Config/postfix/ -e "smtp_sasl_mechanism_filter="

sudo postconf -c /Library/Server/Mail/Config/postfix/ -e "smtp_sasl_security_filter="

(this second one might not be needed since I think it's an old setting and is no longer in use)


then


sudo postfix reload

sudo postsuper -r ALL



SO the fix is not actually a fix, you just disable all the filters to let postfix try the "normal" auth methods first.


Hope I'm making sense here since I lost the Screenshare connection with the server and I'm out of the office right now.



PS. From my experience in the OS X Server interface under Mail -> Authentication - when you use OpenDirectory out of the box you have the authentication options enabled: Kerberos, Digest (CRAM-MD5) and Digest-MD5


My issue is that OS X Server security is doing what it is supposed to do, essentially not letting you shoot your own foot off and expose passwords in cleartext to sniffers, as long as you use their interface.


The two others, Cleartext (used for compatibility with Active Directory, if you use one in the network) and APOP (which is for POP), come disabled.

Not only that, but it's purposefully written here and there in certain configuration files so the setting is system wide. My guess is that once you set the inbound authentication mechanisms, the interface just propagates this as a system-wide choice, and all outbound postfix (in this case relay) authentication gets the same treatment. On second thought this might just be postfix doing its thing.

Apr 16, 2013 6:38 AM in response to basilmir

I recently reDID the entire OS X Server install and found out the answer is incomplete. Luckily there were others on the same path as I.


https://discussions.apple.com/thread/3341871?start=0&tstart=0


The correct commands are:


sudo postconf -c /Library/Server/Mail/Config/postfix/ -e "smtp_sasl_security_options = noanonymous"


then


sudo postfix reload

sudo postsuper -r ALL



More details in this thread

https://discussions.apple.com/thread/3341871?start=0&tstart=0
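
Added example (not part of the original posts, and not Postfix source code): a simplified Python model of how the relay settings discussed in this thread decide which SASL mechanisms the client may use against the EHLO reply in the capture above. The `noplaintext, noanonymous` value is Postfix's documented default for smtp_sasl_security_options; the third configuration in the demo, which requires STARTTLS through smtp_tls_security_level and permits plaintext mechanisms only inside TLS through smtp_sasl_tls_security_options, is a suggested hardening that no poster used.

```python
# Simplified model (not Postfix source) of SASL mechanism selection on a relay connection.
PLAINTEXT = {"PLAIN", "LOGIN"}             # password is only base64-encoded, not hashed
DEFAULT_OPTS = "noplaintext, noanonymous"  # Postfix default for smtp_sasl_security_options

# EHLO reply as it appears in the capture posted in this thread.
EHLO_REPLY = [
    "250-mailout.easydns.com", "250-PIPELINING", "250-SIZE 26214400",
    "250-ETRN", "250-STARTTLS", "250-AUTH PLAIN LOGIN",
    "250-AUTH=PLAIN LOGIN", "250-ENHANCEDSTATUSCODES", "250-8BITMIME",
    "250 DSN",
]

def parse_ehlo(lines):
    """Return (offered SASL mechanisms, whether STARTTLS is advertised)."""
    mechs, starttls = [], False
    for line in lines:
        tokens = line[4:].upper().replace("=", " ", 1).split()  # also handles legacy "AUTH="
        if tokens[:1] == ["STARTTLS"]:
            starttls = True
        elif tokens[:1] == ["AUTH"]:
            mechs = tokens[1:]
    return mechs, starttls

def usable_mechs(offered, security_options, mechanism_filter=""):
    """Drop mechanisms banned by the security options or absent from the filter."""
    opts = {o.strip() for o in security_options.split(",")}
    keep = {m.strip().upper() for m in mechanism_filter.split(",") if m.strip()}
    return [m for m in offered
            if not ("noplaintext" in opts and m in PLAINTEXT)
            and not ("noanonymous" in opts and m == "ANONYMOUS")
            and (not keep or m in keep)]

def relay_outcome(cfg, ehlo=EHLO_REPLY):
    """Return (usable mechanisms, TLS in use, password exposed on the wire)."""
    offered, starttls = parse_ehlo(ehlo)
    level = cfg.get("smtp_tls_security_level")
    if level == "encrypt" and not starttls:
        return [], False, False            # TLS required but not offered: nothing is sent
    tls = starttls and level in ("may", "encrypt")
    base = cfg.get("smtp_sasl_security_options", DEFAULT_OPTS)
    opts = cfg.get("smtp_sasl_tls_security_options", base) if tls else base
    mechs = usable_mechs(offered, opts, cfg.get("smtp_sasl_mechanism_filter", ""))
    return mechs, tls, (not tls and any(m in PLAINTEXT for m in mechs))

if __name__ == "__main__":
    for name, cfg in [
        ("defaults (client finds no mechanism and quits)", {}),
        ("thread's final setting", {"smtp_sasl_security_options": "noanonymous"}),
        ("hardened (assumption)", {"smtp_tls_security_level": "encrypt",
                                   "smtp_sasl_tls_security_options": "noanonymous"}),
    ]:
        print(name, "->", relay_outcome(cfg))
```

With the thread's final setting alone, the PLAIN/LOGIN credentials cross port 587 unencrypted; the third configuration authenticates with the same mechanisms but only after STARTTLS.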

Apr 16, 2013 6:41 AM in response to basilmir

Anyone know how I can mark the new reply as the correct answer?


