relay server requires authentication - stopped working recently

Hi


I believe that everything was working fine up to Feb 23rd 2014. I do not recall making any changes with my Mavericks Server based system. However, my ISP may have made some change.


I have Server 3.1.1 installed on 10.9.2.


I have mail running locally and for sending, I am relaying through my ISP mail server. (SMTP.broadband.rogers.com)

When I send mail from my local mail client, it connects to the mac server and the mac server relays through rogers' server. I had this working fine and it stopped in February or early March.


Looking at the logs I see this when I try to send an email.


Apr 12 09:56:01 mail.veresfamily.me postfix/smtp[65471]: B45B64CD5A99: to=<greg.veres@exinda.com>, relay=smtp.broadband.rogers.com[98.139.221.125]:587, delay=0.29, delays=0/0.02/0.23/0.04, dsn=5.7.1, status=bounced (host smtp.broadband.rogers.com[98.139.221.125] said: 530 5.7.1 Authentication required (in reply to MAIL FROM command))



Note the Authentication required message. In Server, I have mail configured and I have Relay outgoing mail through ISP checked. The underlying settings are:

smtp.broadband.rogers.com:587 (I originally had it without the :587 and it made no difference).

I have my user name and password entered, I believe properly.


All the other issues that I have read in these forums show it getting past the authentication and failing to negotiate TLS.


Any suggestions here?


Thanks

Greg

Posted on Apr 12, 2014 7:22 AM


Apr 12, 2014 9:17 AM in response to gregveres

Take the following steps to configure Postfix to relay mail to a remote SMTP server with password authentication over SSL. Substitute as required for strings in italics below. Address is the fully-qualified domain name of the relay host. The value of port is usually either 25, 465, or 587. Username and password refer to your credentials on the relay host.

Be very careful with these steps. If you make a mistake, your outgoing mail could be relayed to the wrong server.


Update the existing relayhost directive in /Library/Server/Mail/Config/postfix/main.cf if necessary:

relayhost = [address]:port


Add the lines:

smtp_sasl_security_options =
smtp_tls_CAfile = /etc/certificates/relayhost.pem
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtp_use_tls = yes


Create the file /Library/Server/Mail/Config/postfix/sasl/passwd with this content:

[address]:port username:password


Here address must match $relayhost.

Then create the password database:

sudo postmap /Library/Server/Mail/Config/postfix/sasl/passwd


This action creates the file /Library/Server/Mail/Config/postfix/sasl/passwd.db

The password database files should be readable by root only.

Create the file /etc/certificates/relayhost.pem with the CA certificate(s) to be trusted for authentication of the remote host. You get those certificates from the service provider. If you can't find a link to download them, try this:

openssl s_client -connect address:port -showcerts < /dev/null | sed -n '/-BEGIN /,/-END /p' | sudo sh -c 'cat > /etc/certificates/relayhost.pem'


The command may produce an error message that isn't necessarily significant.

Finally, restart the Mail service.

Apr 12, 2014 1:31 PM in response to Linc Davis

Thank you very much Linc. This solved my problems. There was one thing I had to do differently for the CA certificates and I didn't have to do the database steps because the Server app did it for me.


So the final steps became:

  • Use the Server App to set up mail relaying for outgoing email.
    • this gets you the right password file created
    • this gets you the right relayhost line in the right config file.
    • I am sticking with using the Server App for hopefully better future compatibility
  • edit /Library/Server/Mail/Config/postfix/main.cf to add the commands to use STARTTLS for the communication with the server. Add the lines that Linc suggested:

smtp_sasl_security_options =
smtp_tls_CAfile = /etc/certificates/relayhost.pem
smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache
smtp_use_tls = yes

    • I put these in the main.cf file just above the line that divides the normal postfix conf file from the part that apple adds, denoted with

#======================================================================

  • download the CA certs from my ISP's SMTP server:

openssl s_client -starttls smtp -crlf -connect address:port -showcerts < /dev/null | sed -n '/-BEGIN /,/-END /p' | sudo sh -c 'cat > /etc/certificates/relayhost.pem'

  • restart the mail server and send a test email while watching the log file.

So in summary, it seems that Apple's Server App doesn't configure postfix to handle the ISP SMTP server requiring STARTTLS but does allow for auth. Doing the steps above will configure postfix properly to issue the STARTTLS command and negotiate the encrypted communication channel.

Thank you very much for your post Linc!

Greg
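As an added example that is part of neither Linc's nor Greg's post, the script below audits the main.cf settings both replies end up with. It goes one step beyond the thread: smtp_use_tls = yes is the legacy spelling of smtp_tls_security_level = may, which makes TLS opportunistic rather than mandatory, so with an empty smtp_sasl_security_options the relay credentials can be sent in clear if STARTTLS is unavailable or fails; the script flags that and shows a hardened variant beside it. smtp.example.net, the files under $TMPDIR and the credential are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: audit Postfix relay settings. Sample files are constructed
# here so it runs offline; smtp.example.net and the credential are placeholders.
WORK="${TMPDIR:-/tmp}/relay_audit.$$"; mkdir -p "$WORK"
# Weak variant, as in the thread: smtp_use_tls = yes is the legacy spelling of
# smtp_tls_security_level = may (opportunistic TLS) and an empty smtp_sasl_security_options
# permits PLAIN/LOGIN, so the credentials go in clear if STARTTLS is unavailable or fails.
WEAK_CF="$WORK/weak_main.cf"
cat > "$WEAK_CF" <<'EOF'
relayhost = [smtp.example.net]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/Library/Server/Mail/Config/postfix/sasl/passwd
smtp_sasl_security_options =
smtp_tls_CAfile = /etc/certificates/relayhost.pem
smtp_use_tls = yes
EOF
# Hardened variant: require TLS and verify the relay certificate against smtp_tls_CAfile.
HARD_CF="$WORK/hard_main.cf"
sed 's/^smtp_use_tls = yes/smtp_tls_security_level = verify/' "$WEAK_CF" > "$HARD_CF"
# Constructed sasl/passwd with a placeholder secret, created owner-only (mode 0600).
PASSWD="$WORK/passwd"; (umask 077; echo '[smtp.example.net]:587 relayuser:REPLACE_ME' > "$PASSWD")

# Value of a main.cf parameter; Postfix honours the last assignment, so take the last match.
cf_get() { sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1; }
cf_has() { grep -q "^[[:space:]]*$2[[:space:]]*=" "$1"; }
# 0 when TLS is mandatory for the relay connection, 1 when it is opportunistic or off.
tls_mandatory() {
    case "$(cf_get "$1" smtp_tls_security_level)" in
        encrypt|fingerprint|verify|secure|dane-only) return 0 ;;
        *) return 1 ;;
    esac
}
# 0 when SASL credentials could be sent over an unencrypted connection. An unset
# smtp_sasl_security_options keeps the Postfix default "noplaintext, noanonymous".
plaintext_auth_exposed() {
    cf_has "$1" smtp_sasl_security_options || return 1
    case ",$(cf_get "$1" smtp_sasl_security_options | tr -d ' ')," in *,noplaintext,*) return 1 ;; esac
    tls_mandatory "$1" && return 1
    return 0
}
# 0 when the file is accessible by its owner only, as sasl/passwd and passwd.db should be.
owner_only() { [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }
# Run the checks on one main.cf, print one line per finding, return the finding count.
audit_relay() {
    n=0
    tls_mandatory "$1" || { echo "WARN $1: TLS opportunistic; set smtp_tls_security_level = encrypt or verify"; n=$((n+1)); }
    plaintext_auth_exposed "$1" && { echo "WARN $1: plaintext SASL permitted without mandatory TLS"; n=$((n+1)); }
    return "$n"
}
audit_relay "$WEAK_CF" || echo "weak config: $? finding(s)"; audit_relay "$HARD_CF" && owner_only "$PASSWD" && echo "hardened config and passwd file: OK"
```

Point the functions at the real /Library/Server/Mail/Config/postfix/main.cf and sasl/passwd.db to audit a live server; postconf -n shows the effective values if settings are spread over several files.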
