Home / server / Questions / 632964
Accepted
Broco
Asked: 2014-10-02 23:07:26 +0800 CST

Zimbra doesn't send mail via smtp relay anmore

  • 772

our Zimbra-Server isn't working for outgoing external mail since yesterday. Friday I installed some updates (for shell shock and Kernel updates), restarted and it worked fine. But since yesterday sending mail to external recipients stopped working. Internal mail (which doesn't use the relay-MTA) works.

Since I didn't change any settings I checked the remote server (Strato) with swaks and it worked: swaks -s smtp.strato.de -tls -p 587 -f [email protected] -t [email protected] -a -au [email protected] -ap xxxxxx

The same credentials as listed with -au and -ap are listed in /opt/zimbra/conf/relay_password

When sending a mail via Zimbra I get the following from /var/log/zimbra.log:

Oct 2 09:00:10 server postfix/smtp[8144]: 3952465A24A: to=<[email protected]>, relay=smtp.strato.de[81.169.145.133]:587, delay=0.55, delays=0.27/0.01/0.26/0, dsn=4.7.0, status=deferred (SASL authentication failed; cannot authenticate to server smtp.strato.de[81.169.145.133]: bad protocol / cancel)

Zimbra main.cf

mail_owner = postfix
bounce_notice_recipient = postmaster
content_filter = smtp-amavis:[127.0.0.1]:10024
smtp_sasl_security_options = noanonymous
relayhost = smtp.strato.de:587
virtual_alias_expansion_limit = 10000
smtpd_sasl_authenticated_header = no
smtp_helo_name = $myhostname
broken_sasl_auth_clients = yes
minimal_backoff_time = 300s
sender_canonical_maps = proxy:ldap:/opt/zimbra/conf/ldap-scm.cf
always_add_missing_headers = yes
smtpd_tls_key_file = /opt/zimbra/conf/smtpd.key
smtpd_helo_required = yes
virtual_transport = error
sendmail_path = /opt/zimbra/postfix/sbin/sendmail
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_mynetworks, reject_unlisted_recipient, reject_non_fqdn_sender, permit
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
smtpd_reject_unlisted_recipient = no
bounce_queue_lifetime = 5d
smtp_sasl_mechanism_filter = 
local_header_rewrite_clients = permit_mynetworks,permit_sasl_authenticated
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_milters = 
smtpd_tls_security_level = may
smtpd_sender_restrictions = check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re
lmtp_host_lookup = dns
delay_warning_time = 0h
header_checks = 
queue_run_delay = 300s
virtual_mailbox_maps = proxy:ldap:/opt/zimbra/conf/ldap-vmm.cf
notify_classes = resource,software
command_directory = /opt/zimbra/postfix/sbin
smtpd_client_restrictions = reject_unauth_pipelining
smtpd_tls_auth_only = yes
virtual_alias_maps = proxy:ldap:/opt/zimbra/conf/ldap-vam.cf
mailq_path = /opt/zimbra/postfix/sbin/mailq
smtpd_banner = $myhostname ESMTP $mail_name
mynetworks = 127.0.0.0/8 192.168.117.0/24 [::1]/128 [fe80::]/64
lmtp_connection_cache_time_limit = 4s
transport_maps = proxy:ldap:/opt/zimbra/conf/ldap-transport.cf
virtual_alias_domains = proxy:ldap:/opt/zimbra/conf/ldap-vad.cf
smtpd_sasl_auth_enable = yes
smtpd_tls_loglevel = 1
maximal_backoff_time = 4000s
virtual_mailbox_domains = proxy:ldap:/opt/zimbra/conf/ldap-vmd.cf
inet_protocols = ipv4
non_smtpd_milters = 
daemon_directory = /opt/zimbra/postfix/libexec
smtp_tls_security_level = 
alias_maps = hash:/etc/aliases
setgid_group = postdrop
smtp_cname_overrides_servername = no
mydestination = localhost
smtpd_end_of_data_restrictions = 
import_environment = 
myhostname = mail.example.com
message_size_limit = 1048576000
recipient_delimiter = 
in_flow_delay = 1s
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
queue_directory = /opt/zimbra/data/postfix/spool
propagate_unmatched_extensions = canonical
manpage_directory = /opt/zimbra/postfix/man
smtp_fallback_relay = 
smtpd_tls_cert_file = /opt/zimbra/conf/smtpd.crt
smtp_sasl_password_maps = hash:/opt/zimbra/conf/relay_password
lmtp_connection_cache_destinations = 
newaliases_path = /opt/zimbra/postfix/sbin/newaliases
smtp_sasl_auth_enable = yes
mailbox_size_limit = 0
disable_dns_lookups = no

It's Zimbra 8.04. Any hints?

Edit: With higher loglevel after sending a Mail this is what I get from zimbra.log:

Oct  2 09:26:51 server postfix/smtp[21000]: warning: SASL authentication failure: ServerSignature expected in SCRAM-SHA-1 input
postfix

1 Answers

  1. Best Answer

    As others pointed out your SMTP relay has probably changed something. Looks like they chagned their advertised authentication mechanisms.

    I don't know if swaks tells you which authentication mechanism it used in it's output, but you could try specifying an auth-type and see if you get through.

    The parameter for digest-md5 would be:

    swaks -s smtp.strato.de -tls -p 587 -f [email protected] -t [email protected] -a digest-md5 -au [email protected] -ap xxxxxx

    See swaks man page for other auth-types (like SCRAM-SHA1).

    In the Zimbra main.cf you can specify the auth-type by setting the following parameter (which is empty in your config):

    smtp_sasl_mechanism_filter = digest-md5

    If that doesn't help, maybe you are missing a package on your system.

    • 4