Resolved
0 votes
After threatening to turn on SMTP authentication a few years ago, Virginmedia suddenly did last weekend without warning. I had authentication working with postfix when they first threatened but removed the settings since then and I can't get it to work again. These are the relevant bits of /etc/postfix/main.cf:
# Outbound SMTP authentication
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
relayhost = smtp.ntlworld.com:465
smtp_use_tls = yes
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
and my matching /etc/postfix/sasl_passwd is:
smtp.ntlworld.com:465 my.email.address@ntlworld.com:my_password
I've verified the password with:
postmap -q smtp.ntlworld.com /etc/postfix/sasl_passwd
and it returns
my.email.address@ntlworld.com:my_password


I've tried changing "smtp_sasl_security_options = noanonymous" to "smtp_sasl_security_options = ", "smtp_use_tls = yes" to "smtp_use_tls = no", [ and ] round smtp.ntlworld.com and nothing I do seems to work. I can send directly using Thunderbird with Connection security = SSL/TLS and Authentication = Normal Password and it works fine.

All I seem to get in my logs are:
Jan 13 20:23:30 server postfix/smtp[31223]: 2C814E0FE5: to=<wherever@gmail.com>, relay=smtp.ntlworld.com[62.254.26.221]:465, delay=3310, delays=3299/0.16/11/0, dsn=4.4.2, status=deferred (lost connection with smtp.ntlworld.com[62.254.26.221] while receiving the initial server greeting)


Does anyone have a working set up or any words of wisdom they can give me?
In Mail
Tuesday, January 13 2015, 08:52 PM
Responses (20)
  • Accepted Answer

    Friday, September 27 2019, 06:59 AM - #Permalink
    Resolved
    0 votes
    Even the authentication problem with SMTP persists on Gmail, even after reconfiguring twice or thrice, I was facing errors while sending and receiving emails from other users, could possibly be due to gmail error 007 associated with that of Gmail.
  • Accepted Answer

    Monday, February 23 2015, 09:25 PM - #Permalink
    Resolved
    0 votes
    virginmedia.com has always been forced through 465. There is also virgin.net which accepts 25 (and was never forced to 465 for those few days in January)
  • Accepted Answer

    Leonard
    Monday, February 23 2015, 07:21 PM - #Permalink
    Resolved
    0 votes
    Ok here are my findings about virginmedia.

    smtp.virginmedia.com:25 closed.
    smtp.ntlworld.com:25 open
    smtp.blueyonder.co.uk open

    I have been using smtp.virginmedia.com and have now changed to blueyonder and have no issues whatsoever, so if like me you've been having problems and you are using smtp.virginmedia.com, change to either ntlworld or blueyonder and you'll be good to go.
  • Accepted Answer

    Monday, February 23 2015, 12:42 PM - #Permalink
    Resolved
    0 votes
    VM removed the requirement to use authentication a few days after they imposed it because of customer uproar. However, they say they would still like customers to use authentication. Since I have it set up I can't be bothered to remove it, but if I did not already have it, I doubt if I'd add it.
  • Accepted Answer

    Leonard
    Monday, February 23 2015, 03:44 AM - #Permalink
    Resolved
    0 votes
    Hi Nick,
    Just thought I'd give an update: still the same problems; however, I am able to send mail using Virgin's SMTP server. I have just tested this and it works.
  • Accepted Answer

    Saturday, February 21 2015, 07:06 PM - #Permalink
    Resolved
    0 votes
    Leonard wrote:
    Exactly the same!! Grr, I'm just gonna put virginmedia in the client as the SMTP server, it's the only way I can send email when I'm outside the domain.....
    That will only work while you are on a VM network. I believe their SMTP server will block relaying from outside its network.

    Did you reinstall ClearOS or just Postfix? If just Postfix it may not have overwritten your main.cf. Either way, have a look at your "postconf -n" and see if it has the same problems.
  • Accepted Answer

    Leonard
    Saturday, February 21 2015, 05:57 PM - #Permalink
    Resolved
    0 votes
    Exactly the same!! Grr, I'm just gonna put virginmedia in the client as the SMTP server, it's the only way I can send email when I'm outside the domain.....



    Feb 21 17:50:54 mail postfix/smtpd[18118]: fatal: open dictionary: expecting "type:name" form instead of "smtp_sasl_password_maps"
    Feb 21 17:50:55 mail postfix/master[2207]: warning: process /usr/libexec/postfix/smtpd pid 18118 exit status 1
    Feb 21 17:50:55 mail postfix/master[2207]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
  • Accepted Answer

    Saturday, February 21 2015, 04:04 PM - #Permalink
    Resolved
    0 votes
    You're welcome to vi! I've hardly used it and struggle with it. ClearOS also comes with nano which will run in an ssh session. I use that if I can't use WinSCP remotely.
  • Accepted Answer

    Leonard
    Saturday, February 21 2015, 02:41 PM - #Permalink
    Resolved
    0 votes
    Hi Nick,

    I'm editing my files using vi via SSH. I do relay from the outside world as I use my smartphone for work purposes, I've done a fresh install so I'm in the process of setting it all up again, I'll keep you posted...

    Regards,

    Len.
  • Accepted Answer

    Saturday, February 21 2015, 12:54 PM - #Permalink
    Resolved
    0 votes
    We have a few differences, but in your output have a look at your "local_recipient" line. It appears to have a few lines of configuration in one which will be messing it up. How are you editing your file? If you are dragging it onto your PC then using notepad it will go wrong because on the Linux end-of-line markers are done differently to notepad. Wordpad can work, but better is to use something like WinSCP and its built-in editor or get WinSCP to use notepad++. Can you try fixing that.

    FWIW I notice you are using "smtpd_sasl_auth_enable = yes". If you are only relaying from your LAN I suggest you disable SMTP Authentication and rely on the restricted networks, or, at least keep port 25 closed to the public. If you wanted to relay from outside, I've been making some investigations and it looks like the ClearOS settings allow you to keep SMTP Authentication off but relay through port 587 (STARTTLS) with authentication. At the moment most password cracking is going on through port 25 and not port 587 so it may be a better way to go. I hope to check this out soon as my wife now has a smartphone and as I have my own domain, I will need to relay through it. I really do not want to open port 25 to the public for authenticated relaying.
  • Accepted Answer

    Leonard
    Saturday, February 21 2015, 11:35 AM - #Permalink
    Resolved
    0 votes
    Hi Nick yeah done all that mate, here is the output of postconf -n

    Many Thanks.

    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    bounce_queue_lifetime = 6h
    broken_sasl_auth_clients = yes
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    content_filter = mailprefilter
    daemon_directory = /usr/libexec/postfix
    data_directory = /var/lib/postfix
    debug_peer_level = 2
    header_checks = regexp:/etc/postfix/header_checks
    html_directory = no
    inet_interfaces = all
    inet_protocols = all
    local_recipient_maps = $alias_maps $virtual_alias_maps smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
    luser_relay =
    mail_owner = postfix
    mailbox_size_limit = 102400000
    mailbox_transport = mailpostfilter
    mailq_path = /usr/bin/mailq.postfix
    manpage_directory = /usr/share/man
    message_size_limit = 51200000
    message_strip_characters = \0
    mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
    mydomain = mine.co.uk
    myhostname = mine.co.uk
    mynetworks = 127.0.0.0/8
    myorigin = $mydomain
    newaliases_path = /usr/bin/newaliases.postfix
    queue_directory = /var/spool/postfix
    readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
    recipient_delimiter = +
    relayhost = [127.0.0.1]:10465
    sample_directory = /usr/share/doc/postfix-2.6.6/samples
    sendmail_path = /usr/sbin/sendmail.postfix
    setgid_group = postdrop
    smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_local_domain = $mydomain
    smtpd_sasl_security_options = noanonymous
    smtpd_tls_cert_file = /etc/postfix/cert.pem
    smtpd_tls_key_file = /etc/postfix/key.pem
    smtpd_tls_loglevel = 1
    smtpd_use_tls = yes
    transport_maps = hash:/etc/postfix/transport
    unknown_local_recipient_reject_code = 550
    virtual_alias_maps = $alias_maps, $virtual_maps, ldap:/etc/postfix/zarafa-aliases.cf, ldap:/etc/postfix/zarafa-groups.cf
  • Accepted Answer

    Saturday, February 21 2015, 08:59 AM - #Permalink
    Resolved
    0 votes
    Did you follow the authentication guide to set up the password in /etc/postfix/sasl_passwd? The file should be in the form:
    [127.0.0.1]:10465		your_ntlworld_user_name@ntlworld.com:your_password
    Then load the file with a:
    postmap /etc/postfix/sasl_passwd


    If it is not that, then please post the output to:
    postconf -n
  • Accepted Answer

    Leonard
    Friday, February 20 2015, 11:19 PM - #Permalink
    Resolved
    0 votes
    Hi Nick,

    I tried this but I am left with these errors from /var/log/maillog

    Feb 20 23:15:57 mail postfix/smtpd[17777]: fatal: open dictionary: expecting "type:name" form instead of "smtp_sasl_password_maps"
    Feb 20 23:15:58 mail postfix/master[17631]: warning: process /usr/libexec/postfix/smtpd pid 17777 exit status 1
    Feb 20 23:15:58 mail postfix/master[17631]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling

    I don't suppose you encountered this error with a fix?




    Fresh install clearos 6.5
    2.6.32-504.8.1.v6.x86_64
  • Accepted Answer

    Thursday, January 15 2015, 08:15 PM - #Permalink
    Resolved
    0 votes
    Update and solution:

    I mailed the postfix mailing list and they pointed me to stunnel as well and to use a search "postfix stunnel 465". From that I found this solution which had to be modified a bit:
    yum -y install stunnel --enablerepo=clearos-core
    wget -O /etc/init.d/stunnel https://bugzilla.redhat.com/attachment.cgi?id=325164
    Go to /etc/init.d/stunnel and change /var/run/stunnel/stunnel.pid to /var/run/stunnel.pid (twice) and /usr/sbin/stunnel to /usr/bin/stunnel.

    Create a file /etc/stunnel/stunnel.conf and put the following in it:
    [smtps]
    accept = 10465
    client = yes
    connect = smtp.ntlworld.com:465
    Then
    chmod 755 /etc/init.d/stunnel
    chkconfig stunnel on
    service stunnel start
    Then test it works with:
    $ telnet localhost 10465
    Trying 127.0.0.1...
    Connected to localhost.localdomain (127.0.0.1).
    Escape character is '^]'.
    220 outbound.att.net ESMTP ready
    $ quit
    221 2.0.0 Bye
    Connection closed by foreign host.
    Then moving on to postfix and keeping it in line with the ClearOS Authentication User Guide make sure you have the following in your /etc/postfix/main.cf:
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    relayhost = [127.0.0.1]:10465
    Some guides also set "smtp_use_tls = yes" and "smtp_sasl_security_options = noanonymous". I am not sure why as you are not using these features with stunnel. I have them anyway as I use sender_dependent_relayhosts where the other sender (gmail) requires them.

    Again, in line with the user guide, create a file /etc/postfix/sasl_passwd:
    [127.0.0.1]:10465     your_ntlworld_email_address:your_ntlworld_email_password
    Then load the password and reload postfix:
    postmap /etc/postfix/sasl_passwd
    service postfix reload
    At this point you can delete the /etc/postfix/sasl_passwd file which contains the plain text password.

    You should now be able to relay through smtp.ntlworld.com port 465.

    Another good thing happened with the postfix devs. There was a flurry of activity on my thread and a patch has been written to avoid needing to use stunnel. I don't know if the patch is complete and it is against the latest version of postfix which is post 2.11, but we are only on 2.6.6.

    [edit]
    If you use logwatch, your stunnel entries in the report will look wrong. I can suggest changes to improve it.
    [/edit]
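Added example, not code from any poster in this thread: a small Python linter over `postconf -n` output and a sasl_passwd file that flags three failure modes discussed here: main.cf lines joined into one value (the `local_recipient_maps` line in the `postconf -n` output posted above), a relayhost pointed straight at implicit-TLS port 465, and a sasl_passwd key not written in the same form as relayhost. The function names and finding codes are hypothetical, the samples are constructed from the configurations posted in the thread with placeholder credentials, and `smtp_tls_wrappermode` is a Postfix 3.0+ parameter that the 2.6.6 release used here does not have.

```python
import re

# A value containing another "name = " assignment means main.cf lines were joined.
MERGED = re.compile(r"(?:^|\s)([A-Za-z][A-Za-z0-9_]*)\s+=(?:\s|$)")

def parse_postconf(text):
    """Parse `postconf -n` output ("name = value" per line) into a dict."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip():
            params[name.strip()] = value.strip()
    return params

def sasl_keys(text):
    """Lookup keys (first field of each entry) in a sasl_passwd source file."""
    return [line.split()[0] for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]

def lint(postconf_text, sasl_passwd_text):
    """Return (code, detail) findings for the failure modes seen in the thread."""
    params = parse_postconf(postconf_text)
    findings = []
    for name, value in params.items():
        match = MERGED.search(value)
        if match:
            findings.append(("merged-line", f"{name} swallowed {match.group(1)}"))
    relay = params.get("relayhost", "")
    # Port 465 expects TLS before the SMTP greeting. smtp_tls_wrappermode
    # (Postfix 3.0 and later) handles that; older clients need a wrapper like stunnel.
    if relay.endswith(":465") and params.get("smtp_tls_wrappermode") != "yes":
        findings.append(("implicit-tls-465", relay))
    # The sasl_passwd key should be written exactly like relayhost (brackets, port).
    if (relay and params.get("smtp_sasl_auth_enable") == "yes"
            and relay not in sasl_keys(sasl_passwd_text)):
        findings.append(("sasl-key-mismatch", relay))
    return findings

# Constructed samples, abridged from the configurations posted in this thread.
JOINED_POSTCONF = (
    "local_recipient_maps = $alias_maps $virtual_alias_maps "
    "smtp_sasl_auth_enable = yes "
    "smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd\n"
    "luser_relay =\n"
    "relayhost = [127.0.0.1]:10465\n"
)
DIRECT_465_POSTCONF = (
    "relayhost = smtp.ntlworld.com:465\n"
    "smtp_sasl_auth_enable = yes\n"
    "smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd\n"
    "smtp_use_tls = yes\n"
)
SASL_STUNNEL = "[127.0.0.1]:10465 user@example.invalid:placeholder\n"
SASL_DIRECT = "smtp.ntlworld.com:465 user@example.invalid:placeholder\n"

if __name__ == "__main__":
    for conf, sasl in ((JOINED_POSTCONF, SASL_STUNNEL), (DIRECT_465_POSTCONF, SASL_DIRECT)):
        print(lint(conf, sasl))
```
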
  • Accepted Answer

    Wednesday, January 14 2015, 05:47 PM - #Permalink
    Resolved
    0 votes
    This is getting dire. I don't have, or at least can't see, an obvious configuration error. I can relay via my gmail account but it rewrites the "from" in the mail header so it messes up my email addresses belonging to my domain. If Virginmedia turn on authentication everywhere I am stranded.

    I'll try to investigate the stunnel bit as soon as I get time.

    I just wish Clear would add an smtp server relay to their mx backup offering. I'd happily pay for that.

    [edit]
    And, just repeating, it works correctly directly from Thunderbird.
    [/edit]
  • Accepted Answer

    Wednesday, January 14 2015, 09:02 AM - #Permalink
    Resolved
    0 votes
    The [ and ] prevent an MX lookup before an A lookup. In the VM case smtp.virginmedia.com does not have an MX record. It would be safer to leave them out and with all my testing I finished with them out. Actually VM may have backed down a bit as I left off the :465 and it worked - using port 25 - which was failing before. I really want to get the authentication going again in case it is turned back on!
  • Accepted Answer

    Wednesday, January 14 2015, 08:27 AM - #Permalink
    Resolved
    0 votes
    I use gmail as my relay host (and I thought virginmedia changed over to using gmail!); the only real difference I can see is that the only way I could get it to work was with;

    smtp_tls_security_level = may
    relayhost = [smtp.gmail.com]:587

    and with matching [] in sasl_passwd
    without the [] it wouldn't work ..
  • Accepted Answer

    Wednesday, January 14 2015, 08:13 AM - #Permalink
    Resolved
    0 votes
    Thanks. I know I had it working ages ago but they have changed something as I used to use port 587 which is now closed.

    Last night just before going to bed I did a "postconf -n" and it showed different settings to what I posted in main.cf so I think I have duplicate entries. I'll check tonight.

    I can get by for the moment as smtp.virgin.net is still not authenticated but I don't imagine it will last.
  • Accepted Answer

    Wednesday, January 14 2015, 12:10 AM - #Permalink
    Resolved
    0 votes
    http://doc.coker.com.au/internet/how-to-debug-smtp-with-tlsssl-and-auth/
    Following steps here I was able to test the SSL connection against smtp.ntlworld.com using openssl, but it fails to connect if 'STARTTLS' is requested. The resulting connection appears to connect using TLSv1, TLSv1.1 or SSLv3 and authenticates OK... so not sure what Postfix is doing!

    [root@leonardo ~]# openssl s_client -CApath /etc/ssl/certs/ -connect smtp.ntlworld.com:465
    CONNECTED(00000003)
    depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    ---
    Certificate chain
    0 s:/C=GB/ST=Hampshire/L=Hook/O=Virgin Media Ltd/OU=internet operations/CN=smtp.ntlworld.com
    i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
    1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
    i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
    2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
    i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    ...snip...
    -----END CERTIFICATE-----
    subject=/C=GB/ST=Hampshire/L=Hook/O=Virgin Media Ltd/OU=internet operations/CN=smtp.ntlworld.com
    issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 4276 bytes and written 563 bytes
    ---
    New, TLSv1/SSLv3, Cipher is RC4-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
    Protocol : TLSv1.1
    Cipher : RC4-SHA
    Session-ID: DD79AB593xxxxxxxxxxxxxxxxxxx3E5B3F6B82CB5
    Session-ID-ctx:
    Master-Key: 89DED20F9xxxxxxxxxxxxxxxxxxxA38D6A94276719
    Key-Arg : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1421193871
    Timeout : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    ---
    220 know-smtprelay-4-imp bizsmtp ESMTP server ready
    ehlo mail.mydomain.com
    250-know-smtprelay-4-imp hello [86.2.222.6], pleased to meet you
    250-HELP
    250-AUTH LOGIN PLAIN
    250-SIZE 52000000
    250-8BITMIME
    250-STARTTLS
    250 OK
    auth login
    334 VXNlcm5hbWU6
    xxxxxxxxxxxxxxx
    334 UGFzc3dvcmQ6
    xxxxxxxxxxxxxxx
    235 ... authentication succeeded
    quit
    221 know-smtprelay-4-imp bizsmtp closing connection
    read:errno=0
  • Accepted Answer

    Tuesday, January 13 2015, 11:39 PM - #Permalink
    Resolved
    0 votes
    I got it working once with a wrapper called stunnel, which can tunnel any traffic (in this case SMTP over SSL)

    Apparently from other threads on the VM forums it's because Postfix won't do SSL on port 465 but I'm not sure
    http://community.virginmedia.com/t5/Forum-Archive/Running-postfix-email-relay-smtp/td-p/66253/page/2

    I'm still working without SMTP authentication on port 25...for now!