Issues setting up mail relay

I have a webserver that I want to route all outgoing email through my mailinabox server.
I have tried following this post and guide but am getting errors:
discourse .mailinabox.email/t/how-to-send-email-from-miab-using-an-external-smtp-relay/4248
www.linode .com/docs/guides/postfix-smtp-debian7/

I set up my postfix in Satellite mode, created a user on mailinabox and am trying to connect using that.

Using port 25 I am getting “Relay access denied”, using port 587 I am getting “Must issue a STARTTLS command first”.

I am testing using the following command:

echo  "body of your email" | mail -s "This is a subject" -a "From:you@example.com" recipient@elsewhere.com

All configuration changes are done on the mailserver postfix side.
Is there something I need to do on the mailinabox side?
Should I be using port 25 or 587?
This seems like a pretty basic thing to set up but it just isn't working for me.
Can someone please assist?

You should be using port 465 with TLS, not STARTTLS on 587 and especially not 25. It sounds like your MIAB might be outdated, it switched away from STARTTLS on 587 a while ago.


Thanks that is really helpful. I am running the latest version of MiaB (v70) and the error I am getting now is: “certificate verification failed” “untrusted issuer”.
I tried following these steps:

If your Mail-in-a-Box is using self-signed certificates, the remote machine will not trust the connection.

  • Copy /home/user-data/ssl/ssl_certificate.pem from your Mail-in-a-Box to the remote machine.
  • Add it to the trusted certificates store (distribution specific). On Debian/Ubuntu, move the certificate to /usr/local/share/ca-certificates/ and rename it so its extension is crt. Run sudo update-ca-certificates to add it to the trusted certificate store.

The MiaB server’s postfix was in fact using a self-signed cert, which I copied over and added to the webserver, but it still doesn't trust the certificate.

Any ideas?

This shouldn’t be related, the mail server’s certificates are being handled directly. Maybe try running management/ssl_certificates.py and see if it errors?

Where is this command? Is it part of MiaB?

Yes it should be part of your install, not sure what the default folder is since I use it a bit differently.

This command resides in the mailinabox clone under the /root directory. It needs to be run as root, so you can try with these commands:

sudo su -
cd /root/mailinabox
management/ssl_certificates.py

Thanks, I was able to locate the command and run it.
It says that all certificates are valid and they were all created and managed by letsencrypt.
I would expect that postfix would recognize any certificates from letsencrypt, is that not necessarily the case?
I suppose I could manually try to add the certificates to the web server postfix unless anyone has any other suggestions.

The letsencrypt certificates are used by the webserver. They do nothing for postfix.
I think a good guide to follow for what you want is this one: Mail-in-a-Box Advanced Configuration Guide (I have never used it, but trying to think with you)

When you try this, what commands are you running on which machine?

Hi @zimm01

There should be absolutely no need to copy, create, install or configure any certificates on the server you want to send the messages from.

All you need to do is install an MTA (e.g. Postfix) in a satellite configuration, which basically means that the MTA acts as an SMTP client and then authenticates via port 587 or 465 to an account/mailbox on MiaB (just like a desktop client would) and then sends the emails through that mailbox/account.

Edit:
The ca-certificates package must of course be installed on the sending server in order for Postfix, or whatever MTA/smtp client you are using to be able to use TLS/SSL when connecting to MiaB.

Also, you might consider using msmtp instead of Postfix, which is lighter and should be easier to configure, although the instructions for Postfix @KiekerJan’s linked to should work as well.

Btw, here’s my cheat sheet, on how to configure msmtp. It’s been a while since I’ve tested it, but maybe it helps, otherwise see the docs in my link above:

Good luck. :slight_smile:

Install packages:

sudo -i
apt install msmtp msmtp-mta mailutils bsd-mailx

Configure /etc/aliases:

nano /etc/aliases
mailer-daemon: postmaster
postmaster: root
nobody: root
hostmaster: root
usenet: root
news: root
webmaster: root
www: root
ftp: root
abuse: root
noc: root
security: root
yourusername: notifications@yourdomain.tld
root: notifications@yourdomain.tld

or:

nano /etc/aliases
default: notifications@yourdomain.tld
newaliases

Configure msmtp:

nano /etc/msmtprc
# Default values for all accounts
defaults
auth on
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
syslog LOG_MAIL

# Accounts
account notifications@yourdomain.net
host mail.yourdomain.net
port 587
set_from_header on
from webserver@yourdomain.net
user notifications@yourdomain.net
password Sup3rs3cr3tPa$$w0rd

# Default account
account default: notifications@yourdomain.net

# Include /etc/aliases
aliases /etc/aliases

Thanks I will try out msmtp.

I tried msmtp but am now getting the following error when trying a test:

sendmail: the server sent an empty reply
sendmail: could not send mail (account default from etc msmtprc)
Can’t send mail: sendmail process failed with error code 76

I am using the following line to test with:
echo "relay test" | mail -s "relay test" testemail @ home net

I set up a notifications account and was able to easily connect to it using Outlook POP.

Any suggestions?

In case you’re using the configuration from my example, try changing the port to 465 instead of 587 and add the following line:

tls_starttls off

See also here: https://wiki.archlinux.org/title/Msmtp#Server_sent_empty_reply

My mailinabox server definitely doesn't have 587 open. The mail-guide page only shows port 465 and including TLS on the instructions. This is what I am seeing when I connect with Outlook. When I change Outlook to port 587 it won't connect.
Is there any way to check which SSL cert is being received and processed during the connection?

Could this be an IPv6 issue? I am seeing the connection hang and the MiaB side is showing the IPv6 address of the server I am trying to relay from. Is there a way to force the connection as IPv4 or configure MiaB to trust the IPv6 address?

Nov 7 10:46:56 box postfix/submission/smtpd[2540997]: connect from unknown[]

Why would port 587 be closed?
Try connecting via telnet from the other machine like this to test the ports:

telnet [yourserverip ipv4 or ipv6] 587
telnet [yourserverip ipv4 or ipv6] 465
telnet [yourserverip ipv4 or ipv6] 25

and see if the ports are open. Successful connection would show:

Escape character is '^]'.
220 yourMIABmachineName Hello this is  Mail-in-a-Box ESMTP Ready, (Ubuntu/Postfix)

And read here how to prefer v4 name resolution in ubuntu.

To set postfix to prefer IPV4 outbound connections insert this in main.cf:
smtp_address_preference = ipv4

sudo nano /etc/postfix/main.cf

sudo systemctl restart postfix

To make MIAB ipv4 only. Insert this line in /etc/postfix/main.cf
inet_protocols = ipv4

Restart postfix

You were right and port 587 was in fact open.
I was able to adjust the settings for msmtprc and get it to work finally!
I changed the port to 587 and added “tls_starttls on” and was able to successfully relay through my MiaB server.

Thanks everyone for your help.
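
The two pairings that came up in this thread (port 465 with tls_starttls off, port 587 with tls_starttls on) can be checked in an msmtprc before any mail is sent. The following is an added example, not code from any poster or from the msmtp or Mail-in-a-Box projects: a small Python lint that resolves msmtp's `defaults` and account inheritance and flags a port/TLS-mode mismatch, disabled certificate checking, and a plaintext `password` line. The account names, host and password in SAMPLE are constructed placeholders, and the parser assumes at most one parent per account.

```python
EXPECTED_STARTTLS = {465: "off", 587: "on"}  # 465 = implicit TLS, 587 = STARTTLS

# Constructed sample; account names, host and password are placeholders.
SAMPLE = """\
defaults
tls on
account relay465
host mail.example.net
port 465
user notifications@example.net
password CONSTRUCTED-PLACEHOLDER
account relay587 : relay465
port 587
account fixed465 : relay465
tls_starttls off
"""

def parse_msmtprc(text):
    """Return {account: settings}, resolving 'defaults' and 'account name : parent'."""
    defaults, accounts, current = {}, {}, None
    for raw in text.splitlines():
        parts = raw.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if key == "defaults":
            current = defaults
        elif key == "account":
            name, _, parent = (p.strip() for p in value.partition(":"))
            # Assumption: at most one parent; a child starts from its parent's settings
            current = accounts[name] = dict(accounts[parent] if parent else defaults)
        elif current is not None:
            current[key] = value
    return accounts

def lint(text):
    """Return {account: [finding, ...]} for TLS-mode and credential problems."""
    report = {}
    for name, s in parse_msmtprc(text).items():
        findings = report[name] = []
        starttls = s.get("tls_starttls") or "on"  # msmtp default: tls_starttls on
        if s.get("tls_certcheck") == "off":
            findings.append("CERTCHECK_OFF: server certificate is not verified")
        want = EXPECTED_STARTTLS.get(int(s.get("port", 0)))
        if want and starttls != want:
            findings.append(f"TLS_MODE: port {s['port']} expects tls_starttls {want}, got {starttls}")
        if "password" in s:
            findings.append("PLAINTEXT_PASSWORD: use passwordeval or restrict file permissions")
    return report
```

Calling `lint(open("/etc/msmtprc").read())` on the sending host returns one list of findings per account; an empty list means none of these checks fired.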
