Introduction
A very common way of transmitting email messages in server systems is by sending them directly to other mail servers on the Internet using the SMTP protocol. However, many networks filter outgoing SMTP connections (TCP port 25 outbound). Since our default RHEL, CentOS, and APS installations will try to send email messages this way, email-based alert notifications might not go through as expected in all environments.
This issue is often resolved by making sure that the local mail server (e.g. the Postfix daemon running at the Monitor server) sends its outgoing mail through a relaying mail server (one often located within your internal network, or one belonging to your ISP).
If you are using AWS
We strongly recommend following the official AWS documentation located here. This documentation will take you through how to configure Postfix for use with AWS SMTP relays.
Prerequisites
Before we can start configuring the system, please confirm:
- That the OP5 Monitor server is running the Postfix daemon (confirm using either "service postfix status" in EL6 or "systemctl status postfix" in EL7)
- Basic details for the necessary relay server: IP address, hostname, and any required authentication details
Configuring Postfix
Using an open relay server (no authentication)
OP5 Appliance System (APS)
The APS lets you configure the relay server using the web-based configuration tool (Portal).
CentOS & RHEL
- Log on to your root account at your Monitor server using SSH.
- Edit the Postfix main configuration file /etc/postfix/main.cf
- Insert an option such as this:
relayhost = [domain.name.of.relay.server]
- Restart the Postfix daemon by running the following command as root:
service postfix restart
Using a relay server with authentication
Depending on the configuration of the relaying mail server, different authentication mechanisms are required. In this case, the basic plain authentication mode will be used.
- Log on to your root account at your op5 Monitor server using SSH.
- Create a new SASL authentication file unless one already exists.
  - Run the following commands:
  [ -e /etc/postfix/sasl_passwd ] || : > /etc/postfix/sasl_passwd
  chown root: /etc/postfix/sasl_passwd
  chmod 600 /etc/postfix/sasl_passwd
  - Edit the file and insert your user details, like this:
  your.relay.server.host.name email.account@relay.server:password
  - Any change to this file requires an update of its corresponding binary lookup table file. The plain text file will be processed using this command:
  postmap hash:/etc/postfix/sasl_passwd
  - The file /etc/postfix/sasl_passwd.db should now have been created or updated. The following command will verify that your changes have been inserted:
  postmap -s hash:/etc/postfix/sasl_passwd
- Optionally, use address rewriting to transform the sender address in outgoing email messages. For example, if your server running Monitor is set up with a system host name such as op5-system.localdomain, the sender address in outgoing email notifications from Monitor will be set to monitor@op5-system.localdomain. Restrictive relay servers might reject email messages with invalid (e.g. non-external) sender addresses, and the message will just bounce back. One way of handling this is by rewriting the address.
  - Edit Postfix's generic configuration file, '/etc/postfix/generic', to insert the address rewrite. In this example, the latter address represents a fully valid email address or account:
  monitor@op5-system.localdomain monitor@your.company.domain.name
  - Any change to this file requires an update of its corresponding binary lookup table file. The plain text file will be processed using this command:
  postmap /etc/postfix/generic
  - Make sure to add the smtp_generic_maps setting into '/etc/postfix/main.cf' and then restart Postfix as described in step 8 below.
- Edit Postfix's main configuration file, '/etc/postfix/main.cf', to insert the following options:
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain, login
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_generic_maps = hash:/etc/postfix/generic
relayhost = [domain.name.of.relay.server]
NOTE: smtp_generic_maps is only needed if step 3 above was performed.
- If the SMTP server requires TLS authentication (as does Office365), then also add the following option:
smtp_tls_security_level = encrypt
- If using Office365, set Postfix to use only IPv4 by adding the following option:
inet_protocols = ipv4
- To make this work with Office 365 accounts that have not been opened for SMTP relays, please also add the following, replacing 'newsender@address.com' with the desired new address:
  - Add the following to '/etc/postfix/main.cf':
  sender_canonical_classes = envelope_sender, header_sender
  sender_canonical_maps = regexp:/etc/postfix/sender_canonical_maps
  smtp_header_checks = regexp:/etc/postfix/header_checks
  - Rewrite the envelope address of email originating from the server itself via this change in '/etc/postfix/sender_canonical_maps':
  /.+/ newsender@address.com
  - Rewrite the "from" address in SMTP relayed e-mail using this change in '/etc/postfix/header_checks':
  /From:.*/ REPLACE From: newsender@address.com
- Finally, restart the local Postfix server daemon by running the following command:
service postfix restart
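A check for the authenticated-relay configuration built in the steps above, as an added example that is not part of the original article: the PLAIN and LOGIN mechanisms carry the password only base64-encoded, so the script flags SASL enabled without a mandatory TLS level, a password file or map that is not mode 600, and a sasl_passwd edited after the last postmap run. The function names conf_get and audit_relay are hypothetical, the sample files are constructed, and GNU stat is assumed.

```bash
# Effective value of a main.cf parameter: last definition wins, comments skipped.
# (Multi-line continuation values are not handled in this example.)
conf_get() {  # conf_get <main.cf> <parameter>
    awk -F= -v k="$2" '
        /^[ \t]*#/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); v = $0 }
        END { print v }' "$1"
}

# Prints one line per finding; returns 1 if anything was found.
audit_relay() {  # audit_relay <main.cf> <sasl_passwd>
    cf=$1 pw=$2 rc=0
    if [ "$(conf_get "$cf" smtp_sasl_auth_enable)" = yes ]; then
        case "$(conf_get "$cf" smtp_tls_security_level)" in
            encrypt|dane-only|fingerprint|verify|secure) ;;  # TLS is mandatory
            *) echo "TLS_NOT_ENFORCED: SASL password can cross the network unencrypted"; rc=1 ;;
        esac
        for f in "$pw" "$pw.db"; do
            [ -e "$f" ] || continue
            mode=$(stat -c %a "$f")   # GNU stat: octal permission bits
            [ "$mode" = 600 ] || { echo "LOOSE_MODE: $f is $mode, expected 600"; rc=1; }
        done
        if [ ! -e "$pw.db" ] || [ "$pw" -nt "$pw.db" ]; then
            echo "STALE_MAP: run postmap hash:$pw"; rc=1
        fi
    fi
    return $rc
}

# Constructed sample: the options from the steps above, without the TLS line.
demo=$(mktemp -d)
cat > "$demo/main.cf" <<'EOF'
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain, login
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
relayhost = [domain.name.of.relay.server]
EOF
echo 'relay.example.test user@relay.example.test:not-a-real-password' > "$demo/sasl_passwd"
chmod 644 "$demo/sasl_passwd"
audit_relay "$demo/main.cf" "$demo/sasl_passwd" || true
```

On a real server, point it at /etc/postfix/main.cf and /etc/postfix/sasl_passwd and run it as root.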
Verifying that it works
Sending a test message
OP5 Appliance System (APS)
Enter the Email Settings page in the Portal and send a test message.
CentOS & RHEL
- Log on to your Monitor server using SSH.
- Send a test message by running the following command (make sure to substitute the email address!):
echo testbody | mail -s testsubject your@mail.address
Is the mail command missing? Make sure to install the mailx package in the system:
yum install mailx
Troubleshooting
Finding (error) log messages
- SSH onto your OP5 Monitor server and get root.
- Monitor the system mail log file by running the following command:
tail -n0 -F /var/log/maillog
- Meanwhile, send a test message using one of the methods outlined above.
- You should now see information about your email delivery. If the message fails to send, an error message will appear. This error message could be generated by either the local mail server (Postfix) or the remote relay system, or both. Please consult the Postfix documentation for more information.
- If you receive the message "Client was not authenticated to send anonymous mail during MAIL FROM", your SMTP server might require TLS authentication.
- Several error messages, such as the ones below, are related to the SASL settings in the Postfix configuration, especially the smtp_sasl_mechanism_filter option. They could also be related to missing libraries; see the section on missing software packages below.
  - warning: SASL authentication failure: No worthy mechs found
  - warning: mail.relay.server[192.0.2.10]:25 offered no supported AUTH mechanisms: 'PLAIN LOGIN'
  - status=deferred (SASL authentication failed; cannot authenticate to server relay.mail.server[192.0.2.10]: no mechanism available)
  - status=deferred (SASL authentication failed: server mail.relay.server[192.0.2.10] offered no compatible authentication mechanisms for this type of connection security)
Missing software packages
Using the SASL authentication methods in Postfix requires that the corresponding Cyrus SASL libraries have been installed in the system. Verify this by running the following command:
rpm -q cyrus-sasl cyrus-sasl-plain cyrus-sasl-md5
Several different packages exist for different types of authentication methods. Find out which ones are available by running the following command:
yum search cyrus-sasl
Installing any of those is just a matter of running, for example:
yum install cyrus-sasl-ntlm
Note: If configuring this for Office365, you need to use a regular mailbox account rather than a shared Office365 mailbox.