Postfix SMTP-Relay ISPConfig 3.2.9p1

Discussion in 'Installation/Configuration' started by Mikeal Wolfe, May 31, 2023.

  1. Mikeal Wolfe

    Mikeal Wolfe New Member

    I have a new ISPConfig 3.2.9p1 virtualbox VM Ubuntu 22.04 server that has several websites running and accessible, but I need to set up the Postfix mail server to relay SMTP mail via Gmail servers using my gmail app user account. The app user is set up, but I do not know where to configure this with the ISPConfig 3.2.9p1 admin interface. I have read it is not wise to configure any postfix config files manually as this can break the server's functionality, causing ISPConfig to lose control over these functions. I can connect to my ISPConfig mail server from an Evolution email client internally without issue. My public DNS host records for the domain(s) are all correct (A, AAAA, MX, SOA, SPF, etc.) and verified. Any help would be appreciated. The main purpose of this feature is for my websites that have custom contact forms using a PHP Mailer or any SMTP function to use the 'localhost' SMTP server to relay outbound messages until this site gets a business ISP circuit that doesn't block inbound SMTP connections. I will also be setting up a hosted mail server with some provider in the future to accept inbound email messages but need to be able to relay outbound SMTP mail immediately. Any help or guidance would be MUCH APPRECIATED! Thank you!
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    All system settings in ISPConfig are under System > Server config. If you go there, there is just one tab that deals with mail settings and it's named 'mail' and there you find it. Enter relay username, relay password and outgoing email server under system > server config > mail and press save. That's all.
     
    Mikeal Wolfe and ahrasis like this.
  3. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Do ask if you have a problem with setting up gmail as your relay, as in my experience, the steps in the Google account settings could be tricky for some.
     
  4. Mikeal Wolfe

    Mikeal Wolfe New Member

    Thank you for that info. It seems a little too easy (which is usually never the case). Will let you know the outcome in a few minutes...
     
  5. Mikeal Wolfe

    Mikeal Wolfe New Member

    I made the changes and when I send the email, the log file gives me these errors. I have verified I am able to ping both IPv4 and IPv6 addresses for smtp.google.com from the server so it's not a DNS resolution problem but maybe an SSL/TLS wrapper issue based on these log entries...

    Jun 1 19:48:09 node01 postfix/qmgr[255349]: 81AAE4774C: from=<[email protected]>, size=745, nrcpt=1 (queue active)
    Jun 1 19:48:09 node01 postfix/smtps/smtpd[255387]: disconnect from unknown[192.168.1.100] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
    Jun 1 19:48:09 node01 postfix/smtp[255394]: SMTPS wrappermode (TCP port 465) requires setting "smtp_tls_wrappermode = yes", and "smtp_tls_security_level = encrypt" (or stronger)
    Jun 1 19:48:39 node01 postfix/smtp[255394]: connect to smtp.google.com[64.233.176.27]:465: Connection timed out
    Jun 1 19:48:39 node01 postfix/smtp[255394]: connect to smtp.google.com[2607:f8b0:4002:c05::1a]:465: No route to host
    Jun 1 19:48:39 node01 postfix/smtp[255394]: connect to smtp.google.com[2607:f8b0:4002:c08::1a]:465: No route to host
    Jun 1 19:49:09 node01 postfix/smtp[255394]: connect to smtp.google.com[64.233.177.27]:465: Connection timed out
    Jun 1 19:49:39 node01 postfix/smtp[255394]: connect to smtp.google.com[64.233.176.26]:465: Connection timed out
    Jun 1 19:49:39 node01 postfix/smtp[255394]: 81AAE4774C: to=<[email protected]>, relay=none, delay=90, delays=0.18/0.01/90/0, dsn=4.4.1, status=deferred (connect to smtp.google.com[64.233.176.26]:465: Connection timed out)

    My FW has ports 25, 465, and 587 open to my internal IP but Xfinity residential blocks at least TCP 25 inbound. Not sure about 465 and 587. Any thoughts?
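
The log excerpt in the post above mixes a TLS-mode warning with connect() failures, and the two need separate fixes. As an added example (not code from any poster or from ISPConfig), this Python sketch groups the posted lines by address family, port and error; the function names `triage` and `findings` are hypothetical.

```python
import re

# Lines copied from the post above; the recipient address is obfuscated there as well.
SAMPLE_LOG = """\
Jun 1 19:48:09 node01 postfix/smtp[255394]: SMTPS wrappermode (TCP port 465) requires setting "smtp_tls_wrappermode = yes", and "smtp_tls_security_level = encrypt" (or stronger)
Jun 1 19:48:39 node01 postfix/smtp[255394]: connect to smtp.google.com[64.233.176.27]:465: Connection timed out
Jun 1 19:48:39 node01 postfix/smtp[255394]: connect to smtp.google.com[2607:f8b0:4002:c05::1a]:465: No route to host
Jun 1 19:48:39 node01 postfix/smtp[255394]: connect to smtp.google.com[2607:f8b0:4002:c08::1a]:465: No route to host
Jun 1 19:49:09 node01 postfix/smtp[255394]: connect to smtp.google.com[64.233.177.27]:465: Connection timed out
Jun 1 19:49:39 node01 postfix/smtp[255394]: connect to smtp.google.com[64.233.176.26]:465: Connection timed out
Jun 1 19:49:39 node01 postfix/smtp[255394]: 81AAE4774C: to=<[email protected]>, relay=none, delay=90, delays=0.18/0.01/90/0, dsn=4.4.1, status=deferred (connect to smtp.google.com[64.233.176.26]:465: Connection timed out)
"""

CONNECT = re.compile(r"postfix/smtp\[\d+\]: connect to \S+?\[(?P<ip>[0-9A-Fa-f:.]+)\]"
                     r":(?P<port>\d+): (?P<err>.+)$")
STATUS = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=.*?relay=(?P<relay>[^,]+),"
                    r".*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)")
WRAPPER_HINT = "SMTPS wrappermode (TCP port 465) requires setting"


def triage(log_text):
    """Group outbound smtp(8) client failures by address family, port and error."""
    failures = {}                     # (family, port, error) -> [ip, ...]
    report = {"wrappermode_unset": False, "deferred": [], "failures": failures}
    for line in log_text.splitlines():
        if WRAPPER_HINT in line:
            report["wrappermode_unset"] = True
        elif (m := CONNECT.search(line)):
            family = "ipv6" if ":" in m["ip"] else "ipv4"
            failures.setdefault((family, int(m["port"]), m["err"]), []).append(m["ip"])
        elif (m := STATUS.search(line)) and m["status"] == "deferred":
            report["deferred"].append((m["qid"], m["dsn"], m["relay"]))
    return report


def findings(report):
    """List the TLS-mode problem and each network-level failure as separate findings."""
    out = []
    if report["wrappermode_unset"]:
        out.append("tls: relay port 465 needs smtp_tls_wrappermode=yes and "
                   "smtp_tls_security_level=encrypt")
    for (family, port, err), ips in sorted(report["failures"].items()):
        out.append(f"network: {family} tcp/{port}: {err} ({len(ips)} address(es) tried)")
    return out


if __name__ == "__main__":
    for finding in findings(triage(SAMPLE_LOG)):
        print(finding)
```

The `network:` findings come from TCP connection attempts that failed before any TLS handshake, so the wrappermode setting alone does not clear them; a successful ICMP ping does not show that a TCP port is reachable.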
     
  6. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Code:
    Jun 1 19:48:39 node01 postfix/smtp[255394]: connect to smtp.google.com[64.233.176.27]:465: Connection timed out
    I would say that IP 64.233.176.27 is not a gmail address. Strange that your host tries that IP when connecting to gmail. Try to find out what is going on.
     
    ahrasis likes this.
  7. Mikeal Wolfe

    Mikeal Wolfe New Member

    SMTP-RELAY still failing. I will set up my Wireshark to monitor/sniff the server's IP traffic and see if there is anything on my side. If anybody else has any thoughts, it would be appreciated. I was hoping to use this function until I install a hosted mail server.

    I understand "smtp.google.com" to be a load-balanced DNS host record probably using my public IP's geo-location for shortest hop when resolving smtp.google.com which is why multiple IPv4/IPv6 addresses are shown in the log file. I have changed my DNS forwarders and still get connection timeouts no matter what SMTP TCP port I use (i.e. smtp.google.com:25, smtp.google.com:465, smtp.google.com:587). I wonder if my residential Xfinity circuit or even Google has a filter blocking residential ISP IP addresses from connecting to their SMTP server(s). It "COULD" be possible using some creative combinations with upper-layer NGFW feature sets on both Xfinity and Google networks in order to restrict people from setting up SMTP servers/services on a cheaper residential circuit but I am just speculating as a Sr. Network Engineer/Architect. Below are my PING/ICMP results from the ISPConfig server showing DNS resolution and replies...

    USER@ISPCONFIG-SVR:~$ ping smtp.google.com
    PING smtp.google.com (172.253.124.26) 56(84) bytes of data.
    64 bytes from ys-in-f26.1e100.net (172.253.124.26): icmp_seq=1 ttl=106 time=32.9 ms
    64 bytes from ys-in-f26.1e100.net (172.253.124.26): icmp_seq=2 ttl=105 time=31.0 ms
    64 bytes from ys-in-f26.1e100.net (172.253.124.26): icmp_seq=3 ttl=105 time=30.2 ms
    64 bytes from ys-in-f26.1e100.net (172.253.124.26): icmp_seq=4 ttl=105 time=29.2 ms
     
  8. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    try using telnet from the command line.. you can find instructions for testing smtp using telnet on google..
    it's not a solution to any configuration issues, but it will at least allow you to confirm if connectivity from your ispconfig mailserver to gmail's smtp servers on the requisite ports is the issue.
    anything after that becomes an encryption / authentication issue.

    you can also test authentication using telnet.
    you'll need to have base64 encoded versions of your google login and password to test authenticated access.
     
    Last edited: Jun 3, 2023
    Mikeal Wolfe and ahrasis like this.
  9. Mikeal Wolfe

    Mikeal Wolfe New Member

    Sorry, I didn't mention I tested that out already and it was unsuccessful. With both the newer Next-Gen Firewalls and IPS engine solutions it's possible to block upper-layer applications even when trying to connect on the appropriate tcp/udp ports so I was hoping I misconfigured something within the ISPConfig administration which would explain my issues. I am positive my networking stack is properly configured. Both my IPv4 and IPv6 connectivity tests are successful, DNS is resolving properly, my LE certificate was issued without any problems, my hardware based FW and port forwarding is configured and operating properly along with the IPv4 NAT.

    I am thinking at this point I need to set up a new mail server with a hosting company and relay to it, like mailgun or something. Any suggestions on an smtp-relay hosting company for a small amount of emails? It would primarily be for contact form submission.
     
  10. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    if it's for send only.. you only need a really small server..
    if you can currently receive mail on your existing server ok..
    you can set up an aws ec2 ubuntu instance.. and block everything except port 22 and 25... and install postfix.
    simple enough to configure it to relay your home ip if it's a fixed ip.
    assuming your home mailserver is also going to handle any virus checking for outbound mail.. you might even be able to get away with a micro instance eg t3.micro and a small enough drive that it all falls under the free tier allowance for the first year..
    all you'd have to pay is for traffic out to the internet at $0.02 - 0.09 Gb /month.
    and a fixed ip at $0.005/hr for any time where it's not being used.
    and if you're not sending out lots of large emails, the traffic might fit into the free tier usage allowance too.
    (you will need to set up a ptr / remove mail limits to send out directly. it's blocked by default, but is easy to unblock)
     
  11. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I am using this in the relayhost field, what about you?
    Code:
    [smtp-relay.gmail.com]:587
     
  12. Mikeal Wolfe

    Mikeal Wolfe New Member

    @ahrasis, I tried using smtp.gmail.com:587 ; smtp.gmail.com:465 ; & smtp.gmail.com and all didn't work, but I was unaware of "smtp-relay.gmail.com" and am going to try that now. On another note, I have set up a "mailjet.com" account and am in the process of trying to test it, but running into the error (see below) in my logs... I don't see it anywhere within ISPConfig's panel and didn't want to touch any config files from the terminal. Is this configurable from within the panel or do I need to modify the postfix main.cf & sasl_passwd ??

    SMTPS wrappermode (TCP port 465) requires setting "smtp_tls_wrappermode = yes", and "smtp_tls_security_level = encrypt" (or stronger)
     
  13. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    That is because I assumed one would use proper service for gmail relay i.e. google workspace and that was the relay for it that I have been using for years. Free gmail might or might not work because of its limitation.
     
    Mikeal Wolfe likes this.
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    The sasl_passwd file is set up by ISPConfig, so do not alter this. You can try setting:

    smtp_tls_wrappermode = yes
    smtp_tls_security_level = encrypt

    in postfix main.cf and restart postfix to see if this fixes the problem. Relaying through 465 is a bit unusual I guess. So instead try relaying through port 587 without modifying the main.cf as that's what normally gets used.
     
    Mikeal Wolfe likes this.
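
The pairing of relay port and TLS mode discussed in this thread, as an added Python example (not code from any poster or from ISPConfig): a read-only check of main.cf-style text that changes nothing on the server. The fragment `CF_465` and the host `smtp.example.net` are constructed, the function names are hypothetical, and the opportunistic-TLS finding goes beyond the log message quoted in the thread.

```python
import re

# Constructed main.cf fragment for illustration; smtp.example.net is a placeholder.
CF_465 = """\
relayhost = [smtp.example.net]:465
smtp_sasl_auth_enable = yes
"""
WEAK_LEVELS = {"", "none", "may"}     # unset, off, or opportunistic: weaker than "encrypt"


def parse_main_cf(text):
    """Parse 'name = value' lines; a line starting with whitespace continues the value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:
            params[last] = (params[last] + " " + raw.strip()).strip()
        elif "=" in raw:
            last, value = (part.strip() for part in raw.split("=", 1))
            params[last] = value
    return params


def parse_relayhost(value):
    """Return (host, port, mx_lookup); the '[host]' form turns MX lookups off."""
    m = re.fullmatch(r"(?:\[(?P<lit>[^\]]+)\]|(?P<name>[^:\[\]\s]+))(?::(?P<port>\d+))?",
                     value.strip())
    if not m:
        raise ValueError(f"unrecognised relayhost: {value!r}")
    return m["lit"] or m["name"], int(m["port"] or 25), m["lit"] is None


def lint(text):
    """Report relay settings whose TLS mode does not match the relay port."""
    cf = parse_main_cf(text)
    host, port, _ = parse_relayhost(cf.get("relayhost", ""))
    wrapper = cf.get("smtp_tls_wrappermode", "no") == "yes"
    weak = cf.get("smtp_tls_security_level", "") in WEAK_LEVELS
    out = []
    if port == 465 and not wrapper:
        out.append("smtp_tls_wrappermode = yes is required for port 465")
    if wrapper and port in (25, 587):
        out.append(f"smtp_tls_wrappermode = yes, but port {port} normally uses STARTTLS")
    if weak and (wrapper or port == 465):
        out.append("smtp_tls_security_level = encrypt (or stronger) is required")
    elif weak and cf.get("smtp_sasl_auth_enable") == "yes":
        out.append("TLS to the relay is opportunistic while SASL auth is enabled")
    return [f"{host}:{port}: {msg}" for msg in out]
```

The output of `postconf -n` uses the same `name = value` layout, so it can be passed to `lint()` instead of reading main.cf directly.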
