Text only | Text with Images

OPNsense Forum

Archive => 22.1 Legacy Series => Topic started by: norbo80 on March 07, 2022, 03:47:11 PM

Title: OPNSense with Postfix Plugin as smarthost/relay
Post by: norbo80 on March 07, 2022, 03:47:11 PM
Hello OPNsense Users,

I would like use the OPNSense as Smarthost or Relay for my internal network devices. All devices should send their mails to the OPNsence and the OPNSense via smarthost outside. I found following topic:

https://forum.opnsense.org/index.php?topic=7538.0 (https://forum.opnsense.org/index.php?topic=7538.0)

but I have no idea how may I configure this on OPNSense.

My config:

on client - set smtp_url = "smtp://user@domain.net@opnsenseIP:25"
on OPN Sense:
Postfix - General:
- ListenPort:  25
- Smart Host - externalSMTPserverIP:465
- Authentication Username: user@domain.net
- Authentication Password: UserPW

I created FW Rule - allow Host to FW on port 25

I receive following error:
SMTP session failed: 502 5.5.1 Error: command not implemented

Many thanks for your help.
Title: Re: OPNSense with Postfix Plugin as smarthost/relay
Post by: mimugmail on March 08, 2022, 02:02:27 PM
Some more logs needed please
Title: Re: OPNSense with Postfix Plugin as smarthost/relay
Post by: Patrick M. Hausen on March 08, 2022, 02:41:00 PM
Depending on the external SMTP server you want to use authentication might be broken:
https://github.com/opnsense/plugins/issues/2830

But this is not your first and current issue - check the syntax for that smtp_url parameter in whatever your application is. Check the postfix log for more info on that error. Once you have your local submit issue worked out, you might still hit the one above when postfix tries to forward to your external server.
Title: Re: OPNSense with Postfix Plugin as smarthost/relay
Post by: norbo80 on March 08, 2022, 02:55:48 PM
 
Quote from: mimugmail on March 08, 2022, 02:02:27 PM
Some more logs needed please
Thank you!

LOGs:

Code Select
2022-03-08T14:53:37 Informational postfix/smtpd disconnect from unknown[192.168.100.10] ehlo=1 starttls=0/1 commands=1/2
2022-03-08T14:53:37 Informational postfix/smtpd lost connection after STARTTLS from unknown[192.168.100.10]
2022-03-08T14:53:37 Error postfix/smtpd OTP unavailable because can't read/write key database /etc/opiekeys: Permission denied
2022-03-08T14:53:37 Informational postfix/smtpd connect from unknown[192.168.100.10]

UPDATE: after I deactivated : "Permit SASL Authenticated" the erron not appear in LOGs, but the errror still persist.

Code Select
2022-03-08T15:00:03 Informational postfix/smtpd disconnect from unknown[192.168.100.10] ehlo=1 starttls=0/1 commands=1/2
2022-03-08T15:00:03 Informational postfix/smtpd lost connection after STARTTLS from unknown[192.168.100.10]
2022-03-08T15:00:03 Informational postfix/smtpd connect from unknown[192.168.100.10]
2022-03-08T14:59:55 Informational postfix/master daemon started -- version 3.5.12, configuration /usr/local/etc/postfix
2022-03-08T14:59:55 Informational postfix/postfix-script starting the Postfix mail system
2022-03-08T14:59:50 Informational postfix/master terminating on signal 15
2022-03-08T14:59:50 Informational postfix/postfix-script stopping the Postfix mail system

Quote from: pmhausen on March 08, 2022, 02:41:00 PM
Depending on the external SMTP server you want to use authentication might be broken:
https://github.com/opnsense/plugins/issues/2830

But this is not your first and current issue - check the syntax for that smtp_url parameter in whatever your application is. Check the postfix log for more info on that error. Once you have your local submit issue worked out, you might still hit the one above when postfix tries to forward to your external server.
client mutt config:

set smtp_url = "smtp://user@domain.net@192.168.10.1:25"

Mutt error:

Code Select
SMTP session failed: 502 5.5.1 Error: command not implemented

Maybe I'm missing something in Postfix config? Like I said I changed only:
Trusted Networks,
Enable SMTP Authentication
Authentication Username
Authentication Password
Title: Re: OPNSense with Postfix Plugin as smarthost/relay
Post by: norbo80 on March 27, 2022, 11:50:33 AM
Unfortunately it still not working, I tried now configure mutt with direct connection to the extern mail server (without opnsense proxy):

Quoteset smtp_url = "smtp://login:Npassword@server:587/"
set from = "mail@server.net
set ssl_force_tls = no # Require encrypted connection
set ssl_starttls=no

and it works.

I got any idea anymore why is not working with postfix as smarthost.

my postfix config:

Code Select
<postfix>
      <headerchecks version="1.0.0">
        <headerchecks/>
      </headerchecks>
      <recipient version="1.0.0">
        <recipients/>
      </recipient>
      <address version="1.0.0">
        <addresses/>
      </address>
      <antispam version="1.0.2">
        <enable_rspamd>0</enable_rspamd>
        <default_action>accept</default_action>
      </antispam>
      <domain version="1.0.1">
        <domains/>
      </domain>
      <sender version="1.0.0">
        <senders/>
      </sender>
      <general version="1.2.6">
        <enabled>1</enabled>
        <myhostname/>
        <mydomain/>
        <myorigin/>
        <inet_interfaces>all</inet_interfaces>
        <inet_port>25</inet_port>
        <ip_version>all</ip_version>
        <bind_address/>
        <bind_address6/>
        <mynetworks>127.0.0.0/8,[::ffff:127.0.0.0]/104,[::1]/128,192.168.100.0/24</mynetworks>
        <banner/>
        <message_size_limit>51200000</message_size_limit>
        <masquerade_domains/>
        <tls_server_compatibility>intermediate</tls_server_compatibility>
        <tls_client_compatibility>intermediate</tls_client_compatibility>
        <tlswrappermode>0</tlswrappermode>
        <certificate/>
        <ca/>
        <smtpclient_security>may</smtpclient_security>
        <relayhost>server:587</relayhost>
        <smtpauth_enabled>1</smtpauth_enabled>
        <smtpauth_user>login</smtpauth_user>
        <smtpauth_password>password</smtpauth_password>
        <enforce_recipient_check>0</enforce_recipient_check>
        <extensive_helo_restrictions>0</extensive_helo_restrictions>
        <extensive_sender_restrictions>0</extensive_sender_restrictions>
        <reject_unknown_client_hostname>0</reject_unknown_client_hostname>
        <reject_non_fqdn_helo_hostname>0</reject_non_fqdn_helo_hostname>
        <reject_invalid_helo_hostname>0</reject_invalid_helo_hostname>
        <reject_unknown_helo_hostname>0</reject_unknown_helo_hostname>
        <reject_unauth_pipelining>1</reject_unauth_pipelining>
        <reject_unknown_sender_domain>0</reject_unknown_sender_domain>
        <reject_unknown_recipient_domain>0</reject_unknown_recipient_domain>
        <reject_non_fqdn_sender>0</reject_non_fqdn_sender>
        <reject_non_fqdn_recipient>0</reject_non_fqdn_recipient>
        <permit_sasl_authenticated>0</permit_sasl_authenticated>
        <permit_tls_clientcerts>1</permit_tls_clientcerts>
        <permit_mynetworks>1</permit_mynetworks>
        <reject_unauth_destination>1</reject_unauth_destination>
        <reject_unverified_recipient>0</reject_unverified_recipient>
        <delay_warning_time>0</delay_warning_time>
      </general>
      <recipientbcc version="1.0.0">
        <recipientbccs/>
      </recipientbcc>
      <senderbcc version="1.0.0">
        <senderbccs/>
      </senderbcc>
      <sendercanonical version="1.0.0">
        <sendercanonicals/>
      </sendercanonical>
    </postfix>

@mimugmail @pmhausen I will be grateful for any help
Text only | Text with Images