OPNSense with Postfix Plugin as smarthost/relay

[norbo80]

Hello OPNsense Users,

I would like use the OPNSense as Smarthost or Relay for my internal network devices. All devices should send their mails to the OPNsence and the OPNSense via smarthost outside. I found following topic:

https://forum.opnsense.org/index.php?topic=7538.0

but I have no idea how may I configure this on OPNSense.

My config:

on client - set smtp_url = "smtp://user@domain.net@opnsenseIP:25"
on OPN Sense:
Postfix - General:
- ListenPort:  25
- Smart Host - externalSMTPserverIP:465
- Authentication Username: user@domain.net
- Authentication Password: UserPW

I created FW Rule - allow Host to FW on port 25

I receive following error:
SMTP session failed: 502 5.5.1 Error: command not implemented

Many thanks for your help.

[mimugmail]

Some more logs needed please

[Patrick M. Hausen]

Depending on the external SMTP server you want to use authentication might be broken:
https://github.com/opnsense/plugins/issues/2830

But this is not your first and current issue - check the syntax for that smtp_url parameter in whatever your application is. Check the postfix log for more info on that error. Once you have your local submit issue worked out, you might still hit the one above when postfix tries to forward to your external server.

[norbo80]

 

Some more logs needed please

Thank you!

LOGs:

Code: [Select]

2022-03-08T14:53:37 Informational postfix/smtpd disconnect from unknown[192.168.100.10] ehlo=1 starttls=0/1 commands=1/2
2022-03-08T14:53:37 Informational postfix/smtpd lost connection after STARTTLS from unknown[192.168.100.10]
2022-03-08T14:53:37 Error postfix/smtpd OTP unavailable because can't read/write key database /etc/opiekeys: Permission denied
2022-03-08T14:53:37 Informational postfix/smtpd connect from unknown[192.168.100.10]
UPDATE: after I deactivated : "Permit SASL Authenticated" the erron not appear in LOGs, but the errror still persist.

Code: [Select]

2022-03-08T15:00:03 Informational postfix/smtpd disconnect from unknown[192.168.100.10] ehlo=1 starttls=0/1 commands=1/2
2022-03-08T15:00:03 Informational postfix/smtpd lost connection after STARTTLS from unknown[192.168.100.10]
2022-03-08T15:00:03 Informational postfix/smtpd connect from unknown[192.168.100.10]
2022-03-08T14:59:55 Informational postfix/master daemon started -- version 3.5.12, configuration /usr/local/etc/postfix
2022-03-08T14:59:55 Informational postfix/postfix-script starting the Postfix mail system
2022-03-08T14:59:50 Informational postfix/master terminating on signal 15
2022-03-08T14:59:50 Informational postfix/postfix-script stopping the Postfix mail system

Depending on the external SMTP server you want to use authentication might be broken:
https://github.com/opnsense/plugins/issues/2830

But this is not your first and current issue - check the syntax for that smtp_url parameter in whatever your application is. Check the postfix log for more info on that error. Once you have your local submit issue worked out, you might still hit the one above when postfix tries to forward to your external server.

client mutt config:

set smtp_url = "smtp://user@domain.net@192.168.10.1:25"

Mutt error:

Code: [Select]

SMTP session failed: 502 5.5.1 Error: command not implemented
Maybe I'm missing something in Postfix config? Like I said I changed only:
 Trusted Networks,
 Enable SMTP Authentication
 Authentication Username
 Authentication Password

[norbo80]

Unfortunately it still not working, I tried now configure mutt with direct connection to the extern mail server (without opnsense proxy):

set smtp_url = "smtp://login:Npassword@server:587/"
set from = "mail@server.net
set ssl_force_tls = no # Require encrypted connection
set ssl_starttls=no

and it works.

I got any idea anymore why is not working with postfix as smarthost.

my postfix config:

Code: [Select]

<postfix>
      <headerchecks version="1.0.0">
        <headerchecks/>
      </headerchecks>
      <recipient version="1.0.0">
        <recipients/>
      </recipient>
      <address version="1.0.0">
        <addresses/>
      </address>
      <antispam version="1.0.2">
        <enable_rspamd>0</enable_rspamd>
        <default_action>accept</default_action>
      </antispam>
      <domain version="1.0.1">
        <domains/>
      </domain>
      <sender version="1.0.0">
        <senders/>
      </sender>
      <general version="1.2.6">
        <enabled>1</enabled>
        <myhostname/>
        <mydomain/>
        <myorigin/>
        <inet_interfaces>all</inet_interfaces>
        <inet_port>25</inet_port>
        <ip_version>all</ip_version>
        <bind_address/>
        <bind_address6/>
        <mynetworks>127.0.0.0/8,[::ffff:127.0.0.0]/104,[::1]/128,192.168.100.0/24</mynetworks>
        <banner/>
        <message_size_limit>51200000</message_size_limit>
        <masquerade_domains/>
        <tls_server_compatibility>intermediate</tls_server_compatibility>
        <tls_client_compatibility>intermediate</tls_client_compatibility>
        <tlswrappermode>0</tlswrappermode>
        <certificate/>
        <ca/>
        <smtpclient_security>may</smtpclient_security>
        <relayhost>server:587</relayhost>
        <smtpauth_enabled>1</smtpauth_enabled>
        <smtpauth_user>login</smtpauth_user>
        <smtpauth_password>password</smtpauth_password>
        <enforce_recipient_check>0</enforce_recipient_check>
        <extensive_helo_restrictions>0</extensive_helo_restrictions>
        <extensive_sender_restrictions>0</extensive_sender_restrictions>
        <reject_unknown_client_hostname>0</reject_unknown_client_hostname>
        <reject_non_fqdn_helo_hostname>0</reject_non_fqdn_helo_hostname>
        <reject_invalid_helo_hostname>0</reject_invalid_helo_hostname>
        <reject_unknown_helo_hostname>0</reject_unknown_helo_hostname>
        <reject_unauth_pipelining>1</reject_unauth_pipelining>
        <reject_unknown_sender_domain>0</reject_unknown_sender_domain>
        <reject_unknown_recipient_domain>0</reject_unknown_recipient_domain>
        <reject_non_fqdn_sender>0</reject_non_fqdn_sender>
        <reject_non_fqdn_recipient>0</reject_non_fqdn_recipient>
        <permit_sasl_authenticated>0</permit_sasl_authenticated>
        <permit_tls_clientcerts>1</permit_tls_clientcerts>
        <permit_mynetworks>1</permit_mynetworks>
        <reject_unauth_destination>1</reject_unauth_destination>
        <reject_unverified_recipient>0</reject_unverified_recipient>
        <delay_warning_time>0</delay_warning_time>
      </general>
      <recipientbcc version="1.0.0">
        <recipientbccs/>
      </recipientbcc>
      <senderbcc version="1.0.0">
        <senderbccs/>
      </senderbcc>
      <sendercanonical version="1.0.0">
        <sendercanonicals/>
      </sendercanonical>
    </postfix>
@mimugmail @pmhausen I will be grateful for any help