Recently we had a request to set up a dedicated relay for one of our clients through a third party. On the server we had another client who was using a separate relay. After finding differing takes on the process – neither of which worked properly – we found the perfect combination. For reference, we took some of the advice from here, here and here, if you want to see the various solutions.
This has been tested on Zimbra 8.8 GA only. Use at your own risk.
The problem I found was that the suggested changes were being made directly to /opt/zimbra/common/conf/main.cf. Those changes got overwritten each time postfix was reloaded. So instead of making the changes directly to the file, you need to make them via zmprov.
First, run the following commands and take note of their settings in the event you ever have to undo this. Their expected results are listed below:
zmprov -l gs `zmhostname` | grep -i zimbraMtaSmtpSaslPasswordMaps
[empty]
zmprov -l gs `zmhostname` | grep -i zimbraMtaSmtpSaslAuthEnable
no
zmprov -l gs `zmhostname` | grep -i zimbraMtaSmtpCnameOverridesServername
no
zmprov -l gs `zmhostname` | grep -i zimbraMtaSmtpSaslSecurityOptions
noplaintext,noanonymous
zmprov -l gs `zmhostname` | grep -i zimbraMtaSmtpSaslMechanismFilter
[empty]
Second, run the following commands to change these settings:
zmprov ms `zmhostname` zimbraMtaSmtpSaslPasswordMaps "lmdb:/opt/zimbra/conf/relay_password"
zmprov ms `zmhostname` zimbraMtaSmtpSaslAuthEnable yes
zmprov ms `zmhostname` zimbraMtaSmtpCnameOverridesServername no
zmprov ms `zmhostname` zimbraMtaSmtpSaslSecurityOptions "noanonymous"
zmprov ms `zmhostname` zimbraMtaSmtpSaslMechanismFilter "plain,login"
zmprov ms `zmhostname` zimbraMtaSmtpTlsSecurityLevel may
Third, as noted in one of the links above, “Take backup of ‘/opt/zimbra/conf/zmconfigd.cf’ and open it with your favorite editor. Look for the “SECTION mta” and add the following line:”
POSTCONF sender_dependent_relayhost_maps FILE postfix_sender_dependent_relayhost_maps.cf
I found the “SECTION mta” entry and pasted it right above the “RESTART mta” entry around line 276 but this may vary depending on your version.
Fourth, execute this to tell the new config parameter where to look for the relay domain instructions:
echo "lmdb:/opt/zimbra/common/conf/relay_domain_conf" >> /opt/zimbra/conf/postfix_sender_dependent_relayhost_maps.cf
Fifth, in /opt/zimbra/common/conf/relay_domain_conf add the following:
@domain.com smtp.mailgun.org
@domain2.com smtp.mailgun.org
@domain3.com smarthost.securence.com
Sixth, run this as the “zimbra” user:
postmap /opt/zimbra/common/conf/relay_domain_conf
And finally:
postfix reload
Now log in as one of those accounts and send a test email to yourself. Once you receive it, check the mail headers. You should see something similar to this:
X-Mailgun-Sending-Ip: XXX.XXX.XXX.XXX
X-Mailgun-Sid: WyIz4fgzfiIsICJrQl0aEB3YXZlbAW90a33uZGlnaXRhbC5jb20iLCAiYTFjMmUyIl0=
Sender: user=domain.com@mg.wavemotionmail.com
Received: from mail.originserver.com (Unknown [XXX.XXX.XXX.XXX]) by
mxa.mailgun.org with ESMTP id 5e822697.7fa61bfc2eb0-smtp-out-n03; Mon, 30
Mar 2020 17:04:23 -0000 (UTC)
Which means your mail was relayed through MailGun.
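Before reloading, it is worth confirming that every relay host named in relay_domain_conf has a matching key in relay_password, and that the credentials file is not accessible to other users. The script below is an added example, not part of the original post; it assumes relay_password follows Postfix's standard "relayhost username:password" layout, and the function names and sample credentials are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: audit both map files before
# "postfix reload". Assumes relay_password uses Postfix's usual
# smtp_sasl_password_maps layout: "<relayhost> <username>:<password>".

# Print each relay host in the sender map ($1) that has no key in the
# password map ($2). Exit status 1 if any are missing.
missing_creds() {
    awk '
        /^[ \t]*(#|$)/      { next }                # comments, blank lines
        FILENAME == ARGV[1] { have[$1] = 1; next }  # password map keys
        !($2 in have) && !seen[$2]++ { print $2; bad = 1 }
        END                 { exit bad + 0 }
    ' "$2" "$1"
}

# True only if group and others have no access; the file holds plaintext
# SMTP credentials, so mode 600 is the target.
private_file() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Report every finding; return 0 only when both checks pass.
audit() {
    rc=0
    hosts=$(missing_creds "$1" "$2") || rc=1
    [ -z "$hosts" ] || printf '%s\n' "$hosts" | sed 's/^/no credentials for relay host: /'
    private_file "$2" || { echo "group/other can access $2 (want mode 600)"; rc=1; }
    return $rc
}

# Constructed sample data: the post's relay map, plus a password map that
# covers only one of the two relay hosts. The credentials are placeholders.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '@domain.com smtp.mailgun.org' '@domain2.com smtp.mailgun.org' \
        '@domain3.com smarthost.securence.com' > "$d/relay_domain_conf"
    echo 'smtp.mailgun.org postmaster@example.invalid:PLACEHOLDER' > "$d/relay_password"
    chmod 644 "$d/relay_password"
    audit "$d/relay_domain_conf" "$d/relay_password" || :
    rm -rf "$d"
}

# With two arguments audit real files, otherwise run the constructed demo.
if [ $# -eq 2 ]; then audit "$1" "$2"; else demo; fi
```

The settings above permit the PLAIN and LOGIN mechanisms while zimbraMtaSmtpTlsSecurityLevel is may, which makes TLS opportunistic; this script checks only the map files, not whether the session to the relay is actually encrypted.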
Comments • 1
Bob writes: June 12, 2020 at 5:43 pm
This was useful, but here are some things that helped me as a novice at this. I would mention you should log in as zimbra at the start, and it helped me to understand that zmhostname was a variable and I didn’t need to put my own hostname in.
Then I had to fill out the /opt/zimbra/conf/relay_password with my credentials. I forgot how I got the format and such for this, I think it was on the Mailgun website somewhere.
Then do the
postmap /opt/zimbra/conf/relay_password to build that LMDB file.
And then the test (from one of those pages you linked)
postmap -q smtp.mailgun.org /opt/zimbra/conf/relay_password
Then I removed this from the relay_domain_conf, not sure about the need of the second instance of smtp.mailgun.org, might be something I don’t understand.
@domain2.com smtp.mailgun.org
@domain3.com smarthost.securence.com
And because I didn’t understand what was going on, I accidentally thought it was supposed to be @domain.com instead of @mydomain.com
I did finally get it working though after that, thanks for the guidance.