DaemonForums > OpenBSD > OpenBSD General

#1: 2nd October 2015, bceverly
Subject: smtpd as a relay

Hello everyone,

I am trying to solve what I thought would be a simple problem. My goal is to have a cloud-based SMTP host that could receive email and then relay it to another server on a high-numbered port.

I was able to set up the cloud mail host on OpenBSD 5.8-current box and got mail working correctly. I can send to the users on the box in the domain I registered it to via DNS and I can send from the box to other domains successfully.

I set up my internal mail server identically with my listener on a high numbered port. I then added this:
Code:
accept for domain "mydomain.zzz" relay via "smtp://11.11.11.11:1111"

to relay from the cloud host to my internal host on a different port. Unfortunately, when I now try to send email to the cloud host from the outside, I get a 550 Invalid recipient message.

On the cloud host, the log file shows that a new session was started, I started TLS, the client cert verification succeeded and then I get:

Code:
smtp-in:  Failed command on session xxx: "RCPT TO:<user@mydomain.zz"> => 550 Invalid recipient

On both servers, I have identical users configured in /etc/mail/vusers and they are mapped to valid users on the box.

Given the symptoms, I'm thinking that I need to do something like:

Code:
accept for domain <vdomains> virtual <vusers> relay via "smtp:11.11.11.11:1111"

Apparently that is invalid syntax (and yes, I've defined the vdomains and vusers tables earlier in the file).

Any suggestions that someone can provide? I tried my Google foo at this but came up dry.

Thanks in advance to anyone willing to read my "wall of text"(TM).

Last edited by bceverly; 2nd October 2015 at 07:31 PM. Reason: formatting
#2: 2nd October 2015, TronDD

Can you post the full smtpd.conf?

Rule order matters, for example. Local vs remote vs authenticated connections matter.

Tim.
#3: 3rd October 2015, bceverly

Thanks @TronDD!

Here's the smtpd.conf from the internal server running on the high-numbered port:

Code:
pki mail.rrr.com certificate "/etc/ssl/mail.rrr.com.crt"
pki mail.rrr.com key "/etc/ssl/private/mail.rrr.com.key"

listen on lo0
listen on egress port 1111 tls pki mail.rrr.com auth-optional
listen on egress port submission tls-require pki mail.rrr.com auth

table aliases db:/etc/mail/aliases.db
table secrets db:/etc/mail/secrets.db
table vusers file:/etc/mail/vusers
table vdomains file:/etc/mail/vdomains

accept for local alias <aliases> deliver to mbox
accept for any relay via tls+auth://gmail@smtp.gmail.com:587 auth <secrets>

accept from any for domain <vdomains> virtual <vusers> deliver to mbox
accept from local for any relay

Here's the smtpd.conf for the relay server in the cloud:

Code:
pki mail.rrr.com certificate "/etc/ssl/mail.rrr.com.crt"
pki mail.rrr.com key "/etc/ssl/private/mail.rrr.com.key"

listen on lo0
listen on egress tls pki mail.rrr.com auth-optional
listen on egress port submission tls-require pki mail.rrr.com auth

table aliases db:/etc/mail/aliases.db
table vusers file:/etc/mail/vusers
table vdomains file:/etc/mail/vdomains

#accept for local alias <aliases> deliver to mbox
#accept from any for domain <vdomains> virtual <vusers> deliver to mbox

accept from local for any relay
accept for domain <vdomains> relay via "smtp://11.11.11.11:1111"

If I uncomment the lines from the relay, it gets mail locally just fine.

Thanks in advance for any suggestions.
#4: 3rd October 2015, TronDD

Focusing on the cloud server configuration: note that if you do not specify a "from something", the default is local. This may not be a problem if you are using authentication (you made it optional, so I don't know); that connection always matches local.

If it's not that, it's probably the order of the last two rules. Some info and debugging on this problem can be found here:
https://github.com/OpenSMTPD/OpenSMT...ll-applied-%3F

Tim.
#5: 4th October 2015, bceverly

Tim,

Thanks for the pointer (esp the debugging tip). Given that, I have successfully gotten my relay server to relay by adding "from any for vdomain <vdomains>" to my accept statement:

Code:
accept from any for domain <vdomains> relay via "tls://11.11.11.11:1111"

Unfortunately, I'm now getting errors on the relay box in the cloud host like:

Code:
smtp-out: Connecting to tls://11.11.11.11:1111 (c-11-11-11-11.hsd1.in.comcast.net) on session 02d3c3a67b80d68b...
smtp-in: Closing session 02d3c3a3d4ef6bba
smtp-out: Error on session 02d3c3a67b80d68b: Connection timeout
smtp-out: Disabling route [] <-> 11.11.11.11 (c-11-11-11-11.hsd1.in.comcast.net) for 800s
smtp-out: No valid route for [connector:[]->[relay:11.11.11.11,port=1111,starttls,mx],0x0]
smtp-out: No valid route for [connector:[]->[relay:11.11.11.11,port=1111,mx],0x0]
relay: TempFail for 9e59838a2842139f: session=0000000000000000, from=<foo@bar.com>, to=<bceverly@phaseb.com>, rcpt=<->, source=-, relay=11.11.11.11, delay=1d1h31s, stat=Network error on destination MXs
relay: TempFail for d424bc2b40e6c916: session=0000000000000000, from=<foo@bar.com>, to=<asdf@jkl.com>, rcpt=<->, source=-, relay=11.11.11.11, delay=1m21s, stat=Network error on destination MXs
smtp-out: No valid route for [connector:[]->[relay:11.11.11.11,port=1111,starttls,mx],0x0]
relay: TempFail for 618c7f7e5f648055: session=0000000000000000, from=<foo@bar.com>, to=<asdf@jkl.com>, rcpt=<->, source=-, relay=11.11.11.11, delay=26m40s, stat=Network error on destination MXs

From the errors, I'm assuming I need to give the internal server an MX record. That's something I can easily do.

Do I also need to hook up a reverse lookup so that the hostname matches what my ISP is providing? If so, I'm dead in the water because I can't get Comcast to do that.

Any suggestions now?

(Sorry to be so darned needy but I promise I'll write a blog post detailing this for the community if I can get it working - I think it's a pretty slick use-case from a privacy perspective).
#6: 5th October 2015, TronDD

What's in the maillog on the internal system now? Looks like you are probably hitting the relay to gmail rule before the local delivery rule. I am assuming that is not what you want.

Since you are doing something special with mail from the cloud server, you might want to restrict the rule more with an 'accept from <cloud ip>' instead of 'any'.

Tim.
#7: 5th October 2015, bceverly

Tim,

That did the trick. I can now successfully receive inbound email from the Internet on the cloud server, relay it to my local server on a high-numbered port and have it be delivered.

My new problem (I am turning out to be very needy; thanks for the help so far!) is that I now need to deliver mail back to the Internet from that internal server. If I just let smtpd do its normal thing, most mail servers are rejecting it, as my internal server's IP address is a residential address from a US ISP, which most of them blacklist by default to avoid spammers.

What's the trick to relay outbound mail from my internal server back to the cloud server so that it can deliver it? I'm assuming there is some "accept from local relay via ..." rule that I need to write on the internal configuration and an "accept for any..." rule that I need to write on the cloud server but the experimenting I've done doesn't seem to be working for me.

Any final suggestions and then I'll write this up as a nice blog post for anyone else who wants to store all of their email on a local server they control but are unfortunately sitting behind a US-based residential IP address that blocks inbound port 25 and is blacklisted as a sender by most of the world?

Thanks in advance!
#8: 5th October 2015, TronDD

Yeah, I think you are on the right track. You will likely either need to set up authentication from the internal server to cloud server or create a rule on the cloud server that is specific to the internal server's IP so it can differentiate between mail coming in that is going TO the internal server and mail coming in that is FROM the internal server.

Using authentication will mean that the cloud server will match with "from local" rules and will help prevent you creating an open relay with the cloud server.

Sending mail out as a relay, instead of sending it through your ISP mail server comes with a whole bunch more requirements. That's where you'll need a reverse DNS entry, possibly an MX record, you can't be on any blacklists, no open relays, etc.
#9: 5th October 2015, bceverly

Tim,

I have this half working and have run into a bit of a brick wall. Apparently I cannot communicate OUTBOUND from port 25 on my internal host (love these residential ISPs in the US!).

Is it possible to listen on multiple ports with smtpd on OpenBSD? Or do I have to run a separate server for the outbound relay that is in the cloud?

Thanks in advance.
5th October 2015, bceverly

Actually, I just went ahead and tried it. I added another "listen on egress..." line that added a high number port on my cloud server and then added that same high numbered port after a colon on my "accept from local for any relay via..." line on my internal server.

Sure enough, once I poked a hole in the pf firewall on my cloud host for that same port, it all worked.

Before I tighten down the security by using specific IP addresses in pf.conf and smtpd.conf, I do want to solve one problem. That is the fact that mail from the sender that is delivered to my gmail account is dumping into the spam folder.

I added an MX record and also set the return lookup on the IP address to match the hostname so I get a clean bill of health from mxtoolbox.com/supertool so I'm not sure what I'm doing wrong.

I'll look into whether or not the IP range from my cloud host might be in a blacklist somewhere but if anyone has any suggestions, I'd appreciate it.

Thanks!
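As an added illustration (not the thread's own configuration, nor the one in the blog post linked later), here is a matching pair of smtpd.conf files for the two directions worked out above: Internet to cloud to home on port 1111, and home to cloud on a separate authenticated high port and back out, with the cloud box kept from being an open relay. The cloud address 203.0.113.5, port 2525, the table names creds and cloud, and the credential label are assumed placeholders; the grammar is the 5.8-era one used in the thread.

```conf
# ---- cloud relay server (public address 203.0.113.5, assumed) ----
pki mail.rrr.com certificate "/etc/ssl/mail.rrr.com.crt"
pki mail.rrr.com key "/etc/ssl/private/mail.rrr.com.key"

table aliases  db:/etc/mail/aliases.db
table vdomains file:/etc/mail/vdomains
# one "user encrypted-password" line per account, hashed with: smtpctl encrypt
table creds    file:/etc/mail/creds

listen on lo0
# inbound from the Internet: TLS offered, nobody authenticates here
listen on egress tls pki mail.rrr.com
# return path from the home server: TLS and auth are mandatory, so the
# "from local" rule below is only reachable with valid credentials
listen on egress port 2525 tls-require pki mail.rrr.com auth <creds>

# rule order matters: the first matching rule wins
# 1. mail for our domains, from anywhere, goes down to the internal box
accept from any for domain <vdomains> relay via "tls://11.11.11.11:1111"
# 2. relaying to arbitrary destinations only for local or authenticated
#    sessions (authenticated sessions match "from local")
accept from local for any relay

# ---- internal server (residential IP, port 25 blocked both ways) ----
pki mail.rrr.com certificate "/etc/ssl/mail.rrr.com.crt"
pki mail.rrr.com key "/etc/ssl/private/mail.rrr.com.key"

table aliases  db:/etc/mail/aliases.db
table vusers   file:/etc/mail/vusers
table vdomains file:/etc/mail/vdomains
# only the cloud relay may hand us inbound mail (assumed address)
table cloud    { 203.0.113.5 }
# one "cloud user:password" line for authenticating to the relay
table secrets  db:/etc/mail/secrets.db

listen on lo0
listen on egress port 1111 tls pki mail.rrr.com
listen on egress port submission tls-require pki mail.rrr.com auth

# local delivery rules must come BEFORE any "for any relay" rule
accept for local alias <aliases> deliver to mbox
# inbound for our domains only from the relay's address, not from "any"
accept from source <cloud> for domain <vdomains> virtual <vusers> deliver to mbox
# outbound: back up to the relay on the high port, TLS plus auth
accept from local for any relay via tls+auth://cloud@203.0.113.5:2525 auth <secrets>
```

Both halves still need the matching pf.conf pass rules for ports 1111 and 2525, limited to the peer's address, and `smtpd -n` on each box checks the file before a restart.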
5th October 2015, bceverly

So I ran the full suite of tools on mxtoolbox.com and did find a couple more issues. The first was the need to add a DMARC record to my domain (which I did) and the second was to add an SPF record to my domain (did that too). I re-ran the tests on mxtoolbox and everything passed.

I did some detailed tracing sending a message from my internal server, through my relay server and found that I needed to rewrite the sender domain name (the domain on my internal server does not match that of my relay) so I did that in the smtpd.conf on the internal server. Now everything looked correct - the email address that it was coming from had the same domain name as the server that was delivering it (my cloud server).

Unfortunately, I am still getting rejected as spam.

In trying to send to an Office365 mail server, I got some interesting trace information saying:

Code:
relay: PermFail for ffef058a1096f84d: session=80300006915710afb, from=<me@mydomain.com>, to=<you@yourdomain.com>, rcpt=<->, source=11.11.11.11, relay=12.12.12.12 (mail-xxxxxxx.outlook.com), delay=6s, stat=550 5.7.1 Service unavailable; Client host [11.11.11.11] blocked using FBLW15; To request removal from this list please forward this message to delist@messaging.microsoft.com

Any ideas what is going on here? Is there some other configuration I have to do on my server to signal to the recipient that I'm not a spam source? Or would any new domain being stood up have to delist itself like this from the major mail services?

Thanks!
5th October 2015, TronDD

You may have to actively delist yourself. When I set up an external mail server, new IP (to me), new domain (to me), it was already blacklisted with my own ISP. I had to ask them to remove it.

I also had problems with other places because I had a TOR relay running. After turning it off, it took a week or two to filter down to everyone and autoremove me.

With the ways servers are hijacked and used for spam and to spread viruses, there's a pretty good chance you just happened to get an IP that was misused and stuck on a list. I think there are spamlist checking web sites, too.
6th October 2015, bceverly

Got it working. Turned out that I needed to do some overrides on the domain name in the smtpd.conf files on both servers. I checked a bunch of blacklisting tools to see if this IP address was in them (for my cloud server) and they all said it was clean. Not sure why Google and Microsoft are both flagging me as spam (Microsoft just flat out rejects the message).

I'm going to try some more Googling but at least I have mail flowing in both directions.

Thank you Tim!
7th October 2015, bceverly

OK everyone. As promised, now that I have this working, I wrote up a blog post on it with the details of everything I had to do to get it to where it is.

http://functionallyparanoid.com/2015...s-rings-twice/

If anyone has any suggestions or feedback, I'd very much appreciate it. Hopefully this will help others who are trying to make this particular use-case work.