Koozali.org: home of the SME Server

How to allow another local host to use qpsmtpd to foreign addresses?

holck
I have a box hosting NextCloud, running on the same local network. I would like this host to be able to send mail via my SME box via SMTP. But this results in "relaying denied". I've tried the Qpsmtpd:relay plugin, but with no success.

Any help appreciated  :-)

Code:
2025-04-18 09:21:58.945271500 19295 Accepted connection 0/40 from 192.168.1.1 / pc-00001.ibsgaarden.dk
2025-04-18 09:21:58.945368500 19295 Connection from pc-00001.ibsgaarden.dk [192.168.1.1]
2025-04-18 09:22:00.179574500 19295 (connect) earlytalker: pass, not spontaneous
2025-04-18 09:22:00.179882500 19295 (connect) whitelist: pass, is a whitelisted host
2025-04-18 09:22:00.179915500 19295 (connect) whitelist: karma 5 (5)
2025-04-18 09:22:00.180084500 19295 220 sme10.ibsgaarden.dk ESMTP
2025-04-18 09:22:00.181095500 19295 dispatching EHLO myserver.ibsgaarden.dk
2025-04-18 09:22:00.181423500 19295 (ehlo) helo: skip, whitelisted host
2025-04-18 09:22:00.181836500 19295 250-ibsgaarden.dk Hi pc-00001.ibsgaarden.dk [192.168.1.1]
2025-04-18 09:22:00.181860500 19295 250-PIPELINING
2025-04-18 09:22:00.181878500 19295 250-8BITMIME
2025-04-18 09:22:00.181897500 19295 250-SIZE 30000000
2025-04-18 09:22:00.181914500 19295 250 STARTTLS
2025-04-18 09:22:00.182779500 19295 dispatching STARTTLS
2025-04-18 09:22:00.182834500 19295 220 Go ahead with TLS
2025-04-18 09:22:00.237866500 19295 (unrecognized_command) tls: TLS setup returning
2025-04-18 09:22:00.240980500 19295 dispatching EHLO myserver.ibsgaarden.dk
2025-04-18 09:22:00.241175500 19295 (ehlo) helo: skip, whitelisted host
2025-04-18 09:22:00.241374500 19295 250-ibsgaarden.dk Hi pc-00001.ibsgaarden.dk [192.168.1.1]
2025-04-18 09:22:00.241394500 19295 250-PIPELINING
2025-04-18 09:22:00.241412500 19295 250-8BITMIME
2025-04-18 09:22:00.241429500 19295 250 SIZE 30000000
2025-04-18 09:22:00.243285500 19295 dispatching MAIL FROM:<myself@ibsgaarden.dk>
2025-04-18 09:22:00.243746500 19295 (mail) resolvable_fromhost: skip, whitelisted host
2025-04-18 09:22:00.243798500 19295 (mail) rhsbl: skip, whitelisted host
2025-04-18 09:22:00.243850500 19295 (mail) sender_permitted_from: skip, whitelisted host
2025-04-18 09:22:00.243899500 19295 (mail) naughty: pass
2025-04-18 09:22:00.243943500 19295 (mail) badmailfrom: skip, whitelisted host
2025-04-18 09:22:00.244004500 19295 250 <myself@ibsgaarden.dk>, sender OK - how exciting to get mail from you!
2025-04-18 09:22:00.244980500 19295 dispatching RCPT TO:<donald.duck@duck.dk>
2025-04-18 09:22:00.245220500 19295 (rcpt) badrcptto: skip, whitelisted host
2025-04-18 09:22:00.245267500 19295 (rcpt) check_goodrcptto: stripping '-' extensions
2025-04-18 09:22:00.247179500 19295 (rcpt) check_goodrcptto: recipient donald.duck@duck.dk denied
2025-04-18 09:22:00.247306500 19295 (deny) logging::logterse: ` 192.168.1.1     pc-00001.ibsgaarden.dk  myserver.ibsgaarden.dk <myself@ibsgaarden.dk>           check_goodrcptto        901     relaying denied donald.duck@duck.dk    msg denied before queued
2025-04-18 09:22:00.247352500 19295 550 relaying denied donald.duck@duck.dk
2025-04-18 09:22:00.248506500 19295 dispatching RSET
2025-04-18 09:22:00.248594500 19295 250 OK
2025-04-18 09:22:00.298527500 19295 dispatching QUIT
2025-04-18 09:22:00.298657500 19295 221 ibsgaarden.dk closing connection. Have a wonderful day.
2025-04-18 09:22:00.298830500 19295 click, disconnecting

holck
Re: How to allow another local host to use qpsmtpd to foreign addresses?
« Reply #2 on: April 18, 2025, 11:17:29 PM »
first solution here
https://wiki.koozali.org/Email#Allow_SMTP_relay_of_mail_without_encryption.2Fauthentication
Thanks, as always for a quick reply  :-)

But it didn't work for me. I'm wondering if it has to do with the SMTP connection coming from 192.168.1.1, which is the IP address of the router. I've tried to remove this address from "norelayclients", but that didn't help.

holck
Re: How to allow another local host to use qpsmtpd to foreign addresses?
« Reply #3 on: April 19, 2025, 10:04:19 AM »
I've found out that the problem seems related to TLS.

If I set up NextCloud to connect via SMTP to the local IP address of the SME server, I get this in the SME log:
Code:
2025-04-19 10:10:01.249660500 16987 Accepted connection 0/40 from 192.168.1.179 / pc-00179.ibsgaarden.dk
2025-04-19 10:10:01.249784500 16987 Connection from pc-00179.ibsgaarden.dk [192.168.1.179]
2025-04-19 10:10:01.277469500 16987 (connect) relay: pass, octet match in relayclients (192.168.1.179)
2025-04-19 10:10:01.277637500 16987 220 sme10.ibsgaarden.dk ESMTP
2025-04-19 10:10:01.278468500 16987 dispatching EHLO myserver.ibsgaarden.dk
2025-04-19 10:10:01.279062500 16987 250-ibsgaarden.dk Hi pc-00179.ibsgaarden.dk [192.168.1.179]
2025-04-19 10:10:01.279086500 16987 250-PIPELINING
2025-04-19 10:10:01.279104500 16987 250-8BITMIME
2025-04-19 10:10:01.279122500 16987 250-SIZE 30000000
2025-04-19 10:10:01.279140500 16987 250 STARTTLS
2025-04-19 10:10:01.279803500 16987 dispatching STARTTLS
2025-04-19 10:10:01.279860500 16987 220 Go ahead with TLS
2025-04-19 10:10:01.304825500 16987 (unrecognized_command) tls: TLS setup returning

From the NextCloud server, if I try to connect to the mail server with SSL/TLS, I get this:

Code:
$ root@myserver:/home/holck/# openssl s_client -state -nbio -connect 192.168.1.11:25
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:error in SSLv3/TLS write client hello
SSL_connect:error in error
4087FE8FA07F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354:
CONNECTED(00000003)
Turned on non blocking io
write R BLOCK
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 297 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
« Last Edit: April 19, 2025, 10:14:52 AM by holck »

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: How to allow another local host to use qpsmtpd to foreign addresses?
« Reply #4 on: April 19, 2025, 03:24:28 PM »
What you show does not help.

Code:
(unrecognized_command) tls: TLS setup returning
is expected. unrecognized_command is the qpsmtpd hook where tls is called.

What is interesting is after.

Code:
openssl s_client -state -nbio -connect 192.168.1.11:25

Port 25 will not provide any ssl certificate to this command, as it is a clear protocol port.
It allows STARTTLS, but needs to first start a clear transaction to get an EXPLICIT ssl connection.
If you want an implicit ssl smtp connection, it will be on port 465.

You need to work on your nextcloud config. I suggest you use
- either smtp with STARTTLS on port 25,
- or smtps with ssl on port 465.

Also, depending on what cert you use, and if you use an ip rather than a domain, you might have a look at
   'verify_peer' => false,
   'verify_peer_name' => false
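An added example (not code from the thread or from SME Server) that makes the point above concrete: the 5 bytes openssl reported reading are exactly one TLS record header, and decoding the clear-text "220 s" greeting as such a header gives version 0x3230, which is the "wrong version number" in the error; the two send functions show the explicit (port 25, STARTTLS) and implicit (port 465) session shapes with Python's smtplib. Host names, addresses, the cafile and the message are placeholders.

```python
import smtplib
import ssl
import struct

# Constructed sample: the first bytes qpsmtpd sends on port 25 are its
# clear-text greeting, the "220 ... ESMTP" line seen in the log above.
SMTP_BANNER = b"220 sme10.ibsgaarden.dk ESMTP\r\n"


def parse_tls_record_header(data):
    """Read the first 5 bytes the way a TLS client does: record type (1 byte),
    protocol version (2 bytes), payload length (2 bytes)."""
    rtype, version, length = struct.unpack("!BHH", data[:5])
    # SSLv3/TLS record versions are 0x0300..0x0304; the banner's "220 s" decodes
    # to type 0x32 and version 0x3230, which is OpenSSL's "wrong version number".
    return {"type": rtype, "version": version, "length": length,
            "valid_version": 0x0300 <= version <= 0x0304}


def diagnose_first_bytes(data):
    """Classify the first bytes a client reads from a mail port: a clear-text SMTP
    greeting means explicit STARTTLS (port 25 style); a handshake record means
    the port speaks TLS from the first byte (port 465 style)."""
    if len(data) < 5:
        return "short-read"
    if data[:3].isdigit() and data[3:4] in (b" ", b"-"):
        return "smtp-banner"
    hdr = parse_tls_record_header(data)
    return "tls-record" if hdr["valid_version"] and hdr["type"] == 22 else "unknown"


def tls_context(cafile=None):
    """Verifying client context (CA check and host-name check both on); cafile is
    where the SME server's CA or self-signed certificate would be pinned."""
    return ssl.create_default_context(cafile=cafile)


def send_explicit_starttls(host, mail_from, rcpt_to, msg, ctx, port=25):
    """Port 25: clear-text EHLO, STARTTLS, then EHLO again inside the tunnel."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        s.starttls(context=ctx)
        s.ehlo()
        s.sendmail(mail_from, [rcpt_to], msg)


def send_implicit_tls(host, mail_from, rcpt_to, msg, ctx, port=465):
    """Port 465: TLS handshake first, SMTP only inside the tunnel."""
    with smtplib.SMTP_SSL(host, port, context=ctx, timeout=10) as s:
        s.sendmail(mail_from, [rcpt_to], msg)
```

The equivalent openssl checks are `openssl s_client -starttls smtp -connect host:25` and `openssl s_client -connect host:465`.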

holck
Re: How to allow another local host to use qpsmtpd to foreign addresses?
« Reply #5 on: April 19, 2025, 08:24:14 PM »
Thanks again, so very much, I spent hours on this!

... In NextCloud's config.php I added
Code:
'mail_smtpstreamoptions' =>
  array (
    'ssl' =>
    array (
      'allow_self_signed' => true,
      'verify_peer' => false,
      'verify_peer_name' => false,
    ),
  ),
And now it seems to work  :-P
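As an added example (not NextCloud's or the thread's code), a Python model of what those three 'ssl' stream options change in a TLS client, plus a SAN check for the "ip rather than domain" point from the previous reply: whether dialling the SME server by its certificate name instead of 192.168.1.11 would let verify_peer_name stay on. The certificate SAN list is a constructed sample, not the real server's.

```python
import ipaddress
import ssl

# Constructed samples: the options from the config above, and PHP's defaults.
HOLCK_OPTIONS = {"allow_self_signed": True, "verify_peer": False, "verify_peer_name": False}
DEFAULT_OPTIONS = {"allow_self_signed": False, "verify_peer": True, "verify_peer_name": True}
# Constructed sample SAN list (the shape ssl.getpeercert()["subjectAltName"] returns);
# the real SME certificate's names are not on the page.
SME_CERT_SANS = [("DNS", "sme10.ibsgaarden.dk"), ("DNS", "ibsgaarden.dk")]


def context_from_stream_options(opts, cafile=None):
    """Build an ssl.SSLContext with the same effect as PHP's ssl stream options.
    allow_self_signed has no Python flag: the equivalent is passing the
    self-signed certificate as cafile so it is trusted explicitly."""
    ctx = ssl.create_default_context(cafile=cafile)
    verify_peer = opts.get("verify_peer", True)
    # check_hostname must be cleared before verify_mode can drop to CERT_NONE.
    ctx.check_hostname = verify_peer and opts.get("verify_peer_name", True)
    ctx.verify_mode = ssl.CERT_REQUIRED if verify_peer else ssl.CERT_NONE
    return ctx


def effective_protection(opts):
    """What a TLS session opened with these options still guarantees."""
    if not opts.get("verify_peer", True):
        return "encrypted, peer not authenticated"
    if not opts.get("verify_peer_name", True):
        return "peer certificate trusted, not bound to the host name"
    return "peer authenticated and host name verified"


def host_matches_cert(host, sans):
    """Would verify_peer_name accept this host for a certificate with these SANs?
    IP literals only match 'IP Address' entries; names match exact or one-label
    wildcard 'DNS' entries."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS":
            name, pattern = host.lower(), value.lower()
            if pattern.startswith("*.") and name.split(".", 1)[1:] == [pattern[2:]]:
                return True
            if name == pattern:
                return True
    return False
```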

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: How to allow another local host to use qpsmtpd to foreign addresses?
« Reply #6 on: April 19, 2025, 09:59:47 PM »
great!