Connecting to External Mail Server

The HA4i product can send emails through port 25, the standard unsecured SMTP port. The problem is that some servers do not accept connections on that port unless your system is on the same network. Our mail service is provided externally by Microsoft Exchange, so sending emails directly from our IBM i systems to the MS Exchange server just did not work. (I am sure there is a way to do it, but we decided to work through one of our other external mail servers, which has little traffic.)

The setup we used for testing the original mail delivery process involved a Debian VM running Postfix in our local area network. Because the IBM i sat in the same local network as the VM, mail could be delivered to that mail server and distributed to local users (users on the Debian VM). What we needed was for the Debian VM to relay mail through one of our external mail servers so it could be sent to any email address. When we spoke with the ISP that hosts the mail server they said we should be able to connect directly through port 25, but after a lot of testing we found that unless the source IP was within their network we could not connect (that makes sense in some ways). We then tested against port 465; that allowed the connection to be made, but it required authentication details to be exchanged before the mail would be accepted and distributed.

We started to play with the Postfix setup on the Debian VM and finally managed to get mail delivered via the external mail server, but only after a lot of trial and error. The steps below explain the changes we had to make to get the process working.

First of all we needed to set up the Postfix server to relay email to other domains. We wanted to lock this down as much as possible in case someone gained access to the server, so we only allow relaying to our own domain, shieldadvanced.com; we can add other domains later, but for the moment this is all we needed. This requires updating the file /etc/postfix/relaydomains with the domain we want to relay for. Add the following content to that file.

#shieldadvanced.com
shieldadvanced.com shieldadvanced.com

Now we need to add the credentials that will be used to authenticate to the external server. Create or update the file /etc/postfix/smtp_sasl_password_map and add the following content, adjusting it to match your server details.

# the lookup key must match the relayhost value in main.cf (with or without the :port)
mail.yourserver.com:587 username@yourserver.com:password_for_server

These files now need to be converted to .db files: run postmap /etc/postfix/relaydomains and postmap /etc/postfix/smtp_sasl_password_map to create the .db files in the same directory. Verify they were created before moving on. The next file to edit is /etc/postfix/main.cf; add the following lines to that config file.

# the Postfix parameter is relay_domains (with the underscore); the lookup table holds the domains we relay for
relay_domains = $mydestination,hash:/etc/postfix/relaydomains
relayhost = mail.yourserver.com:587
# enable SASL authentication
smtp_sasl_auth_enable = yes
# disallow methods that allow anonymous authentication.
smtp_sasl_security_options = noanonymous
# where to find the SASL credentials (the key must match the relayhost value above)
smtp_sasl_password_maps = hash:/etc/postfix/smtp_sasl_password_map
# Enable STARTTLS encryption (smtp_use_tls is the legacy parameter; on Postfix 2.3 and later
# smtp_tls_security_level = encrypt is preferred because it refuses to send the password without TLS)
smtp_use_tls = yes
# where to find CA certificates
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

We already had the CA certificates installed, so before you configure the last line make sure they are installed and the path is set accordingly. Another item we were missing was the libsasl2-modules package, which needs to be installed before restarting Postfix.
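As an added example (not code from the post or from HA4i), here is a small Python checker that reads a main.cf fragment and the password map and reports the inconsistencies that break this setup: a lookup key that does not match relayhost, missing SASL or TLS settings, a password file readable by other users, or a map that was never run through postmap. The file names, sample settings and credential values are constructed for the example.

```python
import os
import tempfile

# Constructed sample inputs (not the post's real files): the main.cf settings from the
# post and a password map whose lookup key matches the relayhost value exactly.
MAIN_CF = ("relayhost = mail.yourserver.com:587\nsmtp_sasl_auth_enable = yes\n"
           "smtp_sasl_security_options = noanonymous\nsmtp_use_tls = yes\n")
SASL_MAP = "mail.yourserver.com:587 username@yourserver.com:password_for_server\n"

def parse_main_cf(text):
    # Return {parameter: value}; blank lines and # comments are skipped.
    params = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params

def check_relay_config(main_cf_path, sasl_map_path):
    """Return a list of problems; an empty list means the relay setup is consistent."""
    with open(main_cf_path) as f:
        p = parse_main_cf(f.read())
    with open(sasl_map_path) as f:
        keys = [ln.split()[0] for ln in f if ln.strip() and not ln.startswith("#")]
    relayhost = p.get("relayhost", "")
    # Postfix searches the map by the relayhost value first with, then without, :port.
    host_only = relayhost.rsplit(":", 1)[0] if ":" in relayhost else relayhost
    problems = []
    if relayhost not in keys and host_only not in keys:
        problems.append("no password map key matches relayhost %r" % relayhost)
    if p.get("smtp_sasl_auth_enable") != "yes":
        problems.append("smtp_sasl_auth_enable is not yes")
    if "noanonymous" not in p.get("smtp_sasl_security_options", ""):
        problems.append("smtp_sasl_security_options lacks noanonymous")
    if p.get("smtp_use_tls") != "yes" and "smtp_tls_security_level" not in p:
        problems.append("no TLS setting: the password would cross the network in the clear")
    if os.stat(sasl_map_path).st_mode & 0o077:  # the file holds a plaintext password
        problems.append("password map is readable by group/other: chmod 600 it")
    if not os.path.exists(sasl_map_path + ".db"):
        problems.append("no .db file beside the map: run postmap on it")
    return problems

def demo(main_cf=MAIN_CF, sasl_map=SASL_MAP, mode=0o600):
    """Write the samples to a temp dir with a stand-in .db file and check them."""
    d = tempfile.mkdtemp()
    cf, pw = os.path.join(d, "main.cf"), os.path.join(d, "smtp_sasl_password_map")
    with open(cf, "w") as f: f.write(main_cf)
    with open(pw, "w") as f: f.write(sasl_map)
    os.chmod(pw, mode)
    open(pw + ".db", "w").close()  # stands in for the postmap output
    return check_relay_config(cf, pw)
```

To check a real box, call check_relay_config("/etc/postfix/main.cf", "/etc/postfix/smtp_sasl_password_map") as root; an empty list means the four settings the post relies on are present and consistent.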

Once all this was done we restarted Postfix and tried to send our first emails from the IBM i through the internal mail server. We had a few hiccups along the way, mainly because of the setup on the external server; these were logged in mail.log, which let us figure out each problem and resolve it. A couple of things that caught us out originally:

  1. When we sent using a from address that was not resolvable by the external server (user@myint.domain), the server rejected the email because its sender was not recognized.
  2. When we tried to send from an email address that did not exist on the server but used its own domain, it failed to send, stating the user did not exist on that server.
  3. We could send using a name from another domain; however, when the mail was forwarded to that domain's server, the same problem occurred if the sender was not registered with that domain.

We now have the ability to relay email through our internal mail server to the external SMTP server and on to the domain we allow. Eventually we can add more domains to the list so that emails to other users can be processed in the same way.

Chris…
