[Zimbra] Configuring the e-securemail SMTP Relay for Zimbra Collaboration Suite

📌 Compatibility: Zimbra Collaboration Suite (all versions)

Objective

Instead of sending emails directly to the Internet, this procedure allows you to route all outbound messages from your organization through the e-securemail antispam gateways using a secure SMTP relay.

🔑 Important Information

SMTP relay server to configure:
smtp.security-mail.net

This is the address you must configure to route your outbound mail flow through the e-securemail filtering gateways.

🔒 Security Recommendation

For optimal protection of your Zimbra infrastructure, restrict inbound connections by allowing only the IP addresses of the e-securemail servers in your MTA (Postfix) settings.

📥 View the list of e-securemail IP ranges


📋 Configuration Procedure

Configure Outbound SMTP Routing

Method 1: Using the Zimbra Administration Console (GUI)

Step 1: Access MTA Settings

  1. Sign in to the Zimbra Administration Console
  2. Go to:
    Configuration > Servers
  3. Select your MTA server
  4. Click the MTA tab

Step 2: Configure the SMTP Relay

  1. Locate the Relayhost or Relay Host setting
  2. In the corresponding field, enter:
smtp.security-mail.net:25

(or use the port provided by e-securemail, such as 587)

  1. Click Save

Step 3: Restart Services

Restart the MTA service to apply the changes.

Via the interface:

Home > Monitor > Services > Restart MTA


Method 2: Using the Command Line (CLI)

Step 1: Connect via SSH

Connect to your Zimbra server over SSH as the zimbra user:

su - zimbra

Step 2: Configure the Relay Host

Run the following command to define the SMTP relay:

zmprov ms `zmhostname` zimbraMtaRelayHost smtp.security-mail.net:25

Step 3: Verify the Configuration

Verify that the parameter has been applied correctly:

zmprov gs `zmhostname` zimbraMtaRelayHost

Step 4: Apply the Changes

Regenerate the Postfix configuration and restart services:

zmmtactl restart

🔧 Advanced Configuration (Optional)

SMTP Authentication (If Required)

If e-securemail requires SMTP authentication, create a password file:

# As the zimbra user
echo "smtp.security-mail.net username:password" > /opt/zimbra/conf/relay_password

# Secure the file
chmod 600 /opt/zimbra/conf/relay_password

# Generate the database
postmap /opt/zimbra/conf/relay_password

# Configure Postfix
zmprov mcf +zimbraMtaSmtpSaslPasswordMaps lmdb:/opt/zimbra/conf/relay_password
zmprov mcf zimbraMtaSmtpSaslAuthEnable TRUE

# Restart MTA
zmmtactl restart

Enable TLS Encryption

zmprov mcf zimbraMtaSmtpTlsSecurityLevel may
zmmtactl restart

Restrict Inbound Connections by IP

Edit the file:

/opt/zimbra/conf/postfix_rbl_override

Add the e-securemail IP addresses:

192.0.2.10 OK
192.0.2.11 OK

Then reload Postfix:

zmmtactl reload

✅ Verify the Configuration

To confirm that your emails are routed through e-securemail:

Send a Test Email

echo "e-securemail relay test" | mail -s "SMTP Test" recipient@example.com

Check Postfix Logs

tail -f /var/log/zimbra.log | grep smtp.security-mail.net

Verify Email Headers

Inspect the headers of the received message and confirm that smtp.security-mail.net appears in the routing path.


ℹ️ Additional Help

For more details about MTA configuration in Zimbra, refer to the Official Zimbra Documentation or the Zimbra community forums.

Tags