Relay access denied

General eFa discussion
BruceLeeRoy
Posts: 47
Joined: 01 May 2015 13:27

Relay access denied

Post by BruceLeeRoy »

Been trying to figure this out for a few weeks. I have my network firewalled with pfSense, with a Zimbra mail server behind it as well as EFA on a different IP address. Everything works fine with Zimbra, but when I enable EFA I can't send any mail to external domains unless I send from the Zimbra web client. Any other mail client errors out.

I am basically changing my NAT rule to point port 25 to the EFA server instead of zimbra, when I do that I see mail being filtered and everything seems fine with incoming mail. However, trying to send mail with various clients gives: Message not sent. Server replied:
Temporary authentication failure 454 4.7.1 <user@destination.com>: Relay access denied

I wouldn't think outbound mail would be affected by EFA because it's not even supposed to be in the loop for outbound?

I'm guessing the receiving server is trying to do some kind of authentication or communication with zimbra, but when it tries accessing it on port 25 it's actually connecting to EFA?
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Relay access denied

Post by pdwalker »

What are your outbound mail relay settings? That's under
8) Mail Settings
1) Outbound Mail Relay

from the efa configuration menu
BruceLeeRoy
Posts: 47
Joined: 01 May 2015 13:27

Re: Relay access denied

Post by BruceLeeRoy »

It is the internal IP address of the Zimbra server. I believe during my troubleshooting at one point I changed this to the WAN IP but still had the same results.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Relay access denied

Post by pdwalker »

ok, so which server is giving the relay access denied error message? Can you post some of the raw message details so I can see where the mail is going and where it is getting rejected?

As for my understanding, it'd go something like this:

user mail client/web client -> zimbra mail server -> efa -> outside world via pfsense firewall

To make that work, you need to do a few things

1/ map external smtp traffic to efa (which you've done)
2/ configure efa to transport mail from efa to the zimbra mail server for those domains (which I believe you've done)
3/ configure zimbra to use efa as the "smart host" (don't know - assume you've done this)
4/ configure efa to act as the smart mail host for the zimbra mail server (I'm guessing this is where the issue is)

So first please verify that zimbra is using efa as the smart host.

Next, let's verify your efa configuration menu, item 8) mail settings

check the following two and tell me the settings:
1) outbound mail relay (I've set this to the lan network address - e.g. 192.168.1.0/24)
2) outbound smarthost (disabled - efa will send the mail directly)
BruceLeeRoy
Posts: 47
Joined: 01 May 2015 13:27

Re: Relay access denied

Post by BruceLeeRoy »

Ok, so zimbra had nothing in MTA so I added the IP of the efa server. At first I didn't think it was working because I couldn't get any mail in or out. Then I noticed the inbound and outbound queues in the efa UI were growing. For some reason it got quite backlogged so I disabled everything. I just re-enabled it and things seem to be flowing ok. I guess I assumed it would just filter incoming mail and not affect outgoing. I could swear that is how my old setup was. Although last time I had public IPs on EFA and the mail server. This time they are all behind a firewall.
BruceLeeRoy
Posts: 47
Joined: 01 May 2015 13:27

Re: Relay access denied

Post by BruceLeeRoy »

So I have people complaining their email isn't reaching some recipients. Is there any way with my setup to bypass efa mail checking on outbound?
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Relay access denied

Post by pdwalker »

When you say that mail isn't reaching the recipients, you need to know what the actual problem is.

Do you know why certain messages are not being delivered, and if not, why not?

Yes, you could whitelist those email addresses, and that would bypass the EFA spam checking - but is that really the problem?

How do your users know the message isn't getting delivered? Are they getting a bounce message - and if so, what is that message? Or are their recipients complaining to them that they didn't receive the message - and can you find this message in the efa logs?

Rather than jump at a solution, let's find the real problem first.
BruceLeeRoy
Posts: 47
Joined: 01 May 2015 13:27

Re: Relay access denied

Post by BruceLeeRoy »

Yes, you're right, I tend to get frustrated because my understanding of mail flow is limited. I'm still trying to find the messages in the logs that were said aren't getting delivered. Seems like they aren't even getting to EFA. One user said after I "disabled" EFA he immediately got a test message in his gmail account that he sent several minutes ago. Other users reported they didn't get a bounceback, but sent a message to a client, then the client asks them by telephone when they are going to send the Email.

I'm getting a lot of this type of stuff in the efa logs:

Apr 1 04:18:18 efa postfix/smtpd[20902]: NOQUEUE: reject: RCPT from unknown[192.168.30.25]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [192.168.30.25]; from=<user@theirdomain.com> to=<user@gmail.com> proto=ESMTP helo=<zimbra.mydomain.com>

I added "192.168.30.25 zimbra.mydomain.com zimbra" to the efa hosts file. Not sure if that was the right way to fix the reverse hostname issue. I've also noticed today there are tons of bouncebacks coming through efa from the zimbra server for spam emails that got through. I don't remember ever seeing this in the efa UI before. I don't know if this is a result of adding the line to the hosts file?

Was unable to find anything in the zimbra maillog because the emails in question are from over a week ago and seem to be purged from the logs. I may have to get them to test again next week.
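A way to triage rejects like the one quoted in the post above, added here as an example (it is not code from the thread or from eFa): it parses Postfix smtpd `NOQUEUE: reject` lines and counts the ones that hit hosts inside the LAN, which are the hosts expected to relay through the filter. The 192.168.30.0/24 range, the function names, and every sample line except the first are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the LAN range whose hosts are expected to relay through the filter.
INTERNAL_NET = ipaddress.ip_network("192.168.30.0/24")

REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"\S+?\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) "
    r"(?P<reason>.*?); from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

# First entry is the reject quoted in the post; the others are constructed samples.
SAMPLE_LOG = [
    "Apr 1 04:18:18 efa postfix/smtpd[20902]: NOQUEUE: reject: RCPT from unknown[192.168.30.25]: "
    "450 4.7.1 Client host rejected: cannot find your reverse hostname, [192.168.30.25]; "
    "from=<user@theirdomain.com> to=<user@gmail.com> proto=ESMTP helo=<zimbra.mydomain.com>",
    "Apr 1 04:20:02 efa postfix/smtpd[20911]: NOQUEUE: reject: RCPT from unknown[192.168.30.25]: "
    "454 4.7.1 <user@destination.com>: Relay access denied; "
    "from=<user@mydomain.com> to=<user@destination.com> proto=ESMTP helo=<zimbra.mydomain.com>",
    "Apr 1 04:21:40 efa postfix/smtpd[20915]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: "
    "454 4.7.1 <someone@example.net>: Relay access denied; "
    "from=<a@example.org> to=<someone@example.net> proto=ESMTP helo=<mail.example.org>",
    "Apr 1 04:21:41 efa postfix/smtpd[20915]: disconnect from unknown[203.0.113.7]",
]

def classify(reason):
    """Map Postfix's free-text reject reason to a short label."""
    if "Relay access denied" in reason:
        return "relay-denied"
    if "cannot find your reverse hostname" in reason:
        return "no-reverse-dns"
    return "other"

def parse_rejects(lines):
    """Yield one dict per smtpd reject line; lines that do not match are skipped."""
    for m in filter(None, map(REJECT_RE.search, lines)):
        rec = m.groupdict()
        rec["kind"] = classify(rec["reason"])
        rec["internal"] = ipaddress.ip_address(rec["ip"]) in INTERNAL_NET
        yield rec

def internal_reject_summary(lines):
    """Count rejects issued to internal hosts, keyed by (client IP, kind)."""
    return Counter((r["ip"], r["kind"]) for r in parse_rejects(lines) if r["internal"])

if __name__ == "__main__":
    print(internal_reject_summary(SAMPLE_LOG))
```

A non-empty summary means the filter is refusing mail from a host that is supposed to relay through it; the external 203.0.113.7 reject is expected behaviour and is left out.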
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Relay access denied

Post by pdwalker »

I think there are other posts in these forums that tell you how to resolve the "cannot find reverse hostname" error. Use Google to search the forums rather than using the built-in search - you will get better search results.

As for the bouncebacks from the zimbra server, can you share one of them? Why is zimbra bouncing them back?

Please test and let us know what you find out.
BruceLeeRoy
Posts: 47
Joined: 01 May 2015 13:27

Re: Relay access denied

Post by BruceLeeRoy »

I believe the bouncebacks were from spam that originally got through, I'm thinking Zimbra tried to bounce the messages but EFA wasn't relaying them. Zimbra likely kept them queued, then when I added the zimbra server address to the hosts file in EFA it started allowing them to flow out. Strange thing is the message log in efa UI showed a huge list of them going out all as whitelisted and the "from" field being blank. Here is an example as you requested, actual addresses changed ofc:

The original message received was to an account that hasn't been in my system for 10 years:

Message Headers: Received: from zimbra.mydomain.com (zimbra.mydomain.com [192.168.30.25])
(using TLSv1.2 with cipher EBEHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by efa.mydomain.com (Postfix) with ESMTPS id 673622158A
for <imemories@dajuo.band>; Sat, 7 Apr 2018 07:53:04 -0400 (EDT)
Received: by zimbra.mydomain.com (Postfix)
id 6C04960A9B5B; Mon, 2 Apr 2018 18:14:49 -0400 (EDT)
Date: Mon, 2 Apr 2018 18:14:49 -0400 (EDT)
From: MAILER-DAEMON@zimbra.mydomain.com (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: imemories@dajuo.band
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="314D960A9B49.1522707289/zimbra.mydomain.com"
Message-Id: <20180402221449.6C04960A9B5B@zimbra.mydomain.com>
From:
[Add to Whitelist | Add to Blacklist]
To: imemories@dajuo.band
Subject: Undelivered Mail Returned to Sender
Size: 4.52kB

Date/Time Relayed by Relayed to Delay Status
04/07/18 15:01:15 efa 07:08:11 deferred (connect to dajuo.band[173.224.117.155]:25: Connection refused)
04/07/18 13:51:15 efa 05:58:11 deferred (connect to dajuo.band[173.224.117.155]:25: Connection refused)
04/07/18 12:41:15 efa 04:48:11 deferred (connect to dajuo.band[173.224.117.155]:25: Connection refused)
04/07/18 11:31:15 efa 03:38:11 deferred (connect to dajuo.band[173.224.117.155]:25: Connection refused)
04/07/18 10:21:15 efa 02:28:11 deferred (connect to dajuo.band[173.224.117.155]:25: Connection refused)
04/07/18 09:11:15 efa 01:18:11 deferred (connect to dajuo.band[173.224.117.155]:25: Connection refused)
04/07/18 08:31:15 efa 00:38:11 deferred (connect to dajuo.band[173.224.117.155]:25: Connection refused)
04/07/18 08:01:15 efa 00:08:12 deferred (connect to dajuo.band[173.224.117.155]:25: Connection refused)
04/07/18 07:53:28 efa 00:00:24 deferred (connect to dajuo.band[173.224.117.155]:25: Connection refused)


This is the mail system at host zimbra.mydomain.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

<old_user@mydomain.com>: mydomain.com
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Relay access denied

Post by shawniverson »

That's normal when a spammer spoofs an email, the NDR will get deferred and eventually drop from the queue when the maximal queue lifetime expires for the message.