Relay access denied
- BruceLeeRoy
- Posts: 47
- Joined: 01 May 2015 13:27
Relay access denied
Been trying to figure this out for a few weeks. I have my network firewalled with pfSense, with a Zimbra mail server behind it as well as EFA on a different IP address. Everything works fine with Zimbra, but when I enable EFA I can't send any mail to external domains unless I send from the Zimbra web client. Any other mail client errors out.
I am basically changing my NAT rule to point port 25 to the EFA server instead of zimbra, when I do that I see mail being filtered and everything seems fine with incoming mail. However, trying to send mail with various clients gives: Message not sent. Server replied:
Temporary authentication failure 454 4.7.1 <user@destination.com>: Relay access denied
I wouldn't think outbound mail would be affected by EFA because it's not even supposed to be in the loop for outbound?
I'm guessing the receiving server is trying to do some kind of authentication or communication with zimbra but when it tries accessing it on port 25 it's actually connecting to EFA?
Re: Relay access denied
What are your outbound mail relay settings? That's under
8) Mail Settings
1) Outbound Mail Relay
from the efa configuration menu
- BruceLeeRoy
- Posts: 47
- Joined: 01 May 2015 13:27
Re: Relay access denied
It is the internal IP address of the Zimbra server. I believe during my troubleshooting at one point I changed this to the WAN IP but still had the same results.
Re: Relay access denied
ok, so which server is giving the relay access denied error message? Can you post some of the raw message details so I can see where the mail is going and where it is getting rejected?
As for my understanding, it'd go something like this:
user mail client/web client -> zimbra mail server -> efa -> outside world via pfsense firewall
To make that work, you need to do a few things
1/ map external smtp traffic to efa (which you've done)
2/ configure efa to transport mail from efa to the zimbra mail server for those domains (which I believe you've done)
3/ configure zimbra to use efa as the "smart host" (don't know - assume you've done this)
4/ configure efa to act as the smart mail host for the zimbra mail server (I'm guessing this is where the issue is)
So first please verify that zimbra is using efa as the smart host.
Next, let's verify your efa configuration menu, item 8) mail settings
check the following two and tell me the settings:
1) outbound mail relay (I've set this to the lan network address - e.g. 192.168.1.0/24)
2) outbound smarthost (disabled - efa will send the mail directly)
- BruceLeeRoy
- Posts: 47
- Joined: 01 May 2015 13:27
Re: Relay access denied
Ok, so zimbra had nothing in MTA so I added the IP of the efa server. At first I didn't think it was working because I couldn't get any mail in or out. Then I noticed the inbound and outbound queues in the efa UI were growing. For some reason it got quite backlogged so I disabled everything. I just re-enabled it and things seem to be flowing ok. I guess I assumed it would just filter incoming mail and not affect outgoing. I could swear that is how my old setup was. Although last time I had public IPs on EFA and the mail server. This time they are all behind a firewall.
- BruceLeeRoy
- Posts: 47
- Joined: 01 May 2015 13:27
Re: Relay access denied
So I have people complaining their email isn't reaching some recipients. Is there any way with my setup to bypass efa mail checking on outbound?
Re: Relay access denied
When you say that mail isn't reaching the recipients, you need to know what the actual problem is.
Do you know why certain messages are not being delivered, and if not, why not?
Yes, you could whitelist those email addresses, and that would bypass the EFA spam checking - but is that really the problem?
How do your users know the message isn't getting delivered? Are they getting a bounce message - and if so, what is that message? Or are their recipients complaining to them that they didn't receive the message - and can you find this message in the efa logs?
Rather than jump at a solution, let's find the real problem first.
- BruceLeeRoy
- Posts: 47
- Joined: 01 May 2015 13:27
Re: Relay access denied
Yes, you're right, I tend to get frustrated because my understanding of mail flow is limited. I'm still trying to find the messages in the logs that were said aren't getting delivered. Seems like they aren't even getting to EFA. One user said after I "disabled" EFA he immediately got a test message in his gmail account that he sent several minutes ago. Other users reported they didn't get a bounceback, but sent a message to a client, then the client asks them by telephone when they are going to send the Email.
I'm getting a lot of this type of stuff in the efa logs:
Apr 1 04:18:18 efa postfix/smtpd[20902]: NOQUEUE: reject: RCPT from unknown[192.168.30.25]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [192.168.30.25]; from=<user@theirdomain.com> to=<user@gmail.com> proto=ESMTP helo=<zimbra.mydomain.com>
I added "192.168.30.25 zimbra.mydomain.com zimbra" to the efa hosts file. Not sure if that was the right way to fix the reverse hostname issue. I've also noticed today there are tons of bouncebacks coming through efa from the zimbra server for spam emails that got through. I don't remember ever seeing this in the efa UI before. I don't know if this is a result of adding the line to the hosts file?
Was unable to find anything in the zimbra maillog because the emails in question are from over a week ago and seem to be purged from the logs. I may have to get them to test again next week.
Re: Relay access denied
I think there are other posts in these forums that tell you how to resolve the "cannot find reverse hostname" error. Use google to search the forums rather than using the built in search - you will get better search results.
As for the bouncebacks from the zimbra server, can you share one of them? Why is zimbra bouncing them back?
Please test and let us know what you find out.
- BruceLeeRoy
- Posts: 47
- Joined: 01 May 2015 13:27
Re: Relay access denied
I believe the bouncebacks were from spam that originally got through, I'm thinking Zimbra tried to bounce the messages but EFA wasn't relaying them. Zimbra likely kept them queued, then when I added the zimbra server address to the hosts file in EFA it started allowing them to flow out. Strange thing is the message log in efa UI showed a huge list of them going out all as whitelisted and the "from" field being blank. Here is an example as you requested, actual addresses changed ofc:
The original message received was to an account that hasn't been in my system for 10 years:
Message Headers: Received: from zimbra.mydomain.com (zimbra.mydomain.com [192.168.30.25])
(using TLSv1.2 with cipher EBEHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by efa.mydomain.com (Postfix) with ESMTPS id 673622158A
for <imemories@dajuo.band>; Sat, 7 Apr 2018 07:53:04 -0400 (EDT)
Received: by zimbra.mydomain.com (Postfix)
id 6C04960A9B5B; Mon, 2 Apr 2018 18:14:49 -0400 (EDT)
Date: Mon, 2 Apr 2018 18:14:49 -0400 (EDT)
From: MAILER-DAEMON@zimbra.mydomain.com (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: imemories@dajuo.band
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="314D960A9B49.1522707289/zimbra.mydomain.com"
Message-Id: <20180402221449.6C04960A9B5B@zimbra.mydomain.com>
From:
[Add to Whitelist | Add to Blacklist]
To: imemories@dajuo.band
Subject: Undelivered Mail Returned to Sender
Size: 4.52kB
Date/Time Relayed by Relayed to Delay Status
04/07/18 15:01:15 efa 07:08:11 deferred (connect to dajuo.band[173.224.117.155]:25: Connection refused)
04/07/18 13:51:15 efa 05:58:11 deferred (connect to dajuo.band[173.224.117.155]:25: Connection refused)
04/07/18 12:41:15 efa 04:48:11 deferred (connect to dajuo.band[173.224.117.155]:25: Connection refused)
04/07/18 11:31:15 efa 03:38:11 deferred (connect to dajuo.band[173.224.117.155]:25: Connection refused)
04/07/18 10:21:15 efa 02:28:11 deferred (connect to dajuo.band[173.224.117.155]:25: Connection refused)
04/07/18 09:11:15 efa 01:18:11 deferred (connect to dajuo.band[173.224.117.155]:25: Connection refused)
04/07/18 08:31:15 efa 00:38:11 deferred (connect to dajuo.band[173.224.117.155]:25: Connection refused)
04/07/18 08:01:15 efa 00:08:12 deferred (connect to dajuo.band[173.224.117.155]:25: Connection refused)
04/07/18 07:53:28 efa 00:00:24 deferred (connect to dajuo.band[173.224.117.155]:25: Connection refused)
This is the mail system at host zimbra.mydomain.com.
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can
delete your own text from the attached returned message.
The mail system
<old_user@mydomain.com>: mydomain.com
- shawniverson
- Posts: 3649
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
Re: Relay access denied
That's normal when a spammer spoofs an email, the NDR will get deferred and eventually drop from the queue when the maximal queue lifetime expires for the message.
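A triage sketch for the two rejections quoted in this thread (454 4.7.1 Relay access denied and 450 4.7.1 cannot find your reverse hostname), added here as an example and not posted by any participant: it parses Postfix smtpd reject lines, groups them by client and cause, and flags whether each client falls inside a list of networks allowed to relay. The `relay_networks` argument, the function names and the 203.0.113.9 log line are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log in Postfix smtpd format. The second line mirrors the
# rejection quoted in the thread; the first and third are made up.
SAMPLE_LOG = """\
Apr  1 04:17:02 efa postfix/smtpd[20899]: NOQUEUE: reject: RCPT from unknown[192.168.30.25]: 454 4.7.1 <user@gmail.com>: Relay access denied; from=<user@theirdomain.com> to=<user@gmail.com> proto=ESMTP helo=<zimbra.mydomain.com>
Apr  1 04:18:18 efa postfix/smtpd[20902]: NOQUEUE: reject: RCPT from unknown[192.168.30.25]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [192.168.30.25]; from=<user@theirdomain.com> to=<user@gmail.com> proto=ESMTP helo=<zimbra.mydomain.com>
Apr  1 04:19:40 efa postfix/smtpd[20905]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 454 4.7.1 <victim@example.net>: Relay access denied; from=<spam@example.org> to=<victim@example.net> proto=ESMTP helo=<mail.example.org>
"""

# Client name and IP, SMTP code, enhanced status, free-text reason, envelope.
REJECT = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<name>[^\[]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) (?P<reason>.*?); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

def classify(reason):
    """Map the free-text reason to one of the causes seen in the thread."""
    if "Relay access denied" in reason:
        return "relay-denied"
    if "cannot find your reverse hostname" in reason:
        return "no-reverse-dns"
    return "other"

def triage(log_text, relay_networks):
    """Count rejects per (client IP, cause, client is inside relay_networks)."""
    nets = [ipaddress.ip_network(n) for n in relay_networks]
    counts = Counter()
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if not m:
            continue  # not an smtpd RCPT reject line
        ip = ipaddress.ip_address(m["ip"])
        trusted = any(ip in net for net in nets)
        counts[(str(ip), classify(m["reason"]), trusted)] += 1
    return counts

if __name__ == "__main__":
    # Hypothetical relay setting: the /24 given as an example in the thread,
    # which does not contain the mail server at 192.168.30.25.
    result = triage(SAMPLE_LOG, ["192.168.1.0/24"])
    for (ip, cause, trusted), n in sorted(result.items()):
        print(f"{ip:15} {cause:15} in_relay_networks={trusted} count={n}")
```

A relay-denied reject for an internal client that is outside the relay networks is a sign to check the filter's relay setting first; the same reject for an outside address is the filter refusing to act as an open relay.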