I can not send mail via EFA


Post by omer »

Hello;

I just got acquainted with EFA. I'm trying to do a test.

There does not seem to be a problem for the incoming mails. Filtering viruses and spam mails are blocked.

But I want to check in the mails I send. I set the smarthost on the mail server for this. All outgoing mail leads to the EFA server. But all the mails I send are waiting in the queue. He's coming back for a while. I have done everything that comes to mind but I have not managed to control the outgoing mails with EFA.

Mail Server: Kerio Connect
Smart Host Conf: http://prntscr.com/gw4d0u
Mail Queue: http://prntscr.com/gw4fym

I'm very happy if you can help me with what I need to do.

Note: I translated this text using Google Translate.

Post by pdwalker »

The key error message is "Relay Access Denied".

This means that EFA is not accepting messages from your mail host, "Relaying denied".

You should be able to see something in your /var/log/maillog which might explain why EFA is not relaying your mail for you.

Is your EFA box on the same network as your Kerio server? or different networks?

I think you may have to edit your efa:/etc/postfix/main.cf file and add your kerio host ip address into the mynetworks parameter. Look towards the bottom of the config file where many of the parameters are defined. Line 678 in my file.

Post by omer »

Hello,

Thank you for the answer.

Both servers are on the same network.

If you would like me to send you your config file. I do not know which area in Main.cf I should look at.

On the last line, there is such a phrase: relayhost = 31.6.xx.xx

This is the record in the EFA Log file:

Code:

Oct 12 13:22:35 gw postfix/smtpd[18629]: connect from mail.xxxxxx.com[31.6.xx.xx]
Oct 12 13:22:35 gw postfix/smtpd[18629]: Anonymous TLS connection established from mail.xxxxxx.com[31.6.xx.xx]: TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Oct 12 13:22:36 gw postfix/smtpd[18629]: NOQUEUE: reject: RCPT from mail.xxxxxx.com[31.6.xx.xx]: 454 4.7.1 <omerxxxx@gmail.com>: Relay access denied; from=<omer@xxxxxxx.net> to=<omerxxxxx@gmail.com> proto=ESMTP helo=<mail>
Oct 12 13:22:36 gw postfix/smtpd[18629]: disconnect from mail.xxxxx.com[31.6.xx.xx] ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6

Thank you.

Post by pdwalker »

Code:

678 mynetworks = 127.0.0.0/8 10.10.1.0/24

The 678 is the line number in my file.

Both my EFA box and my mail server are on the 10.10.1.0 network. Thus EFA will accept mail from any machine on the network.

Hmm, now that I think about it, I should restrict it not to the network, but only to my mail server since no one should be sending mail directly to anyone outside the network.

Give that a try - put in the ip address of your mail server into mynetworks and restart postfix or mailscanner and see if it works.

Post by omer »

Hello

I made the changes you said, but the mails are back again.

Error code returned on Kerio side:

Code:

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                  The mail system

<omerxxxx@gmail.com>: host 31.6.xx.39[31.6.xx.39] said: 550 5.7.1 Relaying to
   <omerxxxx@gmail.com> denied (authentication required) (in reply to RCPT TO
   command)

/etc/postfix/main.cf

Code:

685: meta_directory = /etc/postfix
686: shlib_directory = no
687: mynetworks = 31.6.xx.39/26
688: header_checks = regexp:/etc/postfix/header_checks
689: myorigin = $mydomain
690: relay_domains = hash:/etc/postfix/transport
691: transport_maps = hash:/etc/postfix/transport

EFA Maillog:

Log 1: 687: mynetworks = 31.6.xx.39/26
Oct 12 21:35:33 gw postfix/anvil[28463]: statistics: max connection rate 1/60s for (smtp:31.6.xx.39) at Oct 12 21:32:13
Oct 12 21:35:33 gw postfix/anvil[28463]: statistics: max connection count 1 for (smtp:31.6.xx.39) at Oct 12 21:32:13
Oct 12 21:35:33 gw postfix/anvil[28463]: statistics: max cache size 1 at Oct 12 21:32:13
Oct 12 21:35:48 gw postfix/smtpd[29224]: connect from mail.domain.com[31.6.xx.39]
Oct 12 21:35:48 gw postfix/smtpd[29224]: warning: smtpd_client_event_limit_exceptions: non-null host address bits in "31.6.xx.39/26", perhaps you should use "31.6.86.0/26" instead
Oct 12 21:35:48 gw postfix/smtpd[29224]: Anonymous TLS connection established from mail.domain.com[31.6.xx.39]: TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Oct 12 21:35:49 gw postfix/smtpd[29224]: warning: mynetworks: non-null host address bits in "31.6.xx.39/26", perhaps you should use "31.6.86.0/26" instead
Oct 12 21:35:49 gw postfix/smtpd[29224]: NOQUEUE: reject: RCPT from mail.domain.com[31.6.xx.39]: 451 4.3.0 <omerxxxx@gmail.com>: Temporary lookup failure; from=<omer@domain.net> to=<omerxxxx@gmail.com> proto=ESMTP helo=<mail>
Oct 12 21:35:49 gw postfix/smtpd[29224]: warning: smtpd_client_event_limit_exceptions: non-null host address bits in "31.6.xx.39/26", perhaps you should use "31.6.86.0/26" instead
Oct 12 21:35:49 gw postfix/smtpd[29224]: disconnect from mail.domain.com[31.6.xx.39] ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6


Log 2: 687: mynetworks = 31.6.xx.39

Code:

Oct 12 21:25:22 gw postfix/smtpd[25921]: connect from mail.domain.com[31.6.xx.39]
Oct 12 21:25:22 gw postfix/smtpd[25921]: Anonymous TLS connection established from mail.domain.com[31.6.xx.39]: TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Oct 12 21:25:22 gw postfix/smtpd[25921]: 853812007F: client=mail.domain.com[31.6.xx.39]
Oct 12 21:25:22 gw postfix/cleanup[25904]: 853812007F: hold: header Received: from mail (mail.domain.com [31.6.xx.39])??(using TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))??(No client certificate requested)??by gw.domain.com (Postfix) with ES from mail.domain.com[31.6.xx.39]; from=<omer@domain.net> to=<omerxxxx@gmail.com> proto=ESMTP helo=<mail>
Oct 12 21:25:22 gw postfix/cleanup[25904]: 853812007F: message-id=<252526571-1296@mail>
Oct 12 21:25:22 gw postfix/smtpd[25921]: disconnect from mail.domain.com[31.6.xx.39] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Oct 12 21:25:26 gw MailScanner[7694]: New Batch: Scanning 1 messages, 9585 bytes
Oct 12 21:25:26 gw MailScanner[7694]: Virus and Content Scanning: Starting
Oct 12 21:25:27 gw MailScanner[7694]: <A> tag found in message 853812007F.A3132 from omer@domain.net
Oct 12 21:25:27 gw MailScanner[7694]: HTML Img tag found in message 853812007F.A3132 from omer@domain.net
Oct 12 21:25:27 gw MailScanner[7694]: Spam Checks: Starting
Oct 12 21:25:32 gw MailScanner[7694]: Requeue: 853812007F.A3132 to 2B07B200AA
Oct 12 21:25:32 gw MailScanner[7694]: Uninfected: Delivered 1 messages
Oct 12 21:25:32 gw postfix/qmgr[25862]: 2B07B200AA: from=<omer@domain.net>, size=8895, nrcpt=1 (queue active)
Oct 12 21:25:32 gw MailScanner[7694]: Deleted 1 messages from processing-database
Oct 12 21:25:32 gw MailScanner[7694]: MailWatch: Logging message 853812007F.A3132 to SQL
Oct 12 21:25:32 gw MailScanner[25911]: MailWatch: 853812007F.A3132: Logged to MailWatch SQL
Oct 12 21:25:32 gw postfix/smtp[25897]: 2B07B200AA: to=<omerxxxx@gmail.com>, relay=31.6.xx.39[31.6.xx.39]:25, delay=10, delays=10/0/0.24/0.01, dsn=5.7.1, status=bounced (host 31.6.xx.39[31.6.xx.39] said: 550 5.7.1 Relaying to <omerxxxx@gmail.com> denied (authentication required) (in reply to RCPT TO command))
Oct 12 21:25:32 gw postfix/cleanup[25904]: D6653200AB: message-id=<20171012182532.D6653200AB@gw.domain.com>
Oct 12 21:25:32 gw postfix/qmgr[25862]: D6653200AB: from=<>, size=11229, nrcpt=1 (queue active)
Oct 12 21:25:32 gw postfix/bounce[25903]: 2B07B200AA: sender non-delivery notification: D6653200AB
Oct 12 21:25:32 gw postfix/qmgr[25862]: 2B07B200AA: removed
Oct 12 21:25:33 gw postfix/smtp[25897]: D6653200AB: to=<omer@domain.net>, relay=31.6.xx.39[31.6.xx.39]:25, delay=0.23, delays=0.01/0/0.21/0, dsn=2.0.0, status=sent (250 2.0.0 59dfb3b5-00000068 Message accepted for delivery)
Oct 12 21:25:33 gw postfix/qmgr[25862]: D6653200AB: removed

Note: I tried both ways.
31.6.xx.39/26
31.6.xx.0/26
Last edited by omer on 12 Oct 2017 19:29, edited 1 time in total.

Post by pdwalker »

Try 31.6.xx.0/24 and tell me if that works. (We don't want to keep it as this setting.)

Post by omer »

That did not work either.
Oct 12 22:03:02 gw postfix/smtpd[2451]: connect from mail.domain.com[31.6.xx.39]
Oct 12 22:03:02 gw postfix/smtpd[2451]: Anonymous TLS connection established from mail.domain.com[31.6.xx.39]: TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Oct 12 22:03:02 gw postfix/smtpd[2451]: E4A832007F: client=mail.domain.com[31.6.xx.39]
Oct 12 22:03:02 gw postfix/cleanup[2454]: E4A832007F: hold: header Received: from mail (mail.domain.com [31.6.xx.39])??(using TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))??(No client certificate requested)??by gw.domain.com (Postfix) with ES from mail.domain.com[31.6.xx.39]; from=<omer@domain.net> to=<omerxxxxx@gmail.com> proto=ESMTP helo=<mail>
Oct 12 22:03:02 gw postfix/cleanup[2454]: E4A832007F: message-id=<254787540-1296@mail>
Oct 12 22:03:02 gw postfix/smtpd[2451]: disconnect from mail.domain.com[31.6.xx.39] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Oct 12 22:03:07 gw MailScanner[7694]: New Batch: Scanning 1 messages, 9513 bytes
Oct 12 22:03:07 gw MailScanner[7694]: Virus and Content Scanning: Starting
Oct 12 22:03:07 gw MailScanner[7694]: <A> tag found in message E4A832007F.A5B87 from omer@domain.net
Oct 12 22:03:07 gw MailScanner[7694]: HTML Img tag found in message E4A832007F.A5B87 from omer@domain.net
Oct 12 22:03:07 gw MailScanner[7694]: Spam Checks: Starting
Oct 12 22:03:14 gw MailScanner[7694]: Requeue: E4A832007F.A5B87 to C7E7F200B1
Oct 12 22:03:14 gw postfix/qmgr[2287]: C7E7F200B1: from=<omer@domain.net>, size=8826, nrcpt=1 (queue active)
Oct 12 22:03:14 gw MailScanner[7694]: Uninfected: Delivered 1 messages
Oct 12 22:03:14 gw MailScanner[7694]: Deleted 1 messages from processing-database
Oct 12 22:03:14 gw MailScanner[7694]: MailWatch: Logging message E4A832007F.A5B87 to SQL
Oct 12 22:03:14 gw MailScanner[25911]: MailWatch: E4A832007F.A5B87: Logged to MailWatch SQL
Oct 12 22:03:14 gw postfix/smtp[2480]: C7E7F200B1: to=<omerxxxxx@gmail.com>, relay=31.6.xx.39[31.6.xx.39]:25, delay=12, delays=11/0/0.25/0.05, dsn=5.7.1, status=bounced (host 31.6.xx.39[31.6.xx.39] said: 550 5.7.1 Relaying to <omerxxxxx@gmail.com> denied (authentication required) (in reply to RCPT TO command))
Oct 12 22:03:14 gw postfix/cleanup[2454]: 6FF7F200B2: message-id=<20171012190314.6FF7F200B2@gw.domain.com>
Oct 12 22:03:14 gw postfix/bounce[2481]: C7E7F200B1: sender non-delivery notification: 6FF7F200B2
Oct 12 22:03:14 gw postfix/qmgr[2287]: 6FF7F200B2: from=<>, size=11155, nrcpt=1 (queue active)
Oct 12 22:03:14 gw postfix/qmgr[2287]: C7E7F200B1: removed
Oct 12 22:03:14 gw postfix/smtp[2480]: 6FF7F200B2: to=<omer@domain.net>, relay=31.6.xx.39[31.6.xx.39]:25, delay=0.34, delays=0.01/0/0.32/0, dsn=2.0.0, status=sent (250 2.0.0 59dfbc8a-0000007e Message accepted for delivery)
Oct 12 22:03:14 gw postfix/qmgr[2287]: 6FF7F200B2: removed

Post by pdwalker »

This is the problem.
Oct 12 22:03:14 gw postfix/smtp[2480]: C7E7F200B1: to=<omerxxxxx@gmail.com>, relay=31.6.xx.39[31.6.xx.39]:25, delay=12, delays=11/0/0.25/0.05, dsn=5.7.1, status=bounced (host 31.6.xx.39[31.6.xx.39] said: 550 5.7.1 Relaying to <omerxxxxx@gmail.com> denied (authentication required) (in reply to RCPT TO command))
Let me find out what that means exactly.
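
An added example, not part of the original thread: the logs above contain two different kinds of refusal. Lines from `postfix/smtpd` are the gateway rejecting a client, while the `postfix/smtp` line is the next hop rejecting the gateway, and in this thread that next hop is the same address the mail came from. The sample lines are constructed with documentation addresses, and `triage` and `mail_server_ip` are names chosen for this sketch.

```python
import re

# Constructed sample lines modelled on the maillog excerpts in this thread;
# hostnames and addresses are documentation placeholders, not the poster's.
SAMPLE_LOG = """\
Oct 12 13:22:36 gw postfix/smtpd[18629]: NOQUEUE: reject: RCPT from mail.example.com[192.0.2.39]: 454 4.7.1 <user@example.org>: Relay access denied; from=<omer@example.net> to=<user@example.org> proto=ESMTP helo=<mail>
Oct 12 21:35:49 gw postfix/smtpd[29224]: NOQUEUE: reject: RCPT from mail.example.com[192.0.2.39]: 451 4.3.0 <user@example.org>: Temporary lookup failure; from=<omer@example.net> to=<user@example.org> proto=ESMTP helo=<mail>
Oct 12 22:03:14 gw postfix/smtp[2480]: C7E7F200B1: to=<user@example.org>, relay=192.0.2.39[192.0.2.39]:25, delay=12, delays=11/0/0.25/0.05, dsn=5.7.1, status=bounced (host 192.0.2.39[192.0.2.39] said: 550 5.7.1 Relaying to <user@example.org> denied (authentication required) (in reply to RCPT TO command))
Oct 12 22:03:14 gw postfix/smtp[2480]: 6FF7F200B2: to=<omer@example.net>, relay=192.0.2.39[192.0.2.39]:25, delay=0.34, delays=0.01/0/0.32/0, dsn=2.0.0, status=sent (250 2.0.0 Message accepted for delivery)
"""

# smtpd = the gateway's SMTP server: it refused a client that connected to it.
INBOUND = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+?\[([\d.]+)\]: "
    r"(\d{3} \d\.\d\.\d) <[^>]*>: ([^;]+);")
# smtp = the gateway's SMTP client: the next hop refused what the gateway sent.
OUTBOUND = re.compile(
    r"postfix/smtp\[\d+\]: \w+: to=<[^>]*>, relay=\S+?\[([\d.]+)\]:\d+, "
    r".*?dsn=(\d\.\d\.\d), status=(?:bounced|deferred) \((.*)\)$")


def triage(log_text, mail_server_ip):
    """Classify relay failures by which side refused the message.

    mail_server_ip is the internal server that submits mail to the gateway;
    'loop' marks a gateway delivery that went straight back to that server.
    """
    findings = []
    for line in log_text.splitlines():
        m = INBOUND.search(line)
        if m:
            peer, code, reason = m.groups()
            findings.append({"side": "gateway refused client", "peer": peer,
                             "code": code, "reason": reason.strip(),
                             "loop": False})
            continue
        m = OUTBOUND.search(line)
        if m:
            peer, dsn, reason = m.groups()
            findings.append({"side": "next hop refused gateway", "peer": peer,
                             "code": dsn, "reason": reason,
                             "loop": peer == mail_server_ip})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, "192.0.2.39"):
        print(finding)
```

A finding with `loop` set means the fix belongs in the gateway's outbound routing (`relayhost` or transport), not in `mynetworks`.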

Post by pdwalker »

Can you post the results of "postconf -n" from your efa box here for us please?

edit: also /etc/postfix/sender_access

Post by omer »

Of course

Code:

[root@gw omer]# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
default_destination_recipient_limit = 1
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps =
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
masquerade_domains = $mydomain
meta_directory = /etc/postfix
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 31.6.xx.0/24
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-3.1.3/README_FILES
relay_domains = hash:/etc/postfix/transport
relayhost = 31.6.xxx.39
sample_directory = /usr/share/doc/postfix-3.1.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = no
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_type = cyrus
smtp_tls_CAfile = /etc/postfix/ssl/rsa_smtpd.pem
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_client_restrictions = permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_unknown_reverse_client_hostname
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = check_helo_access hash:/etc/postfix/helo_access, reject_invalid_hostname
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient, reject_unknown_recipient_domain, check_recipient_access hash:/etc/postfix/recipient_access, check_policy_service inet:127.0.0.1:2501
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_sasl_authenticated, check_sender_access hash:/etc/postfix/sender_access, reject_non_fqdn_sender, reject_unknown_sender_domain
smtpd_tls_CAfile = /etc/postfix/ssl/rsa_smtpd.pem
smtpd_tls_cert_file = /etc/postfix/ssl/rsa_smtpd.pem
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dhparam.pem
smtpd_tls_key_file = /etc/postfix/ssl/rsa_smtpd.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
smtputf8_enable = no
tls_medium_cipherlist = ECDSA+AESGCM:ECDH+AESGCM:DH+AESGCM:ECDSA+AES:ECDH+AES:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual

Post by pdwalker »

omer was kind enough to trust me long enough to log into his system and fix the problem.

I compared his configuration to mine and saw that he had this whereas I did not:

relayhost = 31.6.xxx.xx

Why is a relay host defined?

I ran the efa configuration program and went to 8) mail settings, 2) outbound smarthost. His was set to 31.6.xxx.xx. Since EFA is the smarthost and doesn't send mail to a smarthost to deliver the mail on EFA's behalf, I cleared this setting.

Next I checked option 1) Outbound Mail Relay and I set this to his network.

(Note: omer, it is currently 31.6.xx.0/24, which is larger than your network. Please reduce this to the size of only the ip addresses of the network you own so that someone else on that network range outside of your own cannot use your machine to send mail.)

Now his postconf -n resembles mine and mail is now sending correctly.
Last edited by pdwalker on 12 Oct 2017 21:17, edited 1 time in total.
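
An added example, not part of the original thread and not eFa's own tooling: a check over `postconf -n` output for the three settings problems that came up above, namely host bits in a `mynetworks` entry (the form Postfix warned about), a trusted range wider than the mail server needs, and a `relayhost` that points back at the server submitting the mail. The sample configuration is constructed with documentation addresses, and the function names and the `max_hosts` threshold are assumptions of this sketch.

```python
import ipaddress

# Constructed `postconf -n` excerpt using documentation addresses. It mirrors
# the thread's pre-fix state: host bits in mynetworks and a relayhost set.
SAMPLE_POSTCONF = """\
mynetworks = 127.0.0.0/8 192.0.2.39/26
relayhost = [192.0.2.39]:25
"""


def parse_postconf(text):
    """Return {parameter: value} from 'name = value' lines."""
    conf = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            conf[name.strip()] = value.strip()
    return conf


def audit_relay_settings(conf, mail_server_ip, max_hosts=16):
    """List mynetworks/relayhost problems of the kind seen in the thread.

    max_hosts is a hypothetical threshold for "wider than needed"; IPv4
    literals only, table lookups in mynetworks are skipped.
    """
    issues, nets = [], []
    server = ipaddress.ip_address(mail_server_ip)
    for entry in conf.get("mynetworks", "").replace(",", " ").split():
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # e.g. hash:/path, not an address literal
        if "/" in entry and str(net) != entry:
            # Postfix logs "non-null host address bits" for this form.
            issues.append(f"host-bits: {entry} should be {net}")
        if not net.is_loopback and net.num_addresses > max_hosts:
            issues.append(f"broad: {net} trusts {net.num_addresses} addresses")
        nets.append(net)
    if not any(server in net for net in nets):
        issues.append(f"untrusted: {mail_server_ip} is not in mynetworks")
    # relayhost forms: host, host:port, [host], [host]:port
    next_hop = conf.get("relayhost", "").lstrip("[").split("]")[0].split(":")[0]
    if next_hop == mail_server_ip:
        issues.append(f"loop: relayhost {next_hop} is the submitting server")
    return issues


if __name__ == "__main__":
    for issue in audit_relay_settings(parse_postconf(SAMPLE_POSTCONF), "192.0.2.39"):
        print(issue)
```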

Post by omer »

Dear Paul, thank you so much for your help.

I can filter out the mail that you sent me.

Thank you again for your help. I am thankful to you.

Post by omer »

Hello,

Years later I'm having the same problem again :)

The only thing I do is I no longer use private ip addresses instead of public.

I defined the IP addresses and port numbers over the firewall. Both servers are on 172.17.52.0/24 network.

When an e-mail comes from outside, this e-mail reaches the mail server.
But when I want to send an e-mail via the mail server with smarthost, EFA does not allow it. It gives an output as below.

What can I do? Do you have any advice on this subject?
https://prnt.sc/M1moYvLQRmrz

<omer@gmail.com> (172.17.52.54: 550 5.7.1 Relaying to <omer@gmail.com> denied (authentication required))

Version: MailWatch for MailScanner v1.2.18 running on eFa-4.0.4 - © 2006-2022

Post by freyuh »

Have you changed 'mynetworks =' in the postfix 'main.cf'?

Post by omer »


Post by pdwalker »

Hi Omer,

What changed between when it worked and when it stopped working?

I could try logging in again to debug it for you.

Post by omer »

Hi pdwalker,
All I did was change the string. In the past, I used a real ip address of 31.6.86.0/24, now I'm doing NAT using a private ip of 172.17.52.54.

pdwalker wrote: 03 May 2022 05:45
Hi Omer,

What changed between when it worked and when it stopped working?

I could try logging in again to debug it for you.

Post by pdwalker »

Hi Omer,

My apologies for the questions, but I'm having a hard time picturing this in my head.

So, is your mail flow like this?

[internet] <-> [firewall/nat mapping/internal ip.254] <-> [eFa/internal ip.55] <-> [internal mail server/internal ip.54] <-> [mail clients]

How about /etc/postfix/transport on your eFa box? Do you have an entry in that file with /internal ip .54/ - e.g.
example.com smtp:[internal ip.54] ?

Post by freyuh »

If I understood it correctly it's the other way: eFa is rejecting outbound mails from the EXCHANGE server.

Post by omer »

Hello,

I finally found what the problem was :)

Strangely enough, I realized that it was a dns problem.

The server used to run on a public ip and there were no problems.
Now it works on a private ip address.
I am using public dns servers but it was not resolving. I just realized this, I thought the problem was always refusing to connect.
I added public dns server to resolv.conf file and the problem was suddenly solved.

Special thanks to @pdwalker for his help.