
Thread: SMTP Auth. Failed outside the subnet

  1. #1
    chanck is offline Senior Member

    Default SMTP Auth. Failed outside the subnet

    Hi,

    I found I have the same symptom as somebody here, but there seems to be no solution yet. I got a Relay Access Denied error for the recipient address.

    Version: zcs 3.01 GA-160

    =====/var/log/zimbra.log======
    Code:
    Mar 13 21:05:43 mailsrv postfix/smtpd[2788]: NOQUEUE: reject: RCPT from n11z183l68.broadband.ctm.net[202.175.183.68]: 554 <xxxxx@yahoo.com>: Relay access denied; from=<kmchan@yyyyyyyy> to=<xxxxxx@yahoo.com> proto=SMTP helo=<yyyyyy>
    Mar 13 21:44:12 mailsrv postfix/smtpd[20197]: NOQUEUE: reject: RCPT from n19z190l52.broadband.ctm.net[202.175.190.52]: 554 <xxxxx@yahoo.com>: Relay access denied; from=<chikin@xxxxxx> to=<zzzzzzzz@yahoo.com> proto=SMTP helo=<xxxxx>
    ======== Information ========
    IP of the Host: 192.168.x.x
    Enable Authentication: TICK
    TLS authentication only : NOTICK
    Relay MTA for external delivery: IP_of_another_host_in_the_same_subnet of the host:25

    Domains: Only_one_domain_is_setup

    Machines inside the same subnet as the Zimbra host (for example machine@192.168.x.x -- IP inside the office) can send mail to any mail domain like yahoo.com, hotmail.com, as well as the local domain.

    Machines outside the subnet (for example machine@202.175.x.x -- ISP's IP) that connect to the Zimbra MTA have no problem sending mail to the local domain, but there is a Relay Access Denied error when sending to other domains like yahoo.com, hotmail.com, etc. I made sure the authentication passed.

    Any idea?

    Thomas

  2. #2
    bobby is offline Zimbra Employee

    What's the output of these:

    zmprov gs mailsrv.whatever | grep Auth
    zmprov gs mailsrv.whatever | grep MailMode

  3. #3
    KevinH is offline Expert Member

    Do you see the sasl auth in the log? It should start like this:

    Code:
    Mar 13 09:44:37 dogfood postfix/smtpd[18664]: connect from unknown[10.10.x.x]
    Mar 13 09:44:37 dogfood postfix/smtpd[18664]: setting up TLS connection from unknown[10.10.x.x]
    Mar 13 09:44:37 dogfood postfix/smtpd[18664]: SSL_accept:before/accept initialization
    Mar 13 09:44:37 dogfood postfix/smtpd[18664]: read from 08235638 [0823F1A8] (11 bytes => -1 (0xFFFFFFFF))
    Mar 13 09:44:37 dogfood postfix/smtpd[18664]: SSL_accept:error in SSLv2/v3 read client hello A
    Mar 13 09:44:37 dogfood postfix/smtpd[18664]: read from 08235638 [0823F1A8] (11 bytes => 11 (0xB))
    Mar 13 09:44:37 dogfood postfix/smtpd[18664]: 0000 16 03 01 00 53 01 00 00|4f 03 01                 ....S... O..
    Mar 13 09:44:37 dogfood postfix/smtpd[18664]: read from 08235638 [0823F1B3] (77 bytes => -1 (0xFFFFFFFF))
    Mar 13 09:44:37 dogfood postfix/smtpd[18664]: SSL_accept:error in SSLv3 read client hello B
    Mar 13 09:44:37 dogfood postfix/smtpd[18664]: SSL_accept:error in SSLv3 read client hello B
    Looking for new beta users -> Co-Founder of Acompli. Previously worked at Zimbra (and Yahoo! & VMware) since 2005.

  4. #4
    chanck is offline Senior Member

    It happened sometimes but not at the time I was testing the smtp.

    Code:
    Mar 13 09:16:07 mailsrv postfix/smtpd[16806]: connect from unknown[192.168.216.251]
    Mar 13 09:16:08 mailsrv postfix/smtpd[16806]: setting up TLS connection from unknown[192.168.216.251]
    Mar 13 09:16:08 mailsrv postfix/smtpd[16806]: SSL_accept:before/accept initialization
    Mar 13 09:16:08 mailsrv postfix/smtpd[16806]: read from 0A0E9F80 [0A0FA180] (11 bytes => -1 (0xFFFFFFFF))
    Mar 13 09:16:08 mailsrv postfix/smtpd[16806]: SSL_accept:error in SSLv2/v3 read client hello A
    Mar 13 09:16:08 mailsrv postfix/smtpd[16806]: read from 0A0E9F80 [0A0FA180] (11 bytes => 11 (0xB))
    Mar 13 09:16:08 mailsrv postfix/smtpd[16806]: 0000 16 03 01 00 53 01 00 00|4f 03 01                 ....S... O..
    Mar 13 09:16:08 mailsrv postfix/smtpd[16806]: read from 0A0E9F80 [0A0FA18B] (77 bytes => -1 (0xFFFFFFFF))
    Mar 13 09:16:08 mailsrv postfix/smtpd[16806]: SSL_accept:error in SSLv3 read client hello B
    Mar 13 09:16:08 mailsrv postfix/smtpd[16806]: SSL_accept:error in SSLv3 read client hello B
    Mar 13 09:16:08 mailsrv postfix/smtpd[16806]: read from 0A0E9F80 [0A0FA18B] (77 bytes => 77 (0x4D))
    Thomas

  5. #5
    chanck is offline Senior Member

    Output of the commands

    [zimbra@mailsrv ~]$ zmprov gs my_mail_domain | grep Auth
    zimbraMtaAuthEnabled: TRUE
    zimbraMtaAuthHost: my_mail_domain
    zimbraMtaAuthURL: http://my_mail_domain:80/service/soap/
    zimbraMtaTlsAuthOnly: FALSE

    [zimbra@mailsrv ~]$ zmprov gs my_mail_domain | grep MailMode
    zimbraMailMode: http

    Thomas

  6. #6
    KevinH is offline Expert Member

    Quote Originally Posted by chanck
    It happened sometimes but not at the time I was testing the smtp.

    Code:
    Mar 13 09:16:07 mailsrv postfix/smtpd[16806]: connect from unknown[192.168.216.251]
    Mar 13 09:16:08 mailsrv postfix/smtpd[16806]: setting up TLS connection from unknown[192.168.216.251]
    Mar 13 09:16:08 mailsrv postfix/smtpd[16806]: SSL_accept:before/accept initialization
    Mar 13 09:16:08 mailsrv postfix/smtpd[16806]: read from 0A0E9F80 [0A0FA180] (11 bytes => -1 (0xFFFFFFFF))
    Mar 13 09:16:08 mailsrv postfix/smtpd[16806]: SSL_accept:error in SSLv2/v3 read client hello A
    Mar 13 09:16:08 mailsrv postfix/smtpd[16806]: read from 0A0E9F80 [0A0FA180] (11 bytes => 11 (0xB))
    Mar 13 09:16:08 mailsrv postfix/smtpd[16806]: 0000 16 03 01 00 53 01 00 00|4f 03 01                 ....S... O..
    Mar 13 09:16:08 mailsrv postfix/smtpd[16806]: read from 0A0E9F80 [0A0FA18B] (77 bytes => -1 (0xFFFFFFFF))
    Mar 13 09:16:08 mailsrv postfix/smtpd[16806]: SSL_accept:error in SSLv3 read client hello B
    Mar 13 09:16:08 mailsrv postfix/smtpd[16806]: SSL_accept:error in SSLv3 read client hello B
    Mar 13 09:16:08 mailsrv postfix/smtpd[16806]: read from 0A0E9F80 [0A0FA18B] (77 bytes => 77 (0x4D))
    Thomas

    Then your client is not sending auth when trying to send. Can you check the TLS only box in the admin UI, restart tomcat and retest?
    Looking for new beta users -> Co-Founder of Acompli. Previously worked at Zimbra (and Yahoo! & VMware) since 2005.

  7. #7
    chanck is offline Senior Member

    Quote Originally Posted by KevinH
    Then your client is not sending auth when trying to send. Can you check the TLS only box in the admin UI, restart tomcat and retest?


    Code:
    Mar 15 10:18:19 safp postfix/smtpd[10449]: warning: 202.175.xx.xx: hostname n40z15l172.broadband.ctm.net verification failed: Name or service not known
    Mar 15 10:18:19 safp postfix/smtpd[10449]: connect from unknown[202.175.xx.xx]
    Mar 15 10:18:19 safp postfix/smtpd[10449]: disconnect from unknown[202.175.xx.xx]
    
    zimbra@mailsrv:~> zmprov gs my_domain | grep Auth
    zimbraMtaAuthEnabled: TRUE
    zimbraMtaAuthHost: my_domain
    zimbraMtaAuthURL: http://my_domain:80/service/soap/
    zimbraMtaTlsAuthOnly: TRUE

    Similar symptom.
    If clients inside the subnet send it, everything is all right.

    But when I try to do it from the Internet, there is an error.

    Outlook Express Error "502: Command not implemented".
    Thunderbird Error "Unable to connect to SMTP server .....via STARTTLS since it doesn't support EHLO ........."

    I wonder why it does not show up inside the same subnet. That's the point. Is it because of firewall settings? Does it require another port for doing the SMTP auth?

    Thomas

  8. #8
    chanck is offline Senior Member

    One more thing I want to clarify: if I uncheck "Enable authentication", I get an "Access Relay denied" error even inside the same subnet. Do I need to manually add the subnet to the "Access" file of postfix to get it to relay successfully if I don't want the users to do SMTP authentication?

    Relating it to the error case I encountered, does that mean the Authentication setting can only control the relay inside the valid subnet? Even if I check Authentication, do I still need to add the authorized subnet into "Access" for the relay?

    Thomas

  9. #9
    marcmac is offline Expert Member

    No. To almost everything you asked.

    Postfix sets a default "mynetworks" parameter which is:
    127.0.0.0/8 and your.ip.address.network/netmask where netmask is based on classful subnet rules. If you're on a private address, and you're on the 192.168.1 net, it'll be /24 - if you're on 10. net, it'll be /8.

    It's pretty rare to need to change this on a home based network or a small office network.

    run postconf mynetworks to get your setting.

    So - how does this work with smtp auth?

    If you connect from within "mynetworks", postfix will relay your mail to anyone.

    If you've got auth enabled (do you?) then postfix will attempt to authenticate your user, and if that succeeds, will also relay mail anywhere.

  10. #10
    chanck is offline Senior Member

    Quote Originally Posted by marcmac
    No. To almost everything you asked.

    Postfix sets a default "mynetworks" parameter which is:
    127.0.0.0/8 and your.ip.address.network/netmask where netmask is based on classful subnet rules. If you're on a private address, and you're on the 192.168.1 net, it'll be /24 - if you're on 10. net, it'll be /8.

    It's pretty rare to need to change this on a home based network or a small office network.

    run postconf mynetworks to get your setting.

    So - how does this work with smtp auth?

    If you connect from within "mynetworks", postfix will relay your mail to anyone.

    If you've got auth enabled (do you?) then postfix will attempt to authenticate your user, and if that succeeds, will also relay mail anywhere.

    [zimbra@mailsrv ~]$ postconf mynetworks
    mynetworks = 127.0.0.0/8 192.168.212.0/24

    I believe the auth is working. If I put the wrong username or password in the mail client, the client asks me to input it again until I input the correct username and password. That means the server has verified it.

    I know that a successful authentication should let me relay mail anywhere (that's the concept), but now it fails for me. Only machines with 192.168.x.x that authenticate successfully can send mail (if not authenticated, they can only send to the local domain). But machines on the Internet cannot relay even when authenticated. I tried many machines/clients for the Internet case. Handheld machines (using GPRS), Outlook Express, etc. all failed.

    Thomas
    Last edited by chanck; 03-14-2006 at 09:45 PM.
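
An added example, not part of any post in this thread: a small Python check that reads "Relay access denied" lines in the format quoted in post #1, tests the client address against the `mynetworks` value from post #10, and reports whether the client greeted with EHLO (the `proto=` field), since the AUTH capability is only advertised in the EHLO reply. The sample log lines, the `example.test` domain and the simplified `relay_decision` ordering are assumptions made for the illustration.

```python
import ipaddress
import re

# `postconf mynetworks` value posted in the thread.
MYNETWORKS = [ipaddress.ip_network(n) for n in "127.0.0.0/8 192.168.212.0/24".split()]
LOCAL_DOMAINS = {"example.test"}  # assumption: placeholder for the one hosted domain

# Constructed sample lines, same format as the rejects quoted in the thread.
SAMPLE_LOG = (
    "Mar 13 21:05:43 mailsrv postfix/smtpd[2788]: NOQUEUE: reject: RCPT from host.example[202.175.183.68]: "
    "554 <a@yahoo.com>: Relay access denied; from=<u@example.test> to=<a@yahoo.com> proto=SMTP helo=<pc>\n"
    "Mar 13 21:09:02 mailsrv postfix/smtpd[2791]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: "
    "554 <b@yahoo.com>: Relay access denied; from=<u@example.test> to=<b@yahoo.com> proto=ESMTP helo=<pc2>\n"
)

REJECT = re.compile(
    r"reject: RCPT from \S*\[(?P<ip>[0-9.]+)\]: 554 .*?Relay access denied; "
    r".*? to=<[^@>]+@(?P<domain>[^>]+)> proto=(?P<proto>\S+)"
)

def in_mynetworks(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MYNETWORKS)

def relay_decision(ip, sasl_authenticated, rcpt_domain):
    """Simplified model of post #9: trusted network, then SASL auth, else local mail only."""
    if in_mynetworks(ip):
        return "permit (mynetworks)"
    if sasl_authenticated:
        return "permit (sasl)"
    if rcpt_domain in LOCAL_DOMAINS:
        return "permit (local delivery)"
    return "reject (relay access denied)"

def diagnose(log_text):
    findings = []
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if m:
            findings.append({
                "ip": m["ip"],
                "rcpt_domain": m["domain"],
                "in_mynetworks": in_mynetworks(m["ip"]),
                # proto=SMTP: the client greeted with HELO and was never shown AUTH.
                "ehlo_used": m["proto"] == "ESMTP",
            })
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

A reject with `in_mynetworks` false and `ehlo_used` false, as in the `proto=SMTP` lines from post #1, means Postfix treated the session as unauthenticated and the client was never offered AUTH in that session.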
