#1 (permalink)
Old 03-13-2006, 06:50 PM
Senior Member
Posts: 56
SMTP Auth. Failed outside the subnet

Hi,

I found I have the same symptom as somebody here, but it seems there is no solution yet. I got a Relay Access Denied error for the recipient address.

Version: zcs 3.01 GA-160

=====/var/log/zimbra.log======
Code:
Mar 13 21:05:43 mailsrv postfix/smtpd[2788]: NOQUEUE: reject: RCPT from n11z183l68.broadband.ctm.net[202.175.183.68]: 554 <xxxxx@yahoo.com>: Relay access denied; from=<kmchan@yyyyyyyy> to=<xxxxxx@yahoo.com> proto=SMTP helo=<yyyyyy>
Mar 13 21:44:12 mailsrv postfix/smtpd[20197]: NOQUEUE: reject: RCPT from n19z190l52.broadband.ctm.net[202.175.190.52]: 554 <xxxxx@yahoo.com>: Relay access denied; from=<chikin@xxxxxx> to=<zzzzzzzz@yahoo.com> proto=SMTP helo=<xxxxx>
======== Information ========
IP of the Host: 192.168.x.x
Enable Authentication: TICK
TLS authentication only : NOTICK
Relay MTA for external delivery: IP_of_another_host_in_the_same_subnet of the host:25

Domains: Only_one_domain_is_setup

Machines inside the same subnet (for example machine@192.168.x.x -- IP inside office) of the Zimbra host can send mail to any mail domain like yahoo.com, hotmail.com, as well as the local domain.

Machines outside the subnet (for example machine@202.175.x.x -- ISP's IP) that connect to the Zimbra MTA to send mail to the local domain have no problem, but there is a Relay Access Denied error when sending to other domains like yahoo.com, hotmail.com, etc. I ensured that the authentication passed.

Any idea?

Thomas

#2 (permalink)
Old 03-13-2006, 07:03 PM
Zimbra Employee
Posts: 515

What's the output of these:

zmprov gs mailsrv.whatever | grep Auth
zmprov gs mailsrv.whatever | grep MailMode

#3 (permalink)
Old 03-13-2006, 07:05 PM
Zimbra Employee
Posts: 4,792

Do you see the sasl auth in the log? It should start like this:

Code:
Mar 13 09:44:37 dogfood postfix/smtpd[18664]: connect from unknown[10.10.x.x]
Mar 13 09:44:37 dogfood postfix/smtpd[18664]: setting up TLS connection from unknown[10.10.x.x]
Mar 13 09:44:37 dogfood postfix/smtpd[18664]: SSL_accept:before/accept initialization
Mar 13 09:44:37 dogfood postfix/smtpd[18664]: read from 08235638 [0823F1A8] (11 bytes => -1 (0xFFFFFFFF))
Mar 13 09:44:37 dogfood postfix/smtpd[18664]: SSL_accept:error in SSLv2/v3 read client hello A
Mar 13 09:44:37 dogfood postfix/smtpd[18664]: read from 08235638 [0823F1A8] (11 bytes => 11 (0xB))
Mar 13 09:44:37 dogfood postfix/smtpd[18664]: 0000 16 03 01 00 53 01 00 00|4f 03 01                 ....S... O..
Mar 13 09:44:37 dogfood postfix/smtpd[18664]: read from 08235638 [0823F1B3] (77 bytes => -1 (0xFFFFFFFF))
Mar 13 09:44:37 dogfood postfix/smtpd[18664]: SSL_accept:error in SSLv3 read client hello B
Mar 13 09:44:37 dogfood postfix/smtpd[18664]: SSL_accept:error in SSLv3 read client hello B

#4 (permalink)
Old 03-13-2006, 09:50 PM
Senior Member
Posts: 56

It happened sometimes but not at the time I was testing the smtp.

Code:
Mar 13 09:16:07 mailsrv postfix/smtpd[16806]: connect from unknown[192.168.216.251]
Mar 13 09:16:08 mailsrv postfix/smtpd[16806]: setting up TLS connection from unknown[192.168.216.251]
Mar 13 09:16:08 mailsrv postfix/smtpd[16806]: SSL_accept:before/accept initialization
Mar 13 09:16:08 mailsrv postfix/smtpd[16806]: read from 0A0E9F80 [0A0FA180] (11 bytes => -1 (0xFFFFFFFF))
Mar 13 09:16:08 mailsrv postfix/smtpd[16806]: SSL_accept:error in SSLv2/v3 read client hello A
Mar 13 09:16:08 mailsrv postfix/smtpd[16806]: read from 0A0E9F80 [0A0FA180] (11 bytes => 11 (0xB))
Mar 13 09:16:08 mailsrv postfix/smtpd[16806]: 0000 16 03 01 00 53 01 00 00|4f 03 01                 ....S... O..
Mar 13 09:16:08 mailsrv postfix/smtpd[16806]: read from 0A0E9F80 [0A0FA18B] (77 bytes => -1 (0xFFFFFFFF))
Mar 13 09:16:08 mailsrv postfix/smtpd[16806]: SSL_accept:error in SSLv3 read client hello B
Mar 13 09:16:08 mailsrv postfix/smtpd[16806]: SSL_accept:error in SSLv3 read client hello B
Mar 13 09:16:08 mailsrv postfix/smtpd[16806]: read from 0A0E9F80 [0A0FA18B] (77 bytes => 77 (0x4D))
Thomas

#5 (permalink)
Old 03-13-2006, 09:55 PM
Senior Member
Posts: 56

Output of the commands

[zimbra@mailsrv ~]$ zmprov gs my_mail_domain | grep Auth
zimbraMtaAuthEnabled: TRUE
zimbraMtaAuthHost: my_mail_domain
zimbraMtaAuthURL: http://my_mail_domain:80/service/soap/
zimbraMtaTlsAuthOnly: FALSE

[zimbra@mailsrv ~]$ zmprov gs my_mail_domain | grep MailMode
zimbraMailMode: http

Thomas

#6 (permalink)
Old 03-14-2006, 08:22 AM
Zimbra Employee
Posts: 4,792

Quote:
Originally Posted by chanck
It happened sometimes but not at the time I was testing the smtp.

Thomas

Then your client is not sending auth when trying to send. Can you check the TLS only box in the admin UI, restart tomcat and retest?

#7 (permalink)
Old 03-14-2006, 08:01 PM
Senior Member
Posts: 56

Quote:
Originally Posted by KevinH
Then your client is not sending auth when trying to send. Can you check the TLS only box in the admin UI, restart tomcat and retest?


Code:
Mar 15 10:18:19 safp postfix/smtpd[10449]: warning: 202.175.xx.xx: hostname n40z15l172.broadband.ctm.net verification failed: Name or service not known
Mar 15 10:18:19 safp postfix/smtpd[10449]: connect from unknown[202.175.xx.xx]
Mar 15 10:18:19 safp postfix/smtpd[10449]: disconnect from unknown[202.175.xx.xx]

zimbra@mailsrv:~> zmprov gs my_domain | grep Auth
zimbraMtaAuthEnabled: TRUE
zimbraMtaAuthHost: my_domain
zimbraMtaAuthURL: http://my_domain:80/service/soap/
zimbraMtaTlsAuthOnly: TRUE
Similar Symptom
If clients (inside the subnet) send it, everything is all right.

But when I try to do it @Internet, there is an error.

Outlook Express Error "502: Command not implemented".
Thunderbird Error "Unable to connect to SMTP server .....via STARTTLS since it doesn't support EHLO ........."

I wondered why it is not shown inside the same subnet. That's the point. Is it because of firewall settings? Does it require another port for doing the SMTP auth?

Thomas

#8 (permalink)
Old 03-14-2006, 08:12 PM
Senior Member
Posts: 56

One more thing I want to clarify: if I unchecked "Enable authentication", I would get an "Access Relay denied" error even inside the same subnet. Do I need to manually add the subnet to the "Access" file of postfix to get it to relay successfully if I don't want the users to do SMTP authentication?

Relating this to the error case I encountered, does that mean the Authentication setting can only control the relay inside the valid subnet? Even if I check Authentication, do I still need to add the authorized subnet to the "Access" file for the relay?

Thomas

#9 (permalink)
Old 03-14-2006, 08:57 PM
Zimbra Employee
Posts: 2,103

No. To almost everything you asked.

Postfix sets a default "mynetworks" parameter which is:
127.0.0.0/8 and your.ip.address.network/netmask where netmask is based on classful subnet rules. If you're on a private address, and you're on the 192.168.1 net, it'll be /24 - if you're on 10. net, it'll be /8.

It's pretty rare to need to change this on a home based network or a small office network.

run postconf mynetworks to get your setting.

So - how does this work with smtp auth?

If you connect from within "mynetworks", postfix will relay your mail to anyone.

If you've got auth enabled (do you?) then postfix will attempt to authenticate your user, and if that succeeds, will also relay mail anywhere.

#10 (permalink)
Old 03-14-2006, 09:39 PM
Senior Member
Posts: 56

Quote:
Originally Posted by marcmac
No. To almost everything you asked.

Postfix sets a default "mynetworks" parameter which is:
127.0.0.0/8 and your.ip.address.network/netmask where netmask is based on classful subnet rules. If you're on a private address, and you're on the 192.168.1 net, it'll be /24 - if you're on 10. net, it'll be /8.

It's pretty rare to need to change this on a home based network or a small office network.

run postconf mynetworks to get your setting.

So - how does this work with smtp auth?

If you connect from within "mynetworks", postfix will relay your mail to anyone.

If you've got auth enabled (do you?) then postfix will attempt to authenticate your user, and if that succeeds, will also relay mail anywhere.

[zimbra@mailsrv ~]$ postconf mynetworks
mynetworks = 127.0.0.0/8 192.168.212.0/24

I believe the auth is working. If I put the wrong username or password in the mail client, the client asks me to input it again until I input the correct username and password. That means the server has verified it.

I know that a successful authentication should let me relay mail anywhere (that's the concept), but now it fails for me. Only machines with 192.168.x.x that authenticate successfully can send mail (if not authenticated, they can only send to the local domain). But machines @Internet cannot relay even when authenticated. I tried many machines/clients for the Internet case. Handheld machines (using GPRS), Outlook Express, etc. all failed.

Thomas

Last edited by chanck; 03-14-2006 at 09:45 PM..
Reply With Quote
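
The relay rule from post #9 (inside mynetworks, or authenticated), applied to log lines shaped like those in post #1, as an added example that is not part of the original thread. It relies on two Postfix facts: a reject line carries `proto=SMTP` when the client greeted with HELO and `proto=ESMTP` when it used EHLO, and AUTH is only offered in reply to EHLO. The `mynetworks` value is the one printed in post #10; the sample log, the `diagnose` function and its cause strings are constructed for illustration.

```python
import ipaddress
import re

# mynetworks as printed by `postconf mynetworks` in the thread.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.212.0/24")]

# Constructed sample log (documentation addresses, not lines from the thread).
SAMPLE_LOG = """\
Mar 13 21:05:42 mailsrv postfix/smtpd[2788]: connect from unknown[203.0.113.68]
Mar 13 21:05:43 mailsrv postfix/smtpd[2788]: NOQUEUE: reject: RCPT from unknown[203.0.113.68]: 554 <a@example.com>: Relay access denied; from=<u@example.org> to=<a@example.com> proto=SMTP helo=<pc1>
Mar 13 21:06:10 mailsrv postfix/smtpd[2790]: connect from unknown[192.168.212.40]
Mar 13 21:06:11 mailsrv postfix/smtpd[2790]: 4F2A1B0C3D: client=unknown[192.168.212.40]
Mar 13 21:07:02 mailsrv postfix/smtpd[2795]: connect from unknown[203.0.113.9]
Mar 13 21:07:03 mailsrv postfix/smtpd[2795]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 <a@example.com>: Relay access denied; from=<u@example.org> to=<a@example.com> proto=ESMTP helo=<pc2>
Mar 13 21:08:30 mailsrv postfix/smtpd[2801]: connect from unknown[198.51.100.7]
Mar 13 21:08:31 mailsrv postfix/smtpd[2801]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Mar 13 21:08:32 mailsrv postfix/smtpd[2801]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 <a@example.com>: Relay access denied; from=<u@example.org> to=<a@example.com> proto=ESMTP helo=<pc3>
"""

SMTPD = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)")
REJECT = re.compile(r"reject: RCPT from \S*\[([^\]]+)\]: 554 .*Relay access denied;.* proto=(\S+)")

def diagnose(log_text, mynetworks=MYNETWORKS):
    """Return (client_ip, proto, cause) for every 'Relay access denied' reject."""
    auth_failed = set()   # smtpd pids whose current session had a failed AUTH
    findings = []
    for pid, msg in SMTPD.findall(log_text):
        if msg.startswith("connect from"):
            auth_failed.discard(pid)        # a new session reuses the pid
        elif "SASL" in msg and "authentication failed" in msg:
            auth_failed.add(pid)
        r = REJECT.search(msg)
        if not r:
            continue
        ip, proto = r.groups()
        if any(ipaddress.ip_address(ip) in net for net in mynetworks):
            cause = "inside mynetworks, relay should have been permitted"
        elif pid in auth_failed:
            cause = "AUTH attempted and failed"
        elif proto == "SMTP":
            cause = "HELO session: AUTH is only offered after EHLO"
        else:
            cause = "EHLO session, no AUTH seen before RCPT"
        findings.append((ip, proto, cause))
    return findings

for finding in diagnose(SAMPLE_LOG):
    print(*finding, sep=" | ")
```

Client addresses masked in the log (such as `202.175.xx.xx`) do not parse as IP addresses and have to be unmasked before running this against a real file.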