  #1 (permalink)  
Old 10-29-2008, 12:19 PM
Junior Member
 
Posts: 6
Post Out of office users cannot send mail

I am using 4.5.7
All users are using Outlook

I am hosting mail for our main office and 2 branch offices. They are all different domain names.

From our main site and site 1 I can send and receive mail just fine.
Their addresses are added to the MTA trusted sites.

When I add the 2nd site to MTA trusted sites it still does not work. I restart the services using zmcontrol stop and then start. I have restarted the Zimbra server and still nothing.

From site 1 I can reach the zimbra server on port 25 but from the second site I cannot. I have tested and can ping it just fine.

From site 1 I can add an e-mail address that is supposed to be used on site 2 and it works fine.

Also I would like to know how users that use laptops can send and receive mail when they are away from the office. Right now they can receive mail when they are away from the office, they just cannot send mail.

Sorry if this has been answered on the forums before, I have looked and just cannot find the answer.

Thank you for any help.
  #2 (permalink)  
Old 10-29-2008, 12:25 PM
Zimbra Consultant & Moderator
 
Posts: 20,312
Default

Quote:
Originally Posted by Kruger81 View Post
Also I would like to know how users that use laptops can send and receive mail when they are away from the office. Right now they can receive mail when they are away from the office, they just cannot send mail.
Authenticated users can send mail from any location, you should not add the remote IPs to the Trusted IP list. All you need in the MyNetworks setting is the LAN IPs and the server loopback IP. Check the wiki for the mynetwork setting and have a search through the forums for it.
__________________
Regards


Bill
  #3 (permalink)  
Old 10-29-2008, 01:13 PM
Junior Member
 
Posts: 6
Post

I believe that document is the one that I read to configure this. It states under the "Allowing relaying for a remote network" heading that if you have POP or IMAP users on a remote network (which is what I have) that you have to add them to mynetworks.

When I run the postconf command I get:


postconf mynetworks
mynetworks = 127.0.0.0/8 10.1.1.0/24 142.x.x.0/24 207.x.x.0/24

Routing is working for everything except the 207 network.

I have done postfix reload and restarted the server.

How do these users connect using POP when they are on a network that isn't listed here? Like in a hotel?

If they used the webmail I realise that I wouldn't have these issues, but that is not an option.

Thanks
  #4 (permalink)  
Old 10-29-2008, 01:32 PM
Zimbra Consultant & Moderator
 
Posts: 20,312
Default

Unless you absolutely 100% can guarantee that the remote site will never be compromised you can use the IP range in the mynetworks setting, otherwise I'd recommend you leave it out as it's not necessary. I can connect to my server from any IP in the world and send mail through the server without problems, I have only the LAN subnet and the loopback in the mynetworks settings. There are many threads in the forums that describe how to set and check this, I've answered this question a few times.

What settings do you have set on the Global Settings/MTA tab for Authentication? What clients are you using to connect to the server? What settings do they have for the connection to your server? Can you give me a test account to try a connection (it will be tomorrow that I'll try a test), send me a PM with the details if you want me to try.
__________________
Regards


Bill
  #5 (permalink)  
Old 10-29-2008, 02:49 PM
Junior Member
 
Posts: 6
Post

Well, I figured out my problem, so sorry, it was all on my end. The router that they have on site 2 blocks ALL outbound 25.

So I configured a firewall rule and now it works...

The other issue I am having is that the server is routing mail even if I don't have "my server requires authentication" turned on, but I am sure this is in the forums somewhere.

Thank you so much for your replies and sorry for wasting your time.
  #6 (permalink)  
Old 10-30-2008, 03:10 AM
C&C
Starter Member
 
Posts: 1
Default

Quote:
Originally Posted by Kruger81 View Post
mynetworks = 127.0.0.0/8 10.1.1.0/24 142.x.x.0/24 207.x.x.0/24
thanks
Do your external sites really have an IP range that big? If not, you're allowing other customers of their ISP to use your email server. If they have just a single static IP, use /32 instead.
  #7 (permalink)  
Old 10-30-2008, 06:41 AM
Zimbra Consultant & Moderator
 
Posts: 20,312
Default

Quote:
Originally Posted by Kruger81 View Post
Well, I figured out my problem, so sorry, it was all on my end. The router that they have on site 2 blocks ALL outbound 25.

So I configured a firewall rule and now it works...

The other issue I am having is that the server is routing mail even if I don't have "my server requires authentication" turned on, but I am sure this is in the forums somewhere.

Thank you so much for your replies and sorry for wasting your time.
You're welcome and it's not a waste of time.

You really should investigate the use of Authentication (and how to configure it) for remote users and stop using the remote subnet in your mynetworks setting - it really is a problem waiting to happen. What you're doing is allowing unauthorised connection to your server from those IP addresses and any machine that gets compromised on that LAN can relay mail unhindered through your server (this is why they can relay mail without Authentication). In addition, as C&C has mentioned, you'll need to modify the mynetworks setting for the subnet. As you've mentioned a LAN I'm assuming that you have a single public IP address at the remote sites? If you do then restrict the IP range further as a temporary measure until you use Authentication correctly.

You should also use TCP Port 587 For Mail Submission from remote clients:

Mail clients are usually configured to use Port 25 for sending mail; according to the RFC the correct port should be 587. In Zimbra this port can be enabled by making the following change to /opt/zimbra/postfix/conf/master.cf.in. At the top of that file you'll find the following lines:

#submission inet n      -       n       -       -       smtpd
#  -o smtpd_etrn_restrictions=reject
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

Uncomment them (leaving the white space at the beginning of lines 2 & 3) and save the file. You will need to make that change for every upgrade of Zimbra until it's incorporated permanently.

Make that change and modify your clients to use that instead of port 25, and obviously reload postfix and modify your firewall rules.

The Submission Port change is scheduled for the next major release of Zimbra but you could add a vote to this bug if you want.

Any problems or questions then search the forums for some detailed answers, post to this thread if there's anything you don't understand.
__________________
Regards


Bill

Last edited by phoenix; 04-05-2009 at 07:07 AM..
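
The relay exposure that C&C and Bill describe can be checked mechanically. The following is an added example, not part of the original thread: it takes the value printed by `postconf mynetworks` and reports, for each entry, how many addresses it lets relay without authentication and whether the entry lies outside loopback and private address space. The function name, the verdict labels and the sample value (documentation addresses standing in for the redacted ranges above) are assumptions made for the example.

```python
import ipaddress

# Address space that cannot be reached from the internet:
# loopback, RFC 1918 private ranges, and IPv6 loopback / unique-local.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7")]


def audit_mynetworks(value):
    """Audit a Postfix mynetworks value (the text after 'mynetworks =').

    Returns a list of (entry, address_count, verdict) tuples where verdict is
      ok     - loopback or private LAN range
      warn   - one public host trusted to relay without authentication
      fail   - a public range trusted to relay without authentication
      review - not a CIDR entry (mynetworks also accepts file/table lookups)
    """
    findings = []
    for token in value.replace(",", " ").split():
        try:
            # Postfix writes IPv6 entries as [addr]/len; strip the brackets.
            cidr = token.replace("[", "").replace("]", "")
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            findings.append((token, None, "review"))
            continue
        internal = any(net.version == i.version and net.subnet_of(i)
                       for i in INTERNAL)
        if internal:
            verdict = "ok"
        elif net.num_addresses == 1:
            verdict = "warn"
        else:
            verdict = "fail"
        findings.append((str(net), net.num_addresses, verdict))
    return findings


# Constructed sample: same shape as the value posted in the thread, with
# documentation addresses in place of the redacted public ranges.
SAMPLE = "127.0.0.0/8 10.1.1.0/24 203.0.113.0/24 198.51.100.7/32"

if __name__ == "__main__":
    for entry, count, verdict in audit_mynetworks(SAMPLE):
        print(f"{verdict:6} {entry:20} {count}")
```

A `warn` entry corresponds to the /32 stopgap suggested in the thread; once remote clients authenticate, only `ok` entries should remain.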
  #8 (permalink)  
Old 10-30-2008, 08:32 AM
Moderator
 
Posts: 1,027
Default

Kruger81,

The issues you are having with authentication could very well have to do with how you have your network set up. I encountered this issue myself; my full explanation of what I found and had to do about it is in this post. You might actually want to read through that whole thread as it addresses a number of issues regarding authentication.

I want to reinforce what Bill (phoenix) said earlier--you really should get authentication solved and turn off allowed relay from those external IPs. . .there are too many bots, malware, and all-around bad guys out there that are all too happy to exploit an open relay, which is essentially what you have here.
__________________
Cheers,

Dan
  #9 (permalink)  
Old 10-30-2008, 08:45 AM
Junior Member
 
Posts: 6
Default

I have changed the settings for mynetworks to only include my loopback and internal IP range.

Also I will be making the change to 587 so I can continue to block 25. On my firewall I have forwarded 587 to 25 internally for now till I can get all the clients changed, change that setting in Zimbra, then I will forward 587 to 587. Hope it all works out.

Thank you so much for your help.

(edit) I also fixed the issue with authentication. Now clients are required to have a username and password for sending mail.

Last edited by Kruger81; 10-30-2008 at 04:18 PM..