Thread: Outlook with no SMTP authentication, within my_networks = 554 5.7.1 Client host rejec

  1. #1
    adam_lavelle is offline Junior Member

    Outlook 2003/2007 clients set up with non-authenticated SMTP within the my_networks range produce the following error:

    Zimbra.log:
    Feb 15 01:39:29 mail postfix/smtpd[29573]: connect from unknown[10.0.0.198]
    Feb 15 01:39:30 mail postfix/smtpd[29573]: NOQUEUE: reject: RCPT from unknown[10.0.0.198]: 554 5.7.1 <unknown[10.0.0.198]>: Client host rejected: Access denied; from=<user@domain.org> to=<user@domain.com> proto=ESMTP helo=<NCSLP025>

    Client:
    554 5.7.1 <unknown[10.0.0.198]>: Client host rejected: Access denied

    Tried variety of MTA host settings of 10.0.0.0/8 10.0.0.0/24 10.0.0.198/32 ... no effect.
    Turned off protocol and dns checks.

    For reference:

    Version: zcs-NETWORK-6.0.5_GA_2213.UBUNTU8_64

    zimbra@mail:/var/log$ zmprov gacf|grep Mta
    zimbraMtaAntiSpamLockMethod: flock
    zimbraMtaAuthEnabled: TRUE
    zimbraMtaAuthTarget: FALSE
    zimbraMtaBlockedExtensionWarnAdmin: TRUE
    zimbraMtaBlockedExtensionWarnRecipient: TRUE
    zimbraMtaCommonBlockedExtension: asd
    zimbraMtaCommonBlockedExtension: bat
    zimbraMtaCommonBlockedExtension: chm
    zimbraMtaCommonBlockedExtension: cmd
    zimbraMtaCommonBlockedExtension: com
    zimbraMtaCommonBlockedExtension: dll
    zimbraMtaCommonBlockedExtension: do
    zimbraMtaCommonBlockedExtension: exe
    zimbraMtaCommonBlockedExtension: hlp
    zimbraMtaCommonBlockedExtension: hta
    zimbraMtaCommonBlockedExtension: js
    zimbraMtaCommonBlockedExtension: jse
    zimbraMtaCommonBlockedExtension: lnk
    zimbraMtaCommonBlockedExtension: mov
    zimbraMtaCommonBlockedExtension: ocx
    zimbraMtaCommonBlockedExtension: pif
    zimbraMtaCommonBlockedExtension: reg
    zimbraMtaCommonBlockedExtension: rm
    zimbraMtaCommonBlockedExtension: scr
    zimbraMtaCommonBlockedExtension: shb
    zimbraMtaCommonBlockedExtension: shm
    zimbraMtaCommonBlockedExtension: shs
    zimbraMtaCommonBlockedExtension: vbe
    zimbraMtaCommonBlockedExtension: vbs
    zimbraMtaCommonBlockedExtension: vbx
    zimbraMtaCommonBlockedExtension: vxd
    zimbraMtaCommonBlockedExtension: wav
    zimbraMtaCommonBlockedExtension: wmf
    zimbraMtaCommonBlockedExtension: wsf
    zimbraMtaCommonBlockedExtension: wsh
    zimbraMtaCommonBlockedExtension: xl
    zimbraMtaDnsLookupsEnabled: TRUE
    zimbraMtaMaxMessageSize: 26214400
    zimbraMtaMyDestination: localhost
    zimbraMtaRestriction: reject_invalid_hostname
    zimbraMtaSaslAuthEnable: TRUE
    zimbraMtaTlsAuthOnly: FALSE
    zimbraMtaTlsSecurityLevel: may



    The workaround is to turn on SMTP authentication on the client, but this is affecting a new install of 50 laptops where making that change is no small feat.

    Thanks,
    Adam Lavelle

  2. #2
    phoenix is online now Zimbra Consultant & Moderator

    Quote Originally Posted by adam_lavelle View Post
    Tried variety of MTA host settings of 10.0.0.0/8 10.0.0.0/24 10.0.0.198/32 ... no effect.

    That should be as follows:

    Code:
    mynetworks = 127.0.0.0/8 10.10.0.0/23

    Post the output of the following commands (run on the Zimbra server):

    Code:
    cat /etc/hosts
    cat /etc/resolv.conf
    dig yourdomain.com mx
    dig yourdomain.com any
    host `hostname` <- use that exact command with backticks not single quotes

    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  3. #3
    adam_lavelle is offline Junior Member

    postconf mynetworks
    mynetworks = 10.0.0.0/24 127.0.0.0/8

    (output modified to remove full domain name)

    zimbra@mail:/var/log$ cat /etc/hosts
    127.0.0.1 localhost
    10.0.0.10 mail.school.org mail

    zimbra@mail:/var/log$ cat /etc/resolv.conf
    nameserver 10.0.0.2

    zimbra@mail:/var/log$ dig school.org mx

    ; <<>> DiG 9.4.2-P2.1 <<>> school.org mx
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17226
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;school.org. IN MX

    ;; ANSWER SECTION:
    school.org. 3600 IN MX 10 mail.school.org.

    ;; ADDITIONAL SECTION:
    mail.school.org. 3600 IN A 10.0.0.10

    ;; Query time: 0 msec
    ;; SERVER: 10.0.0.2#53(10.0.0.2)


    zimbra@mail:/var/log$ dig school.org any

    ; <<>> DiG 9.4.2-P2.1 <<>> school.org any
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43592
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;school.org. IN ANY

    ;; ANSWER SECTION:
    school.org. 3600 IN A 10.0.0.10
    school.org. 3600 IN NS main.school.local.
    school.org. 3600 IN SOA main.school.local. hostmaster.school.local. 7 900 600 86400 3600
    school.org. 3600 IN MX 10 mail.school.org.

    ;; ADDITIONAL SECTION:
    main.school.local. 3600 IN A 10.0.0.2
    mail.school.org. 3600 IN A 10.0.0.10

    ;; Query time: 0 msec
    ;; SERVER: 10.0.0.2#53(10.0.0.2)

    zimbra@mail:/var/log$ host `hostname`
    mail.school.org has address 10.0.0.10

  4. #4
    adam_lavelle is offline Junior Member

    Since changes have been made with postconf at this point, perhaps this will help:

    zimbra@mail:/var/log$ postconf |grep smtp
    content_filter = smtp-amavis:[127.0.0.1]:10024
    default_transport = smtp
    lmtp_pix_workarounds = disable_esmtp,delay_dotcrlf
    non_smtpd_milters =
    parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps
    proxy_write_maps = $smtp_sasl_auth_cache_name $lmtp_sasl_auth_cache_name
    smtp_always_send_ehlo = yes
    smtp_bind_address =
    smtp_bind_address6 =
    smtp_body_checks =
    smtp_cname_overrides_servername = no
    smtp_connect_timeout = 30s
    smtp_connection_cache_destinations =
    smtp_connection_cache_on_demand = yes
    smtp_connection_cache_time_limit = 2s
    smtp_connection_reuse_time_limit = 300s
    smtp_data_done_timeout = 600s
    smtp_data_init_timeout = 120s
    smtp_data_xfer_timeout = 180s
    smtp_defer_if_no_mx_address_found = no
    smtp_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
    smtp_destination_concurrency_limit = $default_destination_concurrency_limit
    smtp_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
    smtp_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
    smtp_destination_rate_delay = $default_destination_rate_delay
    smtp_destination_recipient_limit = $default_destination_recipient_limit
    smtp_discard_ehlo_keyword_address_maps =
    smtp_discard_ehlo_keywords =
    smtp_enforce_tls = no
    smtp_fallback_relay = $fallback_relay
    smtp_generic_maps =
    smtp_header_checks =
    smtp_helo_name = $myhostname
    smtp_helo_timeout = 300s
    smtp_host_lookup = dns
    smtp_initial_destination_concurrency = $initial_destination_concurrency
    smtp_line_length_limit = 990
    smtp_mail_timeout = 300s
    smtp_mime_header_checks =
    smtp_mx_address_limit = 5
    smtp_mx_session_limit = 2
    smtp_nested_header_checks =
    smtp_never_send_ehlo = no
    smtp_pix_workaround_delay_time = 10s
    smtp_pix_workaround_maps =
    smtp_pix_workaround_threshold_time = 500s
    smtp_pix_workarounds = disable_esmtp,delay_dotcrlf
    smtp_quit_timeout = 300s
    smtp_quote_rfc821_envelope = yes
    smtp_randomize_addresses = yes
    smtp_rcpt_timeout = 300s
    smtp_rset_timeout = 20s
    smtp_sasl_auth_cache_name =
    smtp_sasl_auth_cache_time = 90d
    smtp_sasl_auth_enable = no
    smtp_sasl_auth_soft_bounce = yes
    smtp_sasl_mechanism_filter =
    smtp_sasl_password_maps =
    smtp_sasl_path =
    smtp_sasl_security_options = noplaintext, noanonymous
    smtp_sasl_tls_security_options = $smtp_sasl_security_options
    smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
    smtp_sasl_type = cyrus
    smtp_send_xforward_command = no
    smtp_sender_dependent_authentication = no
    smtp_skip_5xx_greeting = yes
    smtp_skip_quit_response = yes
    smtp_starttls_timeout = 300s
    smtp_tls_CAfile =
    smtp_tls_CApath =
    smtp_tls_cert_file =
    smtp_tls_ciphers = export
    smtp_tls_dcert_file =
    smtp_tls_dkey_file = $smtp_tls_dcert_file
    smtp_tls_eccert_file =
    smtp_tls_eckey_file = $smtp_tls_eccert_file
    smtp_tls_enforce_peername = yes
    smtp_tls_exclude_ciphers =
    smtp_tls_fingerprint_cert_match =
    smtp_tls_fingerprint_digest = md5
    smtp_tls_key_file = $smtp_tls_cert_file
    smtp_tls_loglevel = 0
    smtp_tls_mandatory_ciphers = medium
    smtp_tls_mandatory_exclude_ciphers =
    smtp_tls_mandatory_protocols = SSLv3, TLSv1
    smtp_tls_note_starttls_offer = no
    smtp_tls_per_site =
    smtp_tls_policy_maps =
    smtp_tls_protocols = !SSLv2
    smtp_tls_scert_verifydepth = 9
    smtp_tls_secure_cert_match = nexthop, dot-nexthop
    smtp_tls_security_level =
    smtp_tls_session_cache_database =
    smtp_tls_session_cache_timeout = 3600s
    smtp_tls_verify_cert_match = hostname
    smtp_use_tls = no
    smtp_xforward_timeout = 300s
    smtpd_authorized_verp_clients = $authorized_verp_clients
    smtpd_authorized_xclient_hosts =
    smtpd_authorized_xforward_hosts =
    smtpd_banner = $myhostname ESMTP $mail_name
    smtpd_client_connection_count_limit = 50
    smtpd_client_connection_rate_limit = 0
    smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}
    smtpd_client_message_rate_limit = 0
    smtpd_client_new_tls_session_rate_limit = 0
    smtpd_client_port_logging = no
    smtpd_client_recipient_rate_limit = 0
    smtpd_client_restrictions = reject_unauth_pipelining
    smtpd_data_restrictions = reject_unauth_pipelining
    smtpd_delay_open_until_valid_rcpt = yes
    smtpd_delay_reject = yes
    smtpd_discard_ehlo_keyword_address_maps =
    smtpd_discard_ehlo_keywords =
    smtpd_end_of_data_restrictions =
    smtpd_enforce_tls = no
    smtpd_error_sleep_time = 1s
    smtpd_etrn_restrictions =
    smtpd_expansion_filter = \t\40!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~
    smtpd_forbidden_commands = CONNECT GET POST
    smtpd_hard_error_limit = ${stress?1}${stress:20}
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_mynetworks
    smtpd_history_flush_threshold = 100
    smtpd_junk_command_limit = ${stress?1}${stress:100}
    smtpd_milters =
    smtpd_noop_commands =
    smtpd_null_access_lookup_key = <>
    smtpd_peername_lookup = yes
    smtpd_policy_service_max_idle = 300s
    smtpd_policy_service_max_ttl = 1000s
    smtpd_policy_service_timeout = 100s
    smtpd_proxy_ehlo = $myhostname
    smtpd_proxy_filter =
    smtpd_proxy_timeout = 100s
    smtpd_recipient_limit = 1000
    smtpd_recipient_overshoot_limit = 1000
    smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, permit
    smtpd_reject_unlisted_recipient = no
    smtpd_reject_unlisted_sender = no
    smtpd_restriction_classes =
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = no
    smtpd_sasl_exceptions_networks =
    smtpd_sasl_local_domain =
    smtpd_sasl_path = smtpd
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
    smtpd_sasl_type = cyrus
    smtpd_sender_login_maps =
    smtpd_sender_restrictions =
    smtpd_soft_error_limit = 10
    smtpd_starttls_timeout = 300s
    smtpd_timeout = ${stress?10}${stress:300}s
    smtpd_tls_CAfile =
    smtpd_tls_CApath =
    smtpd_tls_always_issue_session_ids = yes
    smtpd_tls_ask_ccert = no
    smtpd_tls_auth_only = no
    smtpd_tls_ccert_verifydepth = 9
    smtpd_tls_cert_file = /opt/zimbra/conf/smtpd.crt
    smtpd_tls_ciphers = export
    smtpd_tls_dcert_file =
    smtpd_tls_dh1024_param_file =
    smtpd_tls_dh512_param_file =
    smtpd_tls_dkey_file = $smtpd_tls_dcert_file
    smtpd_tls_eccert_file =
    smtpd_tls_eckey_file = $smtpd_tls_eccert_file
    smtpd_tls_eecdh_grade = none
    smtpd_tls_exclude_ciphers =
    smtpd_tls_fingerprint_digest = md5
    smtpd_tls_key_file = /opt/zimbra/conf/smtpd.key
    smtpd_tls_loglevel = 1
    smtpd_tls_mandatory_ciphers = medium
    smtpd_tls_mandatory_exclude_ciphers =
    smtpd_tls_mandatory_protocols = SSLv3, TLSv1
    smtpd_tls_protocols =
    smtpd_tls_received_header = no
    smtpd_tls_req_ccert = no
    smtpd_tls_security_level = may
    smtpd_tls_session_cache_database =
    smtpd_tls_session_cache_timeout = 3600s
    smtpd_tls_wrappermode = no
    smtpd_use_tls = no

  5. #5
    adam_lavelle is offline Junior Member

    Well after about 8 hours of troubleshooting, I did a telnet test of SMTP from one of the machines having trouble, and it worked.

    After scratching my head for a second, I reviewed the client settings for the millionth time and realized they had changed the SMTP port from 25 to 587.

    Sure enough, telnet to port 587 - after the rcpt to: command, it generates the 554 5.7.1 error.

    So - I guess my question now becomes: is there a way to allow authenticated and non-authenticated SMTP connections on port 587, as I assume this is the real issue?

    Thanks

  6. #6
    adam_lavelle is offline Junior Member

    In fact I bet it relates to this in the master.cf


    submission inet n - n - - smtpd
      -o smtpd_etrn_restrictions=reject
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o smtpd_tls_security_level=may

    I suspect if I edit the smtpd_client_restrictions to permit_mynetworks that would solve the problem.

    Not sure how to do that, since if I edit the file and do a postfix reload it reverts back.

    Thanks

  7. #7
    adam_lavelle is offline Junior Member

    Hooray!!! A forum search suggested I need to edit the master.cf.in.

    Adjusting "submission" to include permit_mynetworks solved the problem.

    I'd almost chalk this up to being a bug, since 587 and 25 should operate the same by default in respect to the allow networks.

    Next question becomes, will it stick across version upgrades?

    Thanks.
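
Why the same unauthenticated client inside mynetworks gets through on port 25 but is rejected on 587, as an added example that is not part of the original posts: it parses the `-o` overrides of a master.cf fragment and evaluates `smtpd_client_restrictions` per listener. The `smtp` line, the helper names, and the modelling of only three restrictions are assumptions; the other values are taken from the output posted above.

```python
import ipaddress
import shlex

# Constructed sample: main.cf values and the submission entry quoted in the thread.
MAIN_CF = {"mynetworks": "10.0.0.0/24 127.0.0.0/8",
           "smtpd_client_restrictions": "reject_unauth_pipelining"}
MASTER_CF = """\
smtp       inet n - n - - smtpd
submission inet n - n - - smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_tls_security_level=may
"""

def parse_master_cf(text):
    """Return {service: {param: value}} built from each entry's -o overrides."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        tokens = shlex.split(line)
        if not line[0].isspace():          # new entry: 7 fields, command, then args
            current = services.setdefault(tokens[0], {})
            tokens = tokens[8:]
        if current is None:                # continuation line with no entry before it
            continue
        for flag, arg in zip(tokens, tokens[1:]):
            if flag == "-o" and "=" in arg:
                key, value = arg.split("=", 1)
                current[key] = value
    return services

def client_decision(overrides, client_ip, sasl_authenticated):
    """Outcome of smtpd_client_restrictions for one client; first match wins.
    Only three restrictions are modelled (an assumption of this sketch)."""
    effective = {**MAIN_CF, **overrides}   # -o overrides replace main.cf values
    nets = [ipaddress.ip_network(n) for n in effective["mynetworks"].split()]
    trusted = any(ipaddress.ip_address(client_ip) in n for n in nets)
    for rule in effective["smtpd_client_restrictions"].replace(",", " ").split():
        if rule == "permit_sasl_authenticated" and sasl_authenticated:
            return "permit"
        if rule == "permit_mynetworks" and trusted:
            return "permit"
        if rule == "reject":
            return "reject"                # logged as "Client host rejected: Access denied"
    return "dunno"                         # undecided; later restriction lists decide

def audit(client_ip="10.0.0.198"):
    """Decision per listener for an unauthenticated client at client_ip."""
    return {name: client_decision(o, client_ip, False)
            for name, o in parse_master_cf(MASTER_CF).items()}
```

On port 25 the client list leaves the decision to `smtpd_recipient_restrictions`, where `permit_mynetworks` accepts the client; on 587 the override's final `reject` ends evaluation first. Running the same check over an edited submission entry shows which addresses gain unauthenticated relay on 587.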

  8. #8
    veronica is offline Outstanding Member

    Zimbra doesn't use the submission port, so this is a customization you have done which needs to be taken care of in each upgrade.

  9. #9
    phoenix is online now Zimbra Consultant & Moderator

    Quote Originally Posted by veronica View Post
    Zimbra doesn't use the submission port, so this is a customization you have done which needs to be taken care of in each upgrade.

    It was changed in version 6 and is now available without modification and will persist over upgrades.

    Regards


    Bill


