  #1 (permalink)  
Old 02-15-2010, 08:43 AM
Junior Member
 
Posts: 6
Outlook with no SMTP authentication, within my_networks = 554 5.7.1 Client host rejec

Outlook 2003/2007 clients set up with non-authenticated SMTP within the my_networks range produce the error of:

Zimbra.log:
Feb 15 01:39:29 mail postfix/smtpd[29573]: connect from unknown[10.0.0.198]
Feb 15 01:39:30 mail postfix/smtpd[29573]: NOQUEUE: reject: RCPT from unknown[10.0.0.198]: 554 5.7.1 <unknown[10.0.0.198]>: Client host rejected: Access denied; from=<user@domain.org> to=<user@domain.com> proto=ESMTP helo=<NCSLP025>

Client:
554 5.7.1 <unknown[10.0.0.198]>: Client host rejected: Access denied

Tried a variety of MTA host settings of 10.0.0.0/8 10.0.0.0/24 10.0.0.198/32 ... no effect.
Turned off protocol and dns checks.

For reference:

Version: zcs-NETWORK-6.0.5_GA_2213.UBUNTU8_64

zimbra@mail:/var/log$ zmprov gacf|grep Mta
zimbraMtaAntiSpamLockMethod: flock
zimbraMtaAuthEnabled: TRUE
zimbraMtaAuthTarget: FALSE
zimbraMtaBlockedExtensionWarnAdmin: TRUE
zimbraMtaBlockedExtensionWarnRecipient: TRUE
zimbraMtaCommonBlockedExtension: asd
zimbraMtaCommonBlockedExtension: bat
zimbraMtaCommonBlockedExtension: chm
zimbraMtaCommonBlockedExtension: cmd
zimbraMtaCommonBlockedExtension: com
zimbraMtaCommonBlockedExtension: dll
zimbraMtaCommonBlockedExtension: do
zimbraMtaCommonBlockedExtension: exe
zimbraMtaCommonBlockedExtension: hlp
zimbraMtaCommonBlockedExtension: hta
zimbraMtaCommonBlockedExtension: js
zimbraMtaCommonBlockedExtension: jse
zimbraMtaCommonBlockedExtension: lnk
zimbraMtaCommonBlockedExtension: mov
zimbraMtaCommonBlockedExtension: ocx
zimbraMtaCommonBlockedExtension: pif
zimbraMtaCommonBlockedExtension: reg
zimbraMtaCommonBlockedExtension: rm
zimbraMtaCommonBlockedExtension: scr
zimbraMtaCommonBlockedExtension: shb
zimbraMtaCommonBlockedExtension: shm
zimbraMtaCommonBlockedExtension: shs
zimbraMtaCommonBlockedExtension: vbe
zimbraMtaCommonBlockedExtension: vbs
zimbraMtaCommonBlockedExtension: vbx
zimbraMtaCommonBlockedExtension: vxd
zimbraMtaCommonBlockedExtension: wav
zimbraMtaCommonBlockedExtension: wmf
zimbraMtaCommonBlockedExtension: wsf
zimbraMtaCommonBlockedExtension: wsh
zimbraMtaCommonBlockedExtension: xl
zimbraMtaDnsLookupsEnabled: TRUE
zimbraMtaMaxMessageSize: 26214400
zimbraMtaMyDestination: localhost
zimbraMtaRestriction: reject_invalid_hostname
zimbraMtaSaslAuthEnable: TRUE
zimbraMtaTlsAuthOnly: FALSE
zimbraMtaTlsSecurityLevel: may



The workaround is to turn on SMTP authentication on the client, but this is affecting a new install of 50 laptops where making that change is no small feat.

Thanks,
Adam Lavelle
  #2 (permalink)  
Old 02-15-2010, 08:50 AM
Zimbra Consultant & Moderator
 
Posts: 20,312

Quote:
Originally Posted by adam_lavelle
Tried a variety of MTA host settings of 10.0.0.0/8 10.0.0.0/24 10.0.0.198/32 ... no effect.
That should be as follows:

Code:
mynetworks = 127.0.0.0/8 10.10.0.0/23
Post the output of the following commands (run on the Zimbra server):

Code:
cat /etc/hosts
cat /etc/resolv.conf
dig yourdomain.com mx
dig yourdomain.com any
host `hostname`    # use that exact command, with backticks, not single quotes
__________________
Regards


Bill
  #3 (permalink)  
Old 02-15-2010, 09:57 AM
Junior Member
 
Posts: 6

postconf mynetworks
mynetworks = 10.0.0.0/24 127.0.0.0/8

(output modified to remove full domain name)

zimbra@mail:/var/log$ cat /etc/hosts
127.0.0.1 localhost
10.0.0.10 mail.school.org mail

zimbra@mail:/var/log$ cat /etc/resolv.conf
nameserver 10.0.0.2

zimbra@mail:/var/log$ dig school.org mx

; <<>> DiG 9.4.2-P2.1 <<>> school.org mx
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17226
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;school.org. IN MX

;; ANSWER SECTION:
school.org. 3600 IN MX 10 mail.school.org.

;; ADDITIONAL SECTION:
mail.school.org. 3600 IN A 10.0.0.10

;; Query time: 0 msec
;; SERVER: 10.0.0.2#53(10.0.0.2)


zimbra@mail:/var/log$ dig school.org any

; <<>> DiG 9.4.2-P2.1 <<>> school.org any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43592
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;school.org. IN ANY

;; ANSWER SECTION:
school.org. 3600 IN A 10.0.0.10
school.org. 3600 IN NS main.school.local.
school.org. 3600 IN SOA main.school.local. hostmaster.school.local. 7 900 600 86400 3600
school.org. 3600 IN MX 10 mail.school.org.

;; ADDITIONAL SECTION:
main.school.local. 3600 IN A 10.0.0.2
mail.school.org. 3600 IN A 10.0.0.10

;; Query time: 0 msec
;; SERVER: 10.0.0.2#53(10.0.0.2)

zimbra@mail:/var/log$ host `hostname`
mail.school.org has address 10.0.0.10
  #4 (permalink)  
Old 02-15-2010, 09:59 AM
Junior Member
 
Posts: 6

Since changes have been made with postconf at this point, perhaps this will help

zimbra@mail:/var/log$ postconf |grep smtp
content_filter = smtp-amavis:[127.0.0.1]:10024
default_transport = smtp
lmtp_pix_workarounds = disable_esmtp,delay_dotcrlf
non_smtpd_milters =
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps
proxy_write_maps = $smtp_sasl_auth_cache_name $lmtp_sasl_auth_cache_name
smtp_always_send_ehlo = yes
smtp_bind_address =
smtp_bind_address6 =
smtp_body_checks =
smtp_cname_overrides_servername = no
smtp_connect_timeout = 30s
smtp_connection_cache_destinations =
smtp_connection_cache_on_demand = yes
smtp_connection_cache_time_limit = 2s
smtp_connection_reuse_time_limit = 300s
smtp_data_done_timeout = 600s
smtp_data_init_timeout = 120s
smtp_data_xfer_timeout = 180s
smtp_defer_if_no_mx_address_found = no
smtp_destination_concurrency_failed_cohort_limit = $default_destination_concurrency_failed_cohort_limit
smtp_destination_concurrency_limit = $default_destination_concurrency_limit
smtp_destination_concurrency_negative_feedback = $default_destination_concurrency_negative_feedback
smtp_destination_concurrency_positive_feedback = $default_destination_concurrency_positive_feedback
smtp_destination_rate_delay = $default_destination_rate_delay
smtp_destination_recipient_limit = $default_destination_recipient_limit
smtp_discard_ehlo_keyword_address_maps =
smtp_discard_ehlo_keywords =
smtp_enforce_tls = no
smtp_fallback_relay = $fallback_relay
smtp_generic_maps =
smtp_header_checks =
smtp_helo_name = $myhostname
smtp_helo_timeout = 300s
smtp_host_lookup = dns
smtp_initial_destination_concurrency = $initial_destination_concurrency
smtp_line_length_limit = 990
smtp_mail_timeout = 300s
smtp_mime_header_checks =
smtp_mx_address_limit = 5
smtp_mx_session_limit = 2
smtp_nested_header_checks =
smtp_never_send_ehlo = no
smtp_pix_workaround_delay_time = 10s
smtp_pix_workaround_maps =
smtp_pix_workaround_threshold_time = 500s
smtp_pix_workarounds = disable_esmtp,delay_dotcrlf
smtp_quit_timeout = 300s
smtp_quote_rfc821_envelope = yes
smtp_randomize_addresses = yes
smtp_rcpt_timeout = 300s
smtp_rset_timeout = 20s
smtp_sasl_auth_cache_name =
smtp_sasl_auth_cache_time = 90d
smtp_sasl_auth_enable = no
smtp_sasl_auth_soft_bounce = yes
smtp_sasl_mechanism_filter =
smtp_sasl_password_maps =
smtp_sasl_path =
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
smtp_sasl_type = cyrus
smtp_send_xforward_command = no
smtp_sender_dependent_authentication = no
smtp_skip_5xx_greeting = yes
smtp_skip_quit_response = yes
smtp_starttls_timeout = 300s
smtp_tls_CAfile =
smtp_tls_CApath =
smtp_tls_cert_file =
smtp_tls_ciphers = export
smtp_tls_dcert_file =
smtp_tls_dkey_file = $smtp_tls_dcert_file
smtp_tls_eccert_file =
smtp_tls_eckey_file = $smtp_tls_eccert_file
smtp_tls_enforce_peername = yes
smtp_tls_exclude_ciphers =
smtp_tls_fingerprint_cert_match =
smtp_tls_fingerprint_digest = md5
smtp_tls_key_file = $smtp_tls_cert_file
smtp_tls_loglevel = 0
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers =
smtp_tls_mandatory_protocols = SSLv3, TLSv1
smtp_tls_note_starttls_offer = no
smtp_tls_per_site =
smtp_tls_policy_maps =
smtp_tls_protocols = !SSLv2
smtp_tls_scert_verifydepth = 9
smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_security_level =
smtp_tls_session_cache_database =
smtp_tls_session_cache_timeout = 3600s
smtp_tls_verify_cert_match = hostname
smtp_use_tls = no
smtp_xforward_timeout = 300s
smtpd_authorized_verp_clients = $authorized_verp_clients
smtpd_authorized_xclient_hosts =
smtpd_authorized_xforward_hosts =
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 0
smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}
smtpd_client_message_rate_limit = 0
smtpd_client_new_tls_session_rate_limit = 0
smtpd_client_port_logging = no
smtpd_client_recipient_rate_limit = 0
smtpd_client_restrictions = reject_unauth_pipelining
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_open_until_valid_rcpt = yes
smtpd_delay_reject = yes
smtpd_discard_ehlo_keyword_address_maps =
smtpd_discard_ehlo_keywords =
smtpd_end_of_data_restrictions =
smtpd_enforce_tls = no
smtpd_error_sleep_time = 1s
smtpd_etrn_restrictions =
smtpd_expansion_filter = \t\40!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~
smtpd_forbidden_commands = CONNECT GET POST
smtpd_hard_error_limit = ${stress?1}${stress:20}
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks
smtpd_history_flush_threshold = 100
smtpd_junk_command_limit = ${stress?1}${stress:100}
smtpd_milters =
smtpd_noop_commands =
smtpd_null_access_lookup_key = <>
smtpd_peername_lookup = yes
smtpd_policy_service_max_idle = 300s
smtpd_policy_service_max_ttl = 1000s
smtpd_policy_service_timeout = 100s
smtpd_proxy_ehlo = $myhostname
smtpd_proxy_filter =
smtpd_proxy_timeout = 100s
smtpd_recipient_limit = 1000
smtpd_recipient_overshoot_limit = 1000
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, permit
smtpd_reject_unlisted_recipient = no
smtpd_reject_unlisted_sender = no
smtpd_restriction_classes =
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_exceptions_networks =
smtpd_sasl_local_domain =
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = cyrus
smtpd_sender_login_maps =
smtpd_sender_restrictions =
smtpd_soft_error_limit = 10
smtpd_starttls_timeout = 300s
smtpd_timeout = ${stress?10}${stress:300}s
smtpd_tls_CAfile =
smtpd_tls_CApath =
smtpd_tls_always_issue_session_ids = yes
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = no
smtpd_tls_ccert_verifydepth = 9
smtpd_tls_cert_file = /opt/zimbra/conf/smtpd.crt
smtpd_tls_ciphers = export
smtpd_tls_dcert_file =
smtpd_tls_dh1024_param_file =
smtpd_tls_dh512_param_file =
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
smtpd_tls_eccert_file =
smtpd_tls_eckey_file = $smtpd_tls_eccert_file
smtpd_tls_eecdh_grade = none
smtpd_tls_exclude_ciphers =
smtpd_tls_fingerprint_digest = md5
smtpd_tls_key_file = /opt/zimbra/conf/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers =
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_protocols =
smtpd_tls_received_header = no
smtpd_tls_req_ccert = no
smtpd_tls_security_level = may
smtpd_tls_session_cache_database =
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_wrappermode = no
smtpd_use_tls = no
  #5 (permalink)  
Old 02-15-2010, 10:31 AM
Junior Member
 
Posts: 6

Well after about 8 hours of troubleshooting, I did a telnet test of SMTP from one of the machines having trouble, and it worked.

After scratching my head for a second, I reviewed the client settings for the millionth time to realize they had changed the SMTP port from 25 to 587.

Sure enough, telnet to port 587 - after the rcpt to: command, it generates the 554 5.7.1 error.

So - I guess my question now becomes: is there a way to allow authenticated and non-authenticated SMTP connections on port 587, as I assume this is the real issue?

Thanks
  #6 (permalink)  
Old 02-15-2010, 02:49 PM
Junior Member
 
Posts: 6

In fact I bet it relates to this in the master.cf


submission inet n - n - - smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_tls_security_level=may

I suspect if I edit the smtpd_client_restrictions to permit_mynetworks that would solve the problem.

Not sure how to do that, since if I edit the file and do a postfix reload it reverts back.

Thanks
  #7 (permalink)  
Old 02-15-2010, 02:55 PM
Junior Member
 
Posts: 6

Hooray!!! A forum search suggested I need to edit the master.cf.in

adjusting "submission" to include permit_mynetworks solved the problem.

I'd almost chalk this up to being a bug, since 587 and 25 should operate the same by default in respect to the allow networks.

Next question becomes, will it stick across version upgrades?

Thanks.
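The port 25 versus port 587 difference worked out in posts #5 to #7, as an added example (not code from the thread, Zimbra or Postfix): a small Python model that reads the `-o` overrides from a master.cf text and evaluates `smtpd_client_restrictions` for one client. The main.cf/master.cf samples are constructed from the values posted above, and only the three rules seen in the thread are modelled.

```python
import ipaddress

# Constructed inputs, modelled on the values posted in this thread.
MAIN_CF = {"mynetworks": "10.0.0.0/24 127.0.0.0/8",
           "smtpd_client_restrictions": "reject_unauth_pipelining"}
MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_tls_security_level=may
"""
# Same text with the change described in post #7.
MASTER_CF_FIXED = MASTER_CF.replace(
    "permit_sasl_authenticated,reject",
    "permit_sasl_authenticated,permit_mynetworks,reject")

def service_overrides(master_cf):
    """Map each service name to the name=value pairs given with -o."""
    services, current = {}, None
    for line in master_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        words = line.split()
        if not line[0].isspace():          # a new service entry starts in column 1
            current = words[0]
            services[current] = {}
        for flag, arg in zip(words, words[1:]):
            if flag == "-o" and "=" in arg and current is not None:
                name, value = arg.split("=", 1)
                services[current][name] = value
    return services

def client_decision(service, client_ip, authenticated, master_cf=MASTER_CF):
    """Walk smtpd_client_restrictions left to right; the first match decides."""
    params = {**MAIN_CF, **service_overrides(master_cf).get(service, {})}
    nets = [ipaddress.ip_network(n) for n in params["mynetworks"].split()]
    in_mynetworks = any(ipaddress.ip_address(client_ip) in n for n in nets)
    for rule in params["smtpd_client_restrictions"].replace(",", " ").split():
        if rule == "permit_sasl_authenticated" and authenticated:
            return "permit"
        if rule == "permit_mynetworks" and in_mynetworks:
            return "permit"
        if rule == "reject":
            return "554 5.7.1 Client host rejected: Access denied"
    return "dunno"  # nothing matched here; the later restriction lists decide
```

With `permit_mynetworks` in the override, every host inside `mynetworks` can submit on 587 without authenticating, so the range configured there defines who gets unauthenticated relay on that port.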
  #8 (permalink)  
Old 02-17-2010, 10:54 AM
Outstanding Member
 
Posts: 594

Zimbra doesn't use the submission port, so this is a customization you have done which needs to be taken care of in each upgrade.
  #9 (permalink)  
Old 02-18-2010, 12:42 AM
Zimbra Consultant & Moderator
 
Posts: 20,312

Quote:
Originally Posted by veronica
Zimbra doesn't use the submission port, so this is a customization you have done which needs to be taken care of in each upgrade.
It was changed in version 6 and is now available without modification and will persist over upgrades.
__________________
Regards


Bill