
Thread: [SOLVED] Too many "Relay access denied"

  1. #1
    marsobe is offline New Member

    Hello Everybody,
    for a couple of weeks I've been receiving a lot of "Relay access denied" from many clients.

    Like this:
    Jul 30 17:42:31 zimbra postfix/smtpd[23611]: NOQUEUE: reject: RCPT from pro75-1-81-57-58-174.fbx.proxad.net[81.57.58.174]: 554 5.7.1 <harrisondd@larestaurant.com>: Relay access denied; from=<burgled@4felines.freeserve.co.uk> to=<harrisondd@larestaurant.com> proto=ESMTP helo=<pro75-1-81-57-58-174.fbx.proxad.net>
    Jul 30 17:42:31 zimbra postfix/smtpd[23611]: NOQUEUE: reject: RCPT from pro75-1-81-57-58-174.fbx.proxad.net[81.57.58.174]: 554 5.7.1 <hatchernn@larestaurant.com>: Relay access denied; from=<burgled@4felines.freeserve.co.uk> to=<hatchernn@larestaurant.com> proto=ESMTP helo=<pro75-1-81-57-58-174.fbx.proxad.net>
    Jul 30 17:42:32 zimbra postfix/smtpd[23611]: NOQUEUE: reject: RCPT from pro75-1-81-57-58-174.fbx.proxad.net[81.57.58.174]: 554 5.7.1 <haskinsdd@larestaurant.com>: Relay access denied; from=<enamor056@7dealsaweek.com> to=<haskinsdd@larestaurant.com> proto=ESMTP helo=<pro75-1-81-57-58-174.fbx.proxad.net>
    Jul 30 17:42:32 zimbra postfix/smtpd[23611]: NOQUEUE: reject: RCPT from pro75-1-81-57-58-174.fbx.proxad.net[81.57.58.174]: 554 5.7.1 <haskinsi@larestaurant.com>: Relay access denied; from=<enamor056@7dealsaweek.com> to=<haskinsi@larestaurant.com> proto=ESMTP helo=<pro75-1-81-57-58-174.fbx.proxad.net>
    Jul 30 17:42:32 zimbra postfix/smtpd[23611]: NOQUEUE: reject: RCPT from pro75-1-81-57-58-174.fbx.proxad.net[81.57.58.174]: 554 5.7.1 <hastings@larestaurant.com>: Relay access denied; from=<enamor056@7dealsaweek.com> to=<hastings@larestaurant.com> proto=ESMTP helo=<pro75-1-81-57-58-174.fbx.proxad.net>
    Jul 30 17:42:32 zimbra postfix/smtpd[23611]: NOQUEUE: reject: RCPT from pro75-1-81-57-58-174.fbx.proxad.net[81.57.58.174]: 554 5.7.1 <hatch@larestaurant.com>: Relay access denied; from=<enamor056@7dealsaweek.com> to=<hatch@larestaurant.com> proto=ESMTP helo=<pro75-1-81-57-58-174.fbx.proxad.net>
    Jul 30 17:42:32 zimbra postfix/smtpd[22231]: NOQUEUE: reject: RCPT from pro75-1-81-57-58-174.fbx.proxad.net[81.57.58.174]: 554 5.7.1 <harveynn@larestaurant.com>: Relay access denied; from=<shinning94@91932.com> to=<harveynn@larestaurant.com> proto=ESMTP helo=<pro75-1-81-57-58-174.fbx.proxad.net>
    Jul 30 17:42:33 zimbra postfix/smtpd[23611]: NOQUEUE: reject: RCPT from pro75-1-81-57-58-174.fbx.proxad.net[81.57.58.174]: 554 5.7.1 <hatchd@larestaurant.com>: Relay access denied; from=<enamor056@7dealsaweek.com> to=<hatchd@larestaurant.com> proto=ESMTP helo=<pro75-1-81-57-58-174.fbx.proxad.net>
    Jul 30 17:42:33 zimbra postfix/smtpd[22231]: NOQUEUE: reject: RCPT from pro75-1-81-57-58-174.fbx.proxad.net[81.57.58.174]: 554 5.7.1 <haskins@larestaurant.com>: Relay access denied; from=<shinning94@91932.com> to=<haskins@larestaurant.com> proto=ESMTP helo=<pro75-1-81-57-58-174.fbx.proxad.net>
    Jul 30 17:42:33 zimbra postfix/smtpd[22232]: connect from unknown[196.44.195.138]
    Jul 30 17:42:34 zimbra postfix/smtpd[23611]: NOQUEUE: reject: RCPT from pro75-1-81-57-58-174.fbx.proxad.net[81.57.58.174]: 554 5.7.1 <hatchdd@larestaurant.com>: Relay access denied; from=<enamor056@7dealsaweek.com> to=<hatchdd@larestaurant.com> proto=ESMTP helo=<pro75-1-81-57-58-174.fbx.proxad.net>
    Jul 30 17:42:34 zimbra postfix/smtpd[22232]: NOQUEUE: reject: RCPT from unknown[196.44.195.138]: 554 5.7.1 <mccawleya@vivia.com>: Relay access denied; from=<bootlegkv5@pantrennwand.com> to=<mccawleya@vivia.com> proto=ESMTP helo=<VXIDRLQ>
    Jul 30 17:42:34 zimbra postfix/smtpd[22232]: NOQUEUE: reject: RCPT from unknown[196.44.195.138]: 554 5.7.1 <mccawleya@vivia.com>: Relay access denied; from=<orderingb040@tukana.com> to=<mccawleya@vivia.com> proto=ESMTP helo=<VXIDRLQ>
    Jul 30 17:42:34 zimbra postfix/smtpd[22232]: NOQUEUE: reject: RCPT from unknown[196.44.195.138]: 554 5.7.1 <mccord@lbvsd.org>: Relay access denied; from=<orderingb040@tukana.com> to=<mccord@lbvsd.org> proto=ESMTP helo=<VXIDRLQ>
    Jul 30 17:42:34 zimbra postfix/smtpd[22232]: NOQUEUE: reject: RCPT from unknown[196.44.195.138]: 554 5.7.1 <mcclychiari@iwado.com>: Relay access denied; from=<orderingb040@tukana.com> to=<mcclychiari@iwado.com> proto=ESMTP helo=<VXIDRLQ>
    Jul 30 17:42:34 zimbra postfix/smtpd[22232]: NOQUEUE: reject: RCPT from unknown[196.44.195.138]: 554 5.7.1 <mcclydemage@bbsdocumentary.com>: Relay access denied; from=<orderingb040@tukana.com> to=<mcclydemage@bbsdocumentary.com> proto=ESMTP helo=<VXIDRLQ>
    Jul 30 17:42:34 zimbra postfix/smtpd[22232]: NOQUEUE: reject: RCPT from unknown[196.44.195.138]: 554 5.7.1 <mccawley@davero.com>: Relay access denied; from=<orderingb040@tukana.com> to=<mccawley@davero.com> proto=ESMTP helo=<VXIDRLQ>
    Jul 30 17:42:34 zimbra postfix/smtpd[22232]: NOQUEUE: reject: RCPT from unknown[196.44.195.138]: 554 5.7.1 <mccray@amaerospace.com>: Relay access denied; from=<orderingb040@tukana.com> to=<mccray@amaerospace.com> proto=ESMTP helo=<VXIDRLQ>
    Jul 30 17:42:34 zimbra postfix/smtpd[22232]: NOQUEUE: reject: RCPT from unknown[196.44.195.138]: 554 5.7.1 <mccray@alboran.ual.es>: Relay access denied; from=<orderingb040@tukana.com> to=<mccray@alboran.ual.es> proto=ESMTP helo=<VXIDRLQ>
    Jul 30 17:42:34 zimbra postfix/smtpd[22232]: NOQUEUE: reject: RCPT from unknown[196.44.195.138]: 554 5.7.1 <mccrayigmccray@alboran.ual.es>: Relay access denied; from=<orderingb040@tukana.com> to=<mccrayigmccray@alboran.ual.es> proto=ESMTP helo=<VXIDRLQ>
    Jul 30 17:42:34 zimbra postfix/smtpd[22232]: NOQUEUE: reject: RCPT from unknown[196.44.195.138]: 554 5.7.1 <mccray@alldirect.com>: Relay access denied; from=<orderingb040@tukana.com> to=<mccray@alldirect.com> proto=ESMTP helo=<VXIDRLQ>
    Jul 30 17:42:35 zimbra postfix/smtpd[22232]: NOQUEUE: reject: RCPT from unknown[196.44.195.138]: 554 5.7.1 <mccray@altmann.com>: Relay access denied; from=<orderingb040@tukana.com> to=<mccray@altmann.com> proto=ESMTP helo=<VXIDRLQ>
    Jul 30 17:42:37 zimbra postfix/smtpd[22231]: NOQUEUE: reject: RCPT from pro75-1-81-57-58-174.fbx.proxad.net[81.57.58.174]: 554 5.7.1 <hatcher@larestaurant.com>: Relay access denied; from=<ardorby4@3sixtymedia.com> to=<hatcher@larestaurant.com> proto=ESMTP helo=<pro75-1-81-57-58-174.fbx.proxad.net>


    Is it possible to block IPs trying to relay with my server?

    Thanks.

  2. #2
    dalmate is offline Elite Member

    do not need.

  3. #3
    marsobe is offline New Member

    Quote (originally posted by dalmate):
        do not need.

    I'm receiving 10MB of log each day, it looks like a DOS attack from a lot of different IPs.

    Definitively blocking these IPs would be much better.

  4. #4
    phoenix is online now Zimbra Consultant & Moderator

    I'd have to ask why you're seeing that many messages in the logs? Have you modified the Kill/Tag percentages, have you modified the anti-spam settings, do you use any RBLs, do you discard mail sent to invalid addresses? All of those will offer you some respite from spam; you need to post further information about your configuration and search the forums and wiki for some additional techniques.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  5. #5
    marsobe is offline New Member

    I've default Anti Spam settings and RBLs activated:

    Code:
    zimbra@zimbra:/root$ zmprov gacf | grep zimbraMtaRestriction
    zimbraMtaRestriction: reject_invalid_hostname
    zimbraMtaRestriction: reject_non_fqdn_hostname
    zimbraMtaRestriction: reject_non_fqdn_sender
    zimbraMtaRestriction: reject_rbl_client dnsbl.njabl.org
    zimbraMtaRestriction: reject_rbl_client cbl.abuseat.org
    zimbraMtaRestriction: reject_rbl_client bl.spamcop.net
    zimbraMtaRestriction: reject_rbl_client dnsbl.sorbs.net
    zimbraMtaRestriction: reject_rbl_client sbl.spamhaus.org
    zimbraMtaRestriction: reject_rbl_client relays.mail-abuse.org
    I receive 30 attempts to relay from one IP, then:

    Code:
    Jul 31 12:27:12 zimbra postfix/smtpd[16979]: too many errors after RCPT from unknown[174.46.159.50]
    Jul 31 12:27:12 zimbra postfix/smtpd[16979]: disconnect from unknown[174.46.159.50]
    And then another IP starts to try relaying.


    In this situation the mail queue is empty, so I think the server is well configured. I'm worried about the intensive unwanted external activities.

  6. #6
    phoenix is online now Zimbra Consultant & Moderator

    I'd suggest that the first thing you should look at is your RBL list. I believe you'll get better results if you use the zen.spamhaus.org RBL (it includes all the RBL lists) rather than the one you've got and it should be placed first in your list. I find it strange that some of those IPs don't get rejected (and I don't have an answer as to 'why') when they fail a multi-RBL check, for instance there's one here: MSRBL - Multi RBL Checker - try it for the other IPs and see if they're listed. FWIW I only use the following restrictions:

    Code:
    zimbraMtaRestriction: reject_invalid_hostname
    zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org
    zimbraMtaRestriction: reject_rbl_client psbl.surriel.com
    zimbraMtaRestriction: reject_rbl_client dnsbl.dronebl.org
    zimbraMtaRestriction: reject_rbl_client bl.spameatingmonkey.net
    I see very little spam on my server and almost no relay attempts (that get through) and spamhaus block the vast majority of the spam. As I mentioned earlier I also reject mail sent to invalid addresses - you can find more details in the wiki in the article on improving the anti-spam system.
    Regards


    Bill



  7. #7
    imx
    imx is offline Special Member

    The others are missing the point... I use fail2ban, if you're using KiddieOS (Ubuntu) this is fairly easy. Just configure the postfix module as follows and point it at the fail log:


    [postfix]
    enabled = true
    port = smtp,ssmtp
    filter = postfix
    maxretry = 2
    bantime = 86400
    findtime = 600
    action = %(action_mwl)s
    logpath = /var/log/mail.log

    This works perfectly and lowered the load on my server significantly.

  8. #8
    imx
    imx is offline Special Member

    From the postfix filter file in fail2ban, this regex bans via iptables the exact issue you're seeing - excessive 554 errors:

    failregex = reject: RCPT from (.*)\[<HOST>\]: 554
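
How the jail settings and the failregex from the two posts above interact, as an added example that is not part of the original posts and is not fail2ban's own code. It assumes a simplified IPv4-only stand-in for fail2ban's `<HOST>` tag, the year 2010 for the year-less syslog timestamps, and constructed log lines that use documentation-range addresses:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The thread's failregex; <HOST> is replaced by a simplified IPv4 group
# (assumption: the real <HOST> tag also matches hostnames and IPv6).
FAILREGEX = re.compile(
    r"reject: RCPT from (.*)\[(?P<host>\d{1,3}(?:\.\d{1,3}){3})\]: 554")
MAXRETRY = 2                        # maxretry from the jail in the thread
FINDTIME = timedelta(seconds=600)   # findtime from the jail in the thread

# Constructed sample in the Postfix log format quoted in the thread.
SAMPLE_LOG = """\
Jul 30 17:42:31 zimbra postfix/smtpd[23611]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <a@example.com>: Relay access denied; from=<x@example.net> to=<a@example.com> proto=ESMTP helo=<ABC>
Jul 30 17:42:33 zimbra postfix/smtpd[22232]: connect from unknown[198.51.100.7]
Jul 30 17:42:34 zimbra postfix/smtpd[22232]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <b@example.com>: Relay access denied; from=<y@example.net> to=<b@example.com> proto=ESMTP helo=<DEF>
Jul 30 17:42:35 zimbra postfix/smtpd[23611]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <c@example.com>: Relay access denied; from=<x@example.net> to=<c@example.com> proto=ESMTP helo=<ABC>
Jul 30 17:55:00 zimbra postfix/smtpd[22232]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <d@example.com>: Relay access denied; from=<y@example.net> to=<d@example.com> proto=ESMTP helo=<DEF>
Jul 30 17:55:10 zimbra postfix/smtpd[22240]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 4.7.1 <e@example.org>: Recipient address rejected; from=<z@example.net> to=<e@example.org> proto=ESMTP helo=<GHI>
Jul 30 17:56:00 zimbra postfix/smtpd[22232]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <f@example.com>: Relay access denied; from=<y@example.net> to=<f@example.com> proto=ESMTP helo=<DEF>
"""

def find_bans(log_text, year=2010):
    """Return {ip: time of the failure that reached MAXRETRY within FINDTIME}."""
    recent = defaultdict(deque)   # ip -> failure timestamps still in the window
    bans = {}
    for line in log_text.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue              # connects and non-554 rejects are not failures
        ip = m.group("host")
        if ip in bans:
            continue              # once banned, the firewall drops the client
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > FINDTIME:
            window.popleft()      # failures older than findtime no longer count
        if len(window) >= MAXRETRY:
            bans[ip] = ts
    return bans

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

In the sample, 198.51.100.7 is not banned at 17:55:00 because its first failure is more than 600 seconds old by then; the ban comes with the next 554 one minute later, and the 450 reject never counts.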

  9. #9
    marsobe is offline New Member

    Thanks a lot IMX, using fail2ban solved my problem, now most of the relay attempts have been blocked.

    I think a better solution would be banning addresses using RBLs instead of relay errors, just to prevent attacks.

    Anyway my problem now is solved.

    Thanks again.

  10. #10
    imx
    imx is offline Special Member

    Sure, which is why I took this one step further - and created my own RBL from the ban logs - and then use this on my firewalls (you can use on iptables quite easily with some scripting) so it blocks before the mail server has to even process the connection. When using this across a decent amount, or even only a couple, of servers you really see the benefits. Even if you didn't want to put this on a firewall, you could put the home-made RBL across your Zimbra servers, so if one sees an attack... they all do and block it.

    Maybe I'll write up a how-to when I find a moment.
