amavis thinks my server is an openrelay when I use it to send mail while roaming

[tiger]

I connect to my Zimbra server from my mobile phone when I roam (off the LAN, on the cellular network, from some 'random' dynamically assigned IP), for both sending (SMTP) and receiving (IMAP). The connections are TLS encrypted and Authenticated. Pretty typical.

Each time I send a message from my roaming connected phone, I get in the logs

Code:

May  3 08:30:26 cheetah amavis[27180]: (27180-02) Open relay? Nonlocal recips but not originating: ###@###.com

I tested my server, and it's not an OpenRelay, but amavis thinks it is anyway.

I only get this message from a roaming connection.

I need to configure something I guess. How can I fix this?

[tiger]

This same question keeps getting asked, but not answered for this case -- roaming authenticated users

https://www.zimbra.com/forums/admini...bra-log-2.html
https://www.zimbra.com/forums/admini...iginating.html
https://www.zimbra.com/forums/admini...inating-2.html

Does anyone from Zimbra have an answer? What do we do in Zimbra server to fix this?

[phoenix]

I see no such behaviour on my server when I send a message via a mobile phone, I've just sent a message and see nothing in the /var/log/zimbra.log other than the expected conversation about the mail being sent to an external account (in this case, my gmail account).

You haven't really given much information about the problem such as log file entries (one line out-of-context doesn't really tell us much) - try a "tail -f" of the log when you send an email, which version and release of Zimbra, has this always happened, are your DNS records correct, does this happen for external wired connections or just mobile?

What about the setting mentioned in one of your quoted threads:

Earlier I'd also noticed in the Admin GUI that Configuration > Servers > servername >MTA > Web Mail MTA Hostnames was set to the fully qualified domain name of Zimbra, but there was a button to "reset to COS"

Have you reset it back to the COS default, does that make any difference. What entries do you have in your Trusted Network setting?

[tiger]

I see no such behaviour on my server when I send a message via a mobile phone, I've just sent a message and see nothing in the /var/log/zimbra.log other than the expected conversation about the mail being sent to an external account (in this case, my gmail account).

Certainly other people do, as they have repeatedly reported.

You haven't really given much information about the problem such as log file entries (one line out-of-context doesn't really tell us much) - try a "tail -f" of the log when you send an email

Code:

May  4 08:14:22 cheetah postfix/smtpd[27601]: connect from unknown[107.36.180.3]
May  4 08:14:23 cheetah postfix/smtpd[27601]: setting up TLS connection from unknown[107.36.180.3]
May  4 08:14:23 cheetah postfix/smtpd[27601]: Anonymous TLS connection established from unknown[107.36.180.3]: TLSv1 with cipher RC4-MD5 (128/128 bits)
May  4 08:14:24 cheetah saslauthd[22385]: zmauth: authenticating against elected url 'https://cheetah.###.com:7071/service/admin/soap/' ...
May  4 08:14:24 cheetah saslauthd[22385]: zmpost: url='https://cheetah.###.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="8146"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_ff6cabdeb5f8e315c17800d8ad447b5113486ab0_69643d33363a356436316566303433633b747913131622d376332303232d346435372d343662312d643238353a3133326236636262373b6578703d3133332303338370653d363a7a696d6272613b</authToken><lifetime>172799999</lifetime><skin>carbon</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''
May  4 08:14:24 cheetah saslauthd[22385]: auth_zimbra: tiger@###.com auth OK
May  4 08:14:24 cheetah postfix/smtpd[27601]: 78ED3600E1: client=unknown[107.36.180.3], sasl_method=LOGIN, sasl_username=tiger@###.com
May  4 08:14:24 cheetah postfix/cleanup[26986]: 78ED3600E1: message-id=<915461b3-5c6e-4bb8-a6f7-bcd9754e64cc.maildroid@localhost>
May  4 08:14:24 cheetah postfix/qmgr[26976]: 78ED3600E1: from=<tiger@###.com>, size=949, nrcpt=1 (queue active)
May  4 08:14:24 cheetah amavis[22127]: (22127-02) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20120504T061558-22127: <tiger@###.com> -> <###@gmail.com> SIZE=949 Received: from cheetah.###.com ([127.0.0.1]) by localhost (cheetah.###.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <###@gmail.com>; Fri,  4 May 2012 08:14:24 -0700 (PDT)
May  4 08:14:24 cheetah amavis[22127]: (22127-02) Checking: 3oFLdrAncVjU [107.36.180.3] <tiger@###.com> -> <###@gmail.com>
May  4 08:14:24 cheetah amavis[22127]: (22127-02) Open relay? Nonlocal recips but not originating: ###@gmail.com
May  4 08:14:24 cheetah postfix/smtpd[27601]: disconnect from unknown[107.36.180.3]
May  4 08:14:29 cheetah postfix/smtpd[27002]: connect from localhost.localdomain[127.0.0.1]
May  4 08:14:29 cheetah postfix/smtpd[27002]: 9029460278: client=localhost.localdomain[127.0.0.1]
May  4 08:14:29 cheetah postfix/cleanup[26986]: 9029460278: message-id=<915461b3-5c6e-4bb8-a6f7-bcd9754e64cc.maildroid@localhost>
May  4 08:14:29 cheetah postfix/qmgr[26976]: 9029460278: from=<tiger@###.com>, size=1467, nrcpt=1 (queue active)
May  4 08:14:29 cheetah postfix/smtpd[27002]: disconnect from localhost.localdomain[127.0.0.1]

, which version and release of Zimbra

Code:

zmcontrol -v
 Release 7.2.0_GA_2669.UBUNTU10_64 UBUNTU10_64 FOSS edition.

has this always happened

Yes

are your DNS records correct

Yes. Everything else on my server is fine.

does this happen for external wired connections or just mobile?

I've only tested it from mobile. I don't connect from any other external device.

What about the setting mentioned in one of your quoted threads:
Have you reset it back to the COS default,

Yes.

does that make any difference.

No.

What entries do you have in your Trusted Network setting?

Code:

https://###.com:7071/zimbraAdmin/
	MTA Trusted Networks:
		192.168.1.0/24 ##.##.##.##/29

"##.##.##.##/29" is my Real IP range assigned from my ISP.

[phoenix]

Certainly other people do, as they have repeatedly reported.

I don't dispute that, I was merely telling you that I didn't.

Code:

https://###.com:7071/zimbraAdmin/
	MTA Trusted Networks:
		192.168.1.0/24 ##.##.##.##/29

"##.##.##.##/29" is my Real IP range assigned from my ISP.

That configuration is incorrect, it should have the loopback entry and your LAN in there:

Code:

127.0.0.0/8 192.168.1.0/24

Change that value and restart ZCS and see if there's any change. Are you using port 587 to Submit the mail from your mobile?

[tiger]

That configuration is incorrect, it should have the loopback entry and your LAN in there:

In Zimbra's salocal.cf.in I see,

Code:

%%uncomment VAR:zimbraMtaMyNetworks%%trusted_networks %%zimbraMtaMyNetworks%%

Is Zimbra's "trusted networks" different than that used by spamassassin? For SA, 127/8 is included by default.

Code:

https://spamassassin.apache.org/full...ssin_Conf.html
Note: 127/8 and ::1 are always included in trusted_networks, regardless of your config.

Code:

127.0.0.0/8 192.168.1.0/24

Change that value and restart ZCS

I did

and see if there's any change.

There isn't. I still get the OpenRelay message.

Are you using port 587 to Submit the mail from your mobile?

Yes.

[phoenix]

Have you also changed the setting at Global Settings/MTA to 'localhost'?

[tiger]

Have you also changed the setting at Global Settings/MTA to 'localhost'?

Yes.

I have posted in the other related threads trying to consolidate them and point people here on the same topic, and nicely inviting other users to join the conversation here.

Why are you removing those comments with no notice or communication?

[msmcknight]

I'm having the same problem...

The "Open relay? Nonlocal recips but not originating: recipient@externaldomain.com" messages come up whenever a remote user tries to send an email via imap/submission (587). These errors do not appear when users on the LAN send messages.

I just upgraded from 606 to 7.2.0_GA_2669.RHEL5_20120410001957 RHEL5 FOSS edition, Patch 7.2.0_P1 and I did not have this problem before the upgrade.

From what I've gathered, I need to set the Web mail MTA hostname on the Global Settings screen and the Server Settings screen both to 'localhost.' Right now my Global Setting = localhost and my Server Setting = zimbra.mydomain.com

But... when I try to change the Server Setting to localhost, I get an error:

Invalid Value!
Message: Error! [::1]/128 is not a valid subnet value in CIDR notation!
Additional information about MTA Trusted Networks configuration can be
found at ZimbraMtaMyNetworks - Zimbra :: Wiki

Which tells me nothing useful.

postconf mynetworks
mynetworks = 127.0.0.0/8 10.1.1.0/24 [::1]/128

zmprov getServer zimbra.mydomain.com | grep zimbraMtaMyNetworks
zimbraMtaMyNetworks: 127.0.0.0/8 10.1.1.0/24 [::1]/128

My host file is pretty straight forward:
127.0.0.1 localhost.localdomain localhost

And my DNS is fine... nothing else is having any trouble, and even Zimbra didn't trouble until I upgraded.

I'm not sure if it's the right value, but I tried to set zimbraMtaAuthHost from the command line and got the following:

zmprov ms zimbra.mydomain.com zimbraMtaAuthHost localhost
ERROR: service.INVALID_REQUEST (invalid request: specified zimbraMtaAuthHost does not correspond to a valid service hostname: localhost)

The web administration interface wont let me change the value. It breaks no matter what browser I use.

Is there a way to set the value via the command line? Is there a way to fix the web error?

Thanks,
-Michael

[phoenix]

But... when I try to change the Server Setting to localhost, I get an error:

Which tells me nothing useful

It actually does tell you something useful, there's an IPv6 address in there and ZCS doesn't (currently) support IPv6.