Page 1 of 6 123 ... LastLast
Results 1 to 10 of 55

Thread: 8.0.2 Community Edition - no longer allows SMTP auth users send email - RBL blocked

  1. #1
    subversionpdx is offline Member
    Join Date
    May 2010
    Posts
    10
    Rep Power
    4

    Default 8.0.2 Community Edition - no longer allows SMTP auth users send email - RBL blocked

    I just upgraded from 8.0.0 to 8.0.2 yesterday, since then no external clients (outlook, phones, etc) can send email through Zimbra - we use SMTP AUTH / port 587 submission and it's always worked fine in the past. It appears that the RBL is now blocking my users from sending anything.

    I checked my Admin GUI for the server, checked trusted networks, tried disabling originating IP address, checked host files, postfix main.cf, spamassasing local.cf etc.

    If I disable one of the RBL servers and reload postfix, the next RBL in the config just blocks the send too. Most of my users connect from DSL or Comcast internet connections and remote clients. Sending from the web interface still works fine (albeit slower than it used to be)

    It's acting as if it's a typical "relaying denied" - but SMTP authed users should not be restricted from sending via my email server

    Any thoughts?
    Thanks,
    Joe



    zimbra@mail:~$ zmprov gacf | grep zimbraMtaRestriction
    zimbraMtaRestriction: reject_non_fqdn_sender
    zimbraMtaRestriction: reject_unknown_sender_domain
    zimbraMtaRestriction: reject_rbl_client bl.spamcop.net
    zimbraMtaRestriction: reject_rbl_client relays.mail-abuse.org
    zimbraMtaRestriction: reject_rbl_client dnsbl.sorbs.net
    zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org

    zmprov mcf -zimbraMtaRestriction "reject_rbl_client zen.spamhaus.org"




    Dec 26 13:44:28 mail postfix/smtpd[30047]: connect from 71-219-140-25.slkc.qwest.net[71.219.140.25]
    Dec 26 13:44:28 mail postfix/smtpd[30047]: connect from 71-219-140-25.slkc.qwest.net[71.219.140.25]
    Dec 26 13:44:29 mail saslauthd[23251]: zmauth: authenticating against elected url 'https://mail.nnet.com:7071/service/admin/soap/' ...
    Dec 26 13:44:29 mail saslauthd[23251]: zmpost: url='https://mail.nnet.com:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="393903"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_47ee1439db2 ef4bea25873335858c823ed542d55_69643d33363a33343430 356636642d383761652d346664322d613466302d6162323639 653535326439323b6578703d31333a31333536373237343639 3130303b76763d313a333b747970653d363a7a696d6272613b </authToken><lifetime>172800000</lifetime><skin>lavender</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''
    Dec 26 13:44:29 mail saslauthd[23251]: auth_zimbra: joe@nnet.com auth OK
    Dec 26 13:44:29 mail postfix/smtpd[30047]: NOQUEUE: filter: RCPT from 71-219-140-25.slkc.qwest.net[71.219.140.25]: <joe@nnet.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<joe@nnet.com> to=<subversionpdx@gmail.com> proto=ESMTP helo=<[192.168.0.16]>
    Dec 26 13:44:29 mail postfix/smtpd[30047]: NOQUEUE: filter: RCPT from 71-219-140-25.slkc.qwest.net[71.219.140.25]: <joe@nnet.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<joe@nnet.com> to=<subversionpdx@gmail.com> proto=ESMTP helo=<[192.168.0.16]>
    Dec 26 13:44:29 mail postfix/smtpd[30047]: NOQUEUE: reject: RCPT from 71-219-140-25.slkc.qwest.net[71.219.140.25]: 554 5.7.1 Service unavailable; Client host [71.219.140.25] blocked using zen.spamhaus.org; The Spamhaus Project - Blocklist Removal Center Results from=<joe@nnet.com> to=<subversionpdx@gmail.com> proto=ESMTP helo=<[192.168.0.16]>
    Dec 26 13:44:29 mail postfix/smtpd[30047]: NOQUEUE: reject: RCPT from 71-219-140-25.slkc.qwest.net[71.219.140.25]: 554 5.7.1 Service unavailable; Client host [71.219.140.25] blocked using zen.spamhaus.org; The Spamhaus Project - Blocklist Removal Center Results from=<joe@nnet.com> to=<subversionpdx@gmail.com> proto=ESMTP helo=<[192.168.0.16]>
    Dec 26 13:44:29 mail postfix/smtpd[30047]: disconnect from 71-219-140-25.slkc.qwest.net[71.219.140.25]
    Dec 26 13:44:29 mail postfix/smtpd[30047]: disconnect from 71-219-140-25.slkc.qwest.net[71.219.140.25]

  2. #2
    Rich Graves is offline Outstanding Member
    Join Date
    Jan 2007
    Location
    Minnesota
    Posts
    717
    Rep Power
    9

    Default

    That's not relaying denied, that's an RBL block. You need to tell postfix that authenticated senders skip RBLs. I know how to do this with sendmail. For postfix, read the documentation. These might be relevant:

    postconf -e 'permit_sasl_authenticated = yes'
    postconf -e 'smtpd_delay_reject = yes'

    The first thing to look at, though, is diff -u between your backup of the 8.0.0 version of main.cf (which you have, right?) and your current.

    Bug 78157 &ndash; smtpd_recipient_restrictions changed to smtpd_relay_restrictions might be relevant.

  3. #3
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,201
    Rep Power
    56

    Default

    In addition to the answer that Rich gave. If you read the Spamhaus link you'll see that it's a PBL, that means that you probably have the 'x-originating-ip' configured to add the users IPs to the headers, that will get rejected by a lot of RBLs as the users ISP specifies the ranges IP that should only send outbound mail via their mail servers. You need to disable this option in the Admin UI and make sure that your users only use port 587 and Authenticate.

    You should also specify the RBLs is descending order of effectiveness otherwise you're doing a lot of unnecessary DNS lookups on your DNS servers and wasted checks against the RBLs, check the daily report to see which ones are most effective then reorganise your list.
    Last edited by phoenix; 12-27-2012 at 07:33 AM.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  4. #4
    subversionpdx is offline Member
    Join Date
    May 2010
    Posts
    10
    Rep Power
    4

    Default

    Thank you for the replies -

    The only change I had made was to update from 8.0.0 to 8.0.2 - in 8.0.0 the system allowed SMTP auth'd users to send fine. I never altered the order of the RBL settings in Zimbra. Users were sending via 587/Submission port. X-Originating-IP was on in my 8.0.0 install but users never had problems sending email.

    After updating to 8.0.2 - inbound email still worked fine, only auth'd users could no longer send (see above) - I disabled X-Originating-IP, turned off RBLs, etc. Authenticated users should not be processed through any RBLs, but they were.

    I tried a diff between my 8.0.0 main.cf and the new one, very little difference there, but I tried the configuration directives in 8.0.0 for Postfix and it still kept blocking sends. I also checked the bug thread listed above (thank you) but this didn't help either.

    I only solved it by rolling back to my backup of 8.0.0 - which, as expected, is working fine.

    Thanks again,
    Joe

  5. #5
    thunder04 is offline Special Member
    Join Date
    Dec 2007
    Location
    At work...Menlo Park, CA
    Posts
    155
    Rep Power
    7

    Default

    I am having the same problem. Any users who attempt to send mail from outside our network using a mail client other than the web interface get blocked via RBL. What can I do to prevent authenticated SMTP users from being checked against RBLs? I've tried the suggested config changes by Rich and no dice.

    Code:
    zimbra@cottontail:~$ zmlocalconfig | grep permit_sasl_authenticated
    postfix_permit_sasl_authenticated = yes
    zimbra@cottontail:~$ zmlocalconfig | grep smtpd_delay_reject       
    postfix_smtpd_delay_reject = yes
    zimbra@cottontail:~$
    Last edited by thunder04; 12-28-2012 at 03:41 PM.

  6. #6
    ccelis5215 is offline Elite Member
    Join Date
    Jun 2011
    Location
    Caracas Venezuela
    Posts
    442
    Rep Power
    3

    Default

    Hello,

    Please yell if you want, Bug 78157 &ndash; smtpd_recipient_restrictions changed to smtpd_relay_restrictions mentions smptd_relay_restrictions for general use, also, set a three default values.

    Digging into Postfix Users - smtpd_relay_restrictions ready for general use states:

    2 - BACKWARDS COMPATIBILITY SAFETY NET: sites that migrate from
    Postfix versions before 2.10 can set smtpd_relay_restrictions
    to the empty value, and use smtpd_recipient_restrictions exactly
    as they used it before.
    I've take a look in my main.cf test server and there diferences...

    smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unlisted_recipient, reject_non_fqdn_sender, permit
    smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
    Note: I' don't have 8.0 main.cf to compare vs 8.0.2.

    ccelis.

  7. #7
    thunder04 is offline Special Member
    Join Date
    Dec 2007
    Location
    At work...Menlo Park, CA
    Posts
    155
    Rep Power
    7

    Default

    I've done the following which doesn't seem to make a difference.

    Code:
    zimbra@cottontail:~/conf$ zmlocalconfig -e "postfix_smtpd_recipient_restrictions=reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client psbl.surriel.com, permit"
    zimbra@cottontail:~/conf$ zmlocalconfig -e postfix_smtpd_relay_restrictions=""
    zimbra@cottontail:~/conf$ zmmtactl restart
    Rewriting configuration files...done.
    /postfix-script: refreshing the Postfix mail system
    Stopping saslauthd...done.
    Starting saslauthd...done.
    Stopping opendkim... done.
    Started opendkim: pid 16429
    zimbra@cottontail:~/conf$ zmlocalconfig | grep smtpd_recipient_restrictions
    postfix_smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client psbl.surriel.com, permit
    zimbra@cottontail:~/conf$ zmlocalconfig | grep smtpd_relay_restrictions    
    postfix_smtpd_relay_restrictions =
    When I view the /opt/zimbra/postfix/conf/main.cf file, these changes are not there.

    Code:
    smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unlisted_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rbl_client b.barracudacentral.org reject_rbl_client zen.spamhaus.org reject_rbl_client cbl.abuseat.org reject_rbl_client psbl.surriel.com, permit
    smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

  8. #8
    ccelis5215 is offline Elite Member
    Join Date
    Jun 2011
    Location
    Caracas Venezuela
    Posts
    442
    Rep Power
    3

    Default

    Quote Originally Posted by thunder04 View Post
    I've done the following which doesn't seem to make a difference.

    Code:
    zimbra@cottontail:~/conf$ zmlocalconfig -e "postfix_smtpd_recipient_restrictions=reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client psbl.surriel.com, permit"
    zimbra@cottontail:~/conf$ zmlocalconfig -e postfix_smtpd_relay_restrictions=""
    zimbra@cottontail:~/conf$ zmmtactl restart
    Rewriting configuration files...done.
    /postfix-script: refreshing the Postfix mail system
    Stopping saslauthd...done.
    Starting saslauthd...done.
    Stopping opendkim... done.
    Started opendkim: pid 16429
    zimbra@cottontail:~/conf$ zmlocalconfig | grep smtpd_recipient_restrictions
    postfix_smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client psbl.surriel.com, permit
    zimbra@cottontail:~/conf$ zmlocalconfig | grep smtpd_relay_restrictions    
    postfix_smtpd_relay_restrictions =
    When I view the /opt/zimbra/postfix/conf/main.cf file, these changes are not there.

    Code:
    smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unlisted_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rbl_client b.barracudacentral.org reject_rbl_client zen.spamhaus.org reject_rbl_client cbl.abuseat.org reject_rbl_client psbl.surriel.com, permit
    smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
    Try

    Code:
     zmlocalconfig -e "postfix_smtpd_relay_restrictions=reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain"
    without the RBL's..

    ccelis
    Last edited by ccelis5215; 12-28-2012 at 07:08 PM. Reason: main.cf does'nt modify

  9. #9
    thunder04 is offline Special Member
    Join Date
    Dec 2007
    Location
    At work...Menlo Park, CA
    Posts
    155
    Rep Power
    7

    Default

    No luck. Same behavior.

  10. #10
    thunder04 is offline Special Member
    Join Date
    Dec 2007
    Location
    At work...Menlo Park, CA
    Posts
    155
    Rep Power
    7

    Default

    Are there any other avenues I can take with this issue? It's really starting to cause headache for our users who are outside our network.

Page 1 of 6 123 ... LastLast

Thread Information

Users Browsing this Thread

There are currently 2 users browsing this thread. (0 members and 2 guests)

Similar Threads

  1. force Webmail user to send email with "smtp auth"
    By bonadio in forum Developers
    Replies: 11
    Last Post: 01-26-2012, 10:26 AM
  2. Send blocked attachments from admin users
    By Houston in forum Administrators
    Replies: 0
    Last Post: 09-20-2010, 10:46 AM
  3. Replies: 1
    Last Post: 10-19-2009, 10:32 PM
  4. Enable SMTP Auth to external users
    By VictorMedina in forum Administrators
    Replies: 1
    Last Post: 05-24-2006, 10:06 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •