Getting Relay Access Denied Errors

[pwalborn]

I am evaluating Zimbra for the possible use for all of our International offices and having some difficulities with setting up Zimbra. I have read through tons of info on the forum and googled everything I can think of, but still having some minor problems. Actually, I am able to login to the mailbox locally and send/recieve email internally and externally. The problem occurs when I try to setup POP3 access from the client computer in our UK office. We get the relay access denied error as well as an error in the zimbra log.

Aug 18 10:16:43 zmail postfix/smtpd[24863]: connect from unknown[77.44.37.200]
Aug 18 10:16:43 zmail postfix/smtpd[24863]: warning: restriction `blacklist_from' after `permit' is ignored
Aug 18 10:16:43 zmail postfix/smtpd[24863]: A72C9BB05AA: client=unknown[77.44.37.200]
Aug 18 10:16:44 zmail postfix/smtpd[24863]: warning: restriction `blacklist_from' after `permit' is ignored
Aug 18 10:16:44 zmail postfix/smtpd[24863]: 790EFBB05AA: client=unknown[77.44.37.200]

I think the problem exists with using virtual domains and how the email header is being read externally. I have the primary domain setup and it works with no problems internally/externally or POP3. I have one virtual domain setup and when you look at the header info, it looks like it is coming from the primary domain. We are so close to getting this to work, but have spent so much time looking at it that I am probably just missing some simple.

Here is the results of the normally asked configs:

cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
192.168.253.55 zmail.simplexityhealth.net zmail

cat /etc/resolv.conf
domain simplexityhealth.net
nameserver 192.168.253.30
nameserver 192.168.252.30

dig simplexityhealth.net mx

; <<>> DiG 9.4.0 <<>> simplexityhealth.net mx
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8467
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;simplexityhealth.net. IN MX

;; ANSWER SECTION:
simplexityhealth.net. 3600 IN MX 10 zmail.simplexityhealth.net.

;; ADDITIONAL SECTION:
zmail.simplexityhealth.net. 3600 IN A 192.168.253.55

;; Query time: 23 msec
;; SERVER: 192.168.253.30#53(192.168.253.30)
;; WHEN: Thu Aug 13 12:48:27 2009
;; MSG SIZE rcvd: 76

dig simplexityhealth.net any

; <<>> DiG 9.4.0 <<>> simplexityhealth.net any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57770
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 7

;; QUESTION SECTION:
;simplexityhealth.net. IN ANY

;; ANSWER SECTION:
simplexityhealth.net. 3600 IN NS srv2.celltech.local.
simplexityhealth.net. 3600 IN NS srv1.celltech.local.
simplexityhealth.net. 3600 IN SOA srv1.celltech.local. hostmaster.celltech.local. 10 900 600 86400 3600
simplexityhealth.net. 3600 IN MX 10 zmail.simplexityhealth.net.

;; ADDITIONAL SECTION:
srv2.celltech.local. 3600 IN A 192.168.253.7
srv2.celltech.local. 3600 IN A 192.168.253.11
srv2.celltech.local. 3600 IN A 192.168.253.34
srv2.celltech.local. 3600 IN A 192.168.253.15
srv2.celltech.local. 3600 IN A 192.168.252.30
srv1.celltech.local. 3600 IN A 192.168.253.30
zmail.simplexityhealth.net. 3600 IN A 192.168.253.55

;; Query time: 1 msec
;; SERVER: 192.168.253.30#53(192.168.253.30)
;; WHEN: Thu Aug 13 12:48:34 2009
;; MSG SIZE rcvd: 271

[root@zmail zimbra]# host `hostname`
zmail.simplexityhealth.net has address 192.168.253.55


Any assistance would be appreciated and also know that I am extremely new to Linux and Zimbra. This has been a trial by fire experience for me, a little frustrating, but fun.

Thanks,
-Paul-

[cesarflet]

I suggest to test to see if your domains are spam lists. I use Email Blacklist Check - See if your server is blacklisted to start.

Also tested the mx lookup in MX Lookup Tool - Check your DNS MX Records online to corroborate if it is responding adequately

[pwalborn]

Not reported on any blacklists.

I had already checked the MX Toolbox Diags.

RESULT: zmail.simplexityhealth.net ***primary domain***
Banner: 220 zmail.simplexityhealth.net ESMTP Postfix
Connect Time: 0 seconds - Good
Transaction Time: 0.547 seconds - Good
Relay Check: OK - This server is not an open relay.
Rev DNS Check: OK - 208.35.137.64 resolves to zmail.simplexityhealth.net
GeoCode Info: Geocoding server is unavailable
Session Transcript: HELO please-read-policy.mxtoolbox.com
250 zmail.simplexityhealth.n [94 ms]
MAIL FROM:
250 2.1.0 [266 ms]
RCPT TO:
554 5.7.1 : Relay access deni [94 ms]
QUIT
221 2.0.0 B [94 ms]

RESULT: mail.simplexityhealth.co.uk ***virtual domain***
Banner: 220 zmail.simplexityhealth.net ESMTP Postfix
Connect Time: 0 seconds - Good
Transaction Time: 0.406 seconds - Good
Relay Check: OK - This server is not an open relay.
Rev DNS Check: OK - 208.35.137.64 resolves to mail.simplexityhealth.co.uk
GeoCode Info: Geocoding server is unavailable
Session Transcript: HELO please-read-policy.mxtoolbox.com
250 zmail.simplexityhealth.n [109 ms]
MAIL FROM:
250 2.1.0 [94 ms]
RCPT TO:
554 5.7.1 : Relay access deni [94 ms]
QUIT
221 2.0.0 B [109 ms]


I just noticed that I am getting the "relay access denied" error on my primary domain. I could have sworn that it was working outside my network, but after the countless hours working on this I'm not sure anymore.

Thanks for the advice.
-Paul-

[soxfan]

You may want to take a look at the Split DNS wiki entry. Based on the info that you've posted it looks like your internal DNS may be setup correctly. But what about your external (Internet facing) DNS? From this entry that you posted:

Quote:

Aug 18 10:16:43 zmail postfix/smtpd[24863]: connect from unknown[77.44.37.200]

it would seem like your email server is not being resolved on the Internet.

[pwalborn]

Quote:

Originally Posted by soxfan

You may want to take a look at the Split DNS wiki entry. Based on the info that you've posted it looks like your internal DNS may be setup correctly. But what about your external (Internet facing) DNS? From this entry that you posted:

it would seem like your email server is not being resolved on the Internet.

I've ran both of these domains on DNS Stuff and they look good. We are running split DNS and that appears to be working. Like I said, sitting at my desk logging into the accounts, I can email internally and externally with no problems. It's setting up access externally that appears to be the problem.

The part of the log with 77.44.37.200 address is from the UK ISP. It looked to me like it giving an error that we were trying to use their services for relaying,,, weird.

Thanks again for the input.
-Paul-

[soxfan]

Well the "connect from unknown..." definitely indicates that the system with an IP address of 77.44.37.200 is trying to send an email message. What email client is being used externally (Outlook, Thunderbird, Zimbra Web Client, etc.)? Maybe it is just a matter of changing the outgoing SMTP server.

[pwalborn]

Quote:

Originally Posted by soxfan

Well the "connect from unknown..." definitely indicates that the system with an IP address of 77.44.37.200 is trying to send an email message. What email client is being used externally (Outlook, Thunderbird, Zimbra Web Client, etc.)? Maybe it is just a matter of changing the outgoing SMTP server.

They are using Outlook 2007. I am able to get the web client to work fine from their end, but I believe that it isn't using POP3 to send/receive.

I have the "Inbound SMTP Host Name" set to mail.mydomain.co.uk. Without it it gives me an error when I do "Check MX Record" in the admin console. I don't see where you can set the outgoing SMTP server in the console, is that configured somewhere else?

Thanks,
-Paul-

[philpw99]

I am new to Zimbra, so here is just an idea.
The "554 5.7.1 relay access deni" error looks like the recipient address is not in the domain of simplexityhealth.net. Maybe the MX toolbox is trying to send a test email with a wrong recipient name?
But most importantly, you are setting up POP3 clients, which is receiving. So it has nothing to do with the sending error. Since the DNS server resolves correctly, and you can send and receive email from U.S. So the only possible reason is maybe in U.K. some firewall has block the port 110? Did you try port 995 for POPS ?

You don't need to put anything in the inbound SMTP server. Check MX record doesn't really mean anything. If you can receive and send mails in U.S., it's ok.

The outgoing SMTP should be the "Relay MTA for external delivery" in the server MTA settings.

[soxfan]

Quote:

They are using Outlook 2007. I am able to get the web client to work fine from their end, but I believe that it isn't using POP3 to send/receive.

If the external people are using Outlook 2007 with POP3 and the web client works fine from their end then this is really more of an Outlook configuration issue than a problem with Zimbra. You would need to go into Tools --> Accounts (or whatever it is now with 2007) and make sure the outgoing SMTP server is setup properly for the account. Unless you are going to do SMTP authentication or something like that you would be better off having them use their ISP's SMTP server; otherwise you will end up with a lot of relay access denied errors.

[pwalborn]

Quote:

Originally Posted by soxfan

If the external people are using Outlook 2007 with POP3 and the web client works fine from their end then this is really more of an Outlook configuration issue than a problem with Zimbra. You would need to go into Tools --> Accounts (or whatever it is now with 2007) and make sure the outgoing SMTP server is setup properly for the account. Unless you are going to do SMTP authentication or something like that you would be better off having them use their ISP's SMTP server; otherwise you will end up with a lot of relay access denied errors.

I guess I am still unclear as to how Zimbra uses Virtual Domains. Sending email from mydomain.co.uk still looks like it is coming from mydomain.net. Some larger email services, suchsas AOL, do a reverse DNS lookup for the domain the they will see the email coming from mydoman.co.uk, but the sending server will mydomain.net??? I've dealt with AOL quite a bit as most of our distributors are on AOL. They are very picky.

Any thoughts???