Zimbra Multi Domain SMTP auth/relay problem

I have a query in setting up a multi-domain Zimbra 8.6 OSE on Ubuntu 14.04. I have successfully set up Domain1 with Zimbra and added virtual host Domain2. Mails to each of them are routing to each other and sending from the server to outside is also working. However, I need both domains to send emails using their respective ISP so domain1 would use ISP1 and domain2 ISP2. In my previous implementation, I have used successfully "zimbraMtaRelayHost" for single domain. Searching more, I have tried the "Relay per Domain" using "sender_dependent_relayhost_maps." I am, however, still unable to send mail using Zimbra. I have, upon instinct, put in the port after the IP address of the ISPs in /opt/zimbra/postfix/conf/bysender so it looks like the one below (based on the wiki):

@domain1.com [10.10.10.1]:587
@domain2.com [20.20.20.1]:587

Zimbra now...
This topic first appeared in the Spiceworks Community
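
A consistency check for the per-sender relay setup the post describes, as an added example (not the poster's code and not part of Zimbra or Postfix). It assumes the ISPs require authentication on port 587 and that credentials live in a Postfix `smtp_sasl_password_maps` table keyed by destination; the password map contents are constructed placeholders. It enforces the Postfix SASL_README rule that the password-map key must use the same `[host]` and `:port` form as the relayhost.

```python
"""Cross-check a Postfix sender-dependent relay map against a SASL password map."""
import re

# Constructed sample input. The two relay entries are the ones quoted in the
# post; the password map and its credentials are placeholders made up here.
BYSENDER = """\
@domain1.com [10.10.10.1]:587
@domain2.com [20.20.20.1]:587
"""
SASL_PASSWD = """\
# destination        username:password
[10.10.10.1]:587     user1@domain1.com:EXAMPLE-ONLY
[20.20.20.1]         user2@domain2.com:EXAMPLE-ONLY
"""

# Accepted relayhost forms: "[host]", "[host]:port", "host", "host:port".
RELAYHOST_RE = re.compile(r"^(\[[^\]\s]+\]|[^\[\]:\s]+)(?::(\w+))?$")
# Sender keys in the relay map: "user@domain" or "@domain".
SENDER_KEY_RE = re.compile(r"^[^@\s]*@[^@\s]+$")


def parse_map(text):
    """Parse a Postfix text lookup table into {key: value}.

    Blank lines and '#' comments are skipped; a line that starts with
    whitespace continues the previous entry, as in Postfix table files.
    """
    table, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            table[last] = (table[last] + " " + raw.strip()).strip()
            continue
        parts = raw.split(None, 1)
        last = parts[0]
        table[last] = parts[1].strip() if len(parts) > 1 else ""
    return table


def bare_host(destination):
    """Return the host without brackets or port, or None if unparsable."""
    match = RELAYHOST_RE.match(destination)
    return match.group(1).strip("[]").lower() if match else None


def audit(bysender_text, sasl_text):
    """Return a list of (sender_key, problem) tuples; empty means consistent."""
    relay = parse_map(bysender_text)
    creds = parse_map(sasl_text)
    findings = []
    for sender, hop in relay.items():
        if not SENDER_KEY_RE.match(sender):
            findings.append((sender, "key is neither user@domain nor @domain"))
        host = bare_host(hop)
        if host is None:
            findings.append((sender, f"cannot parse relayhost {hop!r}"))
            continue
        if hop in creds:
            continue  # password map key is written exactly like the relayhost
        # Same host, different spelling (brackets or port missing on one side).
        near = [key for key in creds if bare_host(key) == host]
        if near:
            findings.append(
                (sender, f"password map key {near[0]!r} differs in form "
                         f"from relayhost {hop!r}"))
        else:
            findings.append((sender, f"no credentials for relayhost {hop!r}"))
    return findings


if __name__ == "__main__":
    for sender, problem in audit(BYSENDER, SASL_PASSWD):
        print(f"{sender}: {problem}")
```

With the constructed password map above, only `@domain2.com` is reported, because its credentials are keyed without the `:587` that the relay map uses.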

Microsoft releases new license terms for Windows 10: Biggest surprise? No gotchas

Ed Bott has just published an article on ZDNet which reviews in detail the just-released Windows 10 license agreement. First published on ZDNet by Ed Bott for The Ed Bott Report | July 15, 2015 -- 18:30 GMT (19:30 BST) | Topic: Windows 10

"Two weeks ahead of the global launch of Windows 10, Microsoft has finalized the terms of its license agreements for the new operating system. I've had several days to study the documents in detail, and I can report that there are no surprises, no gotchas, and no hidden subscription traps waiting to be sprung in two or three or four years." "In fact, the new license agreement is simpler and written more clearly than any similar document I've reviewed in 20 years of examining Windows license agreements. There are a few...

Similar Messages

  • Smtp auth access problems

    All, I've got everything working and authenticating properly (i.e. pop/imap/http) except smtp auth.
    I keep getting the following error after a valid transaction:
    220 hoth -- Server ESMTP (iPlanet Messaging Server 5.2 (built Feb 21 2002)).
    EHLO xxx.xxx.xxx.
    250-hoth.
    250-8BITMIME.
    250-PIPELINING.
    250-DSN.
    250-XDFLG.
    250-ENHANCEDSTATUSCODES.
    250-EXPN.
    250-HELP.
    250-SAML.
    250-SEND.
    250-SOML.
    250-TURN.
    250-XADR.
    250-XSTA.
    250-XCIR.
    250-XGEN.
    250-XLOOP 18C258074D1B9D38536174313EC7E040.
    250-AUTH LOGIN PLAIN.
    250-AUTH=LOGIN.
    250-ETRN.
    250-RELAY.
    250 SIZE 0.
    AUTH PLAIN AG1tY211cnIAZnIwZ2wzZ3M=.
    535 5.7.8 Authorization failure (Not authorized to login as specified user)..
    Does anyone have any idea why or where authorization is set on a per user basis, or is there maybe a config key to allow all users from a specific domain?
    Thanks in advance for your help.
    --Mike

    You never told us how you get it to work.
    I am having the same authentication problem and am pulling my hair out. Could you explain how you figured it out?
    Thanks

  • Smtp auth - relay

    Hi!
    We are running GWIA novell-groupwise-gwia-12.0.1-103731.
    Relaying is denied in the GWIA-settings.
    We tested the GWIA behavior.
    If we do an SMTP-Auth against the GWIA and the authentication is
    successful, relaying is allowed.
    In the GWIA "Access-Control Settings" -> "Default Class of service"
    there is "Prevent outgoing messages" defined in the "SMTP Outgoing" section.
    It seems, that it has no effect, what is defined in the Access Control
    Settings; Gwia will always allow relaying, if the user is authenticated
    against the GWIA.
    Does this work as designed, or do we have a chance that we will allow
    only specified users to relay, if they are authenticated?
    thanks in advance
    Wolfgang

    On 06.11.2012 11:12, wpolster wrote:
    > Hi!
    >
    > We are running GWIA novell-groupwise-gwia-12.0.1-103731.
    > Relaying is denied in the GWIA-settings.
    >
    > We tested the GWIA behavior.
    > If we do an SMTP-Auth against the GWIA and the authentication is
    > successful, relaying is allowed.
    > In the GWIA "Access-Control Settings" -> "Default Class of service"
    > there is "Prevent outgoing messages" defined in the "SMTP Outgoing"
    > section.
    That's a bad idea, and should result in nobody using groupwise
    internally being able to send email out. You can't remove restrictions
    in the default class of service with more specific classes.
    > It seems, that it has no effect, what is defined in the Access Control
    > Settings; Gwia will always allow relaying, if the user is authenticated
    > against the GWIA.
    Correct. The class of service restrictions only apply to *internal*
    users, e.g. everything that comes from or goes to groupwise. Relaying
    happens totally on the SMTP side of GWIA only, and there's no restrictions.
    > Does this work as designed, or do we have a chance that we will allow
    > only specified users to relay, if they are authenticated?
    Unfortunately not.
    CU,
    Massimo Rosen
    Novell Knowledge Partner
    No emails please!
    http://www.cfc-it.de

  • SMTP Auth / Relay Allow Map

    For my testing I would like to enable SMTP AUTH or a relay MAP so that a user I have can relay through the Messaging Server (without allowing the whole world to relay).
    Does anyone have any experience with this?
    Thanks

    Authenticated smtp is turned on by default. It works fine for me. . .

  • LDAP Multi Domain (organization) auth

    Hello everybody,
    Actually, I have the following working configuration:
    LDAP server (SUN DS) with the following schema for user:
    ou=People,o=aOrgName,ou=People,dc=...
    I have multiple organizations sharing the same servers, it's working fine, but each user needs to be unique "cross organization wide".
    I mean, I can't have a user named userA in ou=People,o=orgA,... and another user named userA in ou=People,o=orgB...
    No problem with uid (I mean uidNumber LDAP and unix user id), I can make them unique across organizations.
    But for the user name, it's a bit tricky, because I can't make it unique. (until now I can, but soon it will be hard, and users don't want to have userA2 as a username).
    So, I thought of the following solutions:
    - Configuring solaris LDAP client in such a way that it will append the orgName to the username. (like userA-orgA) Would be the cleanest solution, but I really don't think it's possible without a rewrite of the ldap client layer of solaris.
    - Having ldap server automatically create a fqun (fully qualified user name) of the form: userA-orgA and having solaris use this in place of uid. But I don't know if we can create entries based on other entries, like we can on SQL db.
    - Manually add an fqun field.
    For the last two, I really don't know how to configure solaris 10 ldap client to use fqun in place of uid. I'm sure it is possible somehow using SSD, but after reading the documentation, I'm not sure how.
    Finally, no I can't change the uid to user-orgname because the uid is used by many other services, like email, web application... And in those applications you add a @orgName after your username to do the trick.
    Any idea, experience are really appreciated.
    Regards
    Kuon


  • How to provide access to multiple users connected to a Dumb switch? (multi-auth/multi-domain)

    Good morning everybody,
    I am writing on behalf of not being able to implement a desired outcome in our company network. In fact the situation is as follows:
    What I want to do is to be able to authenticate users (802.1x authentication) in our company radius server and authorize them access by having a dynamic VLAN assignment in a multi-user environment on one and the same port of a Cisco 2960 switch. So far, the authentication and authorization has been working completely smoothly (there are no problems with itself). The concept involves the configuration of both DATA and VOICE VLANs as there is also phone authentication implemented. In order to simulate this environment I introduce a Dumb switch connected to my Cisco 2960 Catalyst.
    What I have successfully managed to get to work so far is this:
    1) On one switch port I have tried the “authentication host-mode multi-domain” and it worked perfectly for a PC behind a telephone, or with one PC connected to the dumb switch + the telephone connected to another port of the dumb switch. Logically it is the same situation as there is a separation in two domains – DATA and VOICE. Below is an output from show authentication sessions for this scenario.
    Interface  MAC Address     Method   Domain   Status         Session ID          
    Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
    Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
    2) On the other hand, when I try the same scenario with the “authentication host-mode multi-auth”, the switch still separates the traffic in two domains and is able to authenticate all users, AS LONG AS they are in the same VLAN.
    show authentication sessions:
    Interface  MAC Address     Method   Domain   Status         Session ID          
    Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
    Fa0/23     b888.e3eb.ebac   dot1x    DATA     Authz Success  C0A8FF69000000F8008C (user2)
    Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
    However, I cannot succeed authentication of many users from DIFFERENT VLANs, neither in multi-auth nor in multi-domain modes.
    What I want to get is an output like this:
    Interface  MAC Address     Method   Domain   Status         Session ID          
    Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
    Fa0/23     b888.e3eb.ebac dot1x    DATA     Authz Success  C0A8FF69000000F8008C (user2)
    Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
    I want the switch to authenticate the users anytime they connect to itself and for them to have an instant access to the network. (I tell this because I tried scenario 1) with multi-domain mode and authentication violation replace, and it worked but, two users never had access to the “Internet” simultaneously!!!)
    The configuration of the interface connected to the Dumb switch is as follows.
    interface FastEthernet0/x                                                      
     description Connection to DUMBswitch                                            
     switchport mode access                                                         
     switchport voice vlan XXX                                                      
     switchport port-security maximum 10                                            
     switchport port-security                                                       
     switchport port-security violation protect                                     
     authentication host-mode multi-auth                                            
     authentication priority dot1x                                                  
     authentication port-control auto                                               
     authentication timer reauthenticate 4000                                       
     authentication violation replace                                               
     dot1x pae authenticator                                                        
     dot1x timeout tx-period 10                                                     
     spanning-tree portfast                                                         
    The way I see it is explained in the following steps:
    - PC1 connects to the Dumb switch. This causes the Cisco switch to authenticate user1. This creates an auth. session with its MAC address linked to a domain DATA.
    - When PC2 connects to the Dumb switch, this causes the violation replace which replaces the recent authenticated MAC address with the MAC of PC2. I would like it once authenticated to appear in the authentication sessions with a link to a new DATA domain linked to the VLAN assigned from the RADIUS server.
    Is this possible? I think (in theory) this is the only way to provide authenticated access to multiple users connecting through Dumb switch to the network.
    Has anybody ever succeeded in such a configuration example and if yes, I would love to get some help in doing so?
    Thank you
    Stoimen Hristov

    Hi Stoimen,
    I have done a setup similar to yours with the only exception being VLAN assignment. When I used dACLs only, it makes things somewhat easier as the VLAN no longer matters. Remember that the switchport is in access mode and will only allow a single VLAN across it (with the exception of the voice VLAN). I think that is the real cause of your problem.
    From what I can see, you have 2 options available to you:
    1) Use dACLs instead of VLAN assignment. This means that an access list will be downloaded from the radius server straight to the authenticated user's session. I have tested this and it works perfectly. Just Google Cisco IBNS quick reference guide and look for the section that deals with Low Impact mode.
    2) Get rid of the dumb switches and use managed switches throughout your network. Dumb switches will always be a point of weakness in your network because they have no intelligence to do advanced security features like port security, 802.1x, DHCP snooping, etc.
    Hopefully someone else will chime in with another option.
    Xavier

  • Same SMTP Relay problem but new reasons. Works with most but not with few

    I am writing a mail server. My application sends mail directly to the SMTP server of recipient using MX Record. I find out the MX Record of the recipients and then using Java Mail send mail to that MX Record. This application is working fine and it has worked for thousand or so SMTP Server successfully.
    There are couple of servers (SMTP of recipients) those reject the mail saying SMTP Relaying Prohibited by the Administrator and further says Invalid Mail Address Destination. I am wondering that the recipients belong to that same domain (MX record). I am able to mail them from yahoo or hotmail. I am not trying to use that SMTP for relaying, in fact that mail account is registered in that particular SMTP Server. If that server is using SMTP Authentication, how come yahoo or hotmail authenticate for sending mail to their user.
    I am sending all genuine parameters like senders mail address etc. I have tried setting various. Can anyone help me where I am missing?

    My applications sends mail directly to the SMTP server of recipient
    using MX Record
    You don't send mail to the SMTP server you send it to
    the pop3 server, anyway...
    Nopes, you do send mail to the POP3 server. POP (Post Office Protocol) is used for fetching mails. See RFC 1939 http://www.faqs.org/rfcs/rfc1939.html for more detailed information. Usually the mail agent contacts the local SMTP server and it queues it for delivery to other SMTP server that it can find via the MX record, trying the one with the highest priority first which incidentally is the one with the lowest number.
    If that server is using SMTP Authentication, how come yahoo or
    hotmail authenticate for sending mail to their user.
    Hotmails' SMTP server will let you send to anybody,
    most other private SMTP servers generally will
    restrict the domains you can send to.
    I'm a little confused as to what your problem is you
    are connection to SMTP servers to send individuals
    emails? why not just use on SMTP server to send to all
    He is making a SMTP server.
    Back to the original question:
    Since you are checking the MX record for the address it should not be considered to be a relay of mail. The only reason this should happen is if the RCPT is set to something weird like
    <@HOSTA.ARPA,@HOSTB.ARPA:[email protected]>
    See RFC 0821 for more information. I am not sure if RFC 0821 is obsoleted, but this should still apply.
    Regards,
    Peter Norell
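
How a receiving server can tell a plain local recipient from a relay attempt or a source-routed path like the one in the reply above, as an added example that is not part of the original thread. It goes beyond the single RFC 821 route form to the percent-hack, bang-path and quoted-address forms that the "Explicit routing not allowed" rules in the mappings file further down this page match; `LOCAL_DOMAINS` and all addresses are constructed for illustration.

```python
"""Classify an SMTP RCPT TO forward-path as local, relay, or explicitly routed."""
import re

# Assumed for illustration: the domains this server hosts mailboxes for.
LOCAL_DOMAINS = {"example.org"}

# Optional "<", optional RFC 821 source route "@a,@b:", mailbox, optional ">".
PATH_RE = re.compile(r"^<?(?:(?P<route>@[^:>]+):)?(?P<mailbox>[^<>]+)>?$")


def classify_rcpt(forward_path, local_domains=LOCAL_DOMAINS):
    """Return (decision, reason); decision is local, relay, routed or reject."""
    match = PATH_RE.match(forward_path.strip())
    if not match:
        return ("reject", "unparsable forward-path")
    local_part, sep, domain = match.group("mailbox").rpartition("@")
    if not sep or not local_part or not domain:
        return ("reject", "mailbox is not local-part@domain")
    domain = domain.rstrip(".").lower()

    # Explicit routing: the visible domain is only the first hop and the
    # real destination is hidden in the route list or in the local part.
    if match.group("route"):
        return ("routed", "source route " + match.group("route"))
    if local_part.startswith('"') and local_part.endswith('"') and "@" in local_part:
        return ("routed", "quoted address inside local part")
    if "%" in local_part:
        return ("routed", "percent-hack in local part")
    if "!" in local_part:
        return ("routed", "bang path in local part")

    if domain in local_domains:
        return ("local", "final delivery for " + domain)
    return ("relay", domain + " is not hosted here")


def may_accept(forward_path, authenticated, local_domains=LOCAL_DOMAINS):
    """Relay policy: local mail from anyone, relay only for authenticated
    clients, explicitly routed or malformed paths from no one."""
    decision, _ = classify_rcpt(forward_path, local_domains)
    if decision == "local":
        return True
    if decision == "relay":
        return authenticated
    return False


if __name__ == "__main__":
    # Constructed sample recipients.
    samples = [
        "<user@example.org>",
        "<user@other.test>",
        "<@HOSTA.ARPA,@HOSTB.ARPA:user@example.org>",
        "<user%other.test@example.org>",
        "<other.test!user@example.org>",
        '<"user@other.test"@example.org>',
    ]
    for path in samples:
        print(path, classify_rcpt(path), may_accept(path, authenticated=False))
```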

  • Relay Problem, Relay Prohibited, mappings file look fine

    Hello Everybody.
    I am suffering from a relay problem.
    I cannot send mail to for example hotmail.com from Messenger express and outlook express.
    I can send from outlook express where I activate AUTH.
    I check mappings file and I see all right.
    The local network is enabled, and the localhost too.
    I also check all the posts in the forum and I didn't find the answer.
    My mappings file looks like:
    ! MTA mappings file
    ! for access control and other table lookups
    PORT_ACCESS
    *|*|*|*|* $C$|INTERNAL_IP;$3|$Y$E
    * $YEXTERNAL
    INTERNAL_IP
    $(10.11.0.0/16) $Y
    $(10.31.0.0/24) $Y
    $(200.68.91.33/32) $Y
    127.0.0.1 $Y
    * $N
    ORIG_SEND_ACCESS
    tcp_local|*|tcp_local|* $N$D30|Relaying$ not$ allowed
    tcp_*|*|native|* $N
    tcp_*|*|hold|* $N
    tcp_*|*|pipe|* $N
    tcp_*|*|ims-ms|* $N
    ! Block "external" submissions of explicitly source-routed "internal" addresses
    tcp_local|*|tcp_intranet|@*:*.* $N$D30|Explicit$ routing$ not$ allowed
    tcp_local|*|tcp_intranet|*$%*@* $N$D30|Explicit$ routing$ not$ allowed
    tcp_local|*|tcp_intranet|*.*!*@* $N$D30|Explicit$ routing$ not$ allowed
    tcp_local|*|tcp_intranet|"*@*"@* $N$D30|Explicit$ routing$ not$ allowed
    Does anybody have an answer for this problem?
    Thanks very much,
    Andres

    I also put imta.cnf:
    ! IMTA configuration file
    ! part I : rewrite rules
    ! Domain Rewrite Rules.
    ! Uncomment this line to use domain rewrite rules
    ! from the configuration file instead of the domain database.
    ! Please refer to the iMS documentation for details.
    !<IMTA_TABLE:domains.rules
    ! Rules to select local users
    $* $A$E$F$U%[email protected]
    acafipri.acasalud.com.ar $U%[email protected]
    acasalud.com.ar $U%[email protected]
    ! ims-ms
    .ims-ms-daemon $U%$H.ims-ms-daemon@ims-ms-daemon
    ! lmtp
    !.lmtp $U%$H@lmtpcs-daemon
    ! native
    .native-daemon $U%$H.native-daemon@native-daemon
    ! pipe
    .pipe-daemon $U%$H.pipe-daemon@pipe-daemon
    ! tcp_local
    ! Rules for top level internet domains
    <IMTA_TABLE:internet.rules
    ! tcp_intranet
    ! Do mapping lookup for internal IP addresses
    [] $E$R${INTERNAL_IP,$L}$U%[$L]@tcp_intranet-daemon
    .acasalud.com.ar $U%$H.acasalud.com.ar@tcp_intranet-daemon
    * $U%$&0.acasalud.com.ar
    ! reprocess
    reprocess $U%reprocess.acafipri.acasalud.com.ar@reprocess-daemon
    reprocess.acafipri.acasalud.com.ar $U%reprocess.acafipri.acasalud.com.ar@reprocess-daemon
    ! process
    process $U%process.acafipri.acasalud.com.ar@process-daemon
    process.acafipri.acasalud.com.ar $U%process.acafipri.acasalud.com.ar@process-daemon
    ! defragment
    defragment $U%defragment.acafipri.acasalud.com.ar@defragment-daemon
    defragment.acafipri.acasalud.com.ar $U%defragment.acafipri.acasalud.com.ar@defragment-daemon
    ! conversion
    conversion $U%conversion.acafipri.acasalud.com.ar@conversion-daemon
    conversion.acafipri.acasalud.com.ar $U%conversion.acafipri.acasalud.com.ar@conversion-daemon
    ! bitbucket
    bitbucket $U%bitbucket.acafipri.acasalud.com.ar@bitbucket-daemon
    bitbucket.acafipri.acasalud.com.ar $U%bitbucket.acafipri.acasalud.com.ar@bitbucket-daemon
    ! deleted
    deleted-daemon $U%$H@deleted-daemon
    .deleted-daemon $U%$H@deleted-daemon
    ! inactive
    inactive-daemon $U%$H@inactive-daemon
    .inactive-daemon $U%$H@inactive-daemon
    ! hold
    hold-daemon $U%$H@hold-daemon
    .hold-daemon $U%$H@hold-daemon
    !tcp_scanner
    [] $E$R${tcp_scanner,$L}$U%[$L]@tcp_scanner-daemon
    ! part II : channel blocks
    defaults notices 1 2 3 copywarnpost copysendpost postheadonly noswitchchannel immnonurgent maxjobs 7 defaulthost acasalud.com.ar acasalud.com.ar
    ! delivery channel to local /var/mail store
    l subdirs 20 viaaliasrequired maxjobs 7 pool LOCAL_POOL
    acafipri.acasalud.com.ar
    ! ims-ms
    ims-ms defragment subdirs 20 notices 1 7 14 21 28 backoff "pt5m" "pt10m" "pt30m" "pt1h" "pt2h" "pt4h" maxjobs 2 pool IMS_POOL fileinto $U+$S@$D destinationbrightmailoptin spam
    ims-ms-daemon
    ! native
    native defragment subdirs 20 maxjobs 1
    native-daemon
    ! pipe
    pipe single defragment subdirs 20
    pipe-daemon
    ! tcp_local
    tcp_local smtp mx single_sys identtcpnumeric subdirs 20 dequeue_removeroute maxjobs 7 pool SMTP_POOL maytlsserver maysaslserver allowswitchchannel saslswitchchannel tcp_auth missingrecipientpolicy 4 aliasdetourhost tcp_scanner-daemon
    tcp-daemon
    ! tcp_scanner
    tcp_scanner smtp single_sys subdirs 5 notices 1 backoff "pt2h" "pt4h" "pt8h" dequeue_removeroute maxjobs 7 pool SMTP_POOL daemon [127.0.0.1] port 10024
    tcp_scanner-daemon
    ! tcp_intranet
    tcp_intranet smtp mx single_sys subdirs 20 dequeue_removeroute maxjobs 7 pool SMTP_POOL maytlsserver maysaslserver allowswitchchannel saslswitchchannel tcp_auth missingrecipientpolicy 4 aliasdetourhost tcp_scanner-daemon
    tcp_intranet-daemon
    ! tcp_submit
    tcp_submit submit smtp mx single_sys mustsaslserver maytlsserver missingrecipientpolicy 4 aliasdetourhost tcp_scanner
    tcp_submit-daemon
    ! tcp_auth
    tcp_auth smtp mx single_sys mustsaslserver missingrecipientpolicy 4
    tcp_auth-daemon
    ! tcp_tas
    tcp_tas smtp mx single_sys allowswitchchannel mustsaslserver maytlsserver deliveryflags 2
    tcp_tas-daemon
    ! tcp_lmtpss (LMTP server - store)
    !tcp_lmtpss lmtp subdirs 20
    !tcp_lmtpss-daemon
    ! tcp_lmtpsn (LMTP server - native)
    !tcp_lmtpsn lmtp subdirs 20
    !tcp_lmtpsn-daemon
    ! tcp_lmtpcs (LMTP client - store)
    !tcp_lmtpcs defragment lmtp port 225 nomx single_sys subdirs 20 maxjobs 7 pool SMTP_POOL dequeue_removeroute
    !lmtpcs-daemon
    ! tcp_lmtpcn (LMTP client - native)
    !tcp_lmtpcn defragment lmtp port 226 nomx single_sys subdirs 20 maxjobs 7 pool SMTP_POOL dequeue_removeroute
    !lmtpcn-daemon
    ! reprocess
    reprocess
    reprocess-daemon
    ! process
    process
    process-daemon
    ! defragment
    defragment
    defragment-daemon
    ! conversion
    conversion
    conversion-daemon
    ! bitbucket
    bitbucket
    bitbucket-daemon
    ! deleted
    deleted
    deleted-daemon
    ! inactive
    inactive
    inactive-daemon
    ! hold
    hold slave
    hold-daemon

  • OS X's Mail app and SMTP auth

    We're having a problem with OS X's Mail app connecting to Tiger Server's mail server. We have the server set up to not always require SMTP auth (all SMTP auth settings unchecked in Settings > Advanced > Security), and to allow relay from only a given set of networks (Settings > Relay). In theory, this means that if you're on one of the specified networks, you're not required to authenticate, otherwise you are. This according to Apple's documentation.
    From a bit of packet sniffing, it looks like:
    1. If a user on an allowed network tries to send mail through the server, the server does not return authorization as an option.
    2. If the user has password authentication specified in Mail's SMTP Server settings, it refuses to send. If they set SMTP auth to None, the Mail app will send.
    IOW, Mail doesn't send if Authorization is enabled in the Mail app, but not given as an option by the mail server. Has anyone else seen this? Is this a bug in Mail or Postfix?

    If you have networks entered in
    'Accept SMTP relay only from these hosts and
    networks'
    Clients on these networks don't need to authenticate
    for local delivery or relay.
    So it does what you are looking for.
    Jeff
    Well, goddarn it - so it does!
    I was testing various permutation (10.3.4) just recently and it just wouldn't relay without auth if any of them was selected (honest!). That was with the trusted relay....
    ...but I just tried it again and it's fine!
    I had put it down to just another 'glitch' in the documentation.
    Oh well - glad you were there to point it out Jeff!
    Whilst we are on the subject - do you know of any way to tie authentication (outwith trusted network) to specified users? I was thinking there might be a Postfix parameter for this (sorry, I should just look them all up but maybe someone knows it already)?
    Thanks, and sorry for any earlier confusion!
    -david.

  • DIsable smtp auth only for an ip

    Dear gurus,
    I have sun messaging server 6 running perfectly alright and only new thing which I would like to incorporate is to disable smtp auth only for one ip address. I am new to this system and have gathered following information from sun messaging docs, the steps which I followed..
    1) Create a table DISABLE_SMTPAUTH_IP similar to INTERNAL_IP mapping table in mapping file
    INTERNAL_IP
    10.18.18.19 $Y
    10.18.18.38 $Y
    10.18.18.30 $Y
    127.0.0.1 $Y
    * $N
    ! Added on 01092008 for disabling smtp_auth
    DISABLE_SMTPAUTH_IP
    external.ip.addres $Y
    *$N
    2) ALLOW PORT ACCESS
    *PORT_ACCESS
    *|*|*|*|* $C$|DISABLE_SMTPAUTH_IP;$3|$Y$E
    *|*|*|*|* $C$|INTERNAL_IP;$3|$Y$E
    3) Then right after the current rewrite rule in imta.cnf file Created new TCP CHANNEL
    ! Do mapping lookup for internal IP addresses
    [] $E$R${INTERNAL_IP,$L}$U%[$L]@tcp_intranet-daemon
    added a new rewrite rule:
    ! Do mapping lookup for "no smtp auth", non-internal IP addresses
    [] $E$R${DISABLE_SMTPAUTH_IP,$L}$U%[$L]@tcp_nosmtpauth-daemon
    ! ttcp_nosmtpauth-daemon
    tcp_nosmtpauth-daemon smtp mx single_sys subdirs 20 maxjobs 7 pool SMTP_POOL nosasl nosaslserver
    tcp_nosmtpauth-daemon
    ! tcp_local
    tcp_local smtp mx single_sys remotehost inner switchchannel subdirs 20 maxjobs 30 pool SMTP_POOL maytlsserver maysaslserver saslswitchchannel tcp_auth loopcheck threaddepth 32 blocklimit 5120 notices 1 2 backoff "pt5m" "pt1h" "pt2h" "pt4h" destinationspamfilter1optin spam
    tcp-daemon mumbbmr1.dataone.in
    ! tcp_intranet
    !tcp_intranet smtp mx single_sys subdirs 20 dequeue_removeroute maxjobs 7 pool SMTP_POOL maytlsserver allowswitchchannel saslswitchchannel tcp_auth blocklimit 2500
    !tcp_intranet smtp mx single_sys subdirs 20 dequeue_removeroute maxjobs 7 pool SMTP_POOL maytlsserver allowswitchchannel saslswitchchannel
    !tcp_intranet-daemon
    run /opt/SUNWmsgr/sbin/imsimta refresh
    alternatively tried imsimta cnbuild and imsimta restart
    but still I get Mail relay denied when I try sending messages from the same trusted IP without doing AUTH.
    I would like to know...
    1) If there is something missing or wrong in above steps
    2) How do I check if the messages from that IP (for which smtp auth is disabled) is passing from the tcp_nosmtpauth channel...
    Thanks for giving your valuable time...

    thanks very much shane for giving time...
    Please always provide the exact version of Messaging Server (./imsimta version).
    mumxxxx1 # ./imsimta version
    Sun Java(tm) System Messaging Server 6.2-6.01 (built Apr 3 2006)
    libimta.so 6.2-6.01 (built 11:20:35, Apr 3 2006)
    SunOS mumxxxx1-a-fixed 5.9 Generic_118558-28 sun4u sparc SUNW,Sun-Fire-V440
    mumxxxx1#
    Why would you want to disable SMTP Authentication? What are you attempting to achieve by doing this -- what is the problem you are trying to solve?
    We are an ISP and therefore sometimes required to send bulk mail, for which we are currently using perl bulk mail module script and there we specify the users in text file to send message, every time this module tries sending it gets Mail Relaying denied as it does not supply user and passwd required for smtp auth in base64.
    Therefore I wanted to disable smtp auth for an ip address using which smtp auth is not required and mails should be openly relayed.
    Why are all of the above entries commented out? Did you intend to disable (break) the tcp_intranet channel?
    no it is not commented in config files.
    +./imsimta refresh is no longer a valid comment, you need to use ./imsimta cnbuild;./imsimta restart+
    as per sun messaging server 6 admin guide it is given to be working. Alternatively I tried ./imsimta cnbuild;./imsimta restart.
    Please provide the mail.log_current line that matches the attempted email delivery which was rejected.
    mumxxxx /opt/SUNWmsgsr/sbin # tail -f /mta/logs/imta/mail.log_current
    08-Sep-2008 13:42:19.52 7079.0fca.710096 tcp_local J 0 [email protected] rfc822; [email protected] mailserv 530 5.7.1 Relaying not allowed: [email protected] SMTP
    bash-3.00# telnet mumxxxx 25 Trying 10.18.18.19...
    Connected to ::ffff:10.18.18.19.
    Escape character is '^]'.
    220 mumxxxx.datxxxx.in -- Server ESMTP (*)
    ehlo mumxxxx.daxxxx.in
    250-mumxxxx.daxxxxx.in
    250-8BITMIME
    250-PIPELINING
    250-DSN
    250-ENHANCEDSTATUSCODES
    250-HELP
    250-XLOOP 82F58AB6E3453199924062C516F2E337
    250-AUTH PLAIN LOGIN
    250-AUTH=LOGIN
    250-ETRN
    250-NO-SOLICITING
    250 SIZE 0
    mail from: [email protected]
    250 2.5.0 Address Ok.
    rcpt to: [email protected]
    530 5.7.1 Relaying not allowed: [email protected]
    rcpt to: [email protected]
    Also please clarify if you want to disable the ability to perform SMTP auth or whether you want to allow email to be sent without requiring SMTP auth -- these are two completely different objectives.
    No, I do not want to disable SMTP auth for everyone. The default is that it should be forced for all except from one IP, i.e. disable SMTP auth only for an IP address.
    Regards
    Pradeep
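
Added example, not part of the original posts and written in Python rather than the Perl of the poster's script: it parses the EHLO reply from the telnet session above, reports which advertised AUTH mechanisms would carry the password in cleartext (the reply offers no STARTTLS), and builds the base64 AUTH PLAIN response that a sending script has to supply. The function names are assumptions made for this example.

```python
import base64

# EHLO reply copied from the telnet session in the post above (host names masked as posted).
EHLO_REPLY = """\
250-mumxxxx.daxxxxx.in
250-8BITMIME
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-HELP
250-XLOOP 82F58AB6E3453199924062C516F2E337
250-AUTH PLAIN LOGIN
250-AUTH=LOGIN
250-ETRN
250-NO-SOLICITING
250 SIZE 0
"""

CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}  # both send the password merely base64-encoded


def parse_ehlo(reply):
    """Return {KEYWORD: [params]} from the lines of a 250 EHLO reply."""
    caps = {}
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    for ln in lines[1:]:  # the first line carries the server name, not a keyword
        if len(ln) < 5 or ln[:3] != "250" or ln[3] not in "- ":
            raise ValueError(f"unexpected EHLO line: {ln!r}")
        text = ln[4:]
        if text.upper().startswith("AUTH="):  # legacy spelling kept for old clients
            text = "AUTH " + text[5:]
        keyword, *params = text.upper().split()
        seen = caps.setdefault(keyword, [])
        seen.extend(p for p in params if p not in seen)
    return caps


def cleartext_auth_mechs(caps, tls_active=False):
    """AUTH mechanisms that would expose the password on this connection."""
    if tls_active:
        return []
    return sorted(CLEARTEXT_MECHS & set(caps.get("AUTH", [])))


def auth_plain_response(user, password, authzid=""):
    """RFC 4616 PLAIN message (authzid NUL authcid NUL passwd), base64-encoded."""
    raw = "\0".join((authzid, user, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")
```

For this reply `cleartext_auth_mechs(parse_ehlo(EHLO_REPLY))` returns both LOGIN and PLAIN, so any account used by the bulk-mail script would be readable on the path between script and server.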

  • Relaying problem when sending email

    Hi All,
    I have read all of the forums regarding this type of problem but I am still unable to send email to outside addresses such as hotmail or yahoo. I can send to internal email addresses without a problem. I have tried authenticating myself with the server first but that didn't make a difference and I cannot make changes to the exchange server's settings for relaying like someone suggested. I know the server is set up correctly because I can send email to external accounts with my desktop outlook client. Can someone please take a look at my code and tell me if there is a problem with it. Thanks in advance!!
    public void execute(javax.mail.Store store, Hashtable variables) throws Exception
    {
        // Get system properties
        Properties props = System.getProperties();
        // Setup mail server
        props.put("mail.smtp.auth", "true");
        props.put("mail.transport.protocol", "smtp");
        props.put("mail.smtp.host", store.getURLName().getHost());
        // authenticate myself with the server
        Authenticator authenticator = new ServerAuthentication(myUsername, myPassword);
        // Get session
        Session session = Session.getDefaultInstance(props, authenticator);
        session.setDebug(true);
        // Define message
        MimeMessage message = new MimeMessage(session);
        message.setReplyTo(new Address[] {new InternetAddress("[email protected]")});
        message.setRecipient(Message.RecipientType.TO,
                             new InternetAddress(((String)variables.get("msgTO")).trim()));
        message.setSubject((String)variables.get("msgSubject"));
        message.setText((String)variables.get("msgBody"));
        // Send message
        Transport transport = session.getTransport();
        transport.send(message);
        transport.close();
    }

    Hello,
    I'm in the same situation as you.
    Here is the code I use to send emails. I had problem with authenticator.
    Transport transport = session.getTransport("smtp");
    transport.connect(server, login, password);
    transport.sendMessage(mimeMessage, mimeMessage.getAllRecipients());
    transport.close();
    Hope this helps

  • External SMTP Auth

    Hi folks.
    My iPod is not happy. She (he?) can't send mail from outside. I have an IMAP account that I use on my LAN server for my domains. When I go out, I can't send mail.
    Now, port 465 is apparently used for SSL SMTP, but that isn't open on the server. My router has SMTP Mail open.
    What I want to do, I forget the name of. I think it's SMTP Auth, and using a port above what routers would normally close off. So I'd like to use port 3500 or something like that. How do I do that, while using Kerberos or MD5 for sending mail from outside?
    Cheers

    I'd confirm that your ISP is (or is not) blocking inbound port 25; if the server here is connected into the ISP via a residential-grade service tier, then port 25 and port 80 blocks in-bound are fairly common. That is, confirm whether the connectivity problems here are between the ISP and the server, or at the pub.
    As for your own network perimeter, most consumer-grade routers are pretty weak, while those router-firewalls with VPN and port-forwarding aren't that much more expensive. And there are open-source firewalls around. And using a VPN into the firewall is a pretty good solution for many reasons.
    Various organizations that offer wireless do block port 25 outbound and sometimes other specific outbound ports to reduce the spread of malware, or the network loading that can result from torrents. Few organizations block outbound VPNs or webmail (port 80 or port 443) connections.

  • SMTP Auth & Maildir

    I have two separate questions...
    I found this quote here:
    http://docs.info.apple.com/article.html?artnum=106763
    "Whenever Authenticated SMTP is enabled, your email server is effectively a "send only" server, because mail servers from other domains are most likely not configured to authenticate with your server. This means your local email clients can only receive email from other local clients. Authenticated SMTP also requires each user's email client software to authenticate before it sends mail through your server."
    I know this documentation is very old (10.1.3), but I need to know if this is still true in Server 10.4.7? I have a LOT of traveling sales people that need to use either mail.app or outlook, and they are not going to be happy if I tell them they have to use webmail. I was planning on switching to OS X Server, but I need to know about this first.
    My second question is, what format does 10.4.7 server store its mail in? mbox? mdir? I have found conflicting answers online..
    Thanks,
    Brian
    Macbook   Mac OS X (10.4.7)  

    Actually, that excerpt does not make sense to me either.
    When Authenticated SMTP is enabled, only clients with the correct username and password may relay mail through your server. Any other client or server will not be able to relay mail through your server. The only mail your server will accept without authentication is those that are meant for the local accounts on the server. SMTP-AUTH just prevents unauthorized relays but not delivery.
    So your travelling reps should be able to use Mail.app to connect to your server and send mail to outside clients through your server. AND their clients should be able to send mail to your reps.
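
Added example, not part of the original posts: a Python model of the RCPT TO decision described in the answer above (local delivery needs no authentication, relaying does), extended with the single-address exemption asked for in the earlier Sun Messaging Server thread. It unwraps IPv4-mapped peers such as the `::ffff:10.18.18.19` form shown in that thread's telnet output, which would otherwise never match an IPv4 allow-list entry. The domain, addresses and function names are constructed assumptions.

```python
import ipaddress

# Constructed policy values for illustration.
LOCAL_DOMAINS = {"example.org"}                         # domains hosted on this server
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.10/32")]  # single exempted bulk-mail host


def normalize_peer(text):
    """Parse a peer address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(text)
    mapped = getattr(ip, "ipv4_mapped", None)  # only IPv6 addresses have this attribute
    return mapped if mapped is not None else ip


def is_trusted(peer):
    """True when the peer falls inside one of the exempted networks."""
    ip = normalize_peer(peer)
    return any(ip.version == net.version and ip in net for net in TRUSTED_NETS)


def rcpt_decision(peer, rcpt, authenticated):
    """Return (code, reason) for one RCPT TO under the policy above."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return 250, "local delivery; no authentication needed"
    if authenticated:
        return 250, "relay for authenticated user"
    if is_trusted(peer):
        return 250, "relay for exempted address"
    return 530, "5.7.1 Relaying not allowed"
```

Anything able to originate mail from an exempted address relays without credentials, so the exemption is kept to a /32 here rather than a whole subnet.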

  • SMTP Auth For Subset of Users

    I think this is not possible but thought I should ask just in case...
    Any ideas how to configure things to only allow a couple of users to smtp authenticate from WAN side of firewall?
    I'm thinking of a different port number from 25, tied into some sort of lookup table...? (you can probably tell I'm scrabbling about here)
    -david

    Thanks Jeff,
    This is purely to get around a lack of secure passwords for LAN users (there are no passwords). At the moment there is no SMTP auth, only relay by LAN IP, and the firewall is closed except for SMTP & VPN. Problem is that the 2 bosses now want to send/receive email from WAN using their fancy mobile phones. However, they are not keen on now introducing secure passwords office wide so I was looking around for other possibilities before informing them that there was really no choice if they wanted to enable SMTP auth and open firewall for pop/imap (due to risk of dictionary hack).
    oh, and yes, it's pop/imap too
    (I have not looked at how these phones work exactly with pop/imap so not sure yet which protocol is preferred).
    The VPN is using the OSX Server and does get used for email from home computer. Actually, I must check to see if the phone thingy can do VPN...
    Appreciate any thoughts. I actually would like to tell them to introduce secure passwords throughout but just wanted to ensure I wasn't giving them wrong info on possible alternatives.
    -david

  • Mail and SMTP auth (RFC 1918 error) ?

    I have an iMac and a Macbook (both with Mac OS X 10.5.3). Both are connected to the Internet using Airport via my WiFi router (with NAT activated on this router). This behavior has been working fine for almost 2 years.
    I was using (and I'm still using) Thunderbird (latest version) to read and send my emails on the iMac, and Mac OS X Mail on the Macbook.
    Everything was fine until yesterday. My provider has changed its SMTP server so that authentication is now required when sending messages.
    So I've activated SMTP auth in Thunderbird and all is fine. I did the same in Mail (with the password option). But it doesn't work with Mail; I get an SMTP connection error.
    When I choose the diagnostic button, I find that the SMTP connection (EHLO) is fine, then it says my IP address (192.168.x.x) is private according to RFC 1918 and ends the connection (QUIT).
    I have the same error on my iMac, though it works fine with Thunderbird.
    So it seems to me Mail can't connect because of this behavior. But I don't understand why my IP address in Mail's dialog with my provider's SMTP server is not NATed by my router, like all other IP traffic.
    And I don't know what to do to correct this problem.

    Well, as SMTP authentication is only required to forward mail to another domain, I tried to send a mail to my wife, who is on the same domain as myself. It works fine with authentication disabled using Thunderbird but doesn't work with Mail.
    As it used to work fine until I changed the configuration, I tried to delete my account information and create a new one as it was 2 days ago (without SMTP auth), but it still doesn't work, even though I've got no problem with Thunderbird.
    Does anyone have an idea about all this mess? My only clue is the Mail connection diagnostic, which shows connect, helo (with my private IP), server response 550 RFC 1918 and quit. Even if I find this behavior very strange, the result of the diagnostic is the same with or without SMTP auth activated. So I suppose it was already the same before, when it was working fine...
