Hello, relay access denied error

CrazyyyAlex
Level 1

Hello, can someone help me with the following: I need to configure a C170 as a mail gateway for Postfix. The thing is, I've done all the initial setup, set the RAT to accept all emails for my domain and for other domains, as I use the one-interface deployment solution. I've put my Postfix as a relay host in the HAT. I've also put my host in SMTP Routes, both for my domain and for all other domains, so the C170 must redirect outgoing messages to my Postfix, but Postfix says "Relay access denied". Did I miss something? Or do I just not understand something? It would be great if Postfix sent the outgoing messages rather than the C170. Need advice. Thanks in advance.

9 Replies

Robert Sherwin
Cisco Employee

What is message tracking from your postfix appliance showing exactly? If you have the RAT set up with the domain correctly, your mail flow policy set correctly, and your IP added to the correct relay sender group you created, this should be treated as a relay connection...

Can you share a message tracking example from the ESA?

-Robert

Here is what my ESA says:

Received Time: 17 Dec 2013 09:28:42 (GMT +02:00)
MID: 74842, 74841
Message Size: 856 (Bytes)
Subject: 123
Envelope Sender: test@xxxx.xxx.xx
Envelope Recipients: xxxxxxxxxxxx@mail.ru
Message ID Header: <52AFFA95.1050701@xxxx.xxx.xx>
SMTP Auth User ID: N/A
Attachments: N/A

Sending Host Summary

Reverse DNS Hostname: (unverified)
IP Address: xx.xxx.xx.146
SBRS Score: not enabled

Processing Details

           MAIL POLICY "OutgoingMail" MATCHED THESE RECIPIENTS: xxxxxxxxxxxx@mail.ru

17 Dec 2013 09:28:42 (GMT +02:00)           Protocol SMTP interface Data 2 (IP xx.xxx.xx.147) on incoming connection (ICID 363238) from sender IP xx.xxx.xx.146. Reverse DNS host None verified no.

17 Dec 2013 09:28:42 (GMT +02:00)           (ICID 363238) RELAY sender group Incoming Relay match xx.xxx.xx.146 SBRS not enabled

17 Dec 2013 09:28:42 (GMT +02:00)           Start message 74841 on incoming connection (ICID 363238).

17 Dec 2013 09:28:42 (GMT +02:00)           Message 74841 enqueued on incoming connection (ICID 363238) from test@xxxx.xxx.xx.

17 Dec 2013 09:28:42 (GMT +02:00)           Message 74841 on incoming connection (ICID 363238) added recipient (xxxxxxxxxxxx@mail.ru).

17 Dec 2013 09:28:42 (GMT +02:00)           Message 74841 on incoming relay (Postfix) missing header Received.

17 Dec 2013 09:28:42 (GMT +02:00)           Message 74841 contains message ID header '<52AFFA95.1050701@xxxx.xxx.xx>'.

17 Dec 2013 09:28:42 (GMT +02:00)           Message 74841 original subject on injection: 123

17 Dec 2013 09:28:42 (GMT +02:00)           Message 74841 (856 bytes) from test@xxxx.xxx.xx ready.

17 Dec 2013 09:28:42 (GMT +02:00)           Message 74841 matched per-recipient policy OutgoingMail for outbound mail policies.

17 Dec 2013 09:28:42 (GMT +02:00)           Message 74841 queued for delivery.

17 Dec 2013 09:28:42 (GMT +02:00)           SMTP delivery connection (DCID 41909) opened from Cisco IronPort interface xx.xxx.xx.147 to IP address xx.xxx.xx.146. on port 25.

17 Dec 2013 09:28:42 (GMT +02:00)           (DCID 41909) Delivery started for message 74841 to xxxxxxxxxxxx@mail.ru.

17 Dec 2013 09:28:42 (GMT +02:00)           (DCID 41909) Message 74841 bounce verification rewriting sender test@xxxx.xxx.xx to prvs=056d5f626=test@xxxx.xxx.xx.

17 Dec 2013 09:28:42 (GMT +02:00)           (DCID 41909) Message 74841 to xxxxxxxxxxxx@mail.ru bounced by destination server. Reason: 5.1.0 - Unknown address error ('554', ['5.7.1 <xxxxxxxxxxxx@mail.ru>: Relay access denied'])

17 Dec 2013 09:28:42 (GMT +02:00)           Start message 74842 on incoming connection (ICID 0).

17 Dec 2013 09:28:42 (GMT +02:00)           A new message 74842 was generated to handle bounce of message 74841.

17 Dec 2013 09:28:42 (GMT +02:00)           Message 74842 enqueued on incoming connection (ICID 0) from .

17 Dec 2013 09:28:42 (GMT +02:00)           Message 74842 on incoming connection (ICID 0) added recipient (test@xxxx.xxx.xx).

17 Dec 2013 09:28:42 (GMT +02:00)           Message 74842 (1971 bytes) from ready.

17 Dec 2013 09:28:42 (GMT +02:00)           Message 74842 queued for delivery.

17 Dec 2013 09:28:42 (GMT +02:00)           SMTP delivery connection (DCID 41910) opened from Cisco IronPort interface xx.xxx.xx.147 to IP address xx.xxx.xx.146 on port 25.

17 Dec 2013 09:28:42 (GMT +02:00)           (DCID 41910) Delivery started for message 74842 to test@xxxx.xxx.xx.

17 Dec 2013 09:28:43 (GMT +02:00)           (DCID 41910) Delivery details: Message 74842 sent to test@xxxx.xxx.xx

17 Dec 2013 09:28:43 (GMT +02:00)          Message 74842 to test@xxxx.xxx.xx received remote SMTP response '2.0.0 Ok: queued as E39B43807DF'.

Here is what my Postfix says:

Dec 17 09:06:51 mail postfix/smtpd[18564]: connect from smtp.xxxx.xxx.xx[xxx.xxx.xxx.147]

Dec 17 09:06:51 mail postfix/smtpd[18564]: NOQUEUE: reject: RCPT from smtp.xxxx.xxx.xx[xxx.xxx.xxx.147]: 554 5.7.1 <xxxxxxxxxx@mail.ru>: Relay access denied; from=<prvs=056d5f626=test@xxxx.xxx.xx> to=<xxxxxxxxxx@mail.ru> proto=ESMTP helo=

Dec 17 09:06:51 mail postfix/smtpd[18568]: connect from smtp.xxxx.xxx.xx[xxx.xxx.xxx.147]

Dec 17 09:06:51 mail postfix/smtpd[18568]: 8A90D3807E5: client=smtp.xxxx.xxx.xx[xxx.xxx.xxx.147]

Dec 17 09:06:51 mail postfix/cleanup[18569]: 8A90D3807E5: message-id=<2119af$292o@smtp.xxxx.xxx.xx>

Dec 17 09:06:51 mail postfix/qmgr[2383]: 8A90D3807E5: from=<>, size=2553, nrcpt=1 (queue active)

Dec 17 09:06:51 mail postfix/local[18570]: 8A90D3807E5: to=<test@xxxx.xxx.xx>, relay=local, delay=0.08, delays=0.05/0.01/0/0.02, dsn=2.0.0, status=sent (delivered to mailbox)

Dec 17 09:06:51 mail postfix/qmgr[2383]: 8A90D3807E5: removed

Dec 17 09:06:56 mail postfix/smtpd[18564]: disconnect from smtp.xxxx.xxx.xx[xxx.xxx.xxx.147]

Dec 17 09:06:56 mail postfix/smtpd[18568]: disconnect from smtp.xxxx.xxx.xx[xxx.xxx.xxx.147]

Dec 17 09:07:01 mail dovecot: pop3-login: Login: user=, method=PLAIN, rip=xxx.xxx.xxx.xxx, lip=xxx.xxx.xxx.146, mpid=18578, TLS

Dec 17 09:07:01 mail dovecot: pop3(test): Disconnected: Logged out top=0/0, retr=1/2651, del=0/17, size=34346

xx.xxx.xx.146 is the IP of my Postfix server. It is listed in RELAYLIST. It is also listed in SMTP Routes for All Other Domains.

Hello Alex,

the issue is not between your backend Postfix server and the Email Security Appliance; it is with the destination mail server, which rejects the delivery due to policy settings on it:

17 Dec 2013 09:28:42 (GMT +02:00)           (DCID 41909) Message 74841 to xxxxxxxxxxxx@mail.ru bounced by destination server. Reason: 5.1.0 - Unknown address error ('554', ['5.7.1 <xxxxxxxxxxxx@mail.ru>: Relay access denied'])

I'm just wondering, as the last octet of the IP address from which the Email Security Appliance is accepting the message:

17 Dec 2013 09:28:42 (GMT +02:00)           Protocol SMTP interface Data  2 (IP xx.xxx.xx.147) on incoming connection (ICID 363238) from sender  IP xx.xxx.xx.146. Reverse DNS host None verified no.

...is also the same as the one to which it delivers it:

17 Dec 2013 09:28:42 (GMT +02:00)           SMTP delivery connection (DCID 41909) opened from Cisco IronPort interface xx.xxx.xx.147 to IP  address xx.xxx.xx.146. on port 25.

Could you please review the mail flow here with the unmasked IP addresses to verify whether the connection is indeed received from and delivered to the very same IP address? If so, could you please review your configuration in the GUI under Network -> SMTP Routes to check whether "All Other Domains" is pointing to this IP? If it is, please remove this entry, as it overrides DNS lookups for outbound emails.

Thanks and regards,

Martin
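As an added illustration (not code from the thread or from Cisco), a Python check for the two symptoms Martin points at: the ESA opening a delivery connection back to the very IP it accepted the message from (the "All Other Domains" SMTP route sending outbound mail back to Postfix), and the matching "Relay access denied" rejections in the Postfix log. The sample lines are constructed to match the log formats quoted in the thread; the IPs, hostnames and addresses are placeholders.

```python
import re

# Constructed samples modelled on the ESA message-tracking and Postfix log formats
# quoted in the thread. 10.0.0.x, example.org and example.net are placeholders.
ESA_TRACKING = """\
17 Dec 2013 09:28:42 (GMT +02:00) Protocol SMTP interface Data 2 (IP 10.0.0.147) on incoming connection (ICID 363238) from sender IP 10.0.0.146. Reverse DNS host None verified no.
17 Dec 2013 09:28:42 (GMT +02:00) Start message 74841 on incoming connection (ICID 363238).
17 Dec 2013 09:28:42 (GMT +02:00) SMTP delivery connection (DCID 41909) opened from Cisco IronPort interface 10.0.0.147 to IP address 10.0.0.146. on port 25.
17 Dec 2013 09:28:42 (GMT +02:00) (DCID 41909) Delivery started for message 74841 to user@example.net.
"""
POSTFIX_LOG = """\
Dec 17 09:06:51 mail postfix/smtpd[18564]: connect from smtp.example.org[10.0.0.147]
Dec 17 09:06:51 mail postfix/smtpd[18564]: NOQUEUE: reject: RCPT from smtp.example.org[10.0.0.147]: 554 5.7.1 <user@example.net>: Relay access denied; from=<prvs=056d5f626=test@example.org> to=<user@example.net> proto=ESMTP helo=<smtp.example.org>
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
INCOMING_RE = re.compile(r"incoming connection \(ICID (\d+)\) from sender IP " + IP)
START_RE = re.compile(r"Start message (\d+) on incoming connection \(ICID (\d+)\)")
DCID_RE = re.compile(r"\(DCID (\d+)\) opened from .* to IP address " + IP)
DELIV_RE = re.compile(r"\(DCID (\d+)\) Delivery started for message (\d+) to (\S+?)\.?$")
DENY_RE = re.compile(r"RCPT from \S+\[" + IP + r"\]: 554 5\.7\.1 <([^>]+)>: Relay access denied; from=<([^>]*)>")

def find_routing_loops(tracking_text):
    """Return (mid, recipient, ip) for every message the ESA accepted from an IP
    and then tried to deliver back to that same IP: the SMTP-route loop in the thread."""
    icid_src, mid_src, dcid_dst, loops = {}, {}, {}, []
    for line in tracking_text.splitlines():
        if m := INCOMING_RE.search(line):      # ICID -> IP the connection came from
            icid_src[m.group(1)] = m.group(2)
        elif m := START_RE.search(line):       # MID -> source IP via its ICID
            mid_src[m.group(1)] = icid_src.get(m.group(2))
        elif m := DCID_RE.search(line):        # DCID -> IP the delivery went to
            dcid_dst[m.group(1)] = m.group(2)
        elif m := DELIV_RE.search(line):       # compare source and destination per message
            dcid, mid, rcpt = m.groups()
            if dcid_dst.get(dcid) and dcid_dst[dcid] == mid_src.get(mid):
                loops.append((mid, rcpt, dcid_dst[dcid]))
    return loops

def postfix_relay_denials(log_text):
    """Return (client_ip, sender, recipient) for each 'Relay access denied' rejection."""
    return [(m.group(1), m.group(3), m.group(2))
            for m in map(DENY_RE.search, log_text.splitlines()) if m]
```

A loop entry whose IP is the Postfix host, paired with a Postfix denial from the ESA's interface address, is exactly the pattern Martin describes; removing the "All Other Domains" route is the fix he suggests.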

Yes. It is in SMTP Routes for All Other Domains. But when I remove it from there, all the outgoing messages go to their destinations, but they are sent by the ESA. And they are listed as incoming mail in the overview. Is this OK in the one-interface deployment solution? And are these messages checked for viruses etc.?

The situation is the following: I've got two C170s. They have two IPs. Both of these IPs are chained to one SMTP record with different metrics for "clustering", and one POP3 record for my Dovecot server, which is installed alongside my Postfix server. I use the one-interface deployment solution for the C170. The question is: what did I do wrong? In Thunderbird, for example, for the POP3 server I enter my POP3 record. For the SMTP server, what do I need to enter? My Postfix or my C170s?


Hello Alex,

I would recommend opening a support case with us, so that we can review your entire configuration here together with the log files and full IP addresses. From my understanding, I assume the following:

1. You do not have a RELAYLIST Sender Group configured in your appliance's Host Access Table, as all outgoing messages are seen as 'incoming' rather than 'outgoing'.

2. The 'All other destinations' entry pointing to your Postfix is causing trouble here, as all destinations for which no distinct SMTP Route has been configured will end up (and crash) on your Postfix mail server.

3. Possibly you have an open relay configured, as the Recipient Access Table is showing 'accept' for 'all other recipients' (instead of 'reject'). This is typically the case to get messages accepted by the appliance when no RELAYLIST Sender Group has been configured.

We in TAC can assist you here to ensure that your IP is not getting listed in RBLs as the appliance is abused by external parties as open mail relay.

Thanks and regards,

Martin

1. The RELAYLIST Sender Group in the Host Access Table has 1 server listed (the Postfix one, whose IP ends in 146).

2. In SMTP Routes, do I have to set only the IP for my domain? Even if I use the one-interface deployment?

3. In the RAT, must I also use Accept only for my domain? Even if I use the one-interface deployment?

Hello Alex,

could you please open a support case with us in TAC, as we definitely need to review your configuration of the appliance in detail to understand the current mail flow and how the appliance would need to be configured to get things working correctly for you.

Many thanks for your understanding,

Martin

Hello once again. I used your advice and configured it as it was in the manual. But I had an issue with authentication, as I do not use Active Directory. Occasionally I found an article about SMTP forwarded authentication, and I managed. Now everything works as I wanted it to. Thanks all)))))))