The Old 530 5.7.1 Error Redux ...

spoole
Posts: 20
Joined: Sat Sep 13, 2014 3:22 am

The Old 530 5.7.1 Error Redux ...

Post by spoole »

The closest I've seen to our issue, after lots of Googlin' and searchin', is this discussion here: viewtopic.php?f=15&t=63617&p=281610&hil ... .1#p281610. Not quite the same, but I'll carefully pore through that one tonight.

Our setup is Zimbra 8.6 running on a Dell PowerEdge, CentOS 7.6. (Tried to upgrade Zimbra a few months ago and it bombed, so I'm waiting before I upgrade again. That's for a later discussion.) We have a valid cert from GoDaddy, all that works just fine, too. We use a pfSense router/firewall to NAT incoming to Zimbra and Barracuda, with dnsmasq spoofing DNS on the Zimbra server. Basically,

Code:

Incoming Port 25 --> Barracuda Spam Filter --> Zimbra
Other incoming ports --> Zimbra
Zimbra outgoing --> Barracuda Spam Filter --> The Internet (port 25)

In other words, I'm routing both incoming and outgoing through the Barracuda to catch spam. (This has saved my bacon and has kept me off the blocklists several times now.) :)

This was working splendidly for months and months ... then the Barracuda died yesterday morning with a bad hard drive. I temporarily bypassed Barracuda for incoming and outgoing and exposed Zimbra directly to the Internet. I went in to Zimbra admin/config and deleted the outgoing relay strings. It worked sort of: some outgoing emails were sent, others were rejected (most notably by Comcast and GMail) with the error 530 5.7.1.

This tells me that our Zimbra setup isn't doing something properly for outgoing mail. I don't know what Barracuda does differently, but as soon as we installed the replacement and put Barracuda back in line, Comcast and Gmail were happy again.

What's throwing me is that 530 5.7.1 supposedly means "authentication error." I'm just sending email to outside recipients over port 25. I'm not trying to log in with Comcast or GMail from our Zimbra server, so the Wiki article's suggestion for password lists doesn't apply. I just need to send an email to "joe-schmo@gmail.com."

No doubt I've missed something in our Zimbra settings, but if anyone here has any ideas, I'd appreciate it. Right now, we're back up and running, but if I ever lose Barracuda again, I need to be able to put Zimbra straight online and still have our outgoing email be handled properly by Comcast, Gmail, and the other criminals.

More detail, based on the Wiki article, follows. This is the current configuration with Barracuda back inline, operating normally (my comments in parentheses when Barracuda was bypassed). Sorry for the length.

I wonder if the SMTP server shouldn't be pointing to the certificate? Doesn't explain why Barracuda is happy (it's using a self-generated cert), but it's the only thing I wonder about.

Thanks in advance.

Code:

zmprov gs mail.crawfordbroadcasting.com | grep -i mta

zimbraMtaAddressVerifyNegativeRefreshTime: 10m
zimbraMtaAddressVerifyPollCount: ${stress?3}${stress:5}
zimbraMtaAddressVerifyPollDelay: 3s
zimbraMtaAddressVerifyPositiveRefreshTime: 12h
zimbraMtaAliasMaps: lmdb:/etc/aliases
zimbraMtaAlwaysAddMissingHeaders: yes
zimbraMtaAntiSpamLockMethod: flock
zimbraMtaAuthEnabled: TRUE
zimbraMtaAuthHost: mail.crawfordbroadcasting.com
zimbraMtaAuthTarget: TRUE
zimbraMtaAuthURL: https://mail.crawfordbroadcasting.com:443/service/soap/
zimbraMtaBounceNoticeRecipient: postmaster
zimbraMtaBounceQueueLifetime: 5d
zimbraMtaBrokenSaslAuthClients: yes
zimbraMtaCommandDirectory: /opt/zimbra/postfix/sbin
zimbraMtaDaemonDirectory: /opt/zimbra/postfix/libexec
zimbraMtaDefaultProcessLimit: 100
zimbraMtaDelayWarningTime: 0h
zimbraMtaDnsLookupsEnabled: FALSE
zimbraMtaEnableSmtpdPolicyd: FALSE
zimbraMtaHeaderChecks: pcre:/opt/zimbra/conf/postfix_header_checks
zimbraMtaInFlowDelay: 1s
zimbraMtaLmdbMapSize: 16777216
zimbraMtaLmtpConnectionCacheTimeLimit: 4s
zimbraMtaLmtpHostLookup: dns
zimbraMtaLmtpTlsCiphers: export
zimbraMtaLmtpTlsLoglevel: 0
zimbraMtaLmtpTlsMandatoryCiphers: medium
zimbraMtaLmtpTlsProtocols: !SSLv2, !SSLv3
zimbraMtaLmtpTlsSecurityLevel: may
zimbraMtaMailqPath: /opt/zimbra/postfix/sbin/mailq
zimbraMtaManpageDirectory: /opt/zimbra/postfix/man
zimbraMtaMaxUse: 100
zimbraMtaMaximalBackoffTime: 4000s
zimbraMtaMilterCommandTimeout: 30s
zimbraMtaMilterConnectTimeout: 30s
zimbraMtaMilterContentTimeout: 300s
zimbraMtaMilterDefaultAction: tempfail
zimbraMtaMinimalBackoffTime: 300s
zimbraMtaMyDestination: localhost
zimbraMtaMyNetworks: 127.0.0.0/8 192.168.1.0/24 (the 192.x.x.x is my internal network, of course)
zimbraMtaNewaliasesPath: /opt/zimbra/postfix/sbin/newaliases
zimbraMtaNotifyClasses: resource
zimbraMtaNotifyClasses: software
zimbraMtaPolicyTimeLimit: 3600
zimbraMtaPropagateUnmatchedExtensions: canonical
zimbraMtaQueueDirectory: /opt/zimbra/data/postfix/spool
zimbraMtaQueueRunDelay: 300s
zimbraMtaRelayHost: 192.168.1.200:25 (this was set to an empty string while Barracuda was down)
zimbraMtaSaslAuthEnable: yes
zimbraMtaSaslSmtpdMechList: PLAIN
zimbraMtaSaslSmtpdMechList: LOGIN
zimbraMtaSenderCanonicalMaps: proxy:ldap:/opt/zimbra/conf/ldap-scm.cf
zimbraMtaSendmailPath: /opt/zimbra/postfix/sbin/sendmail
zimbraMtaSmtpCnameOverridesServername: no
zimbraMtaSmtpHeloName: $myhostname
zimbraMtaSmtpSaslAuthEnable: no
zimbraMtaSmtpSaslSecurityOptions: noplaintext,noanonymous
zimbraMtaSmtpTlsCiphers: export
zimbraMtaSmtpTlsLoglevel: 0
zimbraMtaSmtpTlsMandatoryCiphers: medium
zimbraMtaSmtpTlsProtocols: !SSLv2, !SSLv3
zimbraMtaSmtpTlsSecurityLevel: may
zimbraMtaSmtpdBanner: $myhostname ESMTP $mail_name
zimbraMtaSmtpdClientPortLogging: no
zimbraMtaSmtpdClientRestrictions: reject_unauth_pipelining
zimbraMtaSmtpdDataRestrictions: reject_unauth_pipelining
zimbraMtaSmtpdErrorSleepTime: 1s
zimbraMtaSmtpdHardErrorLimit: 20
zimbraMtaSmtpdHeloRequired: yes
zimbraMtaSmtpdProxyTimeout: 100s
zimbraMtaSmtpdRejectUnlistedRecipient: no
zimbraMtaSmtpdRejectUnlistedSender: yes
zimbraMtaSmtpdSaslAuthenticatedHeader: no
zimbraMtaSmtpdSaslSecurityOptions: noanonymous
zimbraMtaSmtpdSaslTlsSecurityOptions: $smtpd_sasl_security_options
zimbraMtaSmtpdSenderLoginMaps: proxy:ldap:/opt/zimbra/conf/ldap-slm.cf
zimbraMtaSmtpdSenderRestrictions: reject_authenticated_sender_login_mismatch
zimbraMtaSmtpdTlsAskCcert: no
zimbraMtaSmtpdTlsCcertVerifydepth: 9
zimbraMtaSmtpdTlsCiphers: export
zimbraMtaSmtpdTlsLoglevel: 1
zimbraMtaSmtpdTlsMandatoryCiphers: medium
zimbraMtaSmtpdTlsProtocols: !SSLv2, !SSLv3
zimbraMtaSmtpdVirtualTransport: error
zimbraMtaStpdSoftErrorLimit: 10
zimbraMtaTlsAppendDefaultCA: no
zimbraMtaTlsAuthOnly: TRUE
zimbraMtaTlsSecurityLevel: may

[zimbra@mail ~]$ postconf | grep -i tls

lmtp_enforce_tls = no
lmtp_sasl_tls_security_options = $lmtp_sasl_security_options
lmtp_sasl_tls_verified_security_options = $lmtp_sasl_tls_security_options
lmtp_starttls_timeout = 300s
lmtp_tls_CAfile =
lmtp_tls_CApath =
lmtp_tls_block_early_mail_reply = no
lmtp_tls_cert_file =
lmtp_tls_ciphers = export
lmtp_tls_dcert_file =
lmtp_tls_dkey_file = $lmtp_tls_dcert_file
lmtp_tls_eccert_file =
lmtp_tls_eckey_file = $lmtp_tls_eccert_file
lmtp_tls_enforce_peername = yes
lmtp_tls_exclude_ciphers =
lmtp_tls_fingerprint_cert_match =
lmtp_tls_fingerprint_digest = md5
lmtp_tls_force_insecure_host_tlsa_lookup = no
lmtp_tls_key_file = $lmtp_tls_cert_file
lmtp_tls_loglevel = 0
lmtp_tls_mandatory_ciphers = medium
lmtp_tls_mandatory_exclude_ciphers =
lmtp_tls_mandatory_protocols = !SSLv2
lmtp_tls_note_starttls_offer = no
lmtp_tls_per_site =
lmtp_tls_policy_maps =
lmtp_tls_protocols = !SSLv2, !SSLv3
lmtp_tls_scert_verifydepth = 9
lmtp_tls_secure_cert_match = nexthop
lmtp_tls_security_level = may
lmtp_tls_session_cache_database =
lmtp_tls_session_cache_timeout = 3600s
lmtp_tls_trust_anchor_file =
lmtp_tls_verify_cert_match = hostname
lmtp_use_tls = no
milter_helo_macros = {tls_version} {cipher} {cipher_bits} {cert_subject} {cert_issuer}
postscreen_enforce_tls = $smtpd_enforce_tls
postscreen_tls_security_level = $smtpd_tls_security_level
postscreen_use_tls = $smtpd_use_tls
smtp_enforce_tls = no
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
smtp_starttls_timeout = 300s
smtp_tls_CAfile =
smtp_tls_CApath =
smtp_tls_block_early_mail_reply = no
smtp_tls_cert_file =
smtp_tls_ciphers = export
smtp_tls_dcert_file =
smtp_tls_dkey_file = $smtp_tls_dcert_file
smtp_tls_eccert_file =
smtp_tls_eckey_file = $smtp_tls_eccert_file
smtp_tls_enforce_peername = yes
smtp_tls_exclude_ciphers =
smtp_tls_fingerprint_cert_match =
smtp_tls_fingerprint_digest = md5
smtp_tls_force_insecure_host_tlsa_lookup = no
smtp_tls_key_file = $smtp_tls_cert_file
smtp_tls_loglevel = 0
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers =
smtp_tls_mandatory_protocols = !SSLv2
smtp_tls_note_starttls_offer = no
smtp_tls_per_site =
smtp_tls_policy_maps =
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_scert_verifydepth = 9
smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_security_level = may
smtp_tls_session_cache_database =
smtp_tls_session_cache_timeout = 3600s
smtp_tls_trust_anchor_file =
smtp_tls_verify_cert_match = hostname
smtp_use_tls = no
smtpd_client_new_tls_session_rate_limit = 0
smtpd_enforce_tls = no
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch, check_policy_service inet:localhost:10031, check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re
smtpd_starttls_timeout = ${stress?10}${stress:300}s
smtpd_tls_CAfile =
smtpd_tls_CApath =
smtpd_tls_always_issue_session_ids = yes
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = yes
smtpd_tls_ccert_verifydepth = 9
smtpd_tls_cert_file = /opt/zimbra/conf/smtpd.crt
smtpd_tls_ciphers = export
smtpd_tls_dcert_file =
smtpd_tls_dh1024_param_file =
smtpd_tls_dh512_param_file =
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
smtpd_tls_eccert_file =
smtpd_tls_eckey_file = $smtpd_tls_eccert_file
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers =
smtpd_tls_fingerprint_digest = md5
smtpd_tls_key_file = /opt/zimbra/conf/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers =
smtpd_tls_mandatory_protocols = !SSLv2
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = no
smtpd_tls_req_ccert = no
smtpd_tls_security_level = may
smtpd_tls_session_cache_database =
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_wrappermode = no
smtpd_use_tls = yes
tls_append_default_CA = no
tls_daemon_random_bytes = 32
tls_dane_digest_agility = on
tls_dane_digests = sha512 sha256
tls_dane_trust_anchor_digest_enable = yes
tls_disable_workarounds =
tls_eecdh_strong_curve = prime256v1
tls_eecdh_ultra_curve = secp384r1
tls_export_cipherlist = aNULL:-aNULL:ALL:+RC4:@STRENGTH
tls_high_cipherlist = aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH
tls_legacy_public_key_fingerprints = no
tls_low_cipherlist = aNULL:-aNULL:ALL:!EXPORT:+RC4:@STRENGTH
tls_medium_cipherlist = aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH
tls_null_cipherlist = eNULL:!aNULL
tls_preempt_cipherlist = no
tls_random_bytes = 32
tls_random_exchange_name = ${data_directory}/prng_exch
tls_random_prng_update_period = 3600s
tls_random_reseed_period = 3600s
tls_random_source = dev:/dev/urandom
tls_ssl_options =
tls_wildcard_matches_multiple_labels = yes
tlsmgr_service_name = tlsmgr
tlsproxy_enforce_tls = $smtpd_enforce_tls
tlsproxy_service_name = tlsproxy
tlsproxy_tls_CAfile = $smtpd_tls_CAfile
tlsproxy_tls_CApath = $smtpd_tls_CApath
tlsproxy_tls_always_issue_session_ids = $smtpd_tls_always_issue_session_ids
tlsproxy_tls_ask_ccert = $smtpd_tls_ask_ccert
tlsproxy_tls_ccert_verifydepth = $smtpd_tls_ccert_verifydepth
tlsproxy_tls_cert_file = $smtpd_tls_cert_file
tlsproxy_tls_ciphers = $smtpd_tls_ciphers
tlsproxy_tls_dcert_file = $smtpd_tls_dcert_file
tlsproxy_tls_dh1024_param_file = $smtpd_tls_dh1024_param_file
tlsproxy_tls_dh512_param_file = $smtpd_tls_dh512_param_file
tlsproxy_tls_dkey_file = $smtpd_tls_dkey_file
tlsproxy_tls_eccert_file = $smtpd_tls_eccert_file
tlsproxy_tls_eckey_file = $smtpd_tls_eckey_file
tlsproxy_tls_eecdh_grade = $smtpd_tls_eecdh_grade
tlsproxy_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers
tlsproxy_tls_fingerprint_digest = $smtpd_tls_fingerprint_digest
tlsproxy_tls_key_file = $smtpd_tls_key_file
tlsproxy_tls_loglevel = $smtpd_tls_loglevel
tlsproxy_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
tlsproxy_tls_mandatory_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
tlsproxy_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
tlsproxy_tls_protocols = $smtpd_tls_protocols
tlsproxy_tls_req_ccert = $smtpd_tls_req_ccert
tlsproxy_tls_security_level = $smtpd_tls_security_level
tlsproxy_use_tls = $smtpd_use_tls
tlsproxy_watchdog_timeout = 10s

spoole
Posts: 20
Joined: Sat Sep 13, 2014 3:22 am

Re: The Old 530 5.7.1 Error Redux ...

Post by spoole »

A brief update: one of the ISPs that was rejecting our email was Hiwaay in Alabama. I'm friends with those guys and had one of their techs pull up the logs to see if he saw anything. He says, "nada." Nothing.

This is truly baffling. It's also concerning that other, similar posts to mine -- both here and in support forums for various ISPs online -- generally go unanswered. Zimbra's Wiki is written for people who want to *relay* mail through a different ISP (whence the instructions for setting up password lists and etc.).

spoole
Posts: 20
Joined: Sat Sep 13, 2014 3:22 am

Re: The Old 530 5.7.1 Error Redux ...

Post by spoole »

OH-KAY: A bit more info. Tonight, I set up our pfsense firewall to do a packet capture on anything headed to the IP address of the spam filter of my personal ISP (hiwaay.net, their mail is handled by antespam.com). With Barracuda inline, everything worked fine, as mentioned above.

I bypassed Barracuda by going into Zimbra Admin and removing the External MTA Relay field, then restarted Zimbra. The resulting packet capture was only 24 bytes. Basically nothing.

What that tells me is that, once you enable External MTA Relay, you obviously have to do something additional to DIS-able it. Just making the "external relay" field blank won't do it.

This article in the Wiki --https://wiki.zimbra.com/wiki/Sending_ma ... rnal_relay -- covers enabling it just fine; it doesn't discuss how to disable the external relay later, should you need to do that. If anyone could point me to good documentation on DISabling an existing relay, I'll be ever so grateful. :)

phoenix
Ambassador
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: The Old 530 5.7.1 Error Redux ...

Post by phoenix »

You can check it's been set correctly with the following (I'm assuming a single server installation):

Code:

zmprov gs $(zmhostname) zimbraMtaRelayHost   # this should show the FQDN of your MTA server

zmprov gcf zimbraMtaRelayHost                # this should be empty

Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra

spoole
Posts: 20
Joined: Sat Sep 13, 2014 3:22 am

Re: The Old 530 5.7.1 Error Redux ...

Post by spoole »

Thanks, Bill. I'm going to check a couple of other things later today. I *think* what is happening is that the MTA Relay field in the postfix configuration is not being cleared to a blank string, even though it has been set to the blank string in Zimbra Admin. I'm going to look into that. If that's the case, I guess it could be considered a (very minor) bug. I'll file a report.

Like I said, we're working now, I'm happy, but I wanted to address this for the future.

If you pore through that horrible output in my first post, you'll see that zimbraMtaRelay is indeed set to the local IP address of the Barracuda (192.168.1.200:25). I had already noted that. What I did NOT note is what that setting was after I blanked the field in Zimbra Admin.

Thanks again and have a great day.

spoole
Posts: 20
Joined: Sat Sep 13, 2014 3:22 am

Re: The Old 530 5.7.1 Error Redux ...

Post by spoole »

One final post (for now, anyway) just in case someone else runs across this. I installed Zimbra 8.6 on a spare machine today and played with it.

First, without a relayhost in postfix/conf/main.cf, I was able to send email to the outside world just fine.

I then went into Zimbra Admin, added the IP address of our Barracuda (this is on the same internal network), restarted Zimbra, and the outgoing email hit Barracuda just fine.

Back into Zimbra Admin. I removed the IP address of the Barracuda, clearing the External MTA Relay field to a blank string. Restart ... and unable to send to any external address.

Some Googlin' and poking in the Wiki shows that Zimbra sets this field in postfix/conf/main.cf via the configuration in LDAP. I may try to forcibly blank that field with zmprov (something else came up today, I had to stop playing for a while). I just checked main.cf, and even with that field in Zimbra Admin blanked, and a restart, the relayhost = in main.cf is still pointing to Barracuda's internal IP address.

I note that earlier versions of Zimbra Admin had a "remove" button for that Relay field. That button is gone now. It does appear that Zimbra will gladly *set* the external relay host, but will *not* clear it back to the original config should you decide that you no longer want to use the external relay.

Not sure if that's a bug, but after a few final checks, I'll file either a bug report or a RFE.
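A diagnostic in the spirit of Bill's zmprov check above, carried one step further to compare the server-level and global-config attribute with the relayhost Postfix actually runs with, which is the gap the last post describes. This is an added example, not code from the thread or from Zimbra; it assumes zmprov, zmhostname and postconf are on PATH when run as the zimbra user on a live host, and otherwise only exercises the parsing and classification on a constructed sample.

```shell
#!/bin/sh
# Added example (not from the thread): is the external MTA relay really cleared?
# zmprov gs / gcf print one "attr: value" per line; Postfix's effective setting
# comes from "postconf -h relayhost".

# Print the zimbraMtaRelayHost value found in zmprov-style output, or nothing if unset.
relay_from_zmprov() {
    printf '%s\n' "$1" | sed -n 's/^zimbraMtaRelayHost:[[:space:]]*//p' | head -n 1
}

# Decide what the three sources say. Arguments: server-level value,
# global-config value, effective Postfix relayhost.
classify_relay_state() {
    server="$1" global="$2" postfix="$3"
    # A server-level attribute (zmprov gs) overrides the global one (zmprov gcf).
    if [ -n "$server" ]; then ldap="$server"; else ldap="$global"; fi
    if [ -z "$ldap" ] && [ -z "$postfix" ]; then
        echo "direct"                    # no relay anywhere: the MTA delivers to MX hosts itself
    elif [ "$ldap" = "$postfix" ]; then
        echo "relaying-via $ldap"        # LDAP and main.cf agree: outbound mail goes via the relay
    elif [ -z "$ldap" ]; then
        echo "stale-postfix $postfix"    # LDAP cleared but main.cf not regenerated yet
    else
        echo "stale-ldap $ldap"          # LDAP still holds a relay that Postfix does not use
    fi
}

# Constructed sample of what "zmprov gs <server> | grep -i mta" prints while a relay is set.
SAMPLE_SERVER='zimbraMtaMyNetworks: 127.0.0.0/8 192.168.1.0/24
zimbraMtaRelayHost: 192.168.1.200:25
zimbraMtaSaslAuthEnable: yes'

# Live check when run on a Zimbra host; silently skipped elsewhere.
if command -v zmprov >/dev/null 2>&1; then
    srv=$(relay_from_zmprov "$(zmprov gs "$(zmhostname)" zimbraMtaRelayHost)")
    glb=$(relay_from_zmprov "$(zmprov gcf zimbraMtaRelayHost)")
    pfx=$(postconf -h relayhost 2>/dev/null)
    echo "server=$srv global=$glb postfix=$pfx -> $(classify_relay_state "$srv" "$glb" "$pfx")"
fi
```

If the live check reports "relaying-via" after the Admin field has been blanked, the attribute is still in LDAP and clearing it at the server level with zmprov (followed by an MTA restart) is the command-line counterpart of what the Admin page was expected to do.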