Milter-reject on distribution list without any ACL

Post by frankchavez »

It was recently brought to my attention that there is another issue since updating to 8.6.0, and it remains for P1 (build 1162).
I am seeing these messages in the zimbra.log and am unable to email to some distribution lists.
Mar 3 21:23:38 mail postfix/smtpd[22746]: NOQUEUE: milter-reject: RCPT from anti-spam.fqdn[192.168.x.x]: 571 571 Sender is not allowed to email this distribution list: dlist@domain.com; from=<any@email.com> to=<dlist@domain.com> proto=ESMTP helo=<anti-spam.fqdn>
Obviously changed host names, IP, distribution list names, and emails listed.
Running zmprov gdl on the distribution list or looking from the GUI I do not see any ACLs configured for the distribution list at all. Also if I restart MTA services some distribution lists start working while others start giving the above message.
We do have some distribution lists with ACLs configured, but I have not seen any issues with those. We have only seen it with ones that do not have any ACLs configured at all.
This new community site doesn't appear to be indexed by Google, so I'm stuck using the limited built-in search and didn't find any mention of others with this issue.
Has anyone run into this? Any ideas on where to start?

I already opened a support ticket, but response times have been unimpressive especially considering we just renewed support and purchased additional licenses.

Post by frankchavez »

I temporarily resolved this by turning off the milter service for MTA since I needed it fixed immediately.

This means my distribution lists with ACLs are open to emails from anyone now, but at least I'm not rejecting valid emails to unprotected distribution lists.

Post by imanudin11 »

Hi,



As a temporary workaround, you can protect your distribution list by installing CBPolicyD. You can see the example configuration at this link: http://imanudin.net/2014/09/29/how-to-r ... h-policyd/ about how to protect/restrict users from sending email to a distribution list.

At least your distribution list is protected while looking for the problem with Milter.

Best Regards,
Ahmad Imanudin - Sharing is Beautiful !
Personal Blog [EN] :http://www.imanudin.net

Post by frankchavez »

Official response was that we need to add the ACL to allow everyone to email distribution lists after enabling Milter server: http://wiki.zimbra.com/wiki/Enabling_an ... bra_milter



There was no explanation given as to why it started with 8.5.0 or why it happens to random distribution lists.

I am just going to look into zimbra to zimbra migration to 8.0.x back to before these terrible "upgrades" with lots of bad issues.



Until then I will definitely be using the cbpolicyd as a temporary solution, thanks for the help.

Post by gabrieles »

This old post saved my back today.
mailing list "thislist@mydomain.com" rejecting with "milter-reject - blah blah - 571 Sender is not allowed to email this distribution list" with no apparent cause
- no zimbraACE in zmprov gdl thislist@mydomain.com
- zmmilterctl restart on all frontends, zmcontrol restart on all frontends
- no entry (except the correct zimbraDistributionList) similar to the string "thislist@mydomain.com" in the entire ldap, and even in the entire ldap dump of both the ldap masters in the infrastructure
- no rights set on the 6 members of the list
- deleted the list, and recreated from zero, the problem persists
- (this is fun, brace yourselves) renamed the list to "test_list@mydomain.com": the delivery works perfectly, renamed back to "thislist@mydomain.com", again the problem resurfaces...
- it was obviously related to the name of the list, so checked the entire CBPolicyd tables for any occurrence of "thislist@mydomain.com": none

Setting sendToDistList explicitly open for all solved the issue.
zmprov grr dl distributionlist@zimbra.lab all sendToDistList

zmprov gdl thislist@mydomain.com zimbraACE
zimbraACE: 00000000-0000-0000-0000-000000000000 all sendToDistList
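
An added example, not part of the thread and not Zimbra's own code: Python that picks the 571 milter-reject lines of the form quoted in the first post out of zimbra.log and flags the rejected lists whose zmprov gdl ... zimbraACE output carries no sendToDistList ACE, which is the symptom described in this thread. The log lines, addresses, ACE values and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the postfix/smtpd milter-reject line quoted in the first post.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: milter-reject: RCPT from "
    r"(?P<client>\S+?)\[(?P<ip>[^\]]+)\]: .*?"
    r"Sender is not allowed to email this distribution list: (?P<dl>[^;\s]+);"
    r" from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

# Constructed sample input (not real log data).
_REJ = ("Mar  3 21:23:38 mail postfix/smtpd[22746]: NOQUEUE: milter-reject: "
        "RCPT from relay.example.net[192.0.2.10]: 571 571 Sender is not allowed "
        "to email this distribution list: {dl}; from=<{s}> to=<{dl}> "
        "proto=ESMTP helo=<relay.example.net>")
SAMPLE_LOG = [
    _REJ.format(dl="open-list@example.com", s="alice@example.org"),
    _REJ.format(dl="staff@example.com", s="bob@example.org"),
    "Mar  3 21:23:40 mail postfix/smtpd[22746]: disconnect from relay.example.net[192.0.2.10]",
]
# Constructed `zmprov gdl <list> zimbraACE` output per list; open-list has none.
SAMPLE_ACE = {
    "staff@example.com": "zimbraACE: 11111111-1111-1111-1111-111111111111 usr sendToDistList",
}

def rejected_lists(log_lines):
    """Map each rejected distribution list to the set of senders refused."""
    hits = defaultdict(set)
    for line in log_lines:
        m = REJECT_RE.search(line)
        if m:
            hits[m.group("dl").lower()].add(m.group("sender").lower())
    return dict(hits)

def has_send_ace(gdl_output):
    """True if the zmprov output contains a zimbraACE granting sendToDistList."""
    for line in gdl_output.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "zimbraACE" and value.split()[-1:] == ["sendToDistList"]:
            return True
    return False

def unexplained_rejections(log_lines, ace_by_list):
    """Rejected lists that have no sendToDistList ACE at all."""
    return sorted(dl for dl in rejected_lists(log_lines)
                  if not has_send_ace(ace_by_list.get(dl, "")))

if __name__ == "__main__":
    print(unexplained_rejections(SAMPLE_LOG, SAMPLE_ACE))
```

Lists returned by unexplained_rejections are the ones to compare against the explicit grant shown in the last post; rejected lists that do carry an ACE are being refused by a configured restriction.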