8.0.2 Community Edition - no longer allows SMTP auth users send email - RBL blocked

subversionpdx
Posts: 9
Joined: Sat Sep 13, 2014 1:13 am

Post by subversionpdx »

I just upgraded from 8.0.0 to 8.0.2 yesterday; since then no external clients (Outlook, phones, etc.) can send email through Zimbra. We use SMTP AUTH / port 587 submission and it's always worked fine in the past. It appears that the RBL is now blocking my users from sending anything.
I checked my Admin GUI for the server, checked trusted networks, tried disabling originating IP address, checked host files, postfix main.cf, spamassassin local.cf, etc.
If I disable one of the RBL servers and reload postfix, the next RBL in the config just blocks the send too. Most of my users connect from DSL or Comcast internet connections and remote clients. Sending from the web interface still works fine (albeit slower than it used to be).
It's acting as if it's a typical "relaying denied", but SMTP authed users should not be restricted from sending via my email server.
Any thoughts?

Thanks,

Joe

zimbra@mail:~$ zmprov gacf | grep zimbraMtaRestriction

zimbraMtaRestriction: reject_non_fqdn_sender

zimbraMtaRestriction: reject_unknown_sender_domain

zimbraMtaRestriction: reject_rbl_client bl.spamcop.net

zimbraMtaRestriction: reject_rbl_client relays.mail-abuse.org

zimbraMtaRestriction: reject_rbl_client dnsbl.sorbs.net

zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org
zmprov mcf -zimbraMtaRestriction "reject_rbl_client zen.spamhaus.org"



Dec 26 13:44:28 mail postfix/smtpd[30047]: connect from 71-219-140-25.slkc.qwest.net[71.219.140.25]

Dec 26 13:44:28 mail postfix/smtpd[30047]: connect from 71-219-140-25.slkc.qwest.net[71.219.140.25]

Dec 26 13:44:29 mail saslauthd[23251]: zmauth: authenticating against elected url 'https://mail.nnet.com:7071/service/admi ... dmin/soap/' ...

Dec 26 13:44:29 mail saslauthd[23251]: zmpost: url='https://mail.nnet.com:7071/service/admi ... dmin/soap/' returned buffer->data='http://www.w3.org/2003/05/soap-envelope"> xmlns="urn:zimbra">0_47ee1439db2ef4bea25873335858c823ed542d55_69643d33363a33343430356636642d383761652d346664322d613466302d6162323639653535326439323b6578703d31333a313335363732373436393130303b76763d313a333b747970653d363a7a696d6272613b172800000lavender', hti->error=''

Dec 26 13:44:29 mail saslauthd[23251]: auth_zimbra: joe@nnet.com auth OK

Dec 26 13:44:29 mail postfix/smtpd[30047]: NOQUEUE: filter: RCPT from 71-219-140-25.slkc.qwest.net[71.219.140.25]: : Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from= to= proto=ESMTP helo=

Dec 26 13:44:29 mail postfix/smtpd[30047]: NOQUEUE: filter: RCPT from 71-219-140-25.slkc.qwest.net[71.219.140.25]: : Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from= to= proto=ESMTP helo=

Dec 26 13:44:29 mail postfix/smtpd[30047]: NOQUEUE: reject: RCPT from 71-219-140-25.slkc.qwest.net[71.219.140.25]: 554 5.7.1 Service unavailable; Client host [71.219.140.25] blocked using zen.spamhaus.org; The Spamhaus Project - Blocklist Removal Center Results from= to= proto=ESMTP helo=

Dec 26 13:44:29 mail postfix/smtpd[30047]: NOQUEUE: reject: RCPT from 71-219-140-25.slkc.qwest.net[71.219.140.25]: 554 5.7.1 Service unavailable; Client host [71.219.140.25] blocked using zen.spamhaus.org; The Spamhaus Project - Blocklist Removal Center Results from= to= proto=ESMTP helo=

Dec 26 13:44:29 mail postfix/smtpd[30047]: disconnect from 71-219-140-25.slkc.qwest.net[71.219.140.25]

Dec 26 13:44:29 mail postfix/smtpd[30047]: disconnect from 71-219-140-25.slkc.qwest.net[71.219.140.25]
Rich Graves
Outstanding Member
Posts: 687
Joined: Fri Sep 12, 2014 10:24 pm

Post by Rich Graves »

That's not relaying denied, that's an RBL block. You need to tell postfix that authenticated senders skip RBLs. I know how to do this with sendmail. For postfix, read the documentation. These might be relevant:
postconf -e 'permit_sasl_authenticated = yes'

postconf -e 'smtpd_delay_reject = yes'
The first thing to look at, though, is diff -u between your backup of the 8.0.0 version of main.cf (which you have, right?) and your current.
Bug 78157 – smtpd_recipient_restrictions changed to smtpd_relay_restrictions might be relevant.
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Post by phoenix »

In addition to the answer that Rich gave: if you read the Spamhaus link you'll see that it's a PBL, which means that you probably have the 'x-originating-ip' configured to add the users' IPs to the headers. That will get rejected by a lot of RBLs, as the user's ISP specifies the IP ranges that should only send outbound mail via their mail servers. You need to disable this option in the Admin UI and make sure that your users only use port 587 and authenticate.
You should also specify the RBLs in descending order of effectiveness, otherwise you're doing a lot of unnecessary DNS lookups on your DNS servers and wasted checks against the RBLs. Check the daily report to see which ones are most effective, then reorganise your list.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
subversionpdx
Posts: 9
Joined: Sat Sep 13, 2014 1:13 am

Post by subversionpdx »

Thank you for the replies -
The only change I had made was to update from 8.0.0 to 8.0.2 - in 8.0.0 the system allowed SMTP auth'd users to send fine. I never altered the order of the RBL settings in Zimbra. Users were sending via 587/Submission port. X-Originating-IP was on in my 8.0.0 install but users never had problems sending email.
After updating to 8.0.2 - inbound email still worked fine, only auth'd users could no longer send (see above) - I disabled X-Originating-IP, turned off RBLs, etc. Authenticated users should not be processed through any RBLs, but they were.
I tried a diff between my 8.0.0 main.cf and the new one, very little difference there, but I tried the configuration directives in 8.0.0 for Postfix and it still kept blocking sends. I also checked the bug thread listed above (thank you) but this didn't help either.
I only solved it by rolling back to my backup of 8.0.0 - which, as expected, is working fine.
Thanks again,

Joe
17126thunder04
Advanced member
Posts: 162
Joined: Fri Sep 12, 2014 11:14 pm

Post by 17126thunder04 »

I am having the same problem. Any users who attempt to send mail from outside our network using a mail client other than the web interface get blocked via RBL. What can I do to prevent authenticated SMTP users from being checked against RBLs? I've tried the suggested config changes by Rich and no dice.


zimbra@cottontail:~$ zmlocalconfig | grep permit_sasl_authenticated

postfix_permit_sasl_authenticated = yes

zimbra@cottontail:~$ zmlocalconfig | grep smtpd_delay_reject

postfix_smtpd_delay_reject = yes

zimbra@cottontail:~$

ccelis5215
Outstanding Member
Posts: 632
Joined: Sat Sep 13, 2014 2:04 am
Location: Caracas - Venezuela
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 P12

Post by ccelis5215 »

Hello,
Please yell if you want: Bug 78157 – smtpd_recipient_restrictions changed to smtpd_relay_restrictions mentions smtpd_relay_restrictions for general use, and also sets three default values.
Digging into it, Postfix Users - smtpd_relay_restrictions ready for general use states:
[QUOTE]

2 - BACKWARDS COMPATIBILITY SAFETY NET: sites that migrate from Postfix versions before 2.10 can set smtpd_relay_restrictions to the empty value, and use smtpd_recipient_restrictions exactly as they used it before.

[/QUOTE]
I've taken a look at the main.cf on my test server and there are differences...
[QUOTE]smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unlisted_recipient, reject_non_fqdn_sender, permit

smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

[/QUOTE]
Note: I don't have an 8.0 main.cf to compare vs 8.0.2.
ccelis.
17126thunder04
Advanced member
Posts: 162
Joined: Fri Sep 12, 2014 11:14 pm

Post by 17126thunder04 »

I've done the following which doesn't seem to make a difference.


zimbra@cottontail:~/conf$ zmlocalconfig -e "postfix_smtpd_recipient_restrictions=reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client psbl.surriel.com, permit"

zimbra@cottontail:~/conf$ zmlocalconfig -e postfix_smtpd_relay_restrictions=""

zimbra@cottontail:~/conf$ zmmtactl restart

Rewriting configuration files...done.

/postfix-script: refreshing the Postfix mail system

Stopping saslauthd...done.

Starting saslauthd...done.

Stopping opendkim... done.

Started opendkim: pid 16429

zimbra@cottontail:~/conf$ zmlocalconfig | grep smtpd_recipient_restrictions

postfix_smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client psbl.surriel.com, permit

zimbra@cottontail:~/conf$ zmlocalconfig | grep smtpd_relay_restrictions

postfix_smtpd_relay_restrictions =
When I view the /opt/zimbra/postfix/conf/main.cf file, these changes are not there.


smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unlisted_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rbl_client b.barracudacentral.org reject_rbl_client zen.spamhaus.org reject_rbl_client cbl.abuseat.org reject_rbl_client psbl.surriel.com, permit

smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
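
Added example (not part of the original posts, and not Zimbra or Postfix code): Postfix evaluates each smtpd_*_restrictions list on its own, so permit_sasl_authenticated in smtpd_relay_restrictions does not exempt a client from reject_rbl_client entries in smtpd_recipient_restrictions. This Python check reads main.cf-style lines and reports the DNSBL lookups an authenticated client still reaches. The function names are hypothetical, each value is assumed to sit on one line, and the sample strings are constructed from the values quoted in the post above.

```python
import re

# Restrictions whose next token is a DNSBL zone (subset relevant to this thread).
DNSBL = {"reject_rbl_client", "reject_rhsbl_client", "reject_rhsbl_sender"}

# Constructed sample: the rendered main.cf lines quoted in the post above.
EFFECTIVE = (
    "smtpd_recipient_restrictions = reject_non_fqdn_recipient, "
    "reject_unlisted_recipient, reject_non_fqdn_sender, "
    "reject_unknown_sender_domain, reject_rbl_client b.barracudacentral.org "
    "reject_rbl_client zen.spamhaus.org reject_rbl_client cbl.abuseat.org "
    "reject_rbl_client psbl.surriel.com, permit\n"
    "smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, "
    "reject_unauth_destination\n"
)
# Constructed sample: the ordering set via zmlocalconfig, abridged, as main.cf lines.
INTENDED = (
    "smtpd_recipient_restrictions = reject_non_fqdn_recipient, "
    "permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, "
    "reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, permit\n"
    "smtpd_relay_restrictions =\n"
)

def parse_restrictions(main_cf):
    """Map each smtpd_*_restrictions parameter to its token list."""
    lists = {}
    for line in main_cf.splitlines():
        m = re.match(r"\s*(smtpd_\w+_restrictions)\s*=\s*(.*)", line)
        if m:  # Postfix accepts commas and/or whitespace as separators
            lists[m.group(1)] = [t for t in re.split(r"[,\s]+", m.group(2)) if t]
    return lists

def dnsbl_reached_when_authenticated(lists):
    """Return (parameter, zone) for DNSBL checks not preceded, in the same
    list, by permit_sasl_authenticated. Each list is judged independently."""
    exposed = []
    for name, tokens in lists.items():
        it = iter(tokens)
        for tok in it:
            if tok in ("permit_sasl_authenticated", "permit"):
                break  # the rest of this list is skipped for an authenticated client
            if tok in DNSBL:
                exposed.append((name, next(it, "<missing zone>")))
    return exposed

if __name__ == "__main__":
    for label, cfg in (("effective", EFFECTIVE), ("intended", INTENDED)):
        print(label, dnsbl_reached_when_authenticated(parse_restrictions(cfg)))
```

Running it against the rendered main.cf rather than the zmlocalconfig value shows which ordering Postfix is actually using.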

ccelis5215
Outstanding Member
Posts: 632
Joined: Sat Sep 13, 2014 2:04 am
Location: Caracas - Venezuela
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 P12

Post by ccelis5215 »

[quote user="17126thunder04"]I've done the following which doesn't seem to make a difference.


zimbra@cottontail:~/conf$ zmlocalconfig -e "postfix_smtpd_recipient_restrictions=reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client psbl.surriel.com, permit"

zimbra@cottontail:~/conf$ zmlocalconfig -e postfix_smtpd_relay_restrictions=""

zimbra@cottontail:~/conf$ zmmtactl restart

Rewriting configuration files...done.

/postfix-script: refreshing the Postfix mail system

Stopping saslauthd...done.

Starting saslauthd...done.

Stopping opendkim... done.

Started opendkim: pid 16429

zimbra@cottontail:~/conf$ zmlocalconfig | grep smtpd_recipient_restrictions

postfix_smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client psbl.surriel.com, permit

zimbra@cottontail:~/conf$ zmlocalconfig | grep smtpd_relay_restrictions

postfix_smtpd_relay_restrictions =
When I view the /opt/zimbra/postfix/conf/main.cf file, these changes are not there.


smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unlisted_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rbl_client b.barracudacentral.org reject_rbl_client zen.spamhaus.org reject_rbl_client cbl.abuseat.org reject_rbl_client psbl.surriel.com, permit

smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

[/QUOTE]
Try


zmlocalconfig -e "postfix_smtpd_relay_restrictions=reject_non_fqdn_recipient, reject_unknown_recipient_domain, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain"


without the RBLs.
ccelis
17126thunder04
Advanced member
Posts: 162
Joined: Fri Sep 12, 2014 11:14 pm

Post by 17126thunder04 »

No luck. Same behavior.
17126thunder04
Advanced member
Posts: 162
Joined: Fri Sep 12, 2014 11:14 pm

Post by 17126thunder04 »

Are there any other avenues I can take with this issue? It's really starting to cause headaches for our users who are outside our network. :(