Zimbra Mail Server Relay Access Denied & ISP Relay with Authentication

Written by Masim "Vavai" Sugianto OpenSUSE, Zimbra Jan 2, 2010 1,066 views Print This Post Print This Post

Below are a common mail server problems that  might be hit you if you wish to move and use your mail server as production server without full & complete check :

  1. Relay access denied because you have a dynamic public IP Address
  2. Email from your mail server delivered to spam box on Gmail or Yahoo mail
  3. Some of your outbound mail being deferred while trying to send to certain domain/recipient

The problem occurred for many reason. It can be a dynamic IP that blacklisted as an open relay mail server; Your IP got trapped and blacklisted on some RBLhost; The destination mail server could not look up your defined host and/or ip address; a missing PTR records or Reverse DNS Zone on your DNS Server and much more.

These are some tips & tricks to solved the problem. If you have no public-static IP address for your mail server, or your mail server behind a NAT service, or you may have no authority to modify the DNS zone, ISP relay may the answer for your problem.

ISP relay means that our mail server will not deliver the outbound mails to the destination mail server. Our mail server will deliver all outbound mails into ISP server (ISP domain & hosting, where our domain resides) and then the ISP server send the message to final destination. It’s means that our mail server will only act as a gateway to the ISP relay.To prevent an open relay hijack from spammer, ISP server usually need an authentication before allows the email delivery.

ISP relays solved the above problem. Any DNS lookup, blacklisted IP or Reverse DNS zone will be asked to ISP mail server. With the reputation of ISP, their mail server should be passed any security check.

Below are a step by step how to configure your Zimbra Mail Server to get an ISP relay authentication. I’m using vavai.co.id as a sample domain with a user name rivai%vavai.co.id and password : passwordku. Public domain & hosting for vavai.co.id  stored on hosting server (ISP server). I’ve also setting up Zimbra with default domain vavai.co.id on local server.

Let’s configure Zimbra to use ISP relay with authentication to send outbound mail message.

  1. Get a canonical name for public domain
    2. # nslookup mail.vavai.co.id
Non-authoritative answer:
mail.vavai.co.id  canonical name = vavai.co.id.
Name:   vavai.co.id
Address: 75.126.137.80
  2. Open Zimbra Admin Console (https://hostaddress:7071/zimbraAdmin/)
  3. Go to Global Setting | MTA
  4. Write the public canonical name  on  “Relay MTA for external delivery:” option.
  5. Open Konsole/Terminal, Log in as  Zimbra Admin
    6. # su - zimbra
  6. Create postfix look up table
    7. # echo mail.vavai.co.id rivai@vavai.co.id:passwordku > /opt/zimbra/conf/relay_password
# postmap /opt/zimbra/conf/relay_password
  7. Test the mapping
    8. # postmap -q mail.vavai.co.id /opt/zimbra/conf/relay_password
  8. The response should similar as below : username%domain.tld:password
  9. Configure Zimbra Postfix to use the ISP/SMTP Relay with authentication
    10. # postconf -e smtp_sasl_password_maps=hash:/opt/zimbra/conf/relay_password
# postconf -e smtp_sasl_auth_enable=yes
# postfix reload
  10. Test your Zimbra mail server

Note :

If you found an error or deferred queue as below :

(Authentication failed: cannot SASL authenticate to server …: no mechanism available)

It seems that smtp-sasl_security option do not allows the plain text on ISP relay setting. Checked it with the following command :

# postconf smtp_sasl_security_options

If you get the error message :smtp_sasl_security_options = noplaintext, noanonymous

Change the sasl security setting to allow the plaintext  password usage :

# postconf -e smtp_sasl_security_options=noanonymous
# postfix reload

Restart the Zimbra service and test the email server.

If you would not prefer with the plain text password on configuration setting,  consider to use SMTP use TLS.

Related Entries

3 Responses for “Zimbra Mail Server Relay Access Denied & ISP Relay with Authentication”

  1. Maxine Kroening says:
    January 8, 2010 at 4:11 am

    Maybe you’ll tell me where the source of your post is from? I am inquisitive about learning a lot of about it.

  2. Leprechauns Ireland says:
    January 23, 2010 at 3:07 pm

    Being a blog writer myself, I really appreciate the time you took in wriitng this article. I am currently reading it on my Blackberry and will scan it once I get home.

  3. Anonymous says:
    February 14, 2010 at 2:00 am

    Hey, habe deine Seite gerade bei Yahoo entdeckt. Hast echt ein klasse Blog, werde bestimmt noch das ein oder andere mal hier vorbeischauen! Deine Posts sind auch echt spitze! Lieben Gruss

Leave a Reply

Recent Posts

About Vavai

Masim Vavai Sugianto Masim Vavai Sugianto, Indonesian, male, 32 years old, born and live in Bekasi-West Java, a small town near Jakarta – main city of Indonesia – since 17 May 1976. Founder of Indonesian openSUSE and Zimbra Community, an adventure, travelling and book lover.



I live in a tropical country, Indonesia that only has two seasons, dry season and rainy season. I love the dry season with bright sunshine and rare rain…There is a joke about the seasons in Indonesia. Indonesia is known as a country with so many season, ie : durian season, mango season, married season and much more...



ContactI'm currently working as an IT support for a small company based on Jakarta. My career has led me to specialize in Sysadmin, networking and software implementation with current focus on Linux and open source area. I have experience on MRP, ERP, Gemba Kaizen, Just in Time, Six Sigma and TQC/TQM. Please use my contact page if you wish to contact me.
Log in - BlogNews Theme by Gabfire themes