- Relay access denied because you have a dynamic public IP Address
- Email from your mail server delivered to spam box on Gmail or Yahoo mail
- Some of your outbound mail being deferred while trying to send to certain domain/recipient
The problem occurred for many reason. It can be a dynamic IP that blacklisted as an open relay mail server; Your IP got trapped and blacklisted on some RBLhost; The destination mail server could not look up your defined host and/or ip address; a missing PTR records or Reverse DNS Zone on your DNS Server and much more.
These are some tips & tricks to solved the problem. If you have no public-static IP address for your mail server, or your mail server behind a NAT service, or you may have no authority to modify the DNS zone, ISP relay may the answer for your problem.
ISP relay means that our mail server will not deliver the outbound mails to the destination mail server. Our mail server will deliver all outbound mails into ISP server (ISP domain & hosting, where our domain resides) and then the ISP server send the message to final destination. It’s means that our mail server will only act as a gateway to the ISP relay.To prevent an open relay hijack from spammer, ISP server usually need an authentication before allows the email delivery.
ISP relays solved the above problem. Any DNS lookup, blacklisted IP or Reverse DNS zone will be asked to ISP mail server. With the reputation of ISP, their mail server should be passed any security check.
Below are a step by step how to configure your Zimbra Mail Server to get an ISP relay authentication. I’m using vavai.co.id as a sample domain with a user name rivai%vavai.co.id and password : passwordku. Public domain & hosting for vavai.co.idÂ stored on hosting server (ISP server). I’ve also setting up Zimbra with default domain vavai.co.id on local server.
Let’s configure Zimbra to use ISP relay with authentication to send outbound mail message.
- Get a canonical name for public domain
- Open Zimbra Admin Console (https://hostaddress:7071/zimbraAdmin/)
- Go to Global Setting | MTA
- Write the public canonical nameÂ onÂ “Relay MTA for external delivery:” option.
- Open Konsole/Terminal, Log in asÂ Zimbra Admin
- Create postfix look up table
- Test the mapping
- The response should similar as below : username%domain.tld:password
- Configure Zimbra Postfix to use the ISP/SMTP Relay with authentication
- Test your Zimbra mail server
[code language=”cpp”]# nslookup mail.vavai.co.id
mail.vavai.co.id canonical name = vavai.co.id.
[code language=”cpp”]# su – zimbra[/code]
[code language=”cpp”]# echo mail.vavai.co.id email@example.com:passwordku > /opt/zimbra/conf/relay_password
# postmap /opt/zimbra/conf/relay_password[/code]
[code language=”cpp”]# postmap -q mail.vavai.co.id /opt/zimbra/conf/relay_password[/code]
[code language=”cpp”]# postconf -e smtp_sasl_password_maps=hash:/opt/zimbra/conf/relay_password
# postconf -e smtp_sasl_auth_enable=yes
# postfix reload[/code]
If you found an error or deferred queue as below :
(Authentication failed: cannot SASL authenticate to server …: no mechanism available)
It seems that smtp-sasl_security option do not allows the plain text on ISP relay setting. Checked it with the following command :
[code language=”cpp”]# postconf smtp_sasl_security_options[/code]
If you get the error message :smtp_sasl_security_options = noplaintext, noanonymous
Change the sasl security setting to allow the plaintextÂ password usage :
[code language=”cpp”]# postconf -e smtp_sasl_security_options=noanonymous
# postfix reload[/code]
Restart the Zimbra service and test the email server.
If you would not prefer with the plain text password on configuration setting,Â consider to use SMTP use TLS.