Zimbra Mail Server Relay Access Denied & ISP Relay with Authentication


Below are a common mail server problems that  might be hit you if you wish to move and use your mail server as production server without full & complete check :

  1. Relay access denied because you have a dynamic public IP Address
  2. Email from your mail server delivered to spam box on Gmail or Yahoo mail
  3. Some of your outbound mail being deferred while trying to send to certain domain/recipient

The problem occurred for many reason. It can be a dynamic IP that blacklisted as an open relay mail server; Your IP got trapped and blacklisted on some RBLhost; The destination mail server could not look up your defined host and/or ip address; a missing PTR records or Reverse DNS Zone on your DNS Server and much more.
These are some tips & tricks to solved the problem. If you have no public-static IP address for your mail server, or your mail server behind a NAT service, or you may have no authority to modify the DNS zone, ISP relay may the answer for your problem.
ISP relay means that our mail server will not deliver the outbound mails to the destination mail server. Our mail server will deliver all outbound mails into ISP server (ISP domain & hosting, where our domain resides) and then the ISP server send the message to final destination. It’s means that our mail server will only act as a gateway to the ISP relay.To prevent an open relay hijack from spammer, ISP server usually need an authentication before allows the email delivery.
ISP relays solved the above problem. Any DNS lookup, blacklisted IP or Reverse DNS zone will be asked to ISP mail server. With the reputation of ISP, their mail server should be passed any security check.
Below are a step by step how to configure your Zimbra Mail Server to get an ISP relay authentication. I’m using vavai.co.id as a sample domain with a user name rivai%vavai.co.id and password : passwordku. Public domain & hosting for vavai.co.id  stored on hosting server (ISP server). I’ve also setting up Zimbra with default domain vavai.co.id on local server.
Let’s configure Zimbra to use ISP relay with authentication to send outbound mail message.

  1. Get a canonical name for public domain
  2. [code language=”cpp”]# nslookup mail.vavai.co.id
    Non-authoritative answer:
    mail.vavai.co.id canonical name = vavai.co.id.
    Name: vavai.co.id
    Address: 75.126.137.80[/code]

  3. Open Zimbra Admin Console (https://hostaddress:7071/zimbraAdmin/)
  4. Go to Global Setting | MTA
  5. Write the public canonical name  on  “Relay MTA for external delivery:” option.
  6. Open Konsole/Terminal, Log in as  Zimbra Admin
  7. [code language=”cpp”]# su – zimbra[/code]

  8. Create postfix look up table
  9. [code language=”cpp”]# echo mail.vavai.co.id rivai@vavai.co.id:passwordku > /opt/zimbra/conf/relay_password
    # postmap /opt/zimbra/conf/relay_password[/code]

  10. Test the mapping
  11. [code language=”cpp”]# postmap -q mail.vavai.co.id /opt/zimbra/conf/relay_password[/code]

  12. The response should similar as below : username%domain.tld:password
  13. Configure Zimbra Postfix to use the ISP/SMTP Relay with authentication
  14. [code language=”cpp”]# postconf -e smtp_sasl_password_maps=hash:/opt/zimbra/conf/relay_password
    # postconf -e smtp_sasl_auth_enable=yes
    # postfix reload[/code]

  15. Test your Zimbra mail server

Note :
If you found an error or deferred queue as below :
(Authentication failed: cannot SASL authenticate to server …: no mechanism available)
It seems that smtp-sasl_security option do not allows the plain text on ISP relay setting. Checked it with the following command :
[code language=”cpp”]# postconf smtp_sasl_security_options[/code]
If you get the error message :smtp_sasl_security_options = noplaintext, noanonymous
Change the sasl security setting to allow the plaintext  password usage :
[code language=”cpp”]# postconf -e smtp_sasl_security_options=noanonymous
# postfix reload[/code]
Restart the Zimbra service and test the email server.
If you would not prefer with the plain text password on configuration setting,  consider to use SMTP use TLS.

11 thoughts on “Zimbra Mail Server Relay Access Denied & ISP Relay with Authentication

  1. Hey, habe deine Seite gerade bei Yahoo entdeckt. Hast echt ein klasse Blog, werde bestimmt noch das ein oder andere mal hier vorbeischauen! Deine Posts sind auch echt spitze! Lieben Gruss

  2. Hey, habe deine Seite gerade bei Yahoo entdeckt. Hast echt ein klasse Blog, werde bestimmt noch das ein oder andere mal hier vorbeischauen! Deine Posts sind auch echt spitze! Lieben Gruss

  3. I’m installing zimbra on ubuntu 8.04. I have to configure an outgoing STMP server with authentication. So i tried your doc but it can’t find postmap. Is it not a part of the zimbra install? Do i have to install it my self?

  4. I’m installing zimbra on ubuntu 8.04. I have to configure an outgoing STMP server with authentication. So i tried your doc but it can’t find postmap. Is it not a part of the zimbra install? Do i have to install it my self?

  5. @AnAmagian,
    postmap is part of postfix, Zimbra has included it’s command by default. Don’t forget to run the command with Zimbra user permission (su – zimbra)

  6. Couldn?t be written any better. Reading this send reminds me of my old accommodation mate! He in any case kept talking wide this. I will-power to the surface this article to him. Fetching sure he determination press a documentation read. Thanks for sharing!

Leave a Reply

Your email address will not be published. Required fields are marked *