[SOLVED] 554 5.7.1 - Relay access denied

nyquist

Member
Aug 7, 2013
9
1
23
Hello guys,

Another guy making his first steps with emails here.

I've set a PMG to relay emails for 3 domains to a single MS Exchange 2013 server (MB and CAS roles). Configured DKIM, TLS, DMARC, etc., and everything looks fine in the "tracking center". The thing is... there is an external company (let's say ABC Co.) that provides services to my customer, and that company used to send emails through a dedicated receive connector in the Exchange with anonymous auth from a specific public IP address.
Well, that NAT configuration is not active anymore and everything goes through the PMG, and I'm getting these lines for each email ABC Co.'s app/service is trying to send.

Jun 8 16:49:07 pmg postfix/postscreen[22833]: CONNECT from [200.20.30.40]:52178 to [172.16.xxx.xxx]:25
Jun 8 16:49:07 pmg postfix/postscreen[22833]: WHITELISTED [200.20.30.40]:52178
Jun 8 16:49:07 pmg postfix/smtpd[22842]: connect from unknown[200.20.30.40]
Jun 8 16:49:07 pmg postfix/smtpd[22842]: NOQUEUE: reject: RCPT from unknown[200.20.30.40]: 554 5.7.1 <customer@gmail.com>: Relay access denied; from=<user@internal-domain.com to=<customer@gmail.com> proto=ESMTP helo=<asd.gestionbos.com>
Jun 8 16:49:07 pmg postfix/smtpd[22842]: lost connection after RSET from unknown[200.20.30.40]


These are the options I've set for mail proxying

[Image: 1591900239737.png]

And this is how email flows in this case

Incoming
[MS EX] <=TCP 25== [PMG] <=TCP 25== [INTERNET] <=== [ABC Co.]

Outgoing
[MS EX] ==TCP 26=> [PMG] ========> [INTERNET] ===> [EXTERNAL CUSTOMERS]



My logic says, it is failing because no unauthenticated emails are allowed from external port 25.

I've read some posts recommending to add the remote IPs to "Configuration --> MailProxy --> Networks", but I think those are for internal networks only... so the behaviour on external port 25 will be the same. Please correct me if I'm wrong!

Is there a way to allow unauthenticated senders "from a known source IP address" on the external PMG port?
Is there any way at all to solve this?

If there is no workaround, I think I will configure that NAT directly to the mail server filtering by source IP addresses :(

Thanks in advance!!!
Max
 

nyquist

Did you add the ABC domain under Transport?
No, sir.
I supposed adding a transport would only be necessary when relaying emails to different internal servers. Since there's only one internal mail server, I thought it wasn't needed.

Should I have to add a transport for that external domain pointing to the internal mail server IP address?

Thanks for your answer!!

Max
 

Stoiko Ivanov

Proxmox Staff Member
Staff member
May 2, 2018
7,195
1,134
164

nyquist

Hello Stoiko, let me clarify.

Company "XYZ" uses a web app hosted at company "ABC". Going through a workflow, the process generates a file, and company "XYZ" used to download the file to then send it to their customers. Those customers are outside company "XYZ".
Many years ago, company "ABC" proposed to automate that process and asked for access to the mail server in order to send those emails on behalf of company "XYZ", so someone at company "XYZ" generated a new receive connector with anonymous authentication and only allowing a small range of IP addresses as the source (that company "ABC" provided), and a DNAT did the rest.

Now the PMG is the only one receiving emails from the outside and those emails are not being allowed anymore... and that's why I'm here!
The idea is "not" to give user credentials to company "ABC", but to whitelist that IP pool company "ABC" provided and let them "pass" to the internal mail server.
If that's not possible, I would appreciate any suggestions.

I hope this helps.
 

Stoiko Ivanov

That should be doable if ABC sends the mails to the 'internal port' of PMG (and the ip-ranges are listed in the Networks section in GUI->Configuration->Mail Proxy->Networks).

You can do a port redirect on your router/firewall to route packets from those IPs on port 25 to port 26.

I hope this helps!
 

Stoiko Ivanov

Glad that worked!
Please mark the thread as 'SOLVED' - this helps other users with similar questions.

Thanks!
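
An added example, not part of the thread and not Proxmox code: a small log check that groups the "Relay access denied" rejects quoted in the first post by client IP and marks which sources fall inside the partner pool, so the redirect and the Networks entry cover exactly those addresses and nothing else. The function name, `PARTNER_NETWORKS` and the second sample line are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: the partner pool; the thread shows a single anonymised address.
PARTNER_NETWORKS = ["200.20.30.40/32"]

# Constructed sample. The first reject is the line quoted in the thread
# (including its missing '>' after the sender); the second is made up.
SAMPLE_LOG = """\
Jun 8 16:49:07 pmg postfix/smtpd[22842]: connect from unknown[200.20.30.40]
Jun 8 16:49:07 pmg postfix/smtpd[22842]: NOQUEUE: reject: RCPT from unknown[200.20.30.40]: 554 5.7.1 <customer@gmail.com>: Relay access denied; from=<user@internal-domain.com to=<customer@gmail.com> proto=ESMTP helo=<asd.gestionbos.com>
Jun 8 17:02:11 pmg postfix/smtpd[22901]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <someone@example.org>: Relay access denied; from=<other@example.net> to=<someone@example.org> proto=ESMTP helo=<mail.example.net>
"""

# Matches only smtpd relay rejects; tolerates a sender field without its '>'.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S*\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"554 5\.7\.1 <[^>]*>: Relay access denied; "
    r"from=<(?P<sender>[^>\s]*)>?\s+to=<(?P<rcpt>[^>\s]*)>"
)


def relay_denials(log_text, partner_networks):
    """Group relay rejects by client IP and flag sources in the partner pool."""
    nets = [ipaddress.ip_network(n) for n in partner_networks]
    report = defaultdict(lambda: {"count": 0, "partner": False, "pairs": set()})
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # connect/disconnect lines and other rejects are ignored
        ip = ipaddress.ip_address(m["ip"])
        entry = report[str(ip)]
        entry["count"] += 1
        entry["partner"] = any(ip in net for net in nets)
        entry["pairs"].add((m["sender"], m["rcpt"]))
    return dict(report)


if __name__ == "__main__":
    for ip, info in relay_denials(SAMPLE_LOG, PARTNER_NETWORKS).items():
        # Partner sources are the ones to redirect to the internal port;
        # anything else hitting this reject should stay rejected.
        action = "partner: redirect to internal port" if info["partner"] else "not partner: keep rejecting"
        print(f"{ip}  rejects={info['count']}  {action}  {sorted(info['pairs'])}")
```

Sources reported as not partner are exactly what the reject on the external port is there to stop, so they should never be added to the trusted networks.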
 
