Relay denied 4.7.1

Onyxnz

Feb 22, 2018
I think I must have something wrong with my installation or my expectations. I have set up a home network with PMG5, handing off to 3 internal mailservers/webservers running ISPConfig 3 on Debian 9.
  • I am trying to send email from outside my LAN (in another city to study).
  • My email client (Thunderbird on Ubuntu) has SMTP authentication set up, sending to port 25
  • I can send email to my own domains.
  • I can receive email on those internal servers.
  • I CANNOT send to other domains at all.
The PMG5 syslog says:
Code:
Feb 22 21:09:30 email postfix/postscreen[4755]: CONNECT from [27.252.82.144]:46776 to [10.0.2.32]:25
Feb 22 21:09:31 email postfix/postscreen[4755]: PASS OLD [27.252.82.144]:46776
Feb 22 21:09:31 email postfix/smtpd[4757]: connect from 144.82.252.27.dyn.cust.vf.net.nz[27.252.82.144]
Feb 22 21:09:31 email postfix/smtpd[4757]: Anonymous TLS connection established from 144.82.252.27.dyn.cust.vf.net.nz[27.252.82.144]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Feb 22 21:09:31 email postfix/smtpd[4757]: NOQUEUE: reject: RCPT from 44.82.252.27.dyn.cust.vf.net.nz[27.252.82.144]: 454 4.7.1 <blah@blahblah.co.nz>: Relay access denied; from=<onyx@mydomain.com> to=<blah@blahblah.co.nz> proto=ESMTP helo=<[192.168.1.95]>
Feb 22 21:09:34 email postfix/smtpd[4757]: disconnect from 144.82.252.27.dyn.cust.vf.net.nz[27.252.82.144] ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6

So I think what is happening is that there is no interaction with the internal ISPCONFIG3 servers at all from outside the LAN. How do I get the PMG server to authenticate with the other servers?
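
The rejection in the log above can be read mechanically: Postfix's `disconnect` summary lists per-command counters, and a session with no `auth=` counter never issued AUTH before it was refused relay. The following added example (not part of the original post; the function name `relay_denials` and the second, constructed session are assumptions for illustration) joins each "Relay access denied" reject with its session's counters by smtpd PID.

```python
import re

# First three lines are copied from the post above (postscreen/TLS lines omitted).
# The last three (PID 5001, 192.0.2.10) are CONSTRUCTED to show a failed AUTH attempt.
SAMPLE_LOG = """\
Feb 22 21:09:31 email postfix/smtpd[4757]: connect from 144.82.252.27.dyn.cust.vf.net.nz[27.252.82.144]
Feb 22 21:09:31 email postfix/smtpd[4757]: NOQUEUE: reject: RCPT from 44.82.252.27.dyn.cust.vf.net.nz[27.252.82.144]: 454 4.7.1 <blah@blahblah.co.nz>: Relay access denied; from=<onyx@mydomain.com> to=<blah@blahblah.co.nz> proto=ESMTP helo=<[192.168.1.95]>
Feb 22 21:09:34 email postfix/smtpd[4757]: disconnect from 144.82.252.27.dyn.cust.vf.net.nz[27.252.82.144] ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6
Feb 22 21:15:02 email postfix/smtpd[5001]: connect from unknown[192.0.2.10]
Feb 22 21:15:03 email postfix/smtpd[5001]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <user@example.net>: Relay access denied; from=<a@example.org> to=<user@example.net> proto=ESMTP helo=<client.example.org>
Feb 22 21:15:04 email postfix/smtpd[5001]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 mail=1 rcpt=0/1 quit=1 commands=3/5
"""

LINE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
REJECT = re.compile(
    r"reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) (?P<dsn>[\d.]+) "
    r".*?Relay access denied; from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>")
COUNTER = re.compile(r"\b(\w+)=(\d+)(?:/(\d+))?")  # name=ok or name=ok/total

def relay_denials(log_text):
    """Return one dict per relay-denied reject, annotated with whether the
    same smtpd session attempted / completed AUTH (from its disconnect line).
    Rejects from sessions that have not disconnected yet are not reported."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        r = REJECT.search(msg)
        if r:
            pending.setdefault(pid, []).append(r.groupdict())
        elif msg.startswith("disconnect from"):
            counters = {name: (int(ok), int(total or ok))
                        for name, ok, total in COUNTER.findall(msg)}
            ok, tried = counters.get("auth", (0, 0))  # no auth= means AUTH never sent
            for f in pending.pop(pid, []):
                f.update(auth_attempted=tried > 0, auth_succeeded=ok > 0)
                findings.append(f)
    return findings

if __name__ == "__main__":
    for f in relay_denials(SAMPLE_LOG):
        print(f)
```
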
 
PMG is no "open relay", so you should not send mails to outside domains directly to it from Thunderbird.

I'm also using ispconfig and I've configured the postfix to send outgoing mails to port 26 on the proxmox mailgateway. Just add/edit this line in the postfix config in main.cf:
Code:
relayhost = <proxmox-ip>:26
 
If you want to use PMG as an outgoing anti-spam/anti-virus proxy, it's required that your normal/recent/... sending server, the one you authenticate with (e.g. mail.yourdomain.tld, user xxx, pass yyy), does not send directly to the public internet but relays its mail through PMG. That's done e.g. on a Postfix server by adding

relayhost = IP:26

where IP is the IP address of your PMG. You can also use a hostname or FQDN instead, but then you need to ensure that it's resolvable.

You need to add this to main.cf on your "origin"/"recent"/"legacy" server, not on PMG, and then restart Postfix. If you use something else, check its manual for the relayhost or smarthost setting.

Maybe PMG will in future also provide SASL AUTH on its sending Postfix, but currently it's not implemented. With my recent ESVA setup, I set it up like this. You could also whitelist your IP addresses to relay through PMG without any authentication, but that's very dangerous, as you need to ensure that no spammer is able to use these IP addresses or you may be blacklisted very fast.
 
Thanks a lot!

Is this relayhost set on the sending server?

How do I use PMG as an anti-spam/anti-virus proxy for incoming e-mails?
 
Yes, it's the relay host for the server you authenticate with to send your mails (so the server you connect to with your mail client).

For incoming you need to change the MX records of your domain to the system where you've installed PMG. E.g. if you installed it on pmg.domain.tld you need to direct e.g. MX 10 to pmg.domain.tld. To be sure that it's working well, you should not have other MX records pointing to other systems, as spammers may use them; e.g. if your backup MX is not protected, you would still get spam. Backup MXs are usually not required any more, as mails are deferred for a while if your MX is not available and then resent once it's up again. If you would like to be 100% safe, set up a backup MX also with PMG (best with a clustered, synced second instance) and use both as e.g. MX 10 and MX 20. Also make sure that the system you forward the mails to after spam and virus filtering is no longer directly accessible from the internet (for incoming mails; for outgoing you can still use it, but should then require authentication. Best practice is to use submission for that (port 587) and close server-to-server SMTP communication (port 25 and 465) from outside, allowing it only from PMG). That way you can make sure that spammers don't ignore the MX and try to deliver directly to the server, as some spammers do.
 
Thanks again! But still very dizzy! :(
 
