Koozali.org: home of the SME Server

Error Msg.: "Error 553 .... not in my allowed rcpthost

technostruct

Error Msg.: "Error 553 .... not in my allowed rcpthost
« on: August 16, 2004, 02:15:14 AM »
Hi all.  Gotta' start by saying how much I've loved SME Server v6.0.1.  It's far overdone all my expectations and then some.  Love it !!

Okay, so the only problem I'm having is the following error message with e-mail using POP3.  I have a work e-mail (my "day job") that I can send to my home mail okay, but when sending TO my work account I get the following error message:

"Server Response: '553 Sorry, that domain isn't in my list of allowed rcpthosts.'"

This has only happened so far when I try to send mail via POP3 - I can log into webmail NO problem and send e-mail out.

I'm using SME Server v6.0.1, with "first.last@domain.end" as my e-mail address format.  I've read through the docs and I'm at an end for why I can't seem to get this to work.

POP3 login is:
UN:  flast (first initial, last name mushed)

brad

Error Msg.: "Error 553 .... not in my allowed rcpthost
« Reply #1 on: August 17, 2004, 08:52:23 PM »
It sounds like you are trying to use your HOME's SMTP server from WORK.

If you are at WORK, you should use your work's SMTP or your work's ISP's SMTP server.

If you really want to use your home's SMTP server, you could always VPN in from work.

Try this: from work, email a user on your home SME server. It should work and not give you the error. (It is allowed.)

Does this help?
--Brad D.

brad

Error Msg.: "Error 553 .... not in my allowed rcpthost
« Reply #2 on: August 17, 2004, 08:57:39 PM »

Jon_Reynolds

Error Msg.: "Error 553 .... not in my allowed rcpthost
« Reply #3 on: August 18, 2004, 02:57:02 AM »
What you would want to do is in the /var/qmail/control/ directory there is a file called, oddly enough, rcpthosts. You would then add your home IP address in there or your domain name and restart qmail. But wait! There is probably a template file to add this into so read what it says when you open that file.

Why your webmail works is because when you are logged onto your webmail it is all local to your SME box. You are actually on that system and it is always allowed to send using its own smtp server. When you are outside your network trying to use a client that network has to be allowed to relay through your server. Which is a Good Thing.

Jon

skelk

Error Msg.: "Error 553 .... not in my allowed rcpthost
« Reply #4 on: January 16, 2005, 11:22:52 AM »
This one is a real pain.

My network is as follows:

Local 192.168.1.x network connected to an ADSL router with a gateway of 192.168.1.1.  These are NAT'd behind the router's external IP.
The SME server connected to the same adsl router with an IP in the same subnet as the external IP.  
The router will route this subnet to the public subnet which the mail server is in (they are both connected to the same ADSL router but are in different subnets).  This allows the mail server to be directly contacted via the internet without port forwarding.

When a PC in the 192.168.1.0 subnet tries to send mail it gets the 553 error.  I assume this is because the mail server believes that PC is external even though it is on the same switch!

I don't need to use the sme server for anything other than email and as a webserver so I am using the server only mode with one LAN Card.  

I specifically don't want to use the sme server as a gateway because it would then become a single point of failure.  

I also don't want to have to use the secure email contrib because it forces me to use a different port and also use SSL.  

Any ideas?

smeghead

Error Msg.: "Error 553 .... not in my allowed rcpthost
« Reply #5 on: January 16, 2005, 11:40:25 AM »
Hmm, it seems like you ".. want your cake and to eat it too".

Your current setup has the router as a single point of failure anyway!

Your problem is that the SME box has a public IP (and no firewall); I assume you're using the DMZ option within the router to point all public access to the SME IP address - not a good setup IMHO.

The only way I can see this working how you want (tho I REALLY think you should change your current setup) is to allocate a second IP to the SME NIC that is in your internal network range; you could set up the public IP as a trusted network as well but that would be asking for trouble.

The best way is to do what you don't want to do and that is port forwarding; I use it all the time and combined with an SME in gateway mode it makes my security very granular and easy.  This setup gives no probs with VPN passthrough and is easy to administer.

Please rethink your config and ignore my recommendations by all means, but as it stands your security is nowhere near as good as it could be.

HTH

Jon_Reynolds

Error Msg.: "Error 553 .... not in my allowed rcpthost
« Reply #6 on: January 16, 2005, 11:44:54 AM »
Ok, I'm not sure I followed what you meant so let me see if I have this right.

Your SME server has your external IP address and NOT your internal address? The other systems on your network all have the internal IP scheme of 192.168.x.x but your SME server doesn't have this same IP scheme? See how I asked the same question twice? :)

If that is the case then you should do the same as I suggested to the other user who started this thread. By default qmail, which is the email system that SME uses, will not be an open relay, this is good. One thing I see that might be a problem with your setup is this. If you have an external IP on your SME server given to you by your ISP then everyone on that subnet can use your mail server to relay, which is a Bad Thing.

I would put my SME server behind my firewall and router and give it an internal IP. That would solve your problem with being able to email locally but not remotely but that is what webmail is for. If you can't do that for some reason then you need to add your internal IP address into the /var/qmail/control/rcpthost file. I am sure there is a template so modify that instead.

Hope that helps,

Jon

skelk

Error Msg.: "Error 553 .... not in my allowed rcpthost
« Reply #7 on: January 16, 2005, 12:54:12 PM »
You guys are pretty fast!

I know it sounds like I want my cake and eat it!  

I am operating a non-profit wireless network that on its own merits blocks all users from connecting to each other by default.  This includes user to internal mail server.  I cannot open this up without killing my security policy.  Also, I keep each Access Point's internal LAN on 192.168.x.x so they wouldn't route without first being NAT'd behind their AP's wireless IP anyway.  So in short, local access is out.

The only way around this is to have the mail server on a public IP.  This way, all users can route to it.
Essentially, the user doesn't need to leave my local network to access the mail server.  I tried adding 192.168.0.0 as a local trusted network but this ain't working either.

I also tried your suggestion Jon.  If I add the IP address as a domain in the gui it automatically puts the IP into that rcpthosts file and restarts qmail.  I tried manually but it didn't work.  Either way it doesn't work.  The subnet belongs to me and is dedicated for the sme server and a couple of monitoring servers.  No risk from open relay from that angle which is one godsend.

Port forwarding is out because if the router sees internal connections trying to get to its WAN IP then it just barfs (it assumes they want to configure the router).  I tried changing the port that the router is configured internally by.  Nope...  

Smeghead - my adsl router isn't a single point of failure because I plan to stick several other ADSL connections into my wireless lan.  I also plan to get smtp backup should my mail server fail.  

With all this in mind are there any other options?

Jon_Reynolds

Error Msg.: "Error 553 .... not in my allowed rcpthost
« Reply #8 on: January 16, 2005, 01:21:12 PM »
Not fast, just happened to check email. :)

Ok, I am not understanding your setup. I see it as adsl>router>sme>localnetwork? Better yet, what is the path that a client would follow to access the Internet?

Is it just 1 external IP for the entire internal network or does each internal network have its own external IP?

If you add the relay host entry in the /var/qmail/control/rcpthost file, when you restart SME it will re-write it back to its original setting; that's why you need to find the custom rcpthost file or create one in the templates directory.

The syntax for the rcpthost file should be :192.168.0 and I believe that is all you would need.

Help me to understand a little better and I will see if I can help you more,

Jon

Jon_Reynolds

Error Msg.: "Error 553 .... not in my allowed rcpthost
« Reply #9 on: January 16, 2005, 01:23:44 PM »
Quote from: "Jon_Reynolds"
The syntax for the rcpthost file should be :192.168.0 and I believe that is all you would need.


That should be :192.168.1 and NOT :192.168.0 sorry about that.

Jon_Reynolds

Error Msg.: "Error 553 .... not in my allowed rcpthost
« Reply #10 on: January 16, 2005, 01:25:29 PM »
Quote from: "Jon_Reynolds"


That should be :192.168.1 and NOT :192.168.0 sorry about that.


Crap. That should be 192.168.1. The colon is used in the smtproutes file.
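To make the relay decision behind this thread's 553 concrete, here is an added example that is not from the thread or the SME Server project. It models what qmail-smtpd actually checks on RCPT TO: a recipient is accepted if the connection has RELAYCLIENT set (tcpserver sets it from a tcprules entry matching the client address, which is how "local" clients and webmail on the box itself get to relay, as Jon explains in Reply #3), or if the recipient's domain is listed in control/rcpthosts (bare domains, a leading dot meaning every subdomain; the colon form Jon corrects in Replies #9 and #10 belongs to smtproutes). It also reproduces skelk's situation from Reply #4: a PC that is NAT'd behind the router reaches the server from the router's address, so a trusted-network rule for 192.168.1.x never matches it. All addresses, domains and rule contents below are constructed for the example; SME Server's own templated file locations are not reproduced.

```python
# Added example (not from the thread or the SME Server project): simulate the
# RCPT TO decision that yields "553 ... not in my list of allowed rcpthosts".
# qmail-smtpd accepts a recipient if (a) RELAYCLIENT is set for the connection,
# which tcpserver does from a tcprules entry for the client address, or
# (b) the recipient's domain is listed in control/rcpthosts.  All addresses,
# domains and file contents here are constructed sample data.

RCPTHOSTS = """\
home.example.org
.home.example.org
203.0.113.165
"""

# tcprules-style rules: exact address or dotted prefix, then the instruction
# and optional environment assignments.  The empty address is the default.
TCP_SMTP = """\
127.0.0.1:allow,RELAYCLIENT=""
192.168.1.:allow,RELAYCLIENT=""
:allow
"""

SMTP_OK = "250 ok"
SMTP_553 = "553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)"


def parse_rcpthosts(text):
    """Return the lower-cased entries of an rcpthosts file.

    Entries are bare domains, one per line; a leading dot means 'every
    subdomain of'.  A colon is smtproutes syntax (domain:relay) and is
    flagged instead of being silently accepted as a domain name.
    """
    domains = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" in line:
            raise ValueError(f"{line!r}: rcpthosts takes bare domains; colons belong in smtproutes")
        domains.append(line.lower())
    return domains


def parse_tcprules(text):
    """Parse 'address:instruction[,NAME="value",...]' lines into {address: (instruction, env)}."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        addr, _, rest = line.partition(":")
        instruction, *assignments = rest.split(",")
        env = {}
        for assignment in assignments:
            name, _, value = assignment.partition("=")
            env[name] = value.strip('"')
        rules[addr] = (instruction, env)
    return rules


def lookup_rule(rules, client_ip):
    """tcpserver precedence: exact address, then the longest dotted prefix, then the empty default."""
    if client_ip in rules:
        return rules[client_ip]
    octets = client_ip.split(".")
    for n in range(len(octets) - 1, 0, -1):
        prefix = ".".join(octets[:n]) + "."
        if prefix in rules:
            return rules[prefix]
    return rules.get("", ("allow", {}))


def domain_in_rcpthosts(domain, rcpthosts):
    """True if qmail-smtpd would accept mail FOR this domain."""
    domain = domain.lower()
    for entry in rcpthosts:
        if entry.startswith("."):
            if domain.endswith(entry):      # ".home.example.org" matches "mail.home.example.org"
                return True
        elif domain == entry:
            return True
    return False


def rcpt_reply(client_ip, recipient, rcpthosts_text=RCPTHOSTS, rules_text=TCP_SMTP):
    """Reply qmail-smtpd would give to 'RCPT TO:<recipient>' from client_ip."""
    instruction, env = lookup_rule(parse_tcprules(rules_text), client_ip)
    if instruction == "deny":
        return "connection refused by tcpserver rule"
    if "RELAYCLIENT" in env:                # trusted client: may relay anywhere
        return SMTP_OK
    domain = recipient.rpartition("@")[2]
    if domain_in_rcpthosts(domain, parse_rcpthosts(rcpthosts_text)):
        return SMTP_OK                      # mail FOR a local domain is always accepted
    return SMTP_553


if __name__ == "__main__":
    cases = [
        ("127.0.0.1", "boss@work.example.com"),      # webmail running on the SME box itself
        ("192.168.1.20", "boss@work.example.com"),   # PC on the trusted local network
        ("203.0.113.166", "boss@work.example.com"),  # the same PC as seen after NAT (skelk's case)
        ("198.51.100.7", "flast@home.example.org"),  # anyone may deliver TO a local domain
        ("198.51.100.7", "boss@work.example.com"),   # remote client trying to relay: 553
    ]
    for ip, rcpt in cases:
        print(f"{ip:>15} RCPT TO:<{rcpt}> -> {rcpt_reply(ip, rcpt)}")
```

The last two cases are brad's test from Reply #1 and technostruct's original problem: a client that is not a relay client can always deliver to a domain the server hosts, but is refused for any other domain. The NAT case shows why adding 192.168.0.0 as a trusted network did not help skelk: the address the server sees is the router's, not the PC's.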

skelk

Error Msg.: "Error 553 .... not in my allowed rcpthost
« Reply #11 on: January 16, 2005, 02:29:36 PM »
Hi,

The setup is as follows:

ADSL ROUTER/FIREWALL > SME SERVER > NOTHING
SAME ROUTER/FIREWALL > LOCAL NETWORK > WIRELESS NETWORK

The ADSL router has a four port switch.  The LOCAL NETWORK is NAT'd behind the router's external IP x.x.x.166.  This is a /29 subnet.  The router has two internal IPs: 192.168.1.1 and x.x.x.161 (same routable subnet as the external IP).  The SME SERVER has an IP in that very same subnet, x.x.x.165.  It has a gateway of x.x.x.161.  I know this is bad from a security point of view and quite messy from a configuration point of view too, but I plan to harden down the OS on the SME server and block all ports except for 21,25,80,110,443 etc (you get the picture)...

If you add an IP address as a Domain from the gui it automatically puts that IP in the correct format in the rcpthosts file.  I know this is a rubbish way to do it but it gets it in the file.  I couldn't find the custom file (I will locate it eventually).  This approach still doesn't work for me though.  I am sure I had it working before I installed SpamAssassin too!