Koozali.org: home of the SME Server

550 Relay denied error with mail going out

Offline itguy2012

550 Relay denied error with mail going out
« on: June 11, 2014, 11:59:41 AM »
Hi All,

I'm doing some final stage testing before I swap a new server with 8.1 for our older 7.5 server and have hit a sticking point with relaying email.
Our setup is as follows... MS Exchange server <-> SME server <-> router <-> internet

I've tried to configure the new server with the same settings as the old one, and in testing all aspects seem to work apart from emails going OUT. When sending an email from Outlook (connected to MS Exchange), the email is blocked by the SME server with an error "550 relaying denied".

I see that there is a change in 8.0 onwards to do with authentication - is this related?
I tried the following commands from a wiki entry found via a similar post, but it did not fix it:
config setprop qpsmtpd RelayRequiresAuth disabled
signal-event email-update


SMTP proxy is set to enabled on both servers.

Running config show qpsmtpd shows the following...

qpsmtpd=service
    Bcc=disabled
    BccMode=cc
    BccUser=maillog
    DNSBL=enabled
    LogLevel=6
    MaxScannerSize=25000000
    RBLList=psbl.surriel.com:zen.spamhaus.org
    RHSBL=disabled
    RelayRequiresAuth=enabled
    SBLList=multi.surbl.org:black.uribl.com:rhsbl.sorbs.net
    TlsBeforeAuth=1
    access=public
    qplogsumm=disabled
    relayrequiresauth=disabled
    status=enabled

thanks!

Offline itguy2012

Re: 550 Relay denied error with mail going out
« Reply #1 on: June 11, 2014, 12:53:30 PM »
And some fresh eyes of the morning show me that when I ran the RelayRequiresAuth command I hadn't used caps, which had created a second value in lower case.

RelayRequiresAuth=enabled
relayrequiresauth=disabled

Deleted erroneous property and changed the original to disabled, will try this.

N.B. if anyone knows of a better way to do this (i.e. either authenticate an Exchange server or set a specific exception for one internal server to be allowed to relay), please let me know!
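
Added example, not part of the original thread: a shell check for the problem found in Reply #1, where property names that differ only by case end up as two separate entries in `config show` output. The function name `find_case_dupes` and the trimmed sample output are constructed for illustration.

```shell
#!/bin/sh
# find_case_dupes: read `config show <key>` output on stdin and print one line
# per group of property names that collide when lowercased.
find_case_dupes() {
    awk '
        # Property lines are indented "Name=value"; the unindented first
        # line ("qpsmtpd=service") is the key and its type, so skip it.
        /^[ \t]+[^= \t]+=/ {
            line = $0
            sub(/^[ \t]+/, "", line)
            name = substr(line, 1, index(line, "=") - 1)
            lower = tolower(name)
            count[lower]++
            if (count[lower] == 1) {
                order[++n] = lower      # remember first-seen order
                seen[lower] = line
            } else {
                seen[lower] = seen[lower] " " line
            }
        }
        END {
            for (i = 1; i <= n; i++)
                if (count[order[i]] > 1)
                    print order[i] ": " seen[order[i]]
        }
    '
}

# Constructed sample: a trimmed copy of the output posted above.
sample_config() {
    cat <<'EOF'
qpsmtpd=service
    DNSBL=enabled
    RelayRequiresAuth=enabled
    access=public
    relayrequiresauth=disabled
    status=enabled
EOF
}

# Stand-alone run: report colliding properties in the sample.
sample_config | find_case_dupes
```

On the server itself, the same function can read live output: `config show qpsmtpd | find_case_dupes`.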

Offline mmccarn

Re: 550 Relay denied error with mail going out
« Reply #2 on: June 13, 2014, 01:43:00 PM »
You could configure your Exchange server to use SMTP authentication for outbound email, or to deliver email directly via MX (bypassing the SME server).

The risk you run with 'RelayRequiresAuth=disabled' is that an infected device on the SME LAN may relay outbound email through the SME server.

Offline itguy2012

Re: 550 Relay denied error with mail going out
« Reply #3 on: June 13, 2014, 02:17:19 PM »
Well the Exchange server is set to use DNS (MX) for delivery but the external connection to the network is through the SME server which has the SMTP proxy set to Enabled. Which I guess is where it's falling down. I'd ideally keep both of these settings in place.

If SMTP proxy was set to disabled, and the RelayRequiresAuth is set to enabled, will that allow it through without being authenticated?
Presumably this would also allow other hosts, e.g. a spam-infected PC, to send mail out too, which of course I don't want.

Do you know what the process would be to set up authentication on the Exchange server with the SME server - would that need to be set up as a smart host?

Offline mmccarn

Re: 550 Relay denied error with mail going out
« Reply #4 on: June 13, 2014, 03:05:24 PM »
Yes, for the Exchange server to use SMTP auth you'd have to configure the SME as a 'smarthost' in Exchange.

If SMTPProxy is disabled, outbound traffic on port 25 will bypass qpsmtpd - so 'RelayRequiresAuth' becomes irrelevant unless some device somewhere is configured to use your SME server as an SMTP relay.

With some trial and error you could create a custom version of /etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustSMTPProxy that allows direct outbound SMTP connections from your Exchange server's IP, but proxies or blocks any other outbound SMTP traffic - perhaps by adding a 'from' statement near the top of the template in the 'externalip' section. Be careful...

Offline itguy2012

Re: 550 Relay denied error with mail going out
« Reply #5 on: June 13, 2014, 03:31:40 PM »
Thanks, that's useful, will have a look at that. It's for a server that will replace the current production server so can test it without doing any harm...famous last words!

In terms of the smarthost setup on Exchange, the authentication options are Basic, Exchange Server and Externally Secured. Basic would seem the most obvious but what username/password would go in there - admin?

Offline mmccarn

Re: 550 Relay denied error with mail going out
« Reply #6 on: June 14, 2014, 01:14:54 PM »
> In terms of the smarthost setup on Exchange, the authentication options are Basic, Exchange Server and Externally Secured. Basic would seem the most obvious but what username/password would go in there - admin?

I wouldn't use admin.  I'd recommend that you create a new user for this purpose only - 'smarthost', 'relay', 'outboundrelay', 'exchrelay', or some such (an account with as little access as possible to anything except the ability to relay email...)