SMTP Error 5.7.1 Unable to relay - from webmail interface
Hi,
This is some strange problem I faced for the first time.
Below is the Messaging Server version on Solaris 10, which is working fine.
Sun Java(tm) System Messaging Server 6.2-7.05 (built Sep 5 2006)
libimta.so 6.2-7.05 (built 12:18:44, Sep 5 2006)
Sometimes (very rarely), users get a "relaying problem" even when they try to send from the webmail (browser) interface.
Part of the log written to the "http" file under the <msg-hime>/log directory:
[24/Jun/2007:15:42:34 -0400] webmail httpd[23377]: General Warning: saveSmtp failed: SMTP Error 5.7.1 Unable to relay for user_x@xyz.com
Any help highly appreciated
TIA
Prvn
# 1
Hi,
Doesn't look like the problem is messaging server. If relaying was denied due to messaging server rejecting the email, you would get the message "Relaying not allowed".
What do you have set as your outgoing server for the mshttpd process?
./configutil -o service.http.smtphost
If this comes back with nothing (empty) then it is using the localhost. If it comes back with a host try connecting to that hostname and see what you get back so either:
<no result from above>
telnet localhost 25
<result from above>
telnet hostname 25
It may be that sendmail on the Solaris 10 system is picking up the email, in which case you should do the following:
svcadm disable sendmail
cd /opt/SUNWmsgsr/sbin
./imsimta restart
Regards,
Shane.
# 2
Thanks Shane,
Yes, we have a separate AV box and configured it using aliasdetourhost and conversion channels to integrate it. It's working fine.
service.http.smtphost = 192.168.116.122 (AV IP)
service.http.smtpport = 10026
Do you suspect that the AV box might not have responded to the user, so he got that error?
Sendmail was removed immediately after OS installation.
Regards,
Pravn
# 3
Hi,
I'm extremely SORRY for giving my wrong observations. This problem started when we set up the AV box, and it gives the same error for ALL users who try to send mail to outside domains using the webmail interface.
Version:
Sun Java(tm) System Messaging Server 6.3-0.15 (built Feb 9 2007)
libimta.so 6.3-0.15 (built 19:27:56, Feb 9 2007)
AV Box IP is = 192.168.1.49 (NOT 192.168.1.49 - attempting to provide as-it-is info so I won't miss anything)
Recently, we've set up a separate AV box on another box (IP = 192.168.1.49, incoming port = 100026 and outgoing port = 10027).
I've used one of the documents available in this forum that uses alternate conversion and aliasdetourhost to integrate my messaging box with the AV box, and everything is working fine except that users are NOT able to send mail to outside domains using the webmail interface.
Below is what I did:
To mappings file: (addition)
+++++++++++++++++++++++++++++
NOSCAN_IP
$(192.168.1.49/32) $Y$E
* $N
CONVERSIONS
IN-CHAN=tcp_noscan;OUT-CHAN=*;CONVERT No
IN-CHAN=tcp_local;OUT-CHAN=tcp_intranet;CONVERT No
IN-CHAN=tcp_*;OUT-CHAN=*;CONVERT Yes,Channel=tcp_scan
+++++++
imta.cnf:
added the below line just above the tcp_intranet
[] $E$R${ 192.168.1.49,$L}$U%[$L]@tcp_noscan-daemon
Added aliasdetourhost tcp_scan-daemon to tcp_local channel
Added the below to imta.cnf (at the end)
!
! tcp_scan
tcp_scan smtp single_sys subdirs 20 noreverse dequeue_removeroute maxjobs 7 pool SMTP_POOL daemon 192.168.1.49 port 10026
tcp_scan-daemon
!
! tcp_noscan
tcp_noscan smtp single_sys subdirs 20 noreverse maxjobs 7 pool SMTP_POOL allowswitchchannel
tcp_noscan-daemon
used configutil to set below
service.http.smtphost = 192.168.1.49
service.http.smtpport = 10026
imsimta cnbuild (no errors)
imsimta restart
./stop-msg http
./start-msg http
++++++++++++++++++++++
If I revert configutil parameters it is working fine.
Is it the problem with AV box or Messaging server OR BOTH?
TIA,
Prvn
# 4
Hi,
Why don't you just reconfigure webmail to send emails to localhost - which should then be directed via the anti-virus channel like all other incoming emails? There isn't any advantage to sending the emails to the AV box directly from webmail - it should just be considered the same as any other internal mail.
i.e.
./configutil -o service.http.smtphost -v 127.0.0.1
./configutil -o service.http.smtpport -v 25
./stop-msg http; ./start-msg http
The only issue that may occur is that you currently have an exemption for IP's from $(192.168.1.49/32) $Y$E. I am hoping by using 127.0.0.1 this rule doesn't get matched but it depends on how Solaris chooses to route the traffic.
Regards,
Shane.
# 5
Hi Shane,
If I set service.http.smtphost to 127.0.0.1 or 192.168.1.41 (Messaging server IP), mail is getting delivered but NOT passing through the AV box.
As my intention is to scan every e-mail (even those sent to local users using the webmail interface), I set service.http.smtphost to <AV-Box_IP>.
Do I need to change anything in the conversions or rewrite rules?
TIA
Prvn
# 6
Hi,
>> If i set service.http.smtphost to 127.0.0.1 or 192.168.1.41 (Messaging server IP), mail is
>> getting delivered but NOT passing through AV Box.
I was afraid this may happen. Can you please retry both values and provide the mail.log_current lines that match your delivery attempts.
Thanks,
Shane.
# 7
Thanks Shane,
The logs written in mail.log_current below:
when service.http.smtphost = 127.0.0.1 :
26-Jun-2007 02:53:43.91 tcp_intranet ims-msE 1 praveen@xyz.com rfc822;praveen@xyz.com praveen@ims-ms-daemon xyz.com ([127.0.0.1])
26-Jun-2007 02:53:43.97 ims-msD 1 praveen@xyz.com rfc822;praveen@xyz.com praveen@ims-ms-daemon
when service.http.smtphost = 192.168.1.41:
26-Jun-2007 02:56:36.84 tcp_intranet ims-msE 1 praveen@xyz.com rfc822;praveen@xyz.com praveen@ims-ms-daemon xyz.com ([192.168.1.41])
26-Jun-2007 02:56:36.85 ims-msD 1 praveen@xyz.com rfc822;praveen@xyz.com praveen@ims-ms-daemon
Regards,
Prvn
# 8
Hi,
The emails are coming in on the tcp_intranet channel but you only have the aliasdetourhost on the tcp_local channel, hence why the emails aren't going via your AV scanner.
Try adding "aliasdetourhost tcp_scan-daemon" to the tcp_intranet channel as well and see how that goes with service.http.smtphost set to 127.0.0.1
Regards,
Shane.
# 9
Hi Shane,
All incoming mails (incl. self-addressed mails sent using the webmail interface) seem to be looped. Not able to receive any mail.
The logs written in mail.log_current are below (when sending self-addressed mails using webmail):
when service.http.smtphost = 127.0.0.1 :
26-Jun-2007 05:36:32.09 tcp_intranet tcp_scanE 2 praveen@xyz.com rfc822;praveen@xyz.com @tcp_scan-daemon:praveen@xyz.com mailgw ([192.168.1.49])
26-Jun-2007 05:36:32.19 tcp_scanD 2 praveen@xyz.com rfc822;praveen@xyz.com @tcp_scan-daemon:praveen@xyz.com [192.168.1.49] dns;[192.168.1.49] (TCP|192.168.1.41|43340|192.168.1.49|10026) (mailgw Symantec Mail Security Tue, 26 Jun 2007 05:36:22 -0700 ) smtp;250 2.1.5 praveen@xyz.com
26-Jun-2007 05:36:36.10 tcp_intranet tcp_scanE 3 praveen@xyz.com rfc822;praveen@xyz.com @tcp_scan-daemon:praveen@xyz.com mailgw ([192.168.1.49])
26-Jun-2007 05:36:36.20 tcp_scanD 3 praveen@xyz.com rfc822;praveen@xyz.com @tcp_scan-daemon:praveen@xyz.com [192.168.1.49] dns;[192.168.1.49] (TCP|192.168.1.41|43411|192.168.1.49|10026) (mailgw Symantec Mail Security Tue, 26 Jun 2007 05:36:26 -0700 ) smtp;250 2.1.5 praveen@xyz.com
26-Jun-2007 05:36:40.09 tcp_intranet tcp_scanE 3 praveen@xyz.com rfc822;praveen@xyz.com @tcp_scan-daemon:praveen@xyz.com mailgw ([192.168.1.49])
26-Jun-2007 05:36:40.19 tcp_scanD 3 praveen@xyz.com rfc822;praveen@xyz.com @tcp_scan-daemon:praveen@xyz.com [192.168.1.49] dns;[192.168.1.49] (TCP|192.168.1.41|43414|192.168.1.49|10026) (mailgw Symantec Mail Security Tue, 26 Jun 2007 05:36:30 -0700 ) smtp;250 2.1.5 praveen@xyz.com
26-Jun-2007 05:36:44.13 tcp_intranet tcp_scanE 4 praveen@xyz.com rfc822;praveen@xyz.com @tcp_scan-daemon:praveen@xyz.com mailgw ([192.168.1.49])
when service.http.smtphost = 192.168.1.41:
26-Jun-2007 05:20:45.93 tcp_intranet tcp_scanE 5 praveen@xyz.com rfc822;praveen@xyz.com @tcp_scan-daemon:praveen@xyz.com mailgw ([192.168.1.49])
26-Jun-2007 05:20:46.00 tcp_scanD 5 praveen@xyz.com rfc822;praveen@xyz.com @tcp_scan-daemon:praveen@xyz.com [192.168.1.49] dns;[192.168.1.49] (TCP|192.168.1.41|36905|192.168.1.49|10026) (mailgw Symantec Mail Security Tue, 26 Jun 2007 05:20:36 -0700 ) smtp;250 2.1.5 praveen@xyz.com
26-Jun-2007 05:20:46.17 tcp_intranet tcp_scanE 9 patrickobi04@tiomail.ch rfc822;linda.garcia@xyz.com @tcp_scan-daemon:linda.garcia@xyz.com mailgw ([192.168.1.49])
26-Jun-2007 05:20:46.27 tcp_scanD 9 patrickobi04@tiomail.ch rfc822;linda.garcia@xyz.com @tcp_scan-daemon:linda.garcia@xyz.com [192.168.1.49] dns;[192.168.1.49] (TCP|192.168.1.41|36906|192.168.1.49|10026) (mailgw Symantec Mail Security Tue, 26 Jun 2007 05:20:36 -0700 ) smtp;250 2.1.5 linda.garcia@xyz.com
26-Jun-2007 05:20:46.32 tcp_intranet tcp_scanE 5 praveen@xyz.com rfc822;praveen@xyz.com @tcp_scan-daemon:praveen@xyz.com mailgw ([192.168.1.49])
26-Jun-2007 05:20:46.40 tcp_scanD 5 praveen@xyz.com rfc822;praveen@xyz.com @tcp_scan-daemon:praveen@xyz.com [192.168.1.49] dns;[192.168.1.49] (TCP|192.168.1.41|36907|192.168.1.49|10026) (mailgw Symantec Mail Security Tue, 26 Jun 2007 05:20:37 -0700 ) smtp;250 2.1.5 praveen@xyz.com
26-Jun-2007 05:20:46.58 tcp_intranet tcp_scanE 10 patrickobi04@tiomail.ch rfc822;linda.garcia@xyz.com @tcp_scan-daemon:linda.garcia@xyz.com mailgw ([192.168.1.49])
26-Jun-2007 05:20:46.67 tcp_scanD 10 patrickobi04@tiomail.ch rfc822;linda.garcia@xyz.com @tcp_scan-daemon:linda.garcia@xyz.com [192.168.1.49] dns;[192.168.1.49] (TCP|192.168.1.41|36908|192.168.1.49|10026) (mailgw Symantec Mail Security Tue, 26 Jun 2007 05:20:37 -0700 ) smtp;250 2.1.5 linda.garcia@xyz.com
26-Jun-2007 05:20:46.72 tcp_intranet tcp_scanE 6 praveen@xyz.com rfc822;praveen@xyz.com @tcp_scan-daemon:praveen@xyz.com mailgw ([192.168.1.49])
26-Jun-2007 05:20:46.79 tcp_scanD 6 praveen@xyz.com rfc822;praveen@xyz.com @tcp_scan-daemon:praveen@xyz.com [192.168.1.49] dns;[192.168.1.49] (TCP|192.168.1.41|36909|192.168.1.49|10026) (mailgw Symantec Mail Security Tue, 26 Jun 2007 05:20:37 -0700 ) smtp;250 2.1.5 praveen@xyz.com
26-Jun-2007 05:20:46.97 tcp_intranet tcp_scanE 10 patrickobi04@tiomail.ch rfc822;linda.garcia@xyz.com @tcp_scan-daemon:linda.garcia@xyz.com mailgw ([192.168.1.49])
Regards,
Prvn
# 10
I'm not going to poke through your entire configuration. You have made some errors that are causing your server to treat mail processed by your scanning box as new/incoming mail, and it's being sent back to the same box in a loop.
You will want to re-check your entire configuration to avoid that.
In order to get what you're looking for, all done by the MTA, you will need to:
1. Use the aliasdetourhost on the incoming channel (tcp_local). This will only work for mail that's addressed to your users.
2. Use the "alternate conversion channel" for mail being sent by your users.
3. Create a Mapping file entry, similar to the "internal_ip" mapping for your scanning box. Create a tcp_scan channel that uses that, along with a rewrite rule to put mail from the scanning box into that channel.
Check any of the various writeups on this forum for that. Alternate conversion channel is well written up by Chad Stewart at:
http://ims.balius.com/resources/downloads/files/AlternateConversion.pdf
Worthwhile reading his Tuning Guide, too.
# 11
Hi Jay,
Thanks for your response.
I set up aliasdetourhost and the conversion channels exactly the way they are meant to be used.
Whatever LOOP errors occurred, they were when I tried keeping aliasdetourhost in the tcp_intranet channel.
IN MY SETUP EVERYTHING WORKS FINE EXCEPT THAT I am not able to scan the mails which are sent from within our local domain using the webmail interface. I also suspect mails sent by users of INTERNAL_IP are also not getting sent to the AV box.
When I tried setting the below, I'm getting an smtp 5.7.1 relaying not allowed error.
./configutil -o service.http.smtphost -v <AV-IP>
./configutil -o service.http.smtpport -v <AV-Port>
./stop-msg http; ./start-msg http
TIA
Prvn
# 12
Hi,
According to the logs, the emails coming from your AV scanner are coming in onto the tcp_intranet channel and not the tcp_noscan channel. That is why the emails are looping.
So going back over what you said, try the following:
Add the following to your mappings file (slightly different to your config):
NOSCAN_IP
$(192.168.1.49/32) $Y
* $N
Add the following to your imta.cnf file (also slightly different), ABOVE the tcp_intranet channel rewrite rule in your imta.cnf file (so just below the <IMTA_TABLE:internet.rules rule):
[] $E$R${NOSCAN_IP,$L}$U%[$L]@tcp_noscan-daemon
Rebuild the configuration, then you can test.
./imsimta cnbuild
./imsimta test -rewrite anything@[192.168.1.49]
If the rules above are working as expected, then you should see a "backward channel" of tcp_noscan. If the rule is not working, you should see tcp_intranet.
If it is now tcp_noscan, run your tests again.
Regards,
Shane.
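The loop diagnosed in the replies above can be confirmed from mail.log_current: each pass shows mail arriving from the scanner's IP on a channel other than tcp_noscan and being enqueued to tcp_scan again. The following Python is an added example, not part of the original posts; the sample lines are constructed in the layout of the logs posted in this thread (channel name fused with the E/D action), and the function and constant names are assumptions.

```python
import re
from collections import Counter

SCANNER_IP = "192.168.1.49"     # AV box address quoted in the thread
SCAN_CHANNEL = "tcp_scan"       # channel that delivers to the AV box
RETURN_CHANNEL = "tcp_noscan"   # channel scanned mail should re-enter on

# Constructed sample, modelled on the mail.log_current lines posted above
SAMPLE_LOG = """\
26-Jun-2007 05:36:32.09 tcp_intranet tcp_scanE 2 a@xyz.com rfc822;a@xyz.com @tcp_scan-daemon:a@xyz.com mailgw ([192.168.1.49])
26-Jun-2007 05:36:32.19 tcp_scanD 2 a@xyz.com rfc822;a@xyz.com @tcp_scan-daemon:a@xyz.com [192.168.1.49] smtp;250 2.1.5 a@xyz.com
26-Jun-2007 05:36:36.10 tcp_intranet tcp_scanE 3 a@xyz.com rfc822;a@xyz.com @tcp_scan-daemon:a@xyz.com mailgw ([192.168.1.49])
26-Jun-2007 05:36:40.09 tcp_noscan ims-msE 3 b@xyz.com rfc822;b@xyz.com b@ims-ms-daemon mailgw ([192.168.1.49])
26-Jun-2007 05:36:41.00 tcp_intranet tcp_scanE 1 c@xyz.com rfc822;c@xyz.com @tcp_scan-daemon:c@xyz.com xyz.com ([127.0.0.1])
"""

# date time [source-channel] dest-channel+action size sender rfc822;rcpt ... ([peer-ip])
LINE = re.compile(
    r"^\S+ \S+\s+(?:(?P<src>\S+)\s+)?(?P<dst>\S+?)\s*(?P<act>[ED])\s+\d+\s+"
    r"(?P<sender>\S+)\s+rfc822;(?P<rcpt>\S+)\s.*?(?:\(\[(?P<peer>[\d.]+)\]\))?$"
)


def find_scanner_loops(log_text, scanner_ip=SCANNER_IP):
    """Count enqueues to the scan channel for mail that just arrived FROM the scanner."""
    loops = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or m["act"] != "E":
            continue
        # Mail from the scanner must come in on tcp_noscan and must not be rescanned.
        if m["peer"] == scanner_ip and m["dst"] == SCAN_CHANNEL and m["src"] != RETURN_CHANNEL:
            loops[(m["src"], m["sender"], m["rcpt"])] += 1
    return loops


if __name__ == "__main__":
    for (src, sender, rcpt), n in find_scanner_loops(SAMPLE_LOG).items():
        print(f"{n} re-scan enqueue(s) via {src}: {sender} -> {rcpt}")
```

A non-empty result means the rewrite rule that should place scanner traffic on tcp_noscan is not matching, which is the same condition the `imsimta test -rewrite` check in the post above is looking for.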
# 13
Hi,
I get backward channel = tcp_intranet
Thanks
Prvn
# 14
Hi,
Then it sounds like you have either put the values in the wrong spot, you are not rebuilding your configuration, or you have busted your mappings file. Either way, log a Sun support call so it can be looked into with all of the relevant files.