How to enable email relay in Zimbra in same domain, sent from O365

Tags: exchange, exchangeonline, zimbra

So I have to use a shared domain during migration from Zimbra to O365.

MX points to Zimbra, but is also configured to enable outgoing emails from O365 to the world in the same domain. I've configured a connector on O365 to the Zimbra (it works), and created contacts for not-yet-migrated users.

The plan is that, during migration, the incoming mail comes to Zimbra and is redirected to O365 on the onmicrosoft domain for migrated users.

When I send email from O365 to anywhere (except my domain) it works correctly. When I send to anyone within the company who is still on Zimbra, I get one of these errors:

550 5.7.1 ... Relaying denied
553 5.7.1 : Sender address rejected: not logged in

Zimbra clearly blocks my user, as it already exists within its server, but I don't know where to start to unlock it. I've done similar things with other services before, but most didn't care about that.

Best Answer

Zimbra has some security features on Zimbra: Restricted Sender and Sender Must Login.
It is possible that this has been configured on Zimbra so it will reject messages from users on the Zimbra server if the mail has not been sent by an authenticated Zimbra user.

On the Zimbra server check the config file /opt/zimbra/conf/zmconfigd.cf, and look for:

POSTCONF smtpd_recipient_restrictions FILE zmconfigd/postfix_recipient_restrictions.cf

Under this line, something like this will be added:

POSTCONF proxy_read_maps FILE zmconfigd/proxy_read_maps.cf

If it does, sender rules are likely configured. In the same config there should be a line like this:

POSTCONF smtpd_sender_restrictions FILE zmconfigd/smtpd_sender_restrictions.cf

This will point you to the location of the smtpd_sender_restrictions.cf file that contains the restricted sender rules.

If this file contains reject_sender_login_mismatch that is likely the issue. I am unsure what the best practice is to work around this in a migration like this. If you disable it, you do weaken security a bit by making it easier to spoof mails for the domain. I think you can add exceptions, but then you will have to edit the file constantly every time you move a user.

This article here goes more in depth about it.
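As an added example (not part of the original answer or of Zimbra itself), here is a small Python checker that parses the POSTCONF ... FILE lines in zmconfigd.cf, follows the smtpd_sender_restrictions reference, and reports whether reject_sender_login_mismatch is active and which permit_* rules Postfix evaluates before it (Postfix applies restrictions in order, so only clients matching an earlier permit skip the check). The config text is constructed to mirror the layout described in the answer; on a real server the files would be read from under /opt/zimbra/conf instead of the in-memory dict.

```python
import re
from typing import Dict, List

# Constructed sample of /opt/zimbra/conf/zmconfigd.cf (relevant lines only).
ZMCONFIGD_CF = """\
POSTCONF smtpd_recipient_restrictions FILE zmconfigd/postfix_recipient_restrictions.cf
POSTCONF proxy_read_maps FILE zmconfigd/proxy_read_maps.cf
POSTCONF smtpd_sender_restrictions FILE zmconfigd/smtpd_sender_restrictions.cf
"""

# Constructed contents of the referenced file, keyed by the path used in
# zmconfigd.cf; a real check would read /opt/zimbra/conf/<path> instead.
FILES: Dict[str, str] = {
    "zmconfigd/smtpd_sender_restrictions.cf": (
        "# one restriction per line, evaluated top to bottom\n"
        "permit_mynetworks\n"
        "reject_sender_login_mismatch\n"
        "permit_sasl_authenticated\n"
    ),
}

POSTCONF_RE = re.compile(r"^POSTCONF\s+(\S+)\s+FILE\s+(\S+)\s*$")


def postconf_files(zmconfigd_text: str) -> Dict[str, str]:
    """Map each 'POSTCONF <param> FILE <path>' line to param -> path."""
    out: Dict[str, str] = {}
    for line in zmconfigd_text.splitlines():
        m = POSTCONF_RE.match(line.strip())
        if m:
            out[m.group(1)] = m.group(2)
    return out


def restriction_list(text: str) -> List[str]:
    """Split a restrictions file into its ordered entries (comments and blanks dropped)."""
    entries: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(t.strip() for t in line.split(",") if t.strip())
    return entries


def check_sender_login_mismatch(zmconfigd_text: str, files: Dict[str, str]) -> dict:
    """Report whether reject_sender_login_mismatch is active and which permit_*
    rules come before it (only clients matching those are exempt from the check)."""
    path = postconf_files(zmconfigd_text).get("smtpd_sender_restrictions")
    rules = restriction_list(files.get(path, "")) if path else []
    target = "reject_sender_login_mismatch"
    if target not in rules:
        return {"file": path, "active": False, "exempting_permits": []}
    idx = rules.index(target)
    return {"file": path, "active": True,
            "exempting_permits": [r for r in rules[:idx] if r.startswith("permit_")]}
```

With this sample, only hosts in mynetworks are exempt, so an O365 connector that neither sits in mynetworks nor authenticates reaches the reject rule, which is what produces Postfix's "Sender address rejected: not logged in" response.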
