Relaying denied. IP name lookup failed

[kazinvan]

I'm trying to send mail from an ERP application to both internal and external email accounts. The sender address in the ERP app is a valid Scalix account, but SMTP auth is not an option so connections are anonymous.

The IP of the server running the ERP is 205.206.209.124. I have added these lines to smtpd.cfg:

RELAY accept 205.206.209.
ANONYMOUS accept 205.206.209.

Restarted the SMTP service, but I still get these errors:

class com.sun.mail.smtp.SMTPAddressFailedException: 550 5.7.1 <me@domain.com>... Relaying denied. IP name lookup failed [205.206.209.124]

Now is that a relaying problem or a DNS problem?

I added an entry to /etc/hosts for that IP address but not sure if it needs proper DNS resolution. Any suggestions on what to try?

[kazinvan]

bump

[Valerion]

Mail usually does not use /etc/hosts for resolution, as it uses MX records by preference. Add the entry to your internal DNS and see if it still persists.

[kazinvan]

This is coming from a server at a datacenter running our ERP system, not an internet mail server. I can't add it to DNS as I don't manage the IP range.

[kazinvan]

To clarify, I'm assuming you mean add a reverse entry in DNS to resolve the error:

IP name lookup failed [205.206.209.124]

Two problems, I don't maintain the IP range so the owner of the range *should* provide reverse. Also, I'm using external name servers for lookups so I can't add entries into their system.

You can't resolve this via some other method? Hosts? Just allowing this IP to relay regardless of name?

[mikevl]

Hi

Is the ERP server on the same subnet?
Can you ping the ERP server from the Scalix server?
If not this could also have an element of a routing issue. Just a thought

Mike

[kazinvan]

Hi

Is the ERP server on the same subnet?
Can you ping the ERP server from the Scalix server?
If not this could also have an element of a routing issue. Just a thought

Mike

Not on the same subnet, they are connected via VPN.

I can't ping the ERP server from Scalix or vice versa, but that is due to the fact that ICMP traffic is disabled over the tunnel. I do have port 25 open from ERP -> Scalix and can telnet to 25 and get an SMTP prompt. I seem to be able to deliver a message to the server since I'm getting a reply (relay denied).

I'm just not sure how to allow the ERP server to relay anonymously through scalix.

[mikevl]

Hi

RELAY accept 205.206.209.

I think you need to add the last octet of the server IP

RELAY accept 205.206.209.xxx

Mike

[kazinvan]

Docs seem to suggest you don't need it, and leaving it out gives relay to the whole class C. I'm wiling to try at this point though I think I did that at first with no success.

[mikevl]

Hi

You are right

We have a number of cleints using the same configuration and it works. You have done nothing wrong.

One thing to be careful of when opening up a whole subnet is becomming an open relay. Mat be a small risk, but a risk none the less. That was more the reason for specifying complete IP addresses.

Maybe you have latency or time out issues. I would be interested to find out why this is not working in your situation.

Mike

[kazinvan]

I don't think it's latency as we have a high speed connection (E10) with dedicated VPN between the servers. Also, the mail server is responding to the smtp request with 'relay denied'. That is very different from a timeout message on the ERP end.

Also, I'm not too worried about an open relay as all machines in that class C are maintained by our ISP and there is not much running on it besides our gear.

Mike

[kazinvan]

bump, anyone have input?

[kazinvan]

bump, is it really this hard to allow relaying in scalix?

[kazinvan]

bump

[les]

I'm trying to send mail from an ERP application to both internal and external email accounts. The sender address in the ERP app is a valid Scalix account, but SMTP auth is not an option so connections are anonymous.

The IP of the server running the ERP is 205.206.209.124. I have added these lines to smtpd.cfg:

RELAY accept 205.206.209.
ANONYMOUS accept 205.206.209.

Restarted the SMTP service, but I still get these errors:

class com.sun.mail.smtp.SMTPAddressFailedException: 550 5.7.1 <me@domain.com>... Relaying denied. IP name lookup failed [205.206.209.124]

Now is that a relaying problem or a DNS problem?

I added an entry to /etc/hosts for that IP address but not sure if it needs proper DNS resolution. Any suggestions on what to try?

The problem is not in scalix, its how sendmail verifies relay clients.

I assume you can send to internal clients without problem.

The problem only occurs when you try to relay through the scalix server and send to an external client.

Its sendmail throwing you the error. Scalix uses sendmail for sending messages.

from the sendmail.cf

# check client name: first: did it resolve?
R$* $: < $&{client_resolve} >
R<TEMP> $#TEMP $@ 4.4.0 $: "450 Relaying temporarily denied. Cannot resolve PTR record for " $&{client_addr}
R<FORGED> $#error $@ 5.7.1 $: "550 Relaying denied. IP name possibly forged " $&{client_name}
R<FAIL> $#error $@ 5.7.1 $: "550 Relaying denied. IP name lookup failed " $&{client_name}

an nslookup from my site shows now record for that IP.

nslookup 205.206.209.124
Server: 220.233.0.3
Address: 220.233.0.3#53

** server can't find 124.209.206.205.in-addr.arpa: NXDOMAIN

This is the problem.

Normally ISP's will give you some form of record on your reverse address i.e.

[root@quicksilver custom]# nslookup 211.211.211.211
Server: 220.233.0.3
Address: 220.233.0.3#53

Non-authoritative answer:
211.211.211.211.in-addr.arpa name = 111.13.233.220.myisp.com.au.

You need to request that the ISP looking after the ip range creates a reverse record for you.

On the other side of the coin.....is there a real need to relay through your scalix server? If you have valid mx records in external dns then if the ERP system tried to deliver directly it would know where to send it. No real need for relaying that i can see.

The other alternative is to relay via the isp's smtp server, which the erp system is connected to.

hope that helps.