550 Denied due to invalid sender IA

[Skek-Tek]

We have a generic "scanner" account that several misc devices use to send email (mostly MFCs). This worked well until we upgraded from Scalix 11 to 12. I can send to users on the domain fine (e.g. bob@ourcompany.com) but anytime I try to send to users outside the domain (e.g. alice@gmail.com) I get the 550 Denied due to invalid sender IA error. I think it is a Sendmail relay issue but I can't figure out where I went wrong.

[ScalixSupport]

Hi,

Could you please provide us the smtpd configuration file.

Also please create a support ticket for quick response.

Thanks !

Regards,
Scalix Support Team.

[Skek-Tek]

Thanks for the quick response.

Is that the /etc/mail/sendmail.mc file?

These are the none dnl'd bits:

divert(-1)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for linux')dnl
OSTYPE(`linux')dnl
define(`confDEF_USER_ID', ``8:12'')dnl
dnl define(`confAUTO_REBUILD')dnl
define(`confTO_CONNECT', `1m')dnl
define(`confTRY_NULL_MX_LIST', `True')dnl
define(`confDONT_PROBE_INTERFACES', `True')dnl
define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
define(`ALIAS_FILE', `/etc/aliases')dnl
define(`STATUS_FILE', `/var/log/mail/statistics')dnl
define(`UUCP_MAILER_MAX', `2000000')dnl
define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
define(`confAUTH_OPTIONS', `A')dnl
define(`confTO_IDENT', `0')dnl
FEATURE(`no_default_msa', `dnl')dnl
FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
FEATURE(redirect)dnl
FEATURE(always_add_domain)dnl
FEATURE(use_cw_file)dnl
FEATURE(use_ct_file)dnl
FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
FEATURE(`blacklist_recipients')dnl
EXPOSED_USER(`root')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
FEATURE(`accept_unresolvable_domains')dnl
LOCAL_DOMAIN(`localhost.localdomain')dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl MAILER(cyrusv2)dnl
MAILER(scalix)dnl

[ScalixSupport]

Hi,

please post the smtpd configuration file contect

location: /var/opt/scalix/ml/s/sys/smtpd.cfg

Regards,
Scalix Support Team.

[Skek-Tek]

Sorry, here is my /var/opt/scalix/ml/s/sys/smtpd.cfg file:

###############################################################################
# SMTP Relay Configuration
# ########################
#
# For details please see Scalix Overview - Security
#
###############################################################################

###############################################################################
# Relay Configuration
# ###################
#
# EXTENSIONS These extensions will be advertised by the EHLO reply
# DOMAIN_NAME Local host FQDN
# LOCAL_NAMES Local aliases of DOMAIN_NAME
# MAX_HOP_COUNT If the number of Received: header lines in a message sent to
# the relay exceed this number then the message will be
# rejected by the relay. The default value is zero and any
# non-positive value is interpreted as infinity. The default
# value means that no loop detection is done by the relay,
# any loop detection will only be done by sendmail.
# GREETING This is the text after the 220 on the connection
# greeting line some tokens can be used:
# %F - FQDN, %P - protocol, %N program name,
# %V - version, %D date
# LISTEN Comma separated host:port to listen to eg.
# LISTEN=mail.example.com:25,10.100.100.1:smtp
# MAX_MESSAGE_SIZE
# The maximum message size allowed in bytes. Oversized message
# will be rejected with a 552 error. Use 0 for anysize.
# SMTPMILTER Main switch to enable/disable milter support in the Relay using
# TRUE/FALSE. Once enabled, use INPUT_MAIL_FILTER to define
# the actual milter to be used for filtering.
# Note: avoid TRUE if no milter is active to improve performance.
# INPUT_MAIL_FILTER
# Filter message using the specified milter before accepting it.
# Syntax=('<name>', 'S=<socket>, F=<fail>, T=<timeout>') where:
# <name> is milter name
# <socket> is sock name (local or unix socket only)
# <fail> is action if fail to connect milter, default is to
# skip this milter, specify T or R to tempfail message
# <timeout> is 'C:<t>;S:<t>;R:<t>;E:<t> where <t> is timeout
# for Connect, Send, Receive and End-of-message.
# e.g. =('abc', S='local:/tmp/abc, F=T, T=C:5m;S:9s;R:9s;E:5m')
# Note: upto 8 milters can be called in sequence with the
# resultant message content from one milter fed into the next,
# some milter features and protocols may not be supported,
# e.g. quarantine, add extended rcpt and set symbol list.
# MILTER_IGNORE_IP_SENDER
# Sender IP address to ignore when searching for real sender info.
# Specify one literal or wildcarded value per option line, e.g.
# '172.16.0.33' or '172.16.0.*'. The real sender is found when
# it's IP address does not match any entry in the ignore list.
# Note: upto 99 such option lines can be specified.
# MILTER_IGNORE_IP_HEADER
# Format to sscanf() all message headers for real sender info.
# Syntax='<header> %s [%s [%s [%s [%s]]]]' where '%s' are the
# format directives to extract the IP address string from the
# last field - see sscanf() C man page for more details.
# Specify one format specification per option line, e.g.
# 'Received: %s %s %s' if the IP address is in the 3rd word.
# Note: upto 99 such option lines can be specified.
# MAX_CLIENTS The maximum number of client connections allowed per Relay
# (sub)process. This may result in timeout if set too high.
# Default is 6, i.e. upto 6 clients per (sub)process.
# MAX_SUBPROCS The maximum number of Relay subprocesses allowed to run in
# addition to the main process to handle client connections
# on demand. This may result in rejection if set too low.

# Default is 15, i.e. upto 15 subprocesses + 1 main process.
#
###############################################################################


EXTENSIONS=AUTH,DSN,8BITMIME

# Uncomment the following lines to enable the Submission and LMTP listeners
#SUBMIT=ON
#LMTP=ON

###############################################################################
# Catch-all recipients
# ####################
#
# Catch-all recipients are for catching email sent to unknown users, instead
# of non-delivering the email. More than one CATCH line can be used.
#
# CATCH PATTERN RECIPIENT
#
# PATTERN can be:
# user* - any unknown address starting with user
# @domain.com - any unknown address in domain.com
# user*@domain.com - any unknown user starting with user in domain.com
# RECIPIENT
# this is the recipient email address to redirect the email to. It can
# be local or remote, but is subject to any relay rules if remote.
#
# Authentication and Anti-Spamming Measures
# #########################################
#
# Each line is of the form:
# EVENT ACTION PATTERN PATTERN...
# When an event happens the SMTP Relay checks for a matching event/pattern
# sequentially in this file. When it finds the first match, it takes the
# action specified.
#
# ######
# EVENTS
# ######
#
# AUTH_SUCCESS An attempt is made to submit a
# successfully authenticated message.
#
# AUTH_MISMATCH An attempt is made to submit a
# successfully authenticated message but
# the originator name does not match
# the authenticated name.
#
# ANONYMOUS An attempt is made to submit a message
# sent without authentication or after
# failed authentication.
#
# SUBMIT An attempt is made to submit a message from
# the host specified in pattern
#
# RELAY An attempt is made to relay a message through the SMTP Relay
#
# ORIGINATOR An attempt is made to submit a message from a user whose
# email address matches pattern
#
# RECIPIENT An attempt is made to submit a message to a user whose
# email address matches pattern
#
# #######
# ACTIONS
# #######
#
# Accept The message is unconditionally accepted and processed
# normally.
#
# Defer The message is deferred with a 400 code
#
# Discard The message is accepted but then discarded
#
# Header The message is accepted, but an extra header is inserted.
#
# Reject The message is rejected with a 500 code
#
# If Log_ added to the start of an action, then the action is also recorded
# in the SMTP Relay log file.
#
# ########
# PATTERNS
# ########
#
# Hostname Patterns
# - an IP address, eg 123.234.132.231
# - an IP subnet and mask, eg 123.234.200.0/255.255.240.0
# - a hostname, eg bert.loc.co.uk
# - the end of a domain, eg .spammer.net
# - the start of a domain, 123.234.
# - the keyword ALL matches all hosts
# - the keyword LOCAL matches all hosts that do not contain a .
#
# Email Patterns - used by ORIGINATOR and RECIPIENT
# - *@*.spam.net
#
# DNSBL Patterns - These can be used by the SUBMIT EVENT to use DNS black
# list systems (See http://en.wikipedia.org/wiki/DNSBL )
# - DNSBL,host,reply eg DNSBL,bl.spamcop.net,ALL
#
###############################################################################

# NB Authenticated RELAYs are always allowed
RELAY accept 127.0.0.1
RELAY accept .freightlinerofmaine.com
RELAY accept 10.100.61.0
RELAY Log_Reject ALL

# extra rules added to prevent open relay usage
RECIPIENT Log_Reject *@*@*
RECIPIENT Log_Reject *%*
#RECIPIENT Log_Reject *!*
RECIPIENT Log_Reject *#*@*

# set maximum message size allowed (default unlimited)
#MAX_MESSAGE_SIZE=0

# master switch to enable milter support (default off)
#SMTPMILTER=FALSE

# list of milters to call sequentially (default none)
#INPUT_MAIL_FILTER=('CTmilter', 'S=local:~/temp/CTmilter_socket, F=T, T=C:300s;S:10s;R:10s;E:300s')

# list of addresses to ignore for real sender info (default off)
#MILTER_IGNORE_IP_SENDER=<ip>

# list of formats to sscanf() message headers for real sender info
# format to scan 'Received: from domain (host [ip]) ...'
#MILTER_IGNORE_IP_HEADER=Received: %s %s %s %s
# format to scan 'Received: from domain ([ip]) ...'
#MILTER_IGNORE_IP_HEADER=Received: %s %s %s
# format to scan 'Received: from [ip] ...'
#MILTER_IGNORE_IP_HEADER=Received: %s %s

# The following group sets the configuration for the submission listener
# This listener is only active if SUBMIT=ON is above
# By default it binds to port 587
[SUBMIT]
#LISTEN=localhost:587
# Reject all anonymous connections
ANONYMOUS Log_Reject ALL

# The following group sets the configuration for the lmtp listener
# This listener is only active if LMTP=ON is above
[LMTP]
LISTEN=localhost:24
# Use the following line to listen on a unix domain socket
#LISTEN=~/tmp/lmtp.unix

[ScalixSupport]

Hi,

Please take backup of smtpd.cfg file and make changes as below

Code: Select all

EXTENSIONS=AUTH,DSN,8BITMIME
DOMAIN_NAME=freightlinerofmaine.com
LOCAL_NAMES=freightlinerofmaine.com
SUBMIT=ON
LMTP=ON
DEFAULT_SMTP=localhost 25
DEBUG_LOG=TRUE
RELAY accept 127.0.0.1
RELAY accept .freightlinerofmaine.com
RELAY accept 10.100.61.0
RELAY Log_Reject ALL
RECIPIENT Log_Reject @*@
RECIPIENT Log_Reject %
RECIPIENT Log_Reject !
RECIPIENT Log_Reject #*@
SUBMIT log_reject DNSBL,bl.spamcop.net,ALL
[SUBMIT]
ANONYMOUS Log_Reject ALL
[LMTP]
LISTEN=localhost:24

Restart smtp relay

Code: Select all

# omoff -d0 smtpd
# omon smtpd

And check combination between scalix smtp log and sendmail logs

Regards,
Scalix Support Team.

[Skek-Tek]

Thanks for the quick responses. You guys are awesome!

I made those changes but it was still a no go.

I added this line:
RELAY accept freightlinerofmaine.com

And I added the subnet mask to this line:
RELAY accept 10.100.61.0/255.255.255.0

And now it is working. Does that make sense?

Do I have to run omoff -d0 smtpd and omon smtpd after making changes to /etc/mail/access?

[ScalixSupport]

Hi,

Thanks for your feedback.

I think, In your case defined subnet mask 255.255.255.0 is helped to solve the sender IA issue.
because your IP and subnet mask has different classes.

Not required to run omoff -d0 smtpd and omon smtpd after making changes to /etc/mail/access.

Regards,
Scalix Support Team