Koozali.org: home of the SME Server

550 relay denied after MacOS/iOS upgrade

Mophilly
550 relay denied after MacOS/iOS upgrade
« on: January 28, 2021, 05:03:32 PM »
MacOS 10.15.7, iOS 14.4
SME 9

The Mac Mail.app stopped sending email a few days ago. On each device (iPhone, iPad, MacBook, iMac), the app would ask for the password to be entered.

Only affects one user. The user can logon to SME webmail, send and receive mail via horde. Other Mac users don't report a problem.

Narrowed down log trace to server accepting client app logon, negotiate send, but responds with 550 relay denied. This user can send to other mail accounts on the server, but not to outside accounts such as a gmail or yahoo address.

I have removed and added account on each device, but no joy.

Ideas and suggestions welcome.

P.S. I am also contacting Apple. My post here is to make sure I have checked every possibility.
« Last Edit: January 28, 2021, 05:49:36 PM by Mophilly »
- Mark

mmccarn
Re: 550 relay denied after MacOS/iOS upgrade
« Reply #1 on: January 29, 2021, 02:50:45 PM »
I can still send/receive email from apple mail on my iphone after upgrading to ios 14.4.

However:
* my iphone is talking to 'Sogo' on the SME server using ActiveSync instead of using IMAP
* my server supports TLS1.2 according to https://www.ssllabs.com/ssltest

There were some bugs and other notes about updating the ciphersuite on SME a few years ago that involved setting qpsmtpd:tlsCipher or modSSL:CipherSuite.  On my system, both of these are un-set, which leaves me using the default values that came with an update some time in the last 2 - 3 years:

Code:
# cat /etc/e-smith/templates/var/service/qpsmtpd/config/tls_ciphers/10ciphers
{
    # When updating CipherSuite both e-smith-apache and smeserver-qpsmtpd templates should be updated.
    return $qpsmtpd{tlsCipher} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
}

# config show qpsmtpd
qpsmtpd=service
    BadCountries=
    Bcc=disabled
    BccMode=bcc
    BccUser=maillog
    DKIMSigning=enabled
    DNSBL=enabled
    GeoIP=enabled
    HeloPolicy=rfc
    HeloReject=1
    KeepLogFiles=30
    LogLevel=6
    MaxScannerSize=25000000
    RBLList=zen.spamhaus.org,bl.spamcop.net,truncate.gbudb.net,ix.dnsbl.manitu.net,b.barracudacentral.org:Blocked - see http://bbl.barracudacentral.com/q.cgi?ip=%IP%
    RHSBL=enabled
    RelayRequiresAuth=enabled
    SBLList=dbl.spamhaus.org,badconf.rhsbl.sorbs.net,nomail.rhsbl.sorbs.net
    TlsBeforeAuth=0
    UBLList=multi.surbl.org:8-16-64-128,black.uribl.com,rhsbl.sorbs.net
    URIBL=enabled
    access=public
    qplogsumm=enabled
    status=enabled

# config show modSSL
modSSL=service
    CertificateChainFile=[removed]
    TCPPort=443
    access=public
    crt=[removed]
    key=[removed]
    status=enabled

mmccarn
Re: 550 relay denied after MacOS/iOS upgrade
« Reply #2 on: January 29, 2021, 03:07:33 PM »
I should add:

* I suspect the problem is with SSL / TLS because the last two times an Apple update caused problems that was the reason - first when Apple stopped accepting self-signed certificates, and later when they stopped accepting older SSL.

* Since your users can still send to users on the SME, I suspect you're using TlsBeforeAuth.  As you can see from my last post, I have this disabled.  I configure SME SMTP clients using SSL on port 465.

Mophilly
Re: 550 relay denied after MacOS/iOS upgrade
« Reply #3 on: January 29, 2021, 05:50:04 PM »
mmccarn, thank you for the detailed reply. I will look into these settings.
- Mark

Mophilly
Re: 550 relay denied after MacOS/iOS upgrade
« Reply #4 on: January 30, 2021, 06:43:21 PM »
Further study, and a long session with Apple tech support, put the focus on the Apple products or my account with Apple as being the source of the problem.

In addition to other common troubleshooting such as deleting certs and renegotiating them, I gritted my teeth and created an account at gmail. The Apple Mail.app will not send via that account either. So the problem does not spring from SME Server or its configuration.

Thank you, mmccarn, for the advice and details. That helped me test a few things and have a more knowledgeable conversation with the Apple rep. BTW, the last Apple rep I talked to knew quite a bit about Linux, which also helped.
« Last Edit: January 30, 2021, 06:45:16 PM by Mophilly »
- Mark

Mophilly
Re: 550 relay denied after MacOS/iOS upgrade
« Reply #5 on: January 31, 2021, 06:49:23 PM »
No joy after my last post. Spent a lot more time with Apple support, and the Apple devices have been eliminated from the calculus. I returned focus to the server. The question came up more than once, "what changed?" I was thinking of software updates and installs; nothing came to mind or was in the notes. It took a close inspection of the system logs, for the day the email behavior changed, to "recall" the change. Thanks to the software gods for logs.

On the day when the behavior changed, I had deleted several old, unused user accounts and locked a couple of others. I haven't found any other forgotten changes. So, next step is to examine the server email options. I plan to run a post-upgrade, reboot event, to see if that puts things back in order.

At this point, it appears the smtp authentication is not working as desired. Using telnet, I could connect to the smtp service but I cannot send to any email address outside my domain. The server responds to RCPT TO: with a 550 relay denied message.

I would much rather spend my time working on the SME 10 release. I encourage any reader so inclined to lend a hand to that effort. Many hands make light work.
« Last Edit: January 31, 2021, 11:53:28 PM by Mophilly »
- Mark
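
The manual telnet check from the post above can be repeated as a scripted, authenticated session that records which stage fails. This is an added example, not part of the original thread; the host, account and recipient are placeholders, and the hints only refer to the settings shown in Reply #1 and #2 (RelayRequiresAuth, TlsBeforeAuth, SSL on port 465).

```python
import smtplib
import ssl

# Hints keyed by verdict; setting names are the ones quoted in the thread.
HINTS = {
    "cert": "client rejected the server certificate before any SMTP was spoken",
    "no_auth_offered": "AUTH not advertised here; compare the port used and TlsBeforeAuth",
    "auth_failed": "credentials refused; verify the account state on the server",
    "relay_denied_after_auth": "login accepted but relay refused; read the qpsmtpd log",
    "relay_ok": "authenticated relay works from this client",
    "other": "unexpected reply; read the qpsmtpd log for this session",
}

def classify(r):
    """Map the recorded reply codes to the stage where the session failed."""
    if r.get("cert_error"):
        return "cert"
    if not r["auth_offered"]:
        return "no_auth_offered"
    if r["auth"] != 235:
        return "auth_failed"
    if r["rcpt"] == 550:
        return "relay_denied_after_auth"
    return "relay_ok" if r["rcpt"] in (250, 251) else "other"

def probe(host, user, password, external_rcpt, port=465):
    """One implicit-TLS session: EHLO, AUTH, MAIL FROM, RCPT TO. No DATA is sent."""
    r = {"cert_error": None, "tls": None, "auth_offered": False, "auth": None, "rcpt": None}
    try:
        s = smtplib.SMTP_SSL(host, port, context=ssl.create_default_context(), timeout=15)
    except ssl.SSLCertVerificationError as e:
        r["cert_error"] = e.verify_message
        return r
    with s:
        r["tls"] = s.sock.version()          # negotiated protocol, e.g. "TLSv1.2"
        s.ehlo()
        r["auth_offered"] = s.has_extn("auth")
        if r["auth_offered"]:
            try:
                r["auth"] = s.login(user, password)[0]
            except smtplib.SMTPAuthenticationError as e:
                r["auth"] = e.smtp_code      # typically 535
            except smtplib.SMTPException:
                r["auth"] = None             # no mutually supported mechanism
        s.mail(user)
        r["rcpt"] = s.rcpt(external_rcpt)[0]  # 550 here is the "relay denied" case
        s.rset()
    return r

if __name__ == "__main__":
    # Placeholder values: replace with your own server, mailbox and an outside address.
    result = probe("mail.example.com", "user@example.com", "password", "someone@example.net")
    print(result, classify(result), HINTS[classify(result)])
```

A session that never reaches `auth == 235` tells you nothing about relay policy, so compare the verdict before reading the 550 itself.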

Jáder
Re: 550 relay denied after MacOS/iOS upgrade
« Reply #6 on: February 06, 2021, 06:37:18 PM »
You could try to use a Let's Encrypt certificate (if your server has port 80 accessible from the internet).
I think this can solve your problem.
...

Mophilly
Re: 550 relay denied after MacOS/iOS upgrade
« Reply #7 on: February 07, 2021, 07:56:10 PM »
> You could try to use a Let's Encrypt certificate (if your server has port 80 accessible from the internet).
> I think this can solve your problem.

Thank you for the suggestion. This particular problem turned out to be somewhat nuanced. The 550 error is not revealing the real problem. I am on the hunt, with help, to determine what happened.

I will update this post when the cause is better understood.
- Mark