Messaging Gateway

  • 1.  BM-9.0.0.2 Inbound connection returns 554 Access Denied

    Posted Mar 21, 2010 03:51 AM

    I'm testing out the Brightmail gateway VM and have it set up on two interfaces for inbound and outbound.  I have no problem sending outbound mail.  I've opened up the firewall's external 25 to the Inbound port and have it set to accept connections from all IPs.  Internally I can connect via telnet and get a prompt and submit.  From an external connection, namely my home connection on comcast, it returns a 554: Client host rejected: Access denied when I try to telnet to it.  From my yahoo and comcast account I can send mails but not receive them from our mail server.  Nor do I get an immediate bounce message.

    I thought that maybe one of the rules was picking them up and dumping them so I disabled the reputation filters and checked the spam, content, and virus filters and restarted the MTA and Conduit services and re-tested.  I still got the same 554 error.  I hate to ask, but what might I be missing that could prevent me from successfully connecting to the inbound port, from an external address?

    ~Pete


  • 2.  RE: BM-9.0.0.2 Inbound connection returns 554 Access Denied

    Posted Mar 21, 2010 06:08 PM

    After stepping back through the configs on the mail server, BM vm and firewall I found that I had my NAT mapping pointing to the wrong SMTP IP address on the inside.  That and an additional adjustment of the external DNS and firewall mappings got mail flowing in both directions smoothly.

    ~Pete


  • 3.  RE: BM-9.0.0.2 Inbound connection returns 554 Access Denied

    Posted Mar 21, 2010 10:42 PM
    Hi Pete,

    It's good to know that you were able to resolve the issue. 

    For future reference, please note that in situations like these, looking at maillog (using the "watch maillog" CLI command) will be useful.  For maillog to provide useful information for troubleshooting, you will need to change the logging level for Message Transfer Agent (MTA) to Information, but do not run the system at a higher logging level for extended periods of time.  When you are done with troubleshooting, remember to change the logging level back to Warning.

    Here is an example of the rejected connection log entry in maillog:

    2010 Mar 17 06:23:02 PDT (info) ecelerity: [20067] ML-REJECT: Rejection on: 10.160.248.102:25,200, sent to host: 10.160.248.103:53168, Audit ID 0aa0f865-b7b85ae000004e63-00-4ba0d7b6da41, 554 <unknown[10.160.248.103]>: Client host rejected: Access denied

    Notice that 10.160.248.102 is the IP address of my outbound listener and this listener is configured to accept connections ONLY from specific IP addresses.  Since the IP address 10.160.248.103 is NOT authorized to connect to the outbound listener of my SBG box, it gets rejected with the "554 <unknown[10.160.248.103]>: Client host rejected: Access denied " message.

    Hope this information will be helpful for other customers running into similar issues.

    Regards,

    Adnan
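
    Added example, not part of the thread and not Symantec code: a small parser for ML-REJECT maillog entries that groups rejections by the listener that refused them, so a misrouted connection shows up as a rejection on the wrong listener. The regex layout is assumed from the single entry quoted above; the listener role map and the second and third sample lines are constructed.

```python
import re
from collections import Counter

# Layout modelled on the one ML-REJECT entry quoted in the thread (assumption:
# other entries follow the same layout).
ML_REJECT = re.compile(
    r"ML-REJECT: Rejection on: (?P<listener_ip>[\d.]+):(?P<listener_port>\d+)\S*, "
    r"sent to host: (?P<client_ip>[\d.]+):(?P<client_port>\d+), "
    r"Audit ID (?P<audit_id>\S+), (?P<code>\d{3}) (?P<reason>.*)$"
)

def parse_rejects(lines):
    """Return one dict per ML-REJECT entry; other log lines are skipped."""
    return [m.groupdict() for m in map(ML_REJECT.search, lines) if m]

def rejects_by_listener(lines, listener_roles):
    """Count rejections per (listener role, listener IP, client IP)."""
    counts = Counter()
    for r in parse_rejects(lines):
        role = listener_roles.get(r["listener_ip"], "unknown")
        counts[(role, r["listener_ip"], r["client_ip"])] += 1
    return counts

# First line is the entry from the thread; the other two are constructed.
SAMPLE = [
    "2010 Mar 17 06:23:02 PDT (info) ecelerity: [20067] ML-REJECT: Rejection on: "
    "10.160.248.102:25,200, sent to host: 10.160.248.103:53168, Audit ID "
    "0aa0f865-b7b85ae000004e63-00-4ba0d7b6da41, 554 <unknown[10.160.248.103]>: "
    "Client host rejected: Access denied",
    "2010 Mar 17 06:25:40 PDT (info) ecelerity: [20067] ML-REJECT: Rejection on: "
    "10.160.248.102:25,200, sent to host: 192.0.2.44:41022, Audit ID "
    "constructed-audit-id, 554 <unknown[192.0.2.44]>: "
    "Client host rejected: Access denied",
    "2010 Mar 17 06:26:01 PDT (info) ecelerity: [20067] constructed non-reject line",
]

# Hypothetical role map: per the thread, 10.160.248.102 is an outbound listener.
LISTENER_ROLES = {"10.160.248.102": "outbound"}

if __name__ == "__main__":
    for (role, listener, client), n in rejects_by_listener(SAMPLE, LISTENER_ROLES).items():
        print(f"{n} rejection(s) on {role} listener {listener} from {client}")
```

    External client addresses rejected on a listener mapped as "outbound" can indicate that inbound traffic is being delivered to the wrong internal IP, which is worth checking against the NAT and firewall mappings.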