- Plesk for Linux
In an attempt to send an email from Plesk server using Outlook to some external domains (hotmail.com, gmail.com, etc), the following bounce message is returned:
CONFIG_TEXT: Server error: '454 4.7.1 email@example.com: Relay access denied'
CONFIG_TEXT: Client host rejected: Access denied: 554 5.7.1 <example.com[203.0.113.2]>: Client host rejected: Access denied
Other mail clients (Opera Mail, Mozilla Thunderbird) are able to send messages;
Too restrictive Outlook configuration
Note: This article may require additional administrative knowledge to apply. If any help is required, contact the server’s administrator or hosting support.
Connect to the server via SSH.
Create a backup of the main Postfix configuration file:
# cp /etc/postfix/main.cf /etc/postfix/main.cf.back
/etc/postfix/main.cfusing a text editor.
Make sure that the row below is present in the
/etc/postfix/main.cfor add it if it is missing:
CONFIG_TEXT: smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
Delete or comment (add "#" symbol in the beginning) the below line in the same file:
CONFIG_TEXT: #smtpd_sasl_security_options = noplaintext
Allow non-secure access by adding the below line:
CONFIG_TEXT: smtpd_tls_auth_only = no
Reload Postfix with the command:
# service postfix reload
Make sure that Outlook has got the following configuration in Outlook > File > Account Settings > Account Settings > firstname.lastname@example.org > Change.. > More Settings:
Of all the steps, I only had to do point 4 (comment the line "smtpd_sasl_security_options = noplaintext") to be able to send emails again from Windows Live Mail and Outlook.
My questions are: is correct to apply only step 4? Are we descending security with this methode?
> My questions are: is correct to apply only step 4?
Step 1 is required anyway to connect to the server. Step 2 is used to backup the original configuration file in case it will be wrongly changed.
In general Step 3,5 is required, probably on your server these settings were already set correctly.
> Are we descending security with this method?
These steps slightly decrease mail server security in terms of authentication. However, this is required to work with some mail clients.
Thanks for the reply! Some time ago I had problems with another server that was compromised, and had that option active, it was Plesk (it was version 11), and the same configuration (I could send emails without problems with Microsoft software). In what sense is security compromised when changing this method? I'm afraid that activating this option will lower the security level and have problems and compromise the security of the server. Can you tell me it's not that bad?
Searching in the net I read that when activating this, it was best to force the encryption, so I activated this in main.cf:
smtpd_tls_security_level = may
smtpd_tls_security_level = encrypt
Unfortunately, it gave some problems when receiving from certain recipients, so I had to deactivate it.
I don't know if the coincidences exist, but today I upgraded to Plesk 17.8.11, and included a superior version of Roundcube... that has stopped working precisely because a similar SMTP issue, specifically "ERROR SMTP (535)" in Roundcube.
I have applied the changes of "point 4" (comment the line "smtpd_sasl_security_options = noplaintext") and Roundcube has worked again. It was destiny... The truth is that I continue worrierd about lowering security in this way, but if experts recommend it and indicate that there is no problem, I will trust.
When setting `smtpd_tls_security_level` to `may` you are allowing unencrypted connection to SMTP service. If mail client using an unencrypted connection, your mailbox credentials and outgoing message theoretically can be intercepted. You have to rely either on that the route between mail client and the server is not compromised (for example if client and server are located in the same isolated network) or that the mail client will be using secure connection (which is not the case here, since the article describes case when Outlook cannot establish secure connection when it enforced).
Basically, as a result, it is up to the mail user to ensure wheither their sensitive data will be compromised.
For Roundcube it is safe enough, since the mail client (Roundcube) and the mail servece are located on the same computer, and their intercommunications cannot be intercepted unless the server itself is compromised.
I hope these explanations were helpful.
Please sign in to leave a comment.