
So I have to use a shared domain during migration from Zimbra to O365.

MX points to Zimbra, but it is also configured to enable outgoing emails from O365 to the world in the same domain. I've configured a connector on O365 to Zimbra (it works), and created contacts for not-yet-migrated users.

The plan is that, during migration, incoming mail comes to Zimbra and is redirected to O365 (the onmicrosoft domain) for migrated users.

When I send email from O365 to anywhere (except my domain) it works correctly. When I send to anyone within the company who is still on Zimbra, I get one of these errors:

550 5.7.1 ... Relaying denied
553 5.7.1 : Sender address rejected: not logged in

Zimbra clearly blocks my user, as it already exists on its server, but I don't know where to start to unlock it. I've done similar things with other services before, but most didn't care about that.

  • When you relay the emails to your Zimbra server, what are you relaying them to? Are you relaying it directly into Zimbra or are you relaying them your mail gateway (the same way others connect to it via the MX record to deliver mail)? – Henrik Stanley Mortensen Jul 26 '18 at 10:52
  • I'm not sure I understand your question correctly. The O365 connector is set up so that all mails in this domain should be resolved via the MX of the domain. The connector works and gets verified without any problem. – kjubus Jul 26 '18 at 11:07
  • That was what I wanted to know. If you had set it try and relay from a Zimbra SMTP server it would ask for credentials like a user needs when they authenticate normally, and this would make good sense that it doesn't work. But if you simply relay the mails to the MX record it should be received by Zimbra just like it was an external mail and be processed as such. – Henrik Stanley Mortensen Jul 26 '18 at 12:00
  • Instead of relaying from Zimbra to O365, you can direct MX records to Office 365. Since you do not have any of the not-migrated mailboxes in the O365 Exchange Online service, non-existing mailboxes will be redirected to the Zimbra connector. I assume you have an O365 to yourOrg connector. Check this microsoft-docs article: https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-to-route-mail – aesnak May 22 '22 at 18:20
  • You may also need to specify a Conditional Routing Rule with filters for non-migrated users (a security group to which you add the related users); check the document below: https://docs.microsoft.com/en-us/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/conditional-mail-routing#step-2-use-the-eac-to-create-a-mail-flow-rule – aesnak May 22 '22 at 18:34

1 Answer


Zimbra has some security features: Restricted Sender and Sender Must Login.
It is possible that this has been configured on Zimbra so that it rejects messages from users on the Zimbra server if the mail has not been sent by an authenticated Zimbra user.

On the Zimbra server check the config file /opt/zimbra/conf/zmconfigd.cf, and look for:

POSTCONF smtpd_recipient_restrictions FILE zmconfigd/postfix_recipient_restrictions.cf

Under this line, something like this will be added:

POSTCONF proxy_read_maps FILE zmconfigd/proxy_read_maps.cf

If that line is present, sender rules are likely configured. In the same config there should be a line like this:

POSTCONF smtpd_sender_restrictions FILE zmconfigd/smtpd_sender_restrictions.cf

This will point you to the location of the smtpd_sender_restrictions.cf file that contains the restricted sender rules.

If this file contains reject_sender_login_mismatch, that is likely the issue. I am unsure what the best practice is to work around this in a migration like this. If you disable it, you weaken security a bit by making it easier to spoof mails for the domain. I think you can add exceptions, but then you will have to edit the file constantly every time you move a user.

This article here goes more in depth about it.
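The check the answer walks through (zmconfigd.cf pointing at smtpd_sender_restrictions.cf, then looking for reject_sender_login_mismatch) as a small added script; this is not from the answer or from Zimbra itself. In Postfix, reject_sender_login_mismatch rejects a MAIL FROM address that has an owner in smtpd_sender_login_maps unless the session authenticated as that owner, and the unauthenticated case produces exactly the "553 5.7.1 Sender address rejected: not logged in" response quoted in the question. The config files below are constructed sample data; on a real server set CONF_DIR to /opt/zimbra/conf instead.

```shell
#!/bin/sh
# Added example: follow the zmconfigd.cf -> smtpd_sender_restrictions.cf chain
# and report whether reject_sender_login_mismatch is in effect.

# Print the path that "POSTCONF <param> FILE <relpath>" points to, relative to the conf dir.
# Returns 1 when zmconfigd.cf has no such line.
postconf_file_for() {
    conf_dir="$1"; param="$2"
    rel=$(awk -v p="$param" '$1 == "POSTCONF" && $2 == p && $3 == "FILE" { print $4; exit }' \
        "$conf_dir/zmconfigd.cf")
    [ -n "$rel" ] && printf '%s/%s\n' "$conf_dir" "$rel"
}

# Exit status 0: reject_sender_login_mismatch is active in the sender restrictions,
# 1: the restrictions file exists but does not contain it, 2: the pointer line is missing.
sender_login_mismatch_enabled() {
    conf_dir="$1"
    f=$(postconf_file_for "$conf_dir" smtpd_sender_restrictions) || return 2
    sed 's/#.*//' "$f" | grep -qw reject_sender_login_mismatch   # ignore comments
}

# --- constructed demo tree (NOT a real Zimbra installation) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/zmconfigd"
cat > "$demo_dir/zmconfigd.cf" <<'EOF'
POSTCONF smtpd_recipient_restrictions FILE zmconfigd/postfix_recipient_restrictions.cf
POSTCONF proxy_read_maps FILE zmconfigd/proxy_read_maps.cf
POSTCONF smtpd_sender_restrictions FILE zmconfigd/smtpd_sender_restrictions.cf
EOF
cat > "$demo_dir/zmconfigd/smtpd_sender_restrictions.cf" <<'EOF'
# constructed sample restriction list
permit_mynetworks
permit_sasl_authenticated
reject_sender_login_mismatch
EOF

CONF_DIR="${CONF_DIR:-$demo_dir}"
if sender_login_mismatch_enabled "$CONF_DIR"; then
    echo "reject_sender_login_mismatch is active in $CONF_DIR:"
    echo "unauthenticated mail using a local sender address will get 553 5.7.1 'not logged in'"
else
    echo "reject_sender_login_mismatch not found in sender restrictions under $CONF_DIR (status $?)"
fi
```

Run it on the server as the zimbra user with `CONF_DIR=/opt/zimbra/conf`; a status of 2 means the pointer line from the answer is missing from zmconfigd.cf.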