We have created an email account on our server, let's say account@domain.com. If we send an email from outbound.protection.outlook.com with that email address to any other mail@domain.com, our server blocks the mail. The message is:
<account@domain.com>: Sender address rejected: not logged in;
We already have a SPF record but mails are still rejected.
Is it possible to allow outbound.protection.outlook.com to send mails on behalf of domain.com, per domain or, even better, per mail account?
If I got it right you're trying to send an email from outbound.protection.outlook.com using the user that is set in your Carbonio.... without authenticating.... right?
So account@domain.com is in Carbonio and you're trying to send a mail from outbound.protection.outlook.com using it... that's not supposed to work. So my 1st impression is that Carbonio is doing it right.
If you wish to use another server to send messages using your Carbonio, it must authenticate.
If I got it wrong just forget about it and please elaborate more.
Regards
I tend to agree with anahuac here. Probably it should be the other way around: you should ask admins of outbound.protection.outlook to allow users from domain.com to be able to send messages on their behalf...
Hi,
Could you please help me understand the scenario?
So the outbound.protection.outlook is your relay host configured in Carbonio CE for external outbound email, am I getting it right?
And outbound.protection.outlook is added to your SPF/TXT records of the mentioned domain, is it so?
Therefore, while sending email with the following flow:
Carbonio CE --> outbound.protection.outlook --> Internet --> Remote SMTP Server
You are getting "<account@domain.com>: Sender address rejected: not logged in;"
Regards,
Sharif
Hi @sharif,
No, we don't have a relay host configured in Carbonio CE. We have a domain setup "domain.com" in our Carbonio server "mail.carbonioserver.xyz". Now someone with email address "user@domain.com" is using Outlook.com to mail and uses the following route.
Outlook.com --> Internet --> Remote SMTP Server
We have in SPF record
v=spf1 a mx include:spf.protection.outlook.com ~all
So sending mails from Outlook.com to domains not hosted on our mailserver works fine due to the SPF record. But sending mail from Outlook.com to any user for any domain on our mailserver will be rejected with
"<account@domain.com>: Sender address rejected: not logged in;"
The person is not logged in and is not sending from our mailserver but from Outlook.com.
I understand what @anahuac and @stefanodavid are saying (sorry for the late reply, guys) but if that's not possible, what use is an SPF record? Or am I confusing the role of an SPF record?
Hi,
What @anahuac and @stefanodavid are saying is right. But I think here what is happening is that your Carbonio CE server has strict anti-spoofing policies, it may reject emails that appear to come from a domain that is expected to be hosted by the server itself but are sent from an external service (like Outlook.com).
Regards,
Sharif
Also, could you please check if this helps or not:
su - zextras
carbonio prov mcf +zimbraMtaSmtpdSenderRestrictions "permit_sasl_authenticated"
Regards,
Sharif
I just modified it from "reject_sender_login_mismatch" to "permit_sasl_authenticated" and will check it and let you know.
Modified and restarted zmcontrol but still not accepting mail.
Could you please tell us more, like how does outlook.com authenticate?
How have you configured the mail flow?
Regards,
Sharif
I understand, I will ask the guys who configured outlook.com about this and let you know, probably tomorrow.
Thanks in advance!
Hi @sharif,
In the DNS for domain.xyz we have two DKIM records. One for our mail server and one is set up for 365. In our SPF record we included the mail server of Microsoft 365 by including the spf.protection.outlook.com.
v=spf1 a mx include:spf.protection.outlook.com ~all
In Carbonio CE we set up two mail accounts for domain.xyz, let's say user1@domain.xyz and user2@domain.xyz.
user2@domain.xyz is a forward to user2@domainxyz.onmicrosoft.com
user2@domain.xyz is sending mail from the Microsoft 365 environment without authentication on our Carbonio CE server. But in my opinion this should not be necessary because of the DKIM and SPF combination. (please correct me if I am wrong here)
Mails from user2@domain.xyz to other global users are accepted and received due to the DKIM and SPF settings. But mails from user2@domain.xyz to user1@domain.xyz are blocked by our mail server.
"<user2@domain.xyz>: Sender address rejected: not logged in;"
This setup used to work with zimbra before migrating domain.xyz to Carbonio CE. I know that is not a guarantee that it should work now 😉
Hi @anahuac
Do you have any idea?
In short,
Whenever we send an e-mail from an application or script (within SPF records) with a sender email address known to our Carbonio CE server to a mailbox on our Carbonio server, we get this user not logged in error.
So I guess @sharif is right when mentioning this
" But I think here what is happening is that your Carbonio CE server has strict anti-spoofing policies, it may reject emails that appear to come from a domain that is expected to be hosted by the server itself but are sent from an external service (like Outlook.com). "
The question is how to soften these anti-spoofing policies so it accepts the mails.
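Added example (not part of any post in this thread, and not Carbonio's or Postfix's own code): a simplified Python model of the Postfix sender-login restrictions named above, showing that the "not logged in" rejection is decided by SASL login state and the sender-login map, with SPF and DKIM never consulted. The map contents and function names are constructed for illustration.

```python
# Simplified model of Postfix sender-login restrictions (added example).
# LOGIN_MAP stands in for smtpd_sender_login_maps: sender address -> owning logins.
# Its contents are constructed from the addresses used in the thread.
LOGIN_MAP = {
    "user1@domain.xyz": {"user1@domain.xyz"},
    "user2@domain.xyz": {"user2@domain.xyz"},
}

def unauth_mismatch(sender, login):
    # Address has an owner locally, but the client did not SASL-authenticate.
    if login is None and sender in LOGIN_MAP:
        return f"REJECT <{sender}>: Sender address rejected: not logged in"
    return None

def auth_mismatch(sender, login):
    # Client is authenticated, but the login does not own the MAIL FROM address.
    if login is not None and login not in LOGIN_MAP.get(sender, set()):
        return f"REJECT <{sender}>: Sender address rejected: not owned by user {login}"
    return None

RESTRICTIONS = {
    "reject_unauthenticated_sender_login_mismatch": unauth_mismatch,
    "reject_authenticated_sender_login_mismatch": auth_mismatch,
    # The combined form applies both halves.
    "reject_sender_login_mismatch":
        lambda s, l: unauth_mismatch(s, l) or auth_mismatch(s, l),
    "permit_sasl_authenticated":
        lambda s, l: "PERMIT" if l is not None else None,
}

def evaluate(restrictions, sender, login=None):
    """First restriction that decides wins; SPF/DKIM results are not inputs."""
    for name in restrictions:
        verdict = RESTRICTIONS[name](sender, login)
        if verdict:
            return verdict
    return "DUNNO"  # no decision here; later checks (spam/SPF scoring) still run

if __name__ == "__main__":
    m365 = dict(sender="user2@domain.xyz", login=None)  # mail relayed by Microsoft 365
    for policy in (["reject_sender_login_mismatch"],
                   ["reject_authenticated_sender_login_mismatch"],
                   ["permit_sasl_authenticated"]):
        print(policy, "->", evaluate(policy, **m365))
```

In this model `reject_authenticated_sender_login_mismatch` keeps the ownership check for logged-in users while leaving unauthenticated inbound mail undecided, so spoofing of local addresses from outside is then stopped only if the later SPF/DKIM and spam checks enforce it.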