Topic: extern distribution list: Recipient address rejected: SMTP AUTH req

- iRedMail version (check /etc/iredmail-release): 1.4.0
- Deployed with iRedMail Easy or the downloadable installer? Downloaded
- Linux/BSD distribution name and version: Ubuntu 20.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.

I saw an earlier thread on this or very similar, but it was not resolved.

Our scenario:

We moved a group of users from the main domain.org to a server running webmail.domain.org.

Everything works fine sending from webmail.domain.org to other webmail.domain.org users and between webmail.domain.org and domain.org

However, we set up distribution lists/forwarding on the domain.org site (hosted in Office 365) for these addresses to send them to webmail.domain.org while people adjust, and also have a few distribution lists that need to go to multiple people, some on domain.org and some on webmail.domain.org.

When a user @webmail.domain.org sends an email to the distribution list hosted on @domain.org that sends the message to a @webmail.domain.org user, it attempts to send the copy back to the mailbox on @webmail.domain.org with the original sender address of @webmail.domain.org.

This triggers the error:  NOQUEUE: reject: RCPT from mail-bn8nam12lp2168.outbound.protection.outlook.com[]: 554 5.7.1 <destuser@webmail.domain.org>: Recipient address rejected: SMTP AUTH is required for users under this sender domain; from=<sender@webmail.domain.org> to=<destuser@webmail.domain.org> proto=ESMTP helo=<NAM12-BN8-obe.outbound.protection.outlook.com>

I tried to create a rule in /etc/postfix/helo_access.pcre:
/\.outbound\.protection\.outlook\.com$/ OK

But I still am getting the SMTP AUTH message, so this is not a fix for this problem.

I did see this FAQ: https://docs.iredmail.org/errors.html

I do not know if ALLOW_FORGED_SENDERS is an option to solve this problem or not, because potentially everyone on @webmail.domain.org may need to send to one of these distribution lists.

I also do not know every IP address that Office 365 may use so that I could include them in MYNETWORKS as that article suggests, if that is even a good idea.

So how would I allow a forwarded/distribution list message sent back into webmail.domain.com by a webmail.domain.com user when it had to route through the Office 365 domain.com distribution list?


Re: extern distribution list: Recipient address rejected: SMTP AUTH req

After reading another older similar post, I tried to include the Office 365 SPF records in our SPF record for this subdomain and it now seems to allow this mail path to work.

Is there a better way?
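
The effect of the SPF change described in the post above, as an added example that is not part of the original thread or of iRedMail's code. It assumes the server accepts an unauthenticated message with a local sender address only when the connecting IP passes the sender domain's SPF record; the records, the `spf.relay.example` name and the documentation-range IPs are constructed stand-ins for the real Office 365 data.

```python
import ipaddress

# Constructed TXT records. 192.0.2.10 stands in for the webmail server and
# 198.51.100.0/24 for the external relay's outbound range (documentation IPs).
RELAY = {"spf.relay.example": "v=spf1 ip4:198.51.100.0/24 -all"}
BEFORE = {**RELAY, "webmail.domain.org": "v=spf1 ip4:192.0.2.10 -all"}
AFTER = {**RELAY,
         "webmail.domain.org": "v=spf1 ip4:192.0.2.10 include:spf.relay.example -all"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain, records, depth=0):
    """Evaluate the ip4/include/all subset of SPF (RFC 7208) over a dict of records."""
    if depth > 10:  # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            inner = check_spf(ip, term[8:], records, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"  # a broken include invalidates the whole record
            matched = inner == "pass"  # the include's own fail/-all does not propagate
        else:
            continue  # a, mx, ip6, redirect etc. are outside this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"

def accepted_without_auth(client_ip, sender, records):
    """Hypothetical model of the policy decision: local sender, no SMTP AUTH."""
    return check_spf(client_ip, sender.rsplit("@", 1)[1], records) == "pass"

if __name__ == "__main__":
    for label, recs in (("before", BEFORE), ("after", AFTER)):
        ok = accepted_without_auth("198.51.100.25", "sender@webmail.domain.org", recs)
        print(label, "accepted" if ok else "rejected: SMTP AUTH required")
```

The include authorizes every address in the relay's record, so on a shared provider any tenant relaying through those addresses passes SPF for the subdomain as well.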


Re: extern distribution list: Recipient address rejected: SMTP AUTH req

I'm afraid there is no better way in this case.
The possibility is using a content filter to check mail headers.

