Back to Community Threads
12
550 Authentication is required for relay - Enable domain's SMTP auth setting for local deliveries
Idea shared by CCC - 4/5/2016 at 7:24 AM
Under Consideration
Hello,
 
It seems like smartermail is not taking SPF into account within the context of the following SMTPin setting
 
Settings > Protocol Settings > SMTPin > "Enable domain's SMTP auth setting for local deliveries"
 
We are a hosting company and frequently our clients have need to send mail through a 3rd party email service.  We have added the appropriate SPF records to our client's domains - however inevitably when they try to send themselves a test message from a 3rd party mail server, they get a "550 Authentication is required for relay" message.  The FROM address is a local mailbox, the TO address is a local mailbox, and the sending server passes an SPF check.
 
As I understand, this is related (at least in part) to a setting within SmarterMail's SMTPin Settings which reads "Enable domain's SMTP auth setting for local deliveries".  We have that setting enabled, and at each domain we have the "Enable SMTP Authentication" setting enabled as well.  This effectively blocks random spammers from emailing FROM @ourcustomer.com to @ourcustomer.com - however it is also forcing authentication on legitimate 3rd party mail servers that are authorized in the domain's SPF record. 
 
Obviously we don't want to disable SMTP authentication at the domain level, so the only workaround we have found is to add the sending SMTP servers IP address(es) to the SMTP Authentication Bypass whitelist.  Unfortunately that is not really a sustainable workaround. 
 
I am not sure if this behavior changed in smartermail over the last 6 months or so (we are running 14.5.5...), or if our customers are just using 3rd parties for SMTP more often - but in either case I have found myself adding more and more whitelist entries over the last few months. 
 
Senders are usually pretty good about updating their own SPF records, and since we include the senders SPF records in our customer's domain SPF records - we theoretically have a pretty up to date list of IP addresses that should be allowed to send mail through our customers domain and should not need any whitelist entries.
 
If the sender doesn't pass an SPF check for the FROM address, then i'm fine with our server rejecting with a 550 authentication required message, however if the sending IP passed an SPF check - smartermail should not require authentication for delivery to local users.
 
Has anyone else run into this and/or come up with another workaround that does not result in a less secure SMTP configuration?
 
 

32 Replies

Reply to Thread
3
I struggle with this every day as well.
 
To prevent relaying or delivery of Spoofed Spam the "Enable domain's SMTP auth setting for local deliveries" setting in SMTP IN and "Require SMTP Authentication" on Domains is necessary. However, doing such means that any email addressed from a domain that is not sent by your Mail Server is going to bounce with the "550 Authentication is Required for Relay" message.
 
In an ideal world we would take the hard-line and tell customers that their web application must simply use SMTP Authentication in order to send email as FROM: an address on their domain. However, it is not an ideal world and sometimes there are outdated web apps that still don't allow for SMTP Authentication, or 3rd Party Providers (such as Quickbooks, MailChimp, Constant Contact, etc.) that insist on sending email using their own Mail services addressed as FROM: the customer's domain.
 
SMTP Bypass is one way of handling the problem (which doesn't always work as intended). Alternately you can disable "Require SMTP Authentication" from that domain. There are potential repercussions of either course of action.
 
I'm not aware of any other solution. I, for two, would also like if SMTP IN did take into account SPF/DMARC before rejecting with a 550 Authentication is Required for Relay, because it is a daily struggle when SmarterMail does not take into account 3rd Party Services & Providers that legitimately address their email's FROM: the customer's account.
0
I'm going to try updating from 14.5 to 15.0.5932 to see if there are any behavioral changes in the new version.  I don't see anything in the release notes that jumps out at me as addressing this issue but its worth a shot :)
 
0
I have experienced the same problem, however the smtp bypass authentication doesn't even seem to work.
Example: I have a third party vendor sending un-authenticated mail.  The vendor's listed in SPF and on our server they are whitelisted and in the authentication bypass list.   If noreply@domain.com sends mail to someone@domain.com it bounces with a authentication error.   If I disable "enable domain's smtp auth setting for local deliveries" the error goes away.  I have confirmed the ip address in the sending email and it matches that within the bypass settings.  Seems like this should work even with authentication set for local deliveries.   Any thoughts or suggestions?
1
The "enable SRS" does nore to allow forwarding than to allow sending from 3rd party addresses You may also be experiencing an issue with the number of SPF lookups required with included records. SPF records are limited to 10 lookups. Adding includes sometimes causes the number of lookups tp spiral - tp 30, 30, 40 , or more, and that can cause non-delivery issues related to SPF. We require that all users authenticates with a location account, whether sending from another e-mail address, web form, or shopping cart. This cuts the outbound spam, which used to originate through 3rd party addresses, down to zero, as well.
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
0
Bruce, Thanks for the followup, never considered the spf lookups so that may be an issue.
Agree with you on the local account authentication requirement, however the third party sender doesn't yet have the option for utilizing credentials. That's disappointing, since they work with financial institutions. I'm still confused why a sending IP address in the authentication bypass group would generate the 550 error when the local delivery auth is enabled. Shouldn't it bypass this?
0
My SRS is set to server default.....but I'm not quite sure what the default is. Are you suggesting this be enabled?
0
If it was SPF related, it would be nice if that was logged

(as discussed in the forum thread 2014 - still marked as "under consideration")

http://portal.smartertools.com/community/a696/does-smartermail-strictly-enforce-spf-processing-limits-as-defined-in-rfc-4408.aspx
0
CCC - Thanks for that link and I completely agree!
0
Here's a link with more information on the maximum number of SPF lookups. http://www.openspf.org/FAQ/Common_mistakes
Bruce Barnes ChicagoNetTech Inc brucecnt@comcast.net Phonr: (773) 491-9019 Phone: (224) 444-0169 E-Mail and DNS Security Specialist Network Security Specialist Customer Service Portal: https://portal.chicagonettech.com Website: https://www.ChicagoNetTech.com Security Blog: http://networkbastion.blogspot.com/ Web and E-Mail Hosting, E-Mail Security and Consulting
0
Still battling with the issue of "Enable domain's SMTP auth setting for local deliveries" not honoring SPF. 
 
I'm maintaining dozens of IP based whitelists at this point to support 3rd party senders like Office 365 and Shopify. 
 
IP based whitelists are not a scalable and maintainable method for solving this problem in this day and age.  This is what SPF was designed for...
 
Has anyone else found a solution?
3
Employee Replied
10/27/2016 at 7:38 AM
Employee Post
CCC, I've generated a ticket off this so we can track it internally. I'll be bringing this to the dev's on Friday. I'll update this thread once we've discussed this further. 
0
Thanks Von, much appreciated!
0
Employee Replied
10/28/2016 at 9:29 AM
Employee Post
CCC, our developers have added a feature request for specifying a domain and having the whitelist entries dynamically added based on SPF record. They are in agreement that this would benefit a majority of our customers.
0
This is still a bug right? I have clients using shopify and they cant seem to get notifications that come from shopify relay servers when sent to their domain even with SPF record correct. Smartermail just keeps bouncing them with 550 error. Any comments Von?
0
I'm having the exact same issue with Zendesk as the sender. I need this resolved please. What's the word?
0
You happen to find a resolution for this? Seems the thread got quiet and I'm having the same problem... trying to stir the pot a bit. Thanks!
0
Was anything ever done on this?
0
We've had to override SMTP auth safe IP list. Not ideal. I think this thread is in deep sleep.
1
Was anything ever completed on this?
0
just bumping this thread, awaiting a solution...
0
I'll bump this too. It's only gotten worse in the two years since this was started.  Most of our clients use some sort of SAAS solution that uses their domain now.  The biggest issue we are having is Shopify users not getting their orders. 
0
Smartermail seems to have gone silent on this like so many other issues.
1
Isn't this normal behavior of all email servers? I'm not saying that it shouldn't be handled like it was proposed here but IMHO other mail servers are acting the same when they have local domain configured?
 
I think this should be handled just like it was with external MX servers:
 
 
Next to Inbound Message Delivery should be another dropdown or checkbox which would allow domain configuration to check SPF record during delivery for accepting remote emails for this domain. IMPORTANT thing that this scenariu should be also handled in incoming scenario gateway using web service validation.
2
just bumping this as it's late 2020 and I think this is still pending ?!?
1
just bumping this again as it's 2021 now ?!?
0
Kyle Kerst Replied
5/10/2021 at 4:56 PM
Employee Post
Hello everyone. I became aware of this thread this afternoon, and I am in the process of reviewing its entire history now. That being said, the behavior originally reported (550 authentication required for relay) in this scenario (sending from a third party server) is expected, and is being handled similarly to other email server software installations as well. 

The recommended fix is to implement a whitelist entry for that third-party server IP under Settings>Security>Whitelist including the SMTP Authentication Bypass toggle. There are no alternative solutions that I am aware of. 
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
1
That’s great, but that that doesn’t solve the issue of auto-whitelisting ip’s/domains based on SPF records for the domain, and the fact that you can only whitelist IP addresses in SM which can change often for any 3rd party service like Shopify. I whitelist their IP’s but after a little time they swap them out and I’m back to looking though the logs or perform NS lookups for the new ip addresses to manually whitelist (they refuse to give a list of IP’s) them again. All this while my clients are pissed at me as they are getting bounces that they feel they shouldn’t get, although they don’t understand the issues.

Other email services include the SPF record to allow email from those servers. Like I mentioned above, I have no problem adding to the waitlist but having the ability to whitelist a domain name to bypasss auth would be immensely helpful and would solve this whole issue.

Thanks!
David
1
I think all of us understand how to whitelist by IP, but like David said, that's just not always an viable solution. Shopify if a prime example, we've had the same issue with them, but they are just one of many. A mail server honoring it's own domain's SPF records doesn't seem like it would cause any problems... I'm not sure the reluctance to implement this.
1
Kyle Kerst Replied
5/11/2021 at 2:55 PM
Employee Post
Thanks for your feedback on this. I do believe we have a feature request in for this, but under the current functionality, you'll need to add an SMTP Authentication Bypass whitelisting for the third-party server so that SmarterMail knows to exclude them from those requirements. Have a good one!
Kyle Kerst IT Coordinator SmarterTools Inc. www.smartertools.com
0
LOL. Five years later and there’s a “feature request”. Under the current functionality, the best solution is another mail server vendor for customers that depend on SaaS providers.
0
We have the same problem.
But today I tried to send to myself via SMTP in a gmail account. It came out immediately. The email stated my own address as the sender. In the header was the gmail address as Return-Path.
So if the Return-Path differs from the real sender, it works. Apparently, not all SMTP servers have this feature, so there will be problems for them.
0
Zach Sylvester Replied
5/26/2022 at 12:41 PM
Employee Post
Hello Everyone, 

I hope you all are doing well. I went ahead and submitted a new feature request for this to be added. I also added new criteria to the request. The email would have to pass DKIM and SPF in order to be relayed this would ensure with a 99% certainty that the email is authenticated. Make sure that if you want this feature added you give the original post a thumbs up so we know that many users want this added. 

Have a great memorial weekend. 

Kind Regards, 
Zach Sylvester Software Developer SmarterTools Inc. www.smartertools.com
Back to Community Threads

Reply to Thread

Related Knowledge Base Articles

Recommended SPAM SettingsSmarterMail > Antispam and Antivirus
Configure SmarterMail as a Free Gateway ServerSmarterMail > Server Configuration and Management
"550 Authentication is Required for Relay" when Sending EmailSmarterMail > Troubleshooting
Deploying Rspamd For Use With SmarterMailSmarterMail > Server Configuration and Management
Cannot Send Email MessagesSmarterMail > Troubleshooting