Tracks

Zimbra Relay Access - Denied

by Alex Gallacher
by Alex Gallacher

Zimbra Relay Access - Denied

If you manage a Zimbra Collaboration Suite (ZCS) environment, you’ve likely seen the dreaded "554 5.7.1 <[email protected]>: Relay access denied" error in your mail logs.

| Setting | Command to Check | Desired State | | :--- | :--- | :--- | | | zmprov getServer zimbraMtaTlsAuthOnly | TRUE | | Submission Port | zmprov getServer zimbraMtaAuthEnabled | TRUE on port 587 | | Trusted Networks | zmprov getServer zimbraMtaMyNetworks | Only internal subnets | Final Thoughts "Relay access denied" is frustrating because it stops legitimate email. But remember: without this guardrail, your Zimbra server would be an open relay—and it would be blacklisted within hours.

It usually appears without warning. One minute, a user or an application is sending mail fine; the next, emails are bouncing back. Don’t panic. This error is actually Zimbra’s security system doing its job—it just needs a little adjustment. zimbra relay access denied

Found this helpful? Subscribe to our newsletter for more Zimbra and open-source mail server tips.

Add the device’s IP address to Zimbra’s “mynetworks” setting. This tells Zimbra, "Trust anything coming from this IP." If you manage a Zimbra Collaboration Suite (ZCS)

This most often happens in three specific scenarios: Zimbra’s default security stance is: Authenticate first, then relay. If a device or script tries to send mail through your server on port 25 (the standard SMTP port) without a username and password, Zimbra will reject it.

zmprov modifyServer `zmhostname` zimbraMtaMyNetworks '127.0.0.0/8 10.0.0.0/24 YOUR_DEVICE_IP/32' zmcontrol restart mta Only do this for internal, static IPs. Never add public IP ranges here. How to Diagnose the Problem in 30 Seconds Still stuck? Check the mail logs. SSH into your Zimbra server and run: It usually appears without warning

Change the sending device to use port 587 (Submission) instead of port 25, and enable SMTP Authentication . Most modern email clients (Outlook, Thunderbird, Apple Mail) support this natively.

zmprov getServer `zmhostname` | grep zimbraMtaAuthEnabled It should return TRUE . If you’ve configured a “Send As” alias (e.g., sending as @gmail.com from your Zimbra webmail), Zimbra will reject it unless you’ve explicitly allowed it.

zmprov modifyAccount [email protected] +zimbraAllowFromAddress [email protected] zmprov fc account [email protected] This is a classic "broken copier" or "buggy CRM" problem. Printers, scanners, and legacy applications often hard-code an IP address and try to send mail without logging in.

To test if this is the issue, try:

This site uses cookies. By continuing to use the site you consent to their use. Close and Accept Use of Cookies on KLOF Mag