Exim with LAN IP only sends locally, cannot send out

lowhigh

Hi all!

I have a DirectAdmin server using LAN IP 192.168.123.123; this IP is NATed to WAN IP 123.123.123.123. I have installed all services. Web services are OK, but the mail server is not.
In DirectAdmin, I am using all domains with IP 123.123.123.123. In the IP management at Admin Level, I linked the WAN IP with the LAN IP 192.168.123.123.
However, when using Roundcube webmail, sending internal mail to domains on the server is fine, but sending to external domains such as Gmail always reports error 550 Relay not permitted:
2025-04-16 00:16:45 1u4j9h-00000000Njf-0WJT ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp H=mail.mypartner.com [123.234.234.123] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no: SMTP error from remote mail server after RCPT TO:<[email protected]>: 550 Relay not permitted

[email protected] F=<[email protected]> R=lookuphost T=remote_smtp H=gmail-smtp-in.l.google.com [173.194.174.27] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no: SMTP error from remote mail server after RCPT TO:<[email protected]>: 550 Relay not permitted

I followed this guide https://docs.directadmin.com/change...main-ips-file-for-exim-outbound-ip-interfaces
from the section "For a LAN setup, DA assumes you've set the directadmin.conf option" create the files /etc/virtual/domainips and /etc/virtual/helo_data, add domains to /etc/virtual/domainips in the form
mydomain:123.123.123.123 , or
mydomain: 192.168.123.123
check the files again according to the guide https://docs.directadmin.com/other-hosting-services/email/perfect-email-setup.html
but when sending from Roundcube, exim still says 550 Relay not permitted

Please help me!
 
I don't use LAN, but did you add the LAN IP in directadmin.conf as stated in the LAN docs step 5?

Then this might also cause issues:
I have a Directadmin Server using IP LAN 192.168.123.123,
Did you install it with this IP? Because the doc says you need to use the external IP (use setup.sh without the license key behind it).

Also used this guide to get the external ip correct?

Edit: Normally this should work. I don't think you even need to use these Exim adjustments.
Anyway, if this is not a legacy license, you can also ask ticket support for help if nobody answers here.
 
Dear @Richard G !

Of course I have the lan_ip option in directadmin.conf. There is no other IP; the system has only 1 IP and this IP is NATed out. It installed fine because it has a license.
I have a license_key but don't know how to send a ticket to support.

 
Hello,


Do you have mydomain.com in /etc/virtual/domains and /etc/virtual/domainowners ?



see: https://tickets.directadmin.com/
Dear @zEitEr !

I have checked all as per instructions and it is complete.
I use ticket but it says "This is an Internal License on guest login.Please contact your license provider for technical support."
Since the installation according to the IP LAN/NAT model, all newly installed servers have been unable to send emails out, only internally. Web services are still running fine. I have never encountered such a case so this error affects me a lot.

Please help me!
 
"This is an Internal License on guest login.Please contact your license provider for technical support."
Okay, then we can't help you with that. You are using the license illegally. Internal licenses are only to be used together with the server it is provided with in the datacenter of the datacenter/hoster who sold you the license.
It is not an owned license which you can use anywhere like at home. They were never intended nor allowed to be used outside the seller's datacenter.
 
@Richard G
Using a LAN IP doesn't mean he's not in the datacenter.

If he installed on cloud software like XCP-ng or Proxmox, then he can still create the virtual LAN network.

Since he can update the DirectAdmin service fine, it's in a public IP range network.
 
Using a LAN IP doesn't mean he's not in the datacenter.
I never heard you have to NAT in a datacenter, but of course I can be mistaken. When using internal IPs it will be done indeed.

However, being able to update the DA services or being in a public IP range network is also not a proof of legal usage for internal licenses.

@lowhigh If you're using the server/datacenter the way @Ohm J says (so with server you got from the datacenter together with the license inside the datacenter) then you can forget what I wrote.
 
Oh no @Richard G , this License is a License for datacenter, I don't use it for home purposes but that doesn't mean that LAN/NAT can't be used. The purpose of using LAN/NAT is due to my network planning, the servers need to connect to LAN together and to limit the complete exposure to the Internet, the NAT solution by Firewall is chosen by us....

@Ohm J , yes this is my authentic License

Has anyone encountered this situation? Help me.
 
This message "Relay not permitted" can be caused by any number of issues, like you being on their blocklist, or email validation via rDNS, SPF, DKIM being wrong.

So, try testing the email using https://www.mail-tester.com

Or sending to "hotmail" should provide more detail why it's not allowed to send.
 
Dear @lowhigh !
If you open /etc/exim.conf and read it, you will probably find:
Bash:
#COMMENT#44
  # accept if address is in a domain for which we relay as long as recipient
  # can be verified
  accept  domains = +relay_domains
          endpass
          verify = recipient
#EDIT#45:
  accept  hosts = +relay_hosts
          add_header = X-Relay-Host: $sender_host_address

  accept  hosts = +auth_relay_hosts
          endpass
          message = AUTH_REQUIRED
          authenticated = *

  .include_if_exists /etc/exim.acl_check_recipient.post.conf

# FINAL DENY EMAIL BEFORE DATA BEGINS HERE
  # default at end of acl causes a "deny", but line below will give
  # an explicit error message:
  deny    message = RELAY_NOT_PERMITTED

So, once again, do you have mydomain.com (the sending domain, not the hostname; the latter is mentioned in the guide you are referring to) in /etc/virtual/domains and /etc/virtual/domainowners?
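
Added example, not part of any post in this thread: in Exim's main log a `**` line ending in "SMTP error from remote mail server after RCPT TO" records a reply received from the host in `H=`, while a refusal by the local ACL (such as the final `deny` quoted above) is logged as `rejected RCPT`. The sketch below separates the two and checks a sender domain against the contents of /etc/virtual/domains and /etc/virtual/domainowners. The log lines, hosts, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample lines in Exim main-log format; hosts and addresses are made up.
SAMPLE_LOG = """\
2025-04-16 00:16:45 1u4j9h-00000000Njf-0WJT ** user@example.net F=<info@mydomain.com> R=lookuphost T=remote_smtp H=mx.example.net [203.0.113.25] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no: SMTP error from remote mail server after RCPT TO:<user@example.net>: 550 Relay not permitted
2025-04-16 00:20:02 H=(client.example.org) [198.51.100.7] F=<someone@example.org> rejected RCPT <user@example.net>: Relay not permitted
2025-04-16 00:21:10 1u4jAB-00000000Nkq-1abc => local@mydomain.com F=<info@mydomain.com> R=virtual_user T=virtual_localdelivery
"""

# "**" delivery failure where the 5xx reply was read from the remote server.
REMOTE = re.compile(
    r"^\S+ \S+ (?P<msgid>\S+) \*\* (?P<rcpt>\S+) F=<(?P<sender>[^>]*)>.*? "
    r"H=(?P<host>\S+) \[(?P<ip>[^\]]+)\].*?: SMTP error from remote mail server "
    r"after (?P<stage>.+?): (?P<reply>\d{3}[ -].*)$")
# Inbound RCPT refused by this server's own ACL (e.g. the final "deny" in exim.conf).
LOCAL = re.compile(
    r"^\S+ \S+ H=.*?\[(?P<ip>[^\]]+)\].*?F=<(?P<sender>[^>]*)> "
    r"rejected RCPT <(?P<rcpt>[^>]*)>: (?P<reply>.*)$")

def classify(line):
    """Return (origin, fields) where origin is 'remote', 'local' or None."""
    for origin, rx in (("remote", REMOTE), ("local", LOCAL)):
        m = rx.match(line)
        if m:
            return origin, m.groupdict()
    return None, {}

def sender_domain_known(sender, domains_text, owners_text):
    """True if the sender's domain appears in both files' contents
    (domains: one domain per line; domainowners: 'domain: user')."""
    domain = sender.rsplit("@", 1)[-1].lower()
    in_domains = domain in {l.strip().lower() for l in domains_text.splitlines()}
    in_owners = domain in {l.split(":", 1)[0].strip().lower()
                           for l in owners_text.splitlines() if ":" in l}
    return in_domains and in_owners

def report(log_text):
    """Count 'Relay not permitted' rejections by who issued them."""
    counts = {"remote": 0, "local": 0}
    for line in log_text.splitlines():
        origin, f = classify(line)
        if origin and "relay not permitted" in f["reply"].lower():
            counts[origin] += 1
    return counts

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

For a "remote" result, the `host` and `ip` fields show which machine actually answered the connection, which is the address to compare against the destination's published MX records.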
 