Exim with LAN IP only send local, cannot send out

lowhigh (Verified User, joined Nov 4, 2014)
Hi all!

I have a DirectAdmin server using LAN IP 192.168.123.123; this IP is NATed to WAN IP 123.123.123.123. I have installed all services; web services are OK but the mail server is not.
In DirectAdmin, I am using all domains with IP 123.123.123.123. In IP management at Admin Level, I linked the WAN IP with LAN IP 192.168.123.123.
However, when using Roundcube webmail, sending internal mail to domains on the server is fine, but sending to external domains such as Gmail always reports error 550 Relay not permitted:
2025-04-16 00:16:45 1u4j9h-00000000Njf-0WJT ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp H=mail.mypartner.com [123.234.234.123] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no: SMTP error from remote mail server after RCPT TO:<[email protected]>: 550 Relay not permitted

[email protected] F=<[email protected]> R=lookuphost T=remote_smtp H=gmail-smtp-in.l.google.com [173.194.174.27] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no: SMTP error from remote mail server after RCPT TO:<[email protected]>: 550 Relay not permitted

I followed this guide https://docs.directadmin.com/change...main-ips-file-for-exim-outbound-ip-interfaces
from the section "For a LAN setup, DA assumes you've set the directadmin.conf option": create the files /etc/virtual/domainips and /etc/virtual/helo_data, and add domains to /etc/virtual/domainips in the form
mydomain:123.123.123.123, or
mydomain:192.168.123.123
I checked the files again according to the guide https://docs.directadmin.com/other-hosting-services/email/perfect-email-setup.html
but when sending from Roundcube, Exim still says 550 Relay not permitted.

Please help me!
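As an added example (not code from the thread or from DirectAdmin), a small Python parser for Exim failed-delivery log lines of the shape quoted above, with a few sanity checks a reviewer would run on them: which side issued the 550, whether the envelope sender equals the RCPT TO address, and whether the remote certificate was verified. The sample line and its addresses are constructed, because the forum masks real addresses.

```python
import re
from typing import Optional

# Exim mainlog "**" (delivery failed) lines. Field tags follow Exim's log
# conventions: F= envelope sender, R= router, T= transport, H= remote host [ip],
# X= TLS cipher, CV= whether the remote certificate verified.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) \*\* (?P<addr>\S+) F=<(?P<sender>[^>]*)> "
    r"R=(?P<router>\S+) T=(?P<transport>\S+) H=(?P<host>\S+) \[(?P<ip>[^\]]+)\]"
    r"(?: X=(?P<tls>\S+))?(?: CV=(?P<cv>\S+))?: (?P<reason>.*)$"
)
RCPT_RE = re.compile(r"after RCPT TO:<(?P<rcpt>[^>]*)>: (?P<code>\d{3}) (?P<text>.*)$")

def parse_failure(line: str) -> Optional[dict]:
    """Parse one failed-delivery line into a dict, or return None if it is not one."""
    m = FAILED_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    r = RCPT_RE.search(rec["reason"])
    rec["rcpt_to"] = r["rcpt"] if r else None
    rec["code"] = int(r["code"]) if r else None
    rec["text"] = r["text"] if r else None
    # "SMTP error from remote mail server" means the 550 text was returned by
    # the host named in H=, i.e. the other side rejected the RCPT TO.
    rec["remote_reject"] = rec["reason"].startswith("SMTP error from remote mail server")
    return rec

def audit(line: str) -> list:
    """Return the observations a reviewer would make about one failure line."""
    rec = parse_failure(line)
    if rec is None:
        return ["not an Exim failed-delivery line"]
    notes = []
    if rec["remote_reject"] and rec["code"] == 550:
        notes.append(f"rejected by remote host {rec['host']} [{rec['ip']}] with 550")
    if rec["rcpt_to"] and rec["rcpt_to"] == rec["sender"]:
        notes.append("envelope sender equals RCPT TO: log line is inconsistent")
    if rec["cv"] == "no":
        notes.append("remote TLS certificate was not verified (CV=no)")
    return notes

# Constructed sample modelled on the thread's Gmail line; the addresses are
# made up because the forum masks them as [email protected].
SAMPLE = ("2025-04-16 00:16:45 1u4j9h-00000000Njf-0WJT ** someone@gmail.example "
          "F=<user@mydomain.example> R=lookuphost T=remote_smtp "
          "H=gmail-smtp-in.l.google.com [173.194.174.27] "
          "X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no: SMTP error from remote "
          "mail server after RCPT TO:<someone@gmail.example>: 550 Relay not permitted")
```

Feed it real lines from /var/log/exim/mainlog (or exigrep output) to see at a glance whether the rejection came from the remote MX named in H= rather than from the local ACL.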
 
I don't use LAN, but did you add the LAN ip in directadmin.conf as stated in the LAN docs step 5?

Then this might also cause issues:
I have a Directadmin Server using IP LAN 192.168.123.123,
Did you install it with this IP? Because the docs say you need to use the external IP (use setup.sh without the license key behind it).

Also, did you use this guide to get the external IP correct?

Edit: Normally this should work. I don't think you even need to use these Exim adjustments.
Anyway, if this is not a legacy license, you can also ask ticket support for help if nobody answers here.
 
Dear @Richard G !

Of course I have the lan_ip option in directadmin.conf. No more IPs; the system has only 1 IP and this IP is NATed out. It installed fine because it has a license.
I have a license_key but don't know how to send a ticket to support.

 
Hello,

Do you have mydomain.com in /etc/virtual/domains and /etc/virtual/domainowners?

see: https://tickets.directadmin.com/
Dear @zEitEr !

I have checked all as per instructions and it is complete.
I use ticket but it says "This is an Internal License on guest login.Please contact your license provider for technical support."
Since installing according to the LAN/NAT IP model, all newly installed servers have been unable to send emails out, only internally. Web services are still running fine. I have never encountered such a case, so this error affects me a lot.

Please help me!
 
"This is an Internal License on guest login.Please contact your license provider for technical support."
OK, then we can't help you with that. You are using the license illegally. Internal licenses are only to be used together with the server they are provided with, in the datacenter of the datacenter/hoster who sold you the license.
It is not an owned license which you can use anywhere, like at home. They were never intended nor allowed to be used outside the seller's datacenter.
 
@Richard G
Using a LAN IP doesn't mean he's not in the datacenter.

If he installed on cloud software like XCP-ng or Proxmox, then he can still create a virtual LAN network.

Since he can update the DirectAdmin service fine, it's in a public IP range network.
 
Using a LAN IP doesn't mean he's not in the datacenter.
I never heard you have to NAT in a datacenter, but of course I can be mistaken. When using internal IPs it will be done indeed.

However, being able to update the DA services or being in a public IP range network is also not a proof of legal usage for internal licenses.

@lowhigh If you're using the server/datacenter the way @Ohm J says (so with server you got from the datacenter together with the license inside the datacenter) then you can forget what I wrote.
 
I never heard you have to NAT in a datacenter, but of course I can be mistaken. When using internal IPs it will be done indeed.

However, being able to update the DA services or being in a public IP range network is also not a proof of legal usage for internal licenses.

@lowhigh If you're using the server/datacenter the way @Ohm J says (so with server you got from the datacenter together with the license inside the datacenter) then you can forget what I wrote.
Oh no @Richard G, this license is a license for a datacenter; I don't use it for home purposes, but that doesn't mean LAN/NAT can't be used. The purpose of using LAN/NAT is due to my network planning: the servers need to connect to the LAN together, and to limit complete exposure to the Internet, the NAT solution by firewall was chosen by us.

@Ohm J , yes this is my authentic License

Has anyone encountered this situation? Help me.
 
This message "Relay not permitted" can be caused by any issue, like you being on their blocklist, or email validation via rDNS, SPF or DKIM being wrong.

So, try testing the email using https://www.mail-tester.com

Or sending to "hotmail" should provide more detail why it's not allowed to send.
 
Dear @lowhigh !
If you open /etc/exim.conf and read it, you will probably find:
Bash:
#COMMENT#44
  # accept if address is in a domain for which we relay as long as recipient
  # can be verified
  accept  domains = +relay_domains
          endpass
          verify = recipient
#EDIT#45:
  accept  hosts = +relay_hosts
          add_header = X-Relay-Host: $sender_host_address

  accept  hosts = +auth_relay_hosts
          endpass
          message = AUTH_REQUIRED
          authenticated = *

  .include_if_exists /etc/exim.acl_check_recipient.post.conf

# FINAL DENY EMAIL BEFORE DATA BEGINS HERE
  # default at end of acl causes a "deny", but line below will give
  # an explicit error message:
  deny    message = RELAY_NOT_PERMITTED

So, once again: do you have mydomain.com (the sending domain, not the hostname; the latter is what is mentioned in the guide you are referring to) in /etc/virtual/domains and /etc/virtual/domainowners?
 
I really don't know where to start.
For some reason the system thinks you are relaying.
Just to be sure...
1.) You installed DirectAdmin with the WAN IP as shown in the docs, so the installation itself? So the interface with the WAN IP was created before installation.
2.) When linking IPs, you clicked the public IP and then linked the LAN IP to it?
Or did you click the LAN IP and link the WAN IP to it? Because that would be wrong.

Maybe you did, just double-checking, because I've got the impression you added the WAN IP in DA after installation, but according to the docs an interface with the WAN IP has to be created before installation.

The reason I think something might be wrong here is this answer:
system has only 1 IP and this IP is NATed out.
After a correct installation it should have 2 IPs: the WAN and the LAN IP.
The WAN IP created before installation and the LAN IP added via the IP manager, or also existing before. Unless the internal_checks feature is used, of course. But then Exim seems to misunderstand something.

Again... this might all be the case, just double-checking. The relay notice must come from somewhere.
 
The relay notice must come from somewhere.

The variable RELAY_NOT_PERMITTED is defined in /etc/exim.strings.conf

Code:
RELAY_NOT_PERMITTED=relay not permitted

The exim.conf has a final list of cases where the error is triggered, as mentioned in post #12 (though that was an older version), and here (the latest version of exim.conf) it differs slightly.

The error "relay not permitted" is dropped if all the following conditions are met:

1. the recipient user is not whitelisted:

Bash:
  accept  condition = ${if eq{$acl_m_is_whitelisted}{1}{1}{0}}
          condition = ${if eq{$acl_c_accept_recipient_if_whitelisted}{1}}

2. the sending user is not authenticated in SMTP:

Bash:
  # End of ACL for authenticated connections
  accept  authenticated = *
          control       = submission
          control       = dkim_disable_verify


3. the domain is not listed in /etc/virtual/domains:

Bash:
  # ACCEPT EMAIL BEGINNING HERE
  # accept if address is in a local domain as long as recipient can be verified
  accept  domains = +local_domains
          endpass
          message = UNKNOWN_USER
          verify = recipient

4. the sender's IP is not listed in /etc/virtual/pophosts (the file gets populated with IPs that have authenticated over the POP3/IMAP4 protocol):

Bash:
  accept  hosts = +relay_hosts
          add_header = X-Relay-Host: $sender_host_address

Thus, if the TS claims the domain is listed in /etc/virtual/domains, which is relevant for receiving emails, then for sending emails the user should be AUTHENTICATED in SMTP.

So the user should use SMTP AUTH. And still, if that were the case, I would expect to see "relay not permitted, authentication required".

But errors reported in the first message with masked domain are rather confusing:

Code:
2025-04-16 00:16:45 1u4j9h-00000000Njf-0WJT ** [email protected] F=<[email protected]> R=lookuphost T=remote_smtp H=mail.mypartner.com [123.234.234.123] X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no: SMTP error from remote mail server after RCPT TO:<[email protected]>: 550 Relay not permitted

In this example an email is sent on behalf of [email protected], see F=<[email protected]>. And at the same time, the error reports RCPT TO:<[email protected]>, as if the recipient is [email protected] too.

So, the logs are not consistent. I would rather see full lines collected with exigrep.
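An added example, not from this post or from DirectAdmin's exim.conf: a Python model of the acl_check_recipient order described above (whitelist, SMTP AUTH, local_domains with recipient verification, relay_hosts, final deny), so that one can see which condition lets a RCPT TO through and which path ends in RELAY_NOT_PERMITTED. Session, Policy and the set contents are constructed stand-ins for what Exim reads from the files named in the post.

```python
from dataclasses import dataclass

# Toy model of the acl_check_recipient order described above (whitelist,
# SMTP AUTH, local_domains with recipient verification, relay_hosts, final
# deny). The sets are constructed stand-ins for the files Exim reads on a
# DirectAdmin box (/etc/virtual/domains, /etc/virtual/pophosts, ...).

@dataclass
class Session:
    sender_ip: str        # $sender_host_address
    authenticated: bool   # whether "authenticated = *" matched
    rcpt: str             # address given in RCPT TO
    whitelisted: bool = False   # $acl_m_is_whitelisted == 1

@dataclass
class Policy:
    local_domains: set    # +local_domains
    local_users: set      # mailboxes that "verify = recipient" would find
    relay_hosts: set      # +relay_hosts, fed from /etc/virtual/pophosts
    accept_if_whitelisted: bool = False   # $acl_c_accept_recipient_if_whitelisted

def acl_check_recipient(s: Session, p: Policy) -> str:
    """Return the verdict the modelled ACL reaches for one RCPT TO."""
    if s.whitelisted and p.accept_if_whitelisted:
        return "accept: whitelisted"
    if s.authenticated:
        return "accept: authenticated (control = submission)"
    domain = s.rcpt.rpartition("@")[2].lower()
    if domain in p.local_domains:
        # endpass: once the domain matched, a failed verify is a hard
        # UNKNOWN_USER reject; it does not fall through to later accepts
        if s.rcpt.lower() in p.local_users:
            return "accept: local domain, recipient verified"
        return "deny: UNKNOWN_USER"
    if s.sender_ip in p.relay_hosts:
        return "accept: relay_hosts (X-Relay-Host header added)"
    # end of ACL: the explicit deny from the config snippet above
    return "deny: RELAY_NOT_PERMITTED"

# Constructed policy mirroring the thread: one hosted domain, one POP-authed IP.
POLICY = Policy(
    local_domains={"mydomain.example"},
    local_users={"user@mydomain.example"},
    relay_hosts={"192.168.123.50"},
)
```

Run acl_check_recipient with an unauthenticated Session whose RCPT TO is an external address to reproduce the RELAY_NOT_PERMITTED path, then flip authenticated to True to see the SMTP AUTH accept take precedence.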
 