Overview
When an external provider Gmail is set up to dual delivery mode, Kerio Connect may experience SMTP authentication problems. The Gmail IPs should be added into SMTP relay and Anti-spoofing whitelists.
During SMTP communication, the following error might be generated in Debug logs with SMTP server option enabled:
SMTP: Message from IP address 209.85.167.71 was rejected because of missing authentication
for local domain sender <username@kerio_domain.com>
Command DATA failed: Authentication required for local domain sender <username@kerio_domain.com>
Preconditions
Administrator (root) access to the Kerio Connect server
Diagnosis
Forwarding of mails to internal Kerio Connect accounts via Gmail is not acceptable due to SMTP authentication failing for the Google's servers.
The Gmail IPs should be included in the trusted SMTP sender relay list. When Anti-spoofing protection is enabled, Google's IP addresses should be added to the Trusted IP range. As the Gmail IPs contain a big range to be added, it's recommended to manually add them by modifying mailserver.cfg.
Note: the Gmail IP addresses are being updated from time to time, for the full list please reach out to Google support.
Solution
- Stop the Kerio Connect.
- Open the mailserver.cfg and locate the <list name="IpAccessList"> section. Before the </list>tag add the content of the attached file (Google Servers.txt) into your IP Address Groups. As noted in the diagnosis section, the Google servers list might vary, so we highly recommend to contact Google support to get the latest version of the list.
- Start the Kerio Connect.
- Open Configuration -> IP address groups and confirm the Google Servers' IPs were added correctly.
- Open Configuration -> Security -> Sender Policy tab and enable the group in the "Never reject messages from this IP Group" policy.
Confirmation
Gmail emails are being received correctly by Kerio Connect.