Our ZCS server is set up to use our main server (we're an ISP) as the relay MTA. However, we still want to allow SMTP connections from authenticated users (and of course the relay MTA). Unfortunately, SMTP authentication does not work when the sender is connecting from a different subnet - they get a 554 Relay Access Denied rejection. If I put that same machine on the same subnet as ZCS, SMTP authentication works fine. It also works fine if I add the external IP address of the host to the zimbraMtaMyNetworks list, but that's not what I want.
Is this one of those unfortunate "this behavior is by design" issues or am I possibly doing something wrong?