Zimbra as filter/relay

[bjquinn]

Chocolate chip, please.

[bjquinn]

What are the modifications you've made to your Zimbra server so far (other than the AD lookup)? Have you done anything different that isn't mentioned in the Split Domain article with Zimbra as a primary server?

[dlochart]

Quote:

Originally Posted by bjquinn

What are the modifications you've made to your Zimbra server so far (other than the AD lookup)? Have you done anything different that isn't mentioned in the Split Domain article with Zimbra as a primary server?

I am actually documenting what I did now. When I am done and I eat lunch I will post back here. I think I'll have chocolate chip cookie for desert

[bjquinn]

Lol sounds great!

[dlochart]

I am putting this up to show what I did to allow the Zimbra MTA to server as a gateway to some domains while remain primary to others. This may not be the optimal solution and it deviates from the split domain approach defined in the WIKI. I am not a system admin/email admin but learning all of this on the fly so bear this in mind. It works for us.

Mail Gateway Setup
Setup to allow the Zimbra MTA to act as a gateway to an Exchange Server without validating the recipient email address at the MTA.

Configure relay domain

This is where you place the domains to be relayed. This is changed in the main.cf config file under /opt/zimbra/postfix/conf directory

relay_domains=example.com

Create a transport map.
You need to create a transport map that basically maps the domains specified by relay_domains to a protocol and destination. This tells Postfix what to do with mail for a specific domain. For my implementation I will name the transport file “relay_domain_transport”. I simply copied the transport file in /opt/zimbra/postfix/conf to this name and at the bottom added this line:

example.com smtp:[10.129.1.13]

Make sure place the ip address in brackets. This prevents DNS lookups on the domain and will prevent infinite looping.

After saving the file then you must compile the map into a .db file (for hash access)

/opt/zimbra/postfix/sbin/postmap relay_domain_transport

Add the new transport map to the transport_maps parameter in the main.cf. This is only a temporary solution used for testing connectivity and flow. Once you are satisfied you will need to modify the localconfig.xml (see below)
transport_maps= hash:/opt/zimbra/postfix/conf/relay_domain_transport,ldap:/opt/zimbra/conf/ldap-transport.cf
To make this change last across postfix restarts we need to modify the localconfig.xml file. This file is used in generating configuration files.

Edit /opt/zimbra/conf/localconfig.xml. Look for “ postfix_transport_maps “. Add hash:/opt/zimbra/postfix/conf/relay_domain_transport to the beginning like so.

<key name="postfix_transport_maps">
<value>hash:/opt/zimbra/postfix/conf/relay_domain_transport,ldap:/opt/zimbra/conf/ldap-transport.cf</value>
</key>

Allow Outbound Mail
If your secondary (Exchange) server will send mail out through the Zimbra MTA then you need to add the IP Address of the Exchange Server to your mynetworks parameter in the main.cf config file.

mynetworks = 127.0.0.1/32, 10.129.1.13/32

Voila!

[bjquinn]

Great! You deserve a dozen chocolate chip cookies for that!

A couple of questions real quick ---

Quote:

Originally Posted by dlochart

example.com smtp:[10.129.1.13]

Make sure place the ip address in brackets. This prevents DNS lookups on the domain and will prevent infinite looping.

Do you really have to use the IP address, it would be sad to hard code that... is that just to avoid unnecessary DNS traffic?

And I guess you haven't figured out the "recipient lookups against AD" yet? If not, and you're not going to try to do it immediately, maybe I'll get started on this project soon enough and be able to offer some help. So far I've just been researching out whether it's possible or not.

[dlochart]

Quote:

Originally Posted by bjquinn

Great! You deserve a dozen chocolate chip cookies for that!

A couple of questions real quick ---



Do you really have to use the IP address, it would be sad to hard code that... is that just to avoid unnecessary DNS traffic?

Actually you need to if your external MX record points to your postfix MTA. If you did not use the ip (and the enclosing brackets) postfix will try to resolve the domain with DNS to know where to send the mail. Since the resolved address would be the postifx box and not the final destination you would get into an infinite mail loop.

Quote:

Originally Posted by bjquinn

And I guess you haven't figured out the "recipient lookups against AD" yet? If not, and you're not going to try to do it immediately, maybe I'll get started on this project soon enough and be able to offer some help. So far I've just been researching out whether it's possible or not.

I have with the use of the PERL script. However I would like to see if the snippet I got from the postfix board works. I have relay_recipients working but my Exchange admin wants me to let all traffic pass into the Exchange box and let it bounce themails back out. He wants to only be able to look at one machine for logs and what not.

If I have not elaborated what the perls script does is log into the AD server and get a list of valid email recipients. It then updates a file for that domain say example_relay_recipients. It has the form

email1@example.com OK
email2@example.com OK ... and so on

After it writes the file it runs postmap on to create a hash.

In your main.cf you need to add a value to the relay_recipient_maps parameter like so:

relay_recipient_maps=hash:/opt/zimbra/postfix/conf/example_relay_recipients

Now Postfix will reject all mail for example.com that does not have a valid recipient.

Good luck!

[bjquinn]

Ok great. I'll give that a shot myself here pretty soon. Do post back if you don't mind and let me know if the snippet from the postfix board works. That would be the ideal solution. Thanks!

[dlochart]

Quote:

Originally Posted by bjquinn

Ok great. I'll give that a shot myself here pretty soon. Do post back if you don't mind and let me know if the snippet from the postfix board works. That would be the ideal solution. Thanks!

Been a while. I did not try the postfix board snippet so I cannot comment on that. My plan did not work in production. Why? Because I was not testing apples and oranges. In test I was given a domain to use that did not correspond with a real zimbra domain (I asked for one but did not get it) and I failed to create one to match it. So all my tests worked great. However when you already have an existing Zimbra domain all the efforts I put forth in the main.cf were trumped by zimbra because they use the virtual_* maps and pull the data dynamically out with LDAP queries. Since I did not want to delete the domain at that time I needed to come up with a work around real quick. I followed the Split Domain WIKI following the Zimbra MTA as secondary (meaning Zimbra MTA is hit first and relays to primary). I needed to relay each individuals account to the new primary server. This was not bad at all but needs manual maintenance.

Just an FYI for those that find this thread and are having issues.

Again I am no expert at this stuff and i am learning as I go so keep that in mind.

I will be deleting that domain soon so I will revert to implementing the relay the way I initially described.

thanks

[mikec]

Would this solution also work in an example where I am just trying to relay all outbound emails for one of the many domains I have hosted my Zimbra NE to Postini for outbound mail archiving?

I have tried some thing simular using transport maps with no sucess. Here is the post.


Any help would be great.

Thanks