[SOLVED] Zimbra with NAT-FORWARD

[Nascimento]

Now I have rebuild the entire firewall using SNAT and DNAT insteed of MASQUERADE (to prevent "wrong" packages headers to came to my server with my internal firewall address. Now everyone come as THEY are. ;-) )

BUT - yeap..a catch ..again

Still no INBOUND mail from the WORLD.
No - the world is not my clients with OUTLOOK EXPRESS.. i MEAN - GOOGLE, HOTMAIL, and what-so-ever other MTA.

I've tested it:.

From OUTSIDE !

telnet smtp.mydomain.com.br

(waited a LOOONG time for initial presentation)
220 smtp.mydomain.com.br ESMTP Postfix
helo localhost - #just to test
250 smtp.mydomain.com.br
mail from:user@mydomain.com.br
250 2.1.0 Ok
rcpt to:consultoria@mydomain.com.br
CONECTION CLOSED BY FOREING HOST


no "NO RELAY AUTHORIZED" error.. just DROP the connection like that?


Am I missing something?
Can I paste here my firewall script? (of course, not the real IP's been used.)

[Nascimento]

Still no INBOUND mail from the WORLD.
No - the world is not my clients with OUTLOOK EXPRESS.. i MEAN - GOOGLE, HOTMAIL, and what-so-ever other MTA.

Forgot to say that: if I put my VALID ip RANGE at the trusted host, or ONLY my firewall IP at the trusted host - I do receive INBOUND emails and INTERNAL - normally - everything OKAY. JUst one thing - that causes my smtp to understand it and behave as an OPEN RELAY again.. .-.-

Lol.. what an fight, hun?
Man - i need to learn more about zimbra. I know that - sorry guys.

[phoenix]

Forgot to say that: if I put my VALID ip RANGE at the trusted host, or ONLY my firewall IP at the trusted host - I do receive INBOUND emails and INTERNAL - normally - everything OKAY. JUst one thing - that causes my smtp to understand it and behave as an OPEN RELAY again.. .-.-

Lol.. what an fight, hun?
Man - i need to learn more about zimbra. I know that - sorry guys.

This isn't a Zimbra problem, I believe it's caused by the firewall. You can certainly post your firewall rules and I'll have a look but, as I said earlier, I'm not an expert with iptables.

[Nascimento]

# FIREWALL EXTERNAL IP = 200.78.75.165/32

INT_LAN=192.168.0/24
EXT_LAN=200.78.75.0/24
EXT_IFACE=eth1
INT_IFACE=eth0

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
iptables -A INPUT -p tcp -s $INT_LAN --dport 10000 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -s $INT_LAN -j ACCEPT

iptables -A FORWARD -i lo -j ACCEPT
iptables -A FORWARD -s $INT_LAN -d 0.0.0.0/0 -j ACCEPT
iptables -A FORWARD -s 0.0.0.0/0 -d $INT_LAN -j ACCEPT

# M.T.A Firewall OUTPUT
iptables -t nat -A OUTPUT -p tcp -d 200.78.75.165 --dport 25 -j DNAT --to 192.168.0.49:25
iptables -t nat -A OUTPUT -p tcp -d 200.78.75.165 --dport 80 -j DNAT --to 192.168.0.49:80
iptables -t nat -A OUTPUT -p tcp -d 200.78.75.165 --dport 110 -j DNAT --to 192.168.0.49:110
iptables -t nat -A OUTPUT -p tcp -d 200.78.75.165 --dport 143 -j DNAT --to 192.168.0.49:143
iptables -t nat -A OUTPUT -p tcp -d 200.78.75.165 --dport 465 -j DNAT --to 192.168.0.49:465
iptables -t nat -A OUTPUT -p tcp -d 200.78.75.165 --dport 993 -j DNAT --to 192.168.0.49:993
iptables -t nat -A OUTPUT -p tcp -d 200.78.75.165 --dport 995 -j DNAT --to 192.168.0.49:995
iptables -t nat -A OUTPUT -p tcp -d 200.78.75.165 --dport 7025 -j DNAT --to 192.168.0.49:7025

# - M.T.A Zimbra = 192.168.0.49

iptables -t nat -A PREROUTING -p tcp -d 200.78.75.165 --dport 25 -j DNAT --to 192.168.0.49:25
iptables -t nat -A PREROUTING -p tcp -d 200.78.75.165 --dport 80 -j DNAT --to 192.168.0.49:80
iptables -t nat -A PREROUTING -p tcp -d 200.78.75.165 --dport 110 -j DNAT --to 192.168.0.49:110
iptables -t nat -A PREROUTING -p tcp -d 200.78.75.165 --dport 143 -j DNAT --to 192.168.0.49:143
iptables -t nat -A PREROUTING -p tcp -d 200.78.75.165 --dport 465 -j DNAT --to 192.168.0.49:465
iptables -t nat -A PREROUTING -p tcp -d 200.78.75.165 --dport 993 -j DNAT --to 192.168.0.49:993
iptables -t nat -A PREROUTING -p tcp -d 200.78.75.165 --dport 995 -j DNAT --to 192.168.0.49:995
iptables -t nat -A PREROUTING -p tcp -d 200.78.75.165 --dport 7025 -j DNAT --to 192.168.0.49:7025

iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 200.78.75.165

iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.49 --sport 25 -j SNAT --to 200.78.75.165:25
iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.49 --sport 80 -j SNAT --to 200.78.75.165:80
iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.49 --sport 110 -j SNAT --to 200.78.75.165:110
iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.49 --sport 143 -j SNAT --to 200.78.75.165:143
iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.49 --sport 465 -j SNAT --to 200.78.75.165:465
iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.49 --sport 995 -j SNAT --to 200.78.75.165:995
iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.49 --sport 7025 -j SNAT --to 200.78.75.165:7025



-------

Any ideas about what am I forgetting to do? This is the relevant rules that affect my MTA over NAT behavior.

Thnkx for the helping!


Nascimento

[Nascimento]

Guys, think the problem is at Zimbra MTA Server -

I have installed Zimbra at my NOTEBOOK (don't laught) and had it tested behin my firewall at the SAME conditions - and IT WORKS PERFECTLY.

As I've told before; this MTA is working into a Gentoo Linux with chroot inside an Debian 4 on in.

I dont know whatever the old sys admin guy had to do (ruin) into zimbra to make that work - but I'm gonna buy a new machine and re-install all Zimbra Services on that - getting only the accounts and e-mail backups.

Start over seems the more reliable choice - cause this client is suffering too much with that problem.

Things that made me choose that:

- Zimbra only send mail if I put firewall internal IP on trusted network behind a MASQUERADE - so ALL inbound connections hits me with Firewall INternal IP - making ZImbra behave as an OPEN RELAY for a IPTABLES MASQUERADE.

- When iptables use SNAT and DNAT - all inbound connections receive a RESET in the middle of transaction:

telnet smtp.mydomain.com.br
SMTP ... OK
mail from:test@mydomain.com.br
SMTP OK
rcpt to:existing_user@mydomain.com.br
CONNECTION CLOSED BY FOREING HOST

And at Zimbra tcpdump shows a reset in all inbound.

- Making a DIFF using the same versions between main zimbra files, there's a LOT of modifications made by hand.

All of that could be avoided if people just read the documentation's locate at Zimbra Main Site.

Well - I'm closing that post and suggest to the new-commers that do not try to make it work at "any cost" in your favorite Gnu/Linux flavour - 'cause any costs could be really too much.

Thnk you all for the help!
------------------------------

Very gratefull,


Daniel Nascimento