#1
Old 05-12-2010, 07:19 AM
Active Member
 
Posts: 25
[SOLVED] Inbound TLS not working

Hi All - I have ZCS 6.0 on Ubuntu. All email is filtered through a SPAM server that is hosted at ExchangeDefender. We have the proper certificates installed (as well as ExchangeDefender) for TLS. I looked in the email headers and outbound email is TLS encrypted. However, inbound email is just basic SMTP (not even ESMTP). All proper ports are open.

I also noticed that internally if I run the following command, TLS looks ok.

telnet 'inside IP' 25
220 host.domain.com ESMTP Postfix
starttls
220 2.0.0 Ready to start TLS

But... If I run the same command from the outside (w/ outside IP):
telnet 'outside IP' 25
220 ********************************
starttls
502 5.5.2 Error: command not recognized


If I run this command from the outside it looks ok.
telnet 'outside IP' 465
220 host.domain.com ESMTP Postfix
starttls
220 2.0.0 Ready to start TLS


Any ideas?? Any help is greatly appreciated.
Thanks.
#2
Old 05-12-2010, 08:01 AM
Zimbra Consultant & Moderator
 
Posts: 20,313

Quote:
Originally Posted by skot999
Any ideas??
You most likely have a configuration problem or a firewall problem. I'd suggest you start by looking at your Split DNS set-up (you do have one, don't you?) and confirm that it's all OK - check the forums for details of what you need to do to check it.

I notice that you have several threads in the forums that have received answers to your questions and you haven't replied, would you mind giving them some follow-up on whether the solutions worked or not?
__________________
Regards


Bill
#3
Old 05-12-2010, 08:42 AM
Active Member
 
Posts: 25

Thanks Bill - I will go through my older posts.

I don't think it is a DNS issue because inbound mail always works... it just defaults to SMTP and not TLS. Ports 25, 465, and 587 are open to my ExchangeDefender SPAM servers. What other configuration options should I be checking?
#4
Old 05-12-2010, 09:02 AM
Moderator
 
Posts: 1,209

Is there any chance your firewall is configured to do port forwarding instead of one-to-one public IP-to-private IP NAT?

Or perhaps that there is a DNS issue making the public IP not what you intended?

I ask because it looks to me like the telnet to the outside IP is being answered by a different mail server. The 220 greet string is different than the other two telnets and unless you run multiple instances of Postfix listening on different ports, I do not believe you can configure a single instance of Postfix to respond with a different greet string based on the listening port. Also, out of the box no Postfix MTA responds with a 220 and a string of asterisks; Exchange servers do that however...

Hope that helps,
Mark
__________________
___________________________________
L. Mark Stone, CIO


"Uptime. All the time."

477 Congress Street | Portland, ME 04101-3431 | (207) 772-5678

proactive maintenance and monitoring | technology consulting
Zimbra groupware | EMR implementations | private cloud hosting
#5
Old 05-12-2010, 09:39 AM
Active Member
 
Posts: 25

Thanks for the reply Mark - I just checked and it is a one-to-one mapping config in our firewall. What's strange is that this setup is working... sending and receiving email, no problem. Outbound is TLS encrypted. Inbound from ExchangeDefender (SPAM server) just gets bumped down to SMTP. TLS is ready on their side (I checked through the CLI). Is it possible that I have to add ExchangeDefender's IP address to a trusted network on my Zimbra admin console? If so, where?

Again thanks for your help. Much appreciated.
Scott
#6
Old 05-12-2010, 10:18 AM
Moderator
 
Posts: 1,209

Hi Scott,

I'm not sure what to tell you... to me it really does look like when you do "telnet <outside_ip> 25" that you are connecting to a non-Zimbra email system.

How that may be happening I can't say just yet, but to test if my guess is true, what happens if you try to do "ssh <outside_ip>"?

Hope that helps,
Mark
#7
Old 05-12-2010, 12:32 PM
Active Member
 
Posts: 25

Thanks Mark - I just tested and I can successfully connect from the outside with ssh. Any other thoughts?
#8
Old 05-12-2010, 12:35 PM
Active Member
 
Posts: 25

Are you sure that nothing else has to be modified in the Zimbra config to allow inbound TLS? Allow trusted networks, etc.?
#9
Old 05-12-2010, 01:01 PM
Moderator
 
Posts: 1,209

Quote:
Originally Posted by skot999
Are you sure that nothing else has to be modified in the Zimbra config to allow inbound TLS? Allow trusted networks, etc.?
Hi Scott,

I'm not quite there yet because I can't explain why the HELO greet string is totally different when telnetting to the outside IP.

If you don't mind sending me the private IP, I would propose trying to do a manual smtp transaction by running the following commands from one of our zimbra servers (you could do this yourself too, you just need to do it from a mail server with proper public DNS records):

Code:
telnet your_outside_IP 25

helo reliablenetworks.com

mail from: <my_email_address@reliablenetworks.com>

rcpt to: <your_email_address@your_zimbra_domain>

data

Testing, 1, 2, 3


.
Sorry to be stubborn on this one point!

All the best,
Mark
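The check that posts #4 and #9 describe by hand (compare the 220 greeting each port returns, then walk the EHLO/STARTTLS exchange) can be scripted so the comparison is repeatable. The block below is an added example, not code from the thread or from Zimbra. It differs from the telnet sessions in the thread in one respect: per RFC 3207 a client sends EHLO first and only issues STARTTLS when the server advertises it, so the probe reads the EHLO extension list before trying STARTTLS. The `report()` function flags exactly the inconsistency Mark points at, namely the same public IP greeting differently on different ports. The sample captures embed the banners and the 502 reply from the thread; the EHLO replies and the host name `mail.example.invalid` are constructed, since the original sessions never sent EHLO.

```python
"""Compare SMTP banners and STARTTLS support across ports (added example)."""
import re
import socket
import ssl

# An SMTP reply line is "CODE-text" (more lines follow) or "CODE text" (last line).
REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_reply(raw):
    """Split a (possibly multi-line) SMTP reply into (code, [text of each line])."""
    code, texts = None, []
    for line in (raw or "").splitlines():
        m = REPLY_RE.match(line.strip())
        if m:
            code = m.group(1)
            texts.append(m.group(3))
    return code, texts


def analyze_session(banner, ehlo_reply, starttls_reply=None):
    """Classify one port from its captured banner, EHLO reply and STARTTLS reply."""
    _, banner_text = parse_reply(banner)
    greeting = banner_text[0].strip() if banner_text else ""
    ehlo_code, ehlo_lines = parse_reply(ehlo_reply)
    # The first EHLO line is the server's name; the rest are extension keywords.
    extensions = [l.split()[0].upper() for l in ehlo_lines[1:] if l.strip()]
    starttls_code, _ = parse_reply(starttls_reply)
    if "Postfix" in greeting:
        software = "Postfix"
    elif greeting and set(greeting) == {"*"}:
        software = "masked"  # banner of only asterisks, as in the thread's outside:25 capture
    else:
        software = "unknown"
    return {
        "greeting": greeting,
        "software": software,
        "ehlo_ok": ehlo_code == "250",
        "extensions": extensions,
        "starttls_offered": "STARTTLS" in extensions,
        "starttls_ready": starttls_code == "220",
    }


def report(sessions):
    """Turn {label: (banner, ehlo_reply, starttls_reply)} into a list of findings."""
    results = {label: analyze_session(*capture) for label, capture in sessions.items()}
    findings = []
    greetings = sorted({r["greeting"] for r in results.values()})
    if len(greetings) > 1:
        # Post #4's point: a single Postfix instance greets the same way on every
        # port, so differing greetings suggest a different host is answering.
        findings.append("greeting differs across ports: " + " | ".join(greetings))
    for label, r in results.items():
        if not r["ehlo_ok"]:
            findings.append(f"{label}: EHLO rejected, server is not ESMTP")
        elif not r["starttls_offered"]:
            findings.append(f"{label}: STARTTLS not offered, inbound mail here stays plaintext")
        elif not r["starttls_ready"]:
            findings.append(f"{label}: STARTTLS offered but not accepted")
    return findings


def probe(host, port, implicit_tls=False, timeout=10, client_name=None):
    """Live capture for report(): read the banner, send EHLO, and send STARTTLS
    only if it was advertised. Use implicit_tls=True for a port that wraps TLS
    before the banner (the usual setup for 465). Certificate verification uses
    the default context, so a bad certificate raises instead of being ignored."""
    ctx = ssl.create_default_context()
    sock = socket.create_connection((host, port), timeout=timeout)
    if implicit_tls:
        sock = ctx.wrap_socket(sock, server_hostname=host)
    reader = sock.makefile("rb")

    def read_reply():
        lines = []
        while True:
            line = reader.readline().decode("utf-8", "replace").rstrip("\r\n")
            lines.append(line)
            if not line or line[3:4] == " ":  # last line of the reply, or EOF
                return "\n".join(lines)

    def send(command):
        sock.sendall((command + "\r\n").encode("ascii"))
        return read_reply()

    banner = read_reply()
    ehlo_reply = send("EHLO " + (client_name or socket.getfqdn()))
    starttls_reply = None
    if "STARTTLS" in ehlo_reply.upper():
        starttls_reply = send("STARTTLS")
        if starttls_reply.startswith("220"):
            sock = ctx.wrap_socket(sock, server_hostname=host)  # handshake happens here
            reader = sock.makefile("rb")
    send("QUIT")
    sock.close()
    return banner, ehlo_reply, starttls_reply


# Banners and the 502 reply come from the thread's transcripts; the EHLO replies
# and the host name are constructed for this example.
SAMPLE_SESSIONS = {
    "inside:25": ("220 host.domain.com ESMTP Postfix",
                  "250-host.domain.com\n250-PIPELINING\n250-STARTTLS\n250 8BITMIME",
                  "220 2.0.0 Ready to start TLS"),
    "outside:25": ("220 ********************************",
                   "250-mail.example.invalid Hello\n250 SIZE 20971520",
                   "502 5.5.2 Error: command not recognized"),
    "outside:465": ("220 host.domain.com ESMTP Postfix",
                    "250-host.domain.com\n250-STARTTLS\n250 8BITMIME",
                    "220 2.0.0 Ready to start TLS"),
}

if __name__ == "__main__":
    for finding in report(SAMPLE_SESSIONS):
        print(finding)
    # Live use, assumed host name: report({"25": probe("mail.example.invalid", 25)})
```

Run against the sample captures it reports two findings: the greeting differs between ports, and outside:25 never offers STARTTLS. Run live from a host with proper public DNS (as post #9 recommends), feeding `probe()` results for 25, 465 and 587 into `report()` gives the same comparison without a manual telnet per port.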
#10
Old 05-12-2010, 01:26 PM
Active Member
 
Posts: 25

Hi Mark - do you mean to make an exception so you can telnet into my zimbra server from yours? (Sorry, I'm new to mail server administration).

Is there another way I could try this?

Everything looks fine when I do this from an outside trusted source:
telnet 'public ip' 587