Need help rescuing a ZCS server

[zapstar]

Hi All,

First off let me say that I am still learning my way through Zimbra Server. I come form an Exchange Admin background so I am familiar with e-mail server basics.

I have had Zimbra installed for about 8 months now (on Ubuntu 8.04 LTS) and generally running well.

A little while ago I changed ISP's and my new one blocks inbound SMTP on port 25. So I thought I'd get clever and use DynDNS's Mailhop service and just bring it in on an alternate port.

All looked fine in terms of config DynDNS service pointing at TCP 587, firewall open on port 587, NAT configured to direct to internal mail server, Zimbra server responding on port 587 (from internal port scan).

However inbound e-mail was not happening (received these when MailHop was trying to deliver - 554 5.7.1 <mxout-145-iad.mailhop.org[216.146.32.145]>: Client host rejected: Access denied (in reply to RCPT TO command))

I configured up a bunch of stuff in the admin console to try and tell Zimbra that this host was OK to send stuff to me on that port but to no avail.

At this point Zimbra still worked fine but just did not send/receive mail (ie was able to connect to admin console, start/stop server successfully)


I have also been having issues trying to send mail outbound from my ISP even after configuring Zimbra to use my ISP's 0 MX recorded server as an outbound relay.

So I then bought an outbound mailhop service from DynDNS and followed this article to configure the connection for a smart relay... Outgoing SMTP Authentication - Zimbra :: Wiki

After completing the last of the zmlocalconfig commands I did a start/stop of the Zimbra server. started getting LDAP errors. Then did a full server reboot and Zimbra would not start.

Doing a zmcontrol status shows the following:

zimbra@phantom:~/bin$ ./zmcontrol status
Unable to determine enabled services from ldap.
Enabled services read from cache. Service list may be inaccurate.
Host localhost
antispam Stopped
zmmtaconfigctl is not running
zmamavisdctl is not running
antivirus Stopped
zmmtaconfigctl is not running
zmamavisdctl is not running
zmclamdctl is not running
ldap Stopped
ldap_url and ldap_master_url cannot be the same on an ldap replica

I have serached this out in the forums and I cannot see anywhere that replicates my circumstances.

Can anyone help out firstly with getting the server to actually start again and then maybe assist in getting the server talking to the external mailhop server/s ?

[phoenix]

The first thing to mention is that Port 587 requires authentication, have you enabled that on the mailhop service? For that to happen you should create a valid account on your server for mailhop to authenticate against, do not add their IP to your mynetworks setting.

Are you certain that the Firewall isn't causing this problem and that AppArmor is disabled?

I'm also assuming that this is a single server and you havn't installed the Zimbra Proxy, is that correct? You can confirm that with the following commands:

Code:

zmproxyctl status
zmprov gs `zmhostname` | grep zimbraServiceEnabled
zmprov gs `zmhostname` | grep zimbraServiceInstalled

The problem you describe at the end of your post is symptomatic of a DNS and/or host problem so we'll start with that. Post the output of the following commands run on your ZImbra server:

Code:

cat /etc/hosts
cat /etc/resolv/conf
dig yourdomain.com any
dig yourdomain.com ma
host `hostname` <- use that exact command with backticks not single quotes

[zapstar]

Thanks Phoenix,

Output from zmproxyctl:

zimbra@phantom:~/bin$ ./zmproxyctl status
zmnginxctl is not running
zimbra@phantom:~/bin$

Pretty sure proxy is not running as it is a standalone server config.

Since posting I have also come across the following..

The localconfig.xml file in /opt/zimbra/conf directory had somehow become owned by root with no perms for anyone to access it let alone Zimbra.

I have rectified this and restarted OK. All services started first time.

DNS seems to be working fine as I am using this for other things and it is obviously looking up and resolving correctly.

Nonetheless... the output

zimbra@phantom:~/conf$ cat /etc/hosts
127.0.0.1 localhost
192.168.0.1 phantom.chrisanddani.net phantom

zimbra@phantom:~/conf$ cat /etc/resolv.conf
search chrisanddani.net
nameserver 127.0.0.1

zimbra@phantom:~/conf$ dig chrisanddani.net any

; <<>> DiG 9.4.2-P2 <<>> chrisanddani.net any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21989
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;chrisanddani.net. IN ANY

;; ANSWER SECTION:
chrisanddani.net. 1440 IN SOA phantom.chrisanddani.net.chrisanddani.net. admin.chrisanddani.net. 200911176 28800 3600 604800 38400
chrisanddani.net. 1440 IN NS phantom.chrisanddani.net.
chrisanddani.net. 1440 IN MX 10 phantom.chrisanddani.net.
chrisanddani.net. 1440 IN A 192.168.0.1

;; ADDITIONAL SECTION:
phantom.chrisanddani.net. 1440 IN A 192.168.0.1

;; Query time: 8 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jun 20 20:25:16 2010
;; MSG SIZE rcvd: 171

zimbra@phantom:~/conf$ dig chrisanddani.net ma

; <<>> DiG 9.4.2-P2 <<>> chrisanddani.net ma
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59138
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;chrisanddani.net. IN A

;; ANSWER SECTION:
chrisanddani.net. 1440 IN A 192.168.0.1

;; AUTHORITY SECTION:
chrisanddani.net. 1440 IN NS phantom.chrisanddani.net.

;; ADDITIONAL SECTION:
phantom.chrisanddani.net. 1440 IN A 192.168.0.1

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jun 20 20:27:44 2010
;; MSG SIZE rcvd: 88

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19099
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ma. IN A

;; AUTHORITY SECTION:
ma. 1778 IN SOA ns1.iam.net.ma. dnsmaster.iam.net.ma. 2010061901 900 450 3600000 1800

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jun 20 20:27:44 2010
;; MSG SIZE rcvd: 78

zimbra@phantom:~/conf$ host `hostname`
phantom.chrisanddani.net has address 192.168.0.1


regards,


Chris

[phoenix]

Your hosts file is incorrect, the following line:

Code:

127.0.0.1 localhost

should look like this:

Code:

127.0.0.1 localhost.localdomain localhost

Shutdown Zimbra, make that change and the run the following comand (as root):

Code:

/opt/zimbra/libexec/zmfixperms

When you've done that restart Zimbra and see what errors you get in the log files.

[zapstar]

Hi Bill,

little change following the update in the hosts file and the zmpermfix... but I have not gone and inspected all the perms as I have no idea what if anything has changed.

In terms of log out put I think this is a success... kinda

Jun 21 22:17:21 phantom postfix/qmgr[18693]: 9F8FB6DA2E3: from=<chris@chrisanddani.net>, size=1169, nrcpt=1 (queue active)
Jun 21 22:17:21 phantom amavis[17380]: (17380-01) FWD via SMTP: <user@chrisanddani.net> -> <work.email@company.com.au>,BODY=7BIT 250 2.0.0 Ok, id=17380-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9F8FB6DA2E3
Jun 21 22:17:21 phantom postfix/smtp[2260]: cannot load Certificate Authority data: disabling TLS support
Jun 21 22:17:21 phantom postfix/smtp[2260]: warning: TLS library problem: 2260:error:02001002:system library:fopen:No such file or directory:bss_file.c:126:fopen('/opt/zimbra/postfix/cert.pem','r'):
Jun 21 22:17:21 phantom postfix/smtp[2260]: warning: TLS library problem: 2260:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:129:
Jun 21 22:17:21 phantom postfix/smtp[2260]: warning: TLS library problem: 2260:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:274:
Jun 21 22:17:21 phantom amavis[17380]: (17380-01) Passed CLEAN, LOCAL [192.168.0.1] [192.168.0.1] <user@chrisanddani.net> -> <work.email@company.com.au>, Message-ID: <22551455.01277122640268.JavaMail.root@phantom>, mail_id: vLfJh0GpdTkA, Hits: 1.608, size: 674, queued_as: 9F8FB6DA2E3, 1008 ms
Jun 21 22:17:21 phantom postfix/smtp[2258]: 88A636DA2E1: to=<work.email@company.com.au>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.2, delays=0.07/0.1/0.01/1, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=17380-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9F8FB6DA2E3)
Jun 21 22:17:21 phantom postfix/qmgr[18693]: 88A636DA2E1: removed
Jun 21 22:17:21 phantom amavis[17380]: (17380-01) extra modules loaded: /opt/zimbra/zimbramon/lib/i486-linux-gnu-thread-multi/auto/Net/SSLeay/autosplit.ix, /opt/zimbra/zimbramon/lib/i486-linux-gnu-thread-multi/auto/Net/SSLeay/randomize.al, IO/Socket/SSL.pm, Net/LDAP/Extension.pm, Net/SSLeay.pm

But having re-read that it may have gone from Spamfilter to MTA and stopped there... for now.

There is obviously something lacking in my Zimbra setup re a cert... but this link appears to say it may be needed...
DynDNS.com - Support -- Knowledge Base -- Mail Servers And MailHop Outbound

[zapstar]

OK.. so now that outbound works... sort of, I need to get inbound working.

I get these in my logs:

Jun 28 19:28:06 phantom zmmailboxdmgr[5876]: status requested
Jun 28 19:28:06 phantom zmmailboxdmgr[5876]: status OK
Jun 28 19:28:21 phantom postfix/smtpd[6436]: connect from mxout-093-ewr.mailhop.org[216.146.33.93]
Jun 28 19:28:22 phantom postfix/smtpd[6436]: NOQUEUE: reject: RCPT from mxout-093-ewr.mailhop.org[216.146.33.93]: 554 5.7.1 <mxout-093-ewr.mailhop.org[216.146.33.93]>: Client host rejected: Access denied; from=<double-bounce@mail-04-ewr.dyndns.com> to=<nfo@chrisanddani.net> proto=ESMTP helo=<mail-04-ewr.dyndns.com>
Jun 28 19:28:33 phantom zmmailboxdmgr[6966]: status requested
Jun 28 19:28:33 phantom zmmailboxdmgr[6966]: status OK


What do I need to configure on Zimbra to get inbound mail ? It seems that it is bouncing everything including email to valid addresses as well as mail invalid ones.

Thoughts ?