Can't receive email right after Installation, zimbra.log just says connect disconnect

[gargatok]

Hi everyone, I went through many forums about this issue, still I didn't find any solution.

I have a server on a public IP, still behind a firewall. Relevant ports are open to the world, like 25, 7071, 80, 443.

I have a fresh open source Zimbra installation:
Release 7.1.3_GA_3346.UBUNTU10_64 UBUNTU10_64 FOSS edition.

host $(hostname)
mydomain.com has address x.x.x.x
mydomain.com mail is handled by 10 mail.mydomain.com

I try to send a test email to my fresh installation, I get back this:
The mail system

<admin@mydomain.com>: host mail.mydomain.com[x.x.x.x]
said: 554 Relaying denied. (in reply to RCPT TO command)

I also tried to add another domain, with mx and a records set in the admin console, I get back totally the same error. Also tried to use multiple servers to send mail to my zimbra server, I got the same problem.

in zimbra.log I only have this:
Nov 4 21:05:23 myhost postfix/smtpd[20546]: connect from anotherdomain.com[y.y.y.y]
Nov 4 21:05:23 myhost postfix/smtpd[20546]: disconnect from anotherdomain.com[y.y.y.y]

Anyone have any clue about this issue? I'm starting to wonder if that could be maybe a 7.1.3 bug or something.

Thank you!
Cheers
Gergely

[phoenix]

Quote:

Originally Posted by gargatok

Hi everyone, I went through many forums about this issue, still I didn't find any solution.

The solution has been mentioned many times in the forums.

Quote:

Originally Posted by gargatok

I have a server on a public IP, still behind a firewall. Relevant ports are open to the world, like 25, 7071, 80, 443.

If you're behind a NAT router or firewall then you'll need a Split DNS set-up.

Quote:

Originally Posted by gargatok

I'm starting to wonder if that could be maybe a 7.1.3 bug or something.

No, it's not a bug it's a configuration issue.

BTW, you really don't want your Administration port 7071 open to the internet - that's not good security practice.

[gargatok]

Hi Bill, thank you for the quick reply.

I read about the Split DNS configuration before, and tought about it, and decided my scenario does not relate to that. The machine I'm talking about does only have one public ip, no private network IP-s, it works like a machine on the internet without firewall.
This is why I pasted the response of host $(hostname) to show that my reasoning is correct. Can you tell me what I miss here?

Thank you!

[LHammonds]

Quote:

Originally Posted by gargatok

I have a server on a public IP, still behind a firewall.

I have a fresh open source Zimbra installation:
Release 7.1.3_GA_3346.UBUNTU10_64 UBUNTU10_64 FOSS edition.

554 Relaying denied. (in reply to RCPT TO command)

I have documented the exact same install here and it works perfectly behind a hardware firewall.

Your 1st sentence there makes me raise an eyebrow. Server has a public IP....yet behind a firewall...are you talking about a hardware firewall or the software firewall on the Ubuntu server? If hardware, then I think you need to utilize the split-dns method and have your server on a private IP and have the firewall route the external IP to your internal IP. That might be your hangup right there.

LHammonds

[gargatok]

Quote:

Originally Posted by LHammonds

I have documented the exact same install here and it works perfectly behind a hardware firewall.

Your 1st sentence there makes me raise an eyebrow. Server has a public IP....yet behind a firewall...are you talking about a hardware firewall or the software firewall on the Ubuntu server? If hardware, then I think you need to utilize the split-dns method and have your server on a private IP and have the firewall route the external IP to your internal IP. That might be your hangup right there.

LHammonds

Well, its some governmental 'firewall',that I can not control. Works like this: there is the governmental office, that has some servers. One of the server is the one I operate.We requested a public IP to it, which we got, and we needed to tell the firewall operators what ports to open, which they did open.I don't know how this works,what I know, its not a traditional firewall in the office, acting as a gateway,having private ip network inside.This machine has one ip, is directly on the internet, and has some ports open, the others filtered, and I have total control over that machine, I installed it, etcetc.It does not form part of a private network,so I don't see the need of a split dns.
I would like to debug somehow this situation, which I find quite embarrassing.Mostly because there is no error message from the zimbra side.All the split dns issues, had error messages, that led to split dns.It only has connect, disconnect.The relaying denied message comes on the client smtp side,which tries to send the message to zimbra.

Cheers
Gergely

[phoenix]

Quote:

Originally Posted by gargatok

I would like to debug somehow this situation,....

Go to the Split DNS article and run all the commands in the 'Verify....' section and post the results in this thread. The likelihood is that you'll need to set-up the Split DNS.

[LHammonds]

Ok, I understand where you are coming from a bit better now.

We are going to need to look at your configuration and output from various commands. Feel free to replace sensitive numbers with similar but bogus numbers but be careful to ensure they are consistent. Take a look at my "assumptions" section of the thread I linked to for an idea of what I'm talking about. I replaced my "real" data with those in red but was sure to keep it consistent. Then again, after you go through the stuff below, you might find your problem.

What does your hosts file look like? cat /etc/hosts

What does your resolv file look like? cat /etc/resolv.conf

What is output of the hostname commands?
hostname
hostname -f
host $(hostname)

What is your ethernet card settings? ifconfig eth0

Can you ping Google with zero packet loss? ping Google (press CTRL+C to stop)

Is your DNS server running? /etc/init.d/bind9 status

Stop your DNS server. /etc/init.d/bind9 stop
Start your DNS server. /etc/init.d/bind9 start
Now examine /var/log/daemon.log starting from the bottom and see if all your zones are loading correctly.

What is the output of nslookup? nslookup mail.mydomain.com

What is the output of dig? Does it show NOERROR and all the correct entries? dig mydomain.com mx

Keep in mind that I'm new to Linux and Zimbra and may not actually be able to help...but the above helped me troubleshoot my setup problems until I got it all working right. Who knows, someone more knowledgeable may come along an know the answer once these results are laid out.

LHammonds

[gargatok]

I made everything you requested, I think that covers what Bill wanted. There is no DNS server on the machine itself, so I skipped those parts.

cat /etc/hosts
127.0.0.1 localhost.localdomain localhost
x.x.x.x mail.mydomain.com mail

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
search mydomain.com
nameserver 193.6.238.2
nameserver 193.6.238.6

hostname
mail

hostname -f
mail.mydomain.com

ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:25:90:31:21:f6
inet addr:x.x.x.x Bcast:x.x.x.xz Mask:255.255.255.240
inet6 addr: fe80::225:90ff:fe31:21f6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:63114 errors:0 dropped:0 overruns:0 frame:0
TX packets:44889 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:38603923 (38.6 MB) TX bytes:12473239 (12.4 MB)
Memory:fafe0000-fb000000


ping Google
PING Google (209.85.148.105) 56(84) bytes of data.
64 bytes from fra07s07-in-f105.1e100.net (209.85.148.105): icmp_seq=1 ttl=51 time=45.6 ms
64 bytes from fra07s07-in-f105.1e100.net (209.85.148.105): icmp_seq=2 ttl=51 time=18.6 ms
64 bytes from fra07s07-in-f105.1e100.net (209.85.148.105): icmp_seq=3 ttl=51 time=18.9 ms
64 bytes from fra07s07-in-f105.1e100.net (209.85.148.105): icmp_seq=4 ttl=51 time=19.0 ms
64 bytes from fra07s07-in-f105.1e100.net (209.85.148.105): icmp_seq=5 ttl=51 time=18.6 ms
64 bytes from fra07s07-in-f105.1e100.net (209.85.148.105): icmp_seq=6 ttl=51 time=19.0 ms
64 bytes from fra07s07-in-f105.1e100.net (209.85.148.105): icmp_seq=7 ttl=51 time=18.8 ms
64 bytes from fra07s07-in-f105.1e100.net (209.85.148.105): icmp_seq=8 ttl=51 time=18.8 ms
64 bytes from fra07s07-in-f105.1e100.net (209.85.148.105): icmp_seq=9 ttl=51 time=18.8 ms

nslookup mail.mydomain.com
Server: 193.6.238.2
Address: 193.6.238.2#53

Non-authoritative answer:
Name: mail.mydomain.com
Address: x.x.x.x

dig mydomain.com mx

; <<>> DiG 9.7.0-P1 <<>> mydomain.com mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22354
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; QUESTION SECTION:
;mydomain.com. IN MX

;; ANSWER SECTION:
mydomain.com. 150 IN MX 10 mail.mydomain.com.

;; AUTHORITY SECTION:
mydomain.com. 45 IN NS ns.deninet.hu.
mydomain.com. 45 IN NS ns.serverpages.eu.

;; ADDITIONAL SECTION:
mail.mydomain.com. 122 IN A x.x.x.x
ns.deninet.hu. 45 IN A 195.70.35.5
ns.serverpages.eu. 45 IN A 79.172.211.90

;; Query time: 43 msec
;; SERVER: 193.6.238.2#53(193.6.238.2)
;; WHEN: Sat Nov 5 18:35:16 2011
;; MSG SIZE rcvd: 152

[LHammonds]

This is the only thing that I could see (however, I only have recent experience in setting up a split-dns scenario)

/etc/resolv.conf

- missing line = "domain mydomain.com"

I guess you are not running a local DNS server and replying completely upon the external DNS servers? You might see a performance boost by setting up a DNS server on your local machine, although I wouldn't know how much of a boost...I just know that any lookups the server has to do will be much faster internally rather than waiting on an external service which also causes latency just in the travel time as well as their server load at the particular time.

LHammonds

[gargatok]

Well guys, thank you very much for your answers, and kind help.

I learnt a lot about zimbra, during my struggles, which would not happen if everything went well from the beginning. The governmental firewall blocked mails to domain names that were not in the allowed list. I found this out, by debugging postfix messages at both sides, and they did not correspond...

Anyways Phoenix,LHammonds, thanks!

Cheers
Gergely