Mail not being delivered

[EnglishDude]

Upgraded my router - all the settings/port forwarding/stuff all exactly are the same, everything else works fine apart from Zimbra. I had a few problems with a couple server services not starting, but now they all work fine:

Code:

zimbra@destiny:~$ zmcontrol status
Host xxxxxx.org
        antispam                Running
        antivirus               Running
        ldap                    Running
        logger                  Running
        mailbox                 Running
        mta                     Running
        snmp                    Running
        spell                   Running
zimbra@destiny:~$

All seems OK. Mail gets delivered, scanned and then Zimbra attempts to send the email to itself to store into the mailbox, then it fails. I've sent an email to myself:

Code:

stella:~ piers$ telnet destiny 25
Trying 192.168.1.2...
Connected to destiny.10sca.intranet.
Escape character is '^]'.
220 xxxxxx.org ESMTP Postfix
HELO xxxxxx.org
250 xxxxxx.org
MAIL FROM: xx@xxxxxx.org
250 Ok
RCPT TO: xx@xxxxxx.org
250 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
test
test
.
250 Ok: queued as 1A0D8143DB
quit
221 Bye
Connection closed by foreign host.
stella:~ piers$

But the logs show...

Code:

Feb 25 16:09:33 destiny postfix/smtpd[7308]: 1A0D8143DB: client=stella.10sca.intranet[192.168.1.19]
Feb 25 16:09:35 destiny postfix/cleanup[6688]: 1A0D8143DB: message-id=<20070225160933.1A0D8143DB@xxxxxx.org>
Feb 25 16:09:35 destiny postfix/qmgr[6647]: 1A0D8143DB: from=<ed@xxxxxx.org>, size=339, nrcpt=1 (queue active)
Feb 25 16:09:35 destiny amavis[6826]: (06826-05) ESMTP::10024 /opt/zimbra/amavisd/tmp/amavis-20070225T160312-06826: <ed@xxxxxx.org> -> <ed@xxxxxx.org> SIZE=339 Received: from xxxxxx.org ([127.0.0.1]) by localhost (xxxxxx.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <ed@xxxxxx.org>; Sun, 25 Feb 2007 16:09:35 +0000 (GMT)
Feb 25 16:09:36 destiny amavis[6826]: (06826-05) Checking: 4kHSChqWGeCb [192.168.1.19] <ed@xxxxxx.org> -> <ed@xxxxxx.org>
Feb 25 16:09:37 destiny postfix/smtpd[7308]: disconnect from stella.10sca.intranet[192.168.1.19]
Feb 25 16:09:38 destiny postfix/smtpd[7613]: connect from localhost.localdomain[127.0.0.1]
Feb 25 16:09:38 destiny postfix/trivial-rewrite[6686]: warning: do not list domain xxxxxx.org in BOTH mydestination and virtual_mailbox_domains
Feb 25 16:09:38 destiny postfix/smtpd[7613]: 6AF3A143DC: client=localhost.localdomain[127.0.0.1]
Feb 25 16:09:38 destiny postfix/cleanup[7231]: 6AF3A143DC: message-id=<20070225160933.1A0D8143DB@xxxxxx.org>
Feb 25 16:09:38 destiny postfix/qmgr[6647]: 6AF3A143DC: from=<ed@xxxxxx.org>, size=1159, nrcpt=1 (queue active)
Feb 25 16:09:38 destiny postfix/trivial-rewrite[6686]: warning: do not list domain xxxxxx.org in BOTH mydestination and virtual_mailbox_domains
Feb 25 16:09:38 destiny amavis[6826]: (06826-05) FWD via SMTP: <ed@xxxxxx.org> -> <ed@xxxxxx.org>, 250 2.6.0 Ok, id=06826-05, from MTA([127.0.0.1]:10025): 250 Ok: queued as 6AF3A143DC
Feb 25 16:09:38 destiny postfix/smtpd[7613]: disconnect from localhost.localdomain[127.0.0.1]
Feb 25 16:09:38 destiny amavis[6826]: (06826-05) Passed CLEAN, LOCAL [192.168.1.19] [192.168.1.19] <ed@xxxxxx.org> -> <ed@xxxxxx.org>, Message-ID: <20070225160933.1A0D8143DB@xxxxxx.org>, mail_id: 4kHSChqWGeCb, Hits: -0.035, queued_as: 6AF3A143DC, 2625 ms
Feb 25 16:09:38 destiny postfix/smtp[7064]: 1A0D8143DB: to=<ed@xxxxxx.org>, relay=127.0.0.1[127.0.0.1], delay=8, status=sent (250 2.6.0 Ok, id=06826-05, from MTA([127.0.0.1]:10025): 250 Ok: queued as 6AF3A143DC)
Feb 25 16:09:38 destiny postfix/qmgr[6647]: 6AF3A143DC: to=<ed@xxxxxx.org>, relay=none, delay=0, status=deferred (delivery temporarily suspended: connect to xxxxxx.org[xxx.xxx.xxx.xxx]: Connection refused)
Feb 25 16:09:38 destiny postfix/qmgr[6647]: 1A0D8143DB: removed

As you can see the line:

Feb 25 16:09:38 destiny postfix/qmgr[6647]: 6AF3A143DC: to=<ed@xxxxxx.org>, relay=none, delay=0, status=deferred (delivery temporarily suspended: connect to xxxxxx.org[xxx.xxx.xxx.xxx]: Connection refused)

This is not good. What have I done wrong, and how do I fix this problem please? I've checked port forwarding and it *seems* to be working - using GRC's website (I know, but it's useful in checking whether ports are open or not) it shows port 9021 to be open, 7025 to be closed, but 7026 is stealthed, which to me seems to be working... or am I mistaken? Mail is starting to pile up on the server, and I can't receive email for anything

[phoenix]

The usual reasons for non-delivery are: /etc/hosts file incorrect; no (or incorrect) DNS A & MX records.

If you're on a LAN do you have a split-DNS set-up? Is this a public domain name? Can you resolve the server by DNS i.e. 'dig yourdomain.com any' - does it show the correct redords?

[EnglishDude]

It was working fine until I changed the router. Nothing else was changed. I don't have any split-DNS setup, and using "dig" on my domain works fine. Thanks very much for your help so far.

[phoenix]

What router did you change from/to? Let's see some output from dig.

[padrino121]

I just dealt with this very problem yesterday when moving routers. Are you using NAT because that problem is generally indicative of a NAT setup?

[EnglishDude]

I changed from a complete computer running IPCop to a Buffalo WBMR-G54. Both setup uses NAT. I'm not 100% sure if port forwarding works fine on the new router tho, as a port scan from GRC shows port 7025 to be closed, while 9021 is open. Maybe it's meant to be that, as port 7026 is stealthed as I haven't opened that port on the router.

Output from dig is: (I hope it's OK to put domain names and IP addresses on here...)

Code:

piers@destiny:~$ dig biased.org

; <<>> DiG 9.2.4 <<>> biased.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5111
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;biased.org.                    IN      A

;; ANSWER SECTION:
biased.org.             259200  IN      A       81.5.181.70

;; AUTHORITY SECTION:
biased.org.             259200  IN      NS      ns0.giggleworthy.co.uk.
biased.org.             259200  IN      NS      ns2.giggleworthy.co.uk.

;; ADDITIONAL SECTION:
ns0.giggleworthy.co.uk. 259200  IN      A       195.149.5.82
ns2.giggleworthy.co.uk. 259200  IN      A       81.5.181.70

;; Query time: 39 msec
;; SERVER: 192.168.1.2#53(192.168.1.2)
;; WHEN: Sun Feb 25 20:43:59 2007
;; MSG SIZE  rcvd: 130

piers@destiny:~$

[padrino121]

I changed from a complete computer running IPCop to a Buffalo WBMR-G54. Both setup uses NAT. I'm not 100% sure if port forwarding works fine on the new router tho, as a port scan from GRC shows port 7025 to be closed, while 9021 is open. Maybe it's meant to be that, as port 7026 is stealthed as I haven't opened that port on the router.

You might be in a similar situation to me. I have always used NAT as well but my new router doesn't have any concept of loopback, basically looping external connections back around to the internal IP without having them actually hit the external IP. With my new device I had to use a split DNS setup so postfix would lookup my local IP in DNS and not the external IP (/etc/hosts doesn't cut it). If you have the option for a loopback that is the easy way to fix it. If not I would suggest a split DNS setup so you don't deal with filter what should be internal ports on your external IP.

[phoenix]

Yep, padrino121 is correct. You can't have your public IP address in a DNS server behind a NAT router - you need a split-DNS set-up. Zimbra (postfix) doesn't know how to deliver to the LAN IP address and your current router doesn't do 'loopback' (which is probably why the other router did work). Most home routers don't do loopback anyway.

[EnglishDude]

Great, thanks very much for all your help!

I'm now a bit confused on how exactly to make a split-DNS setup. I'm currently reading this page on how to make a split-DNS setup, but I don't fully understand how it works, as my DNS server contains the record for biased.org, and sends it to other DNS servers, which in turn propogates it around the world. Obviously, the world don't need to know my internal addresses, so how does this work, exactly? Or is there a better guide around I can use?

Acutally, reading around a bit, I seem to need to set up the server to direct internal lookups to a different file to what external lookups are allowed, using "forwarders" apparently, but still not sure how to set it all up, as I already have forwarders defined which are external servers which seems to be my own ISP nameservers.

What should I do now?

Thanks so much for your help again!

[phoenix]

OK, first thing is you mention 'forwarders' as being your ISPs DNS servers - they shouldn't be. You don't need forwarders, you should only use root servers in your DNS set-up.

Who has the nameserver 'giggleworthy.co.uk', is it you or a hosted DNS service? Is it also behind a NAT device? Describe your DNS set-up for me, please.