Weird NAT issue
I was wondering if anyone could shed some light on this issue and probably point out something really obvious that I am missing completely.
I have just set up a Zimbra server for someone, based on a NAT setup. The router/firewall forwards all requests on port 25 to 192.168.0.170 where the Zimbra server sits with its own DNS server for DNS resolution. Incoming email works fine with incoming email accepted and delivered to the users inboxes. Unfortunately however the server cannot seem to deliver outgoing email at all. It looks up the MX records just fine but when it tries to connect to them it says the following in the deferred mail queue (The below example is for trying to send an email to aol.com)...
connect to aol.com[18.104.22.168]: connection timed out
There are no firewalls or anything that would block it from connecting and the router allows all outgoing connections from LAN IP's with no filtering whatsoever. Another mail server sitting on a different machine can relay email out no problem.
Is it possible this could be a problem with Zimbra somewhere that I am missing or is there something in my NAT setup I need to go back and look at? Any help would be fantastic. Many thanks.
Sure you've got a gateway set?
check for 0.0.0.0 entry
From the server:
telnet 22.214.171.124 25
and try telnetting to some other foreign mailserver port 25 as well, to see if you get response
Yes it has a gateway set and I can even telnet from the server machine to other SMTP servers so it can't be a network or routing issue.
I'm absolutely befuddled as there doesn't seem to be any issue in the logs causing it. Can anyone shed any light on this before people start to gnash their teeth at me. Many thanks.
You know that AOL have restrictions on which mail servers they allow to talk to them, don't you? If you're sending from a 'domestic' type ISP or a dynamic IP you'll probably never be able to send mail to AOL users.
Try some other destinations and see if they work.
Nope it is quite definitely not a domestic IP address and I can relay email from another machine behind the NAT/IP.
The postfix server is never even making the connection, it's just timing out as if the server wasn't there. :(
Well, the same thing happens if I telnet to that IP - it never connects. What do you get if you 'telnet mailin-03.mx.aol.com 25'?
Originally Posted by phoenix
220-rly-mf09.mail.aol.com ESMTP mail_relay_in-mf09.2; Tue, 10 Apr 2007 10:27:57
220-America Online (AOL) and its affiliated companies do not
220- authorize the use of its proprietary computers and computer
220- networks to accept, transmit, or distribute unsolicited bulk
220- e-mail sent from the internet. Effective immediately: AOL
220- may no longer accept connections from IP addresses which
220 have no reverse-DNS (PTR record) assigned.
From same IP address, just a different machine on the NAT which is why you can see its confusing me. :(
This has been resolved. A very strange problem that could potentially be a bug except I can't replicate it so at the moment I am a bit disinclined to file a bug report.
Essentially, Postfix was not performing DNS lookups for the MX info so all outgoing mail was sticking. This despite the fact that the option to do DNS lookups was ticked in the admin console, in both the global settings MTA tab and the server settings MTA tab.
I unticked them to see if this made a difference, it didn't. Reticked them and still nothing. Then just being thorough I rebooted, unticked and reticked and boom. Everything starts working. There was nothing in the log files to suggest anything had ever been wrong.