Page 4 of 4 FirstFirst ... 234
Results 31 to 40 of 40

Thread: [SOLVED] Can relaying be allowed for authenticated users?

  1. #31
    dwmtractor's Avatar
    dwmtractor is offline Moderator
    Join Date
    Jul 2007
    Location
    San Jose, CA
    Posts
    1,027
    Rep Power
    10

    Default

    I got mine working over the weekend (thanks to Bill for helping me think it through), and it may be that my issue (which wasn't where I expected) affects some of the rest of you. Turns out it was due to the way my firewall handled the translation of IP addresses from the DMZ to the public. My settings are as follows:

    My mailserver, mail.tractor-equip.net resolves (as anybody can check with nslookup or dig) to 12.181.168.155. That is actually a secondary IP address on the external ethernet port of my firewall.

    The actual mailserver resides in a DMZ 10.3.2.xxx, which is a subnet that is inaccessible to the outside world.

    I had the firewall set up to do Destination Network Address Translation (DNAT) so that any traffic from the outside world for port 25 (SMTP) or 443 (https) would get translated from 12.181.168.155 to 10.3.2.xxx. (later I added the IMAP and POP ports too) However, I didn't realize it at first, but all the OUTGOING traffic from the mailserver was not coming from that same address, but from the primary WAN address of the firewall (due to another NAT rule). This was preventing any of my external clients from logging in for external pop, IMAP, or SMTP, because the return traffic was not coming from 12.181.168.155.

    Once I set up a second SNAT (Source Network Address Translation) rule to make the outgoing traffic from my mailserver to come from 12.181.168.155 rather than the other WAN address, I was able to log on successfully and both send and receive mail. I tested it from home using a Thunderbird client. Key issue--if you're using DMZ and NAT, be sure the incoming and outgoing traffic are on the same public IP address--and this is a firewall issue, not Zimbra's problem.

    SSS, I would NOT recommend you use the clear text login or non-secure ports for your external access (as you well know already), and I was able to connect without them enabled. My settings are
    • enabling POP, IMAP and SMTP over SSL
    • TLS enabled
    • External Auth enabled
    • cleartext login DISabled.
    Your firewall, of course, has to pass the proper ports for each service: 993 for IMAP-SSL, 995 for POP-SSL, and 465 for SMTP-SSL. I actually block 110 (cleartext POP) and 143 (clear IMAP) at the firewall since they are less secure (but don't block 25 SMTP or you won't get mail from anybody else ).

    I can't speak to other clients, but with Thunderbird enabling SSL for POP, IMAP, and SMTP, and enabling the username and password for SMTP, did the trick.

    Hope this helps,

    Dan

  2. #32
    SSS
    SSS is offline Intermediate Member
    Join Date
    Oct 2007
    Location
    Australia
    Posts
    21
    Rep Power
    7

    Default

    Quote Originally Posted by dwmtractor View Post
    SSS, I would NOT recommend you use the clear text login or non-secure ports for your external access (as you well know already), and I was able to connect without them enabled.
    Yes. I have it enabled for the moment as I'm prepping the Zimbra server to take over from our old qmail based email server which uses basically no authentication. When the zimbra server is in and I've sorted any transition issues I can then look at getting clients switched to using SSL and disabling clear text.

    With regards to IMAP in my previous post, I gave it a test today and with SSL enabled I could successfully send/receive emails ok.

    Quote Originally Posted by dwmtractor View Post
    I can't speak to other clients, but with Thunderbird enabling SSL for POP, IMAP, and SMTP, and enabling the username and password for SMTP, did the trick.
    With those settings on my server I too got Thunderbird and Outlook Express working.

  3. #33
    dwmtractor's Avatar
    dwmtractor is offline Moderator
    Join Date
    Jul 2007
    Location
    San Jose, CA
    Posts
    1,027
    Rep Power
    10

    Default

    We have had at least three posters in this thread state that their issues have been solved, but we have not heard from original poster EdMartin. Ed, are you still having issues, or is yours working now too?

    If we don't hear from Ed in a while I'll mark this thread as solved, but waiting to see how he's doing. . .

  4. #34
    EdMartin is offline Senior Member
    Join Date
    Jun 2007
    Location
    Plantation, FL
    Posts
    59
    Rep Power
    8

    Default

    Sorry for the silence. I've been dealing with other peripheral trauma. Our company changed ISP from BellSouth to AT&T, all our public IPs changed, we lost all DNS access. We just discovered the reason was that AT&T had misconfigured the CISCO router they had supplied us with. I'm still clearing up the debris from all those goings-on. I hope to get back to this issue once calmer waters prevail for a day or two and I can gather my thoughts.

  5. #35
    EdMartin is offline Senior Member
    Join Date
    Jun 2007
    Location
    Plantation, FL
    Posts
    59
    Rep Power
    8

    Default

    To respond to Phoenix's question from a lifetime ago, here's what I get when executing "dig imacs.org mx" from within the office LAN:

    ; <<>> DiG 9.4.1-P1 <<>> imacs.org.mx
    ;; global options: printcmd
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9198
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;;imacs.org. IN MX

    ;; ANSWER SECTION:
    imacs.org. 5568 IN MX 10 mail.imacs.org

    ;; ADDITIONAL SECTION:
    mail.imacs.org. 6692 IN A 12.29.155.11

    ;; Query time: 21 msec
    ;; SERVER: 192.168.1.253#53(192.168.1.253)
    ;; WHEN: Wed Dec 5 20:01:09 2007
    ;; MSG SIZE rcvd: 64

    The SERVER mentioned there is the DNS server on our office LAN.

    In the HELO response you highlighted from my zimbra.log snippet, 192.168.99.100 is the IP of my laptop on my home network. Why is that showing up in the Zimbra log, and how do I make the HELO response be something else?

    Frequently in zimbra.log, I see these reports:

    mail postfix/smtpd[4577]: warning: cannot get certificate from file /opt/zimbra/conf/smtpd.crt
    mail postfix/smtpd[4577]: warning: TLS library problem: 4577:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/opt/zimbra/conf/smtpd.crt', 'r'):
    mail postfix/smptd[4577]: warning: TLS library problem: 4577:error:20074002:BIO routine:FILE_CTRL:system lib:bss_file.c:354:
    mail postfic/smtpd[4577]: warning TLS library problem: 4577:error 140DC002:SSL routines:SSL_CTX_USE_certificate_chain_file:system lib:ssl_rsa.c:720:
    mail postfix/smtpd[4577]: cannot load RSA certificate and key data

    The Zimbra mail server has two NIC cards, one with a public IP and the other on the office LAN. I notice zimbra.log references to postfix connecting to and disconnecting from

    mail.imacs.org[192.168.1.150]

    and this IP is on the office LAN. Is that significant? If so, and it's not what it should be, how do I change it?

  6. #36
    dwmtractor's Avatar
    dwmtractor is offline Moderator
    Join Date
    Jul 2007
    Location
    San Jose, CA
    Posts
    1,027
    Rep Power
    10

    Default

    I think you may have just given us the key to your problems, Ed, though I can't be sure because I handle the public/internal IP stuff by a firewall-mediated DMZ on another box, and my Zimbra box has only one ethernet card.

    However, you just told us (and my own nslookup confirms) that when people in the outside world log into your server, they're going to us the ip address 12.29.155.11 for mail.imacs.org. That address is not authorized to relay mail out of the domain, because back at the beginning you gave us your allowed networks:
    Code:
     postconf mynetworks
     
    mynetworks = 127.0.0.0/8 208.62.28.224/27 192.168.1.0/24
    I believe, if you add 12.29.155.11/32 to your allowed networks, relaying may work.

    But I also wonder what the range 208.62.28.224/27 in your mynetworks is for; it's clearly not your mapped public IP, and yet I don't think that range is private either. . .is it a network you want to have relay access?

    Dan

    Dan

  7. #37
    EdMartin is offline Senior Member
    Join Date
    Jun 2007
    Location
    Plantation, FL
    Posts
    59
    Rep Power
    8

    Default

    Sorry. Should have explained. The 208.62.28.224/27 subnet was the public IP block we had from BellSouth. Now that we have changed to AT&T, we have been assigned the 12.29.155.0/27 block. In mynetworks I have already made the switch. Here's the current output:

    zimbra@mail:~$ postconf mynetworks
    mynetworks = 127.0.0.0/8 12.29.155.0/27 192.168.1.0/24

    We allow relaying from that entire subnet because it includes a web farm of web servers that are constantly sending out what are essentially logging messages and web transaction receipts, etc. That side of things is working fine and always has been.

  8. #38
    dwmtractor's Avatar
    dwmtractor is offline Moderator
    Join Date
    Jul 2007
    Location
    San Jose, CA
    Posts
    1,027
    Rep Power
    10

    Default

    Well, given the TLS errors you described above, I'm thinking it might be worth re-creating your certificates (are you using self-signed certs. or commercial ones?) according to this wiki article. Then just in case there are certs there but the permissions are off, you might try running
    Code:
    /opt/zimbra/libexec/zmfixperms
    These are stabs in the dark, but running them won't hurt and it might help if the certs are really not there or inaccessible.

    I wish someone who actually has a Zimbra server with more than one NIC active on that server would jump in here. I have a bad feeling that your issues might involve this piece--either because the server is sending all its outgoing traffic through the "wrong" IP, or some other routing/identity issue. However, since that's not my setup I can't comment with any certainty.

    This issue would become more clear, I suspect, if you try a session (even though we know it'll fail) and then tail your log files to see what errors happen in that timeframe. Failing that, a packet sniffer on the subnet that your users are connecting through might reveal some instructive information. The unfortunate reality is that the errors returned by the client program (or the lack of error message) often has little bearing on what's actually going wrong. . .

  9. #39
    EdMartin is offline Senior Member
    Join Date
    Jun 2007
    Location
    Plantation, FL
    Posts
    59
    Rep Power
    8

    Default

    Well, color me excited! Darned if the darn thing didn't start working after regenerating the (self-signed) certificates -- as you suggested, Dan (and -- many moons ago -- Phoenix). I can now send to and receive from anywhere no matter where I am, whether using the web interface, a standalone IMAP client (to wit, Thunderbird), or the Zimbra Desktop alpha.

    Makes me wonder if I wasn't actually generating those certificates for the first time. Weren't they supposed to have been produced and put in place during ZCS installation? My experience suggests that there must have been some kind of failure in that regard.

    Muchas gracias to all participants in this thread. From my point of view, the saga is over ... unless there are aspects of this scenario that others want to keep going.

    Signed, one happy (non-paying, open source) customer!

  10. #40
    phoenix is online now Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,483
    Rep Power
    56

    Default

    Glad you've got it working. The certificates should be regenerated during an install, it doesn't usually fail but of course anything's possible. You'd have to check in your install logs to see if anything went wrong with the certificates but I doubt it did.

    If this ever happens again I'd suggest looking at the Certificates in Thunderbird (or whatever client is being used) and delete the currently installed certificate, restart the client and accept the certificate.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

Page 4 of 4 FirstFirst ... 234

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. Importing users with dots
    By Priyantha Bleeker in forum Migration
    Replies: 9
    Last Post: 10-19-2007, 01:14 AM
  2. need advice on configuring zimbra to work with fax server
    By pheonix1t in forum Administrators
    Replies: 0
    Last Post: 07-11-2007, 07:46 PM
  3. Testing restore on OSE with missing users upon completion
    By dmmincrjr in forum Administrators
    Replies: 3
    Last Post: 07-05-2007, 07:29 PM
  4. Replies: 7
    Last Post: 09-29-2006, 10:07 AM
  5. Installation review
    By npollock in forum Administrators
    Replies: 1
    Last Post: 01-14-2006, 10:34 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •