04-01-2008, 06:41 AM
subdomain handling? mail to world broken, mail to parent domain OK.
I have an Ubuntu 6.06 server that I have installed zimbra on -- everything appears to be working (status in GUI and zmcontrol) but I cannot mail outside of my domain. Mail from my host, zim.sub.domain.edu to users in my domain, sub.domain.edu, works fine (and back). Mail from zim.sub.domain.edu to e.g. hotmail or gmail or yahoo breaks, and mail from outside in times out. I can telnet to an outside mx on port 25 and send mail via SMTP commands.
My domain is sub.domain.edu and I have set up my server to be zim.sub.domain.com. I do not want zimbra to handle mail for all my domain, just zim.sub.domain.com (i.e., all my users to have user@zim.sub.domain.com addresses). As such, I have not created MX records in my DNS for my domain, since mail to the machine will get routed correctly via regular DNS. sub.domain.com is my delegated domain from domain.edu, and zim.sub.domain.edu is a host in my domain (not a sub-domain in and of itself). I have other machines set up like this and they're working fine.
The only other thing I can think of is that my IP addressing is messing it up -- all my machines (including zim) are 172.16.x.x private addresses, and NAT'd/MIP'd at my firewall if they need a public IP. This machine /does/ have a public IP via Mapped IP (all internal records point to the private IP, all public records point to the public IP, FW does the translating from outside->in, inside->out).
Suggestions or thoughts?
04-01-2008, 06:55 AM
ZCS can become confused if no MX is present, so I would recommend running a Split DNS - Zimbra :: Wiki
If you believe the configuration is okay as is then please post the following:
Code:
cat /etc/hosts
cat /etc/resolv.conf
cat /etc/nsswitch.conf
dig zim.sub.domain.com mx
dig zim.sub.domain.com ns
host `hostname` <- note backticks
Last edited by uxbod; 04-01-2008 at 06:57 AM..
04-01-2008, 02:37 PM
Thank you for your help. Since this is a public forum, I have sanitized output, replacing my domain name and the public IP of my public DNS server (it's not sub.domain.edu or 256.256.256.85 -- hostname and non-routable addresses are otherwise correct).
Quote:
zimbra@zim:~$ cat /etc/hosts
127.0.0.1 localhost
172.16.8.29 zim.sub.domain.edu zim
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
zimbra@zim:~$ cat /etc/resolv.conf
search sub.domain.edu
nameserver 172.16.16.241
nameserver 172.16.16.239
nameserver 256.256.256.85
zimbra@zim:~$
zimbra@zim:~$ dig zim.sub.domain.edu mx
; <<>> DiG 9.3.2 <<>> zim.sub.domain.edu mx
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41378
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;zim.sub.domain.edu. IN MX
;; AUTHORITY SECTION:
sub.domain.edu. 3600 IN SOA pdc-01.sub.domain.edu. admin. 16070 900 600 86400 900
;; Query time: 16 msec
;; SERVER: 172.16.16.241#53(172.16.16.241)
;; WHEN: Tue Apr 1 20:05:42 2008
;; MSG SIZE rcvd: 83
zimbra@zim:~$ dig zim.sub.domain.edu ns
; <<>> DiG 9.3.2 <<>> zim.sub.domain.edu ns
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35509
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;zim.sub.domain.edu. IN NS
;; AUTHORITY SECTION:
sub.domain.edu. 3600 IN SOA pdc-01.sub.domain.edu. admin. 16070 900 600 86400 900
;; Query time: 17 msec
;; SERVER: 172.16.16.241#53(172.16.16.241)
;; WHEN: Tue Apr 1 20:05:48 2008
;; MSG SIZE rcvd: 83
zimbra@zim:~$ host `hostname`
zim.sub.domain.edu has address 172.16.8.29
zimbra@zim:~$
pdc-01 is my internal Active Directory DC doing DNS for my LAN; IP address is 172.16.16.241 (i.e., it's in the resolv.conf).
I don't believe a split DNS will help matters as that will break mail from zim.sub.domain.edu to my other users in sub.domain.edu, no? (i.e., sub.domain.edu (non-zimbra) users' mail will need to be found via the real MX for sub.domain.edu, not the "faked" one that would be handed out by spoofing via Views (or setting up a DNS server on the zimbra box itself) for zimbra.) I'll set one up if you really think this will help, but I have other machines set up without this (a red hat box running qmail, no MX entry, only an A entry in the DNS).
I essentially already have a "split dns" setup; my LAN IPs have their DNS served by my Domain Controllers and the IP addresses are all internal; public DNS requests are handled by my nameservers (the only place it shows up in the above is the 256.256.256.85 entry in /etc/resolv.conf) and the majority of my LAN clients do not use this nameserver (the DCs forward to it though) so I don't know if I should remove it from the resolv.conf.
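An added example, not part of the original thread: in the dig output posted above, `status: NOERROR` with `ANSWER: 0` and only an SOA in the authority section is a NODATA response, meaning the name exists but has no record of the requested type. The sketch below classifies such output and flags A answers that are private addresses; `DIG_A` is a constructed sample and the function names are hypothetical.

```python
import ipaddress
import re

# Sample trimmed from the MX query output posted above.
DIG_MX = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41378
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;zim.sub.domain.edu. IN MX
;; AUTHORITY SECTION:
sub.domain.edu. 3600 IN SOA pdc-01.sub.domain.edu. admin. 16070 900 600 86400 900
"""

# Constructed sample: an A query answered from the internal DNS view.
DIG_A = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;zim.sub.domain.edu. IN A
;; ANSWER SECTION:
zim.sub.domain.edu. 3600 IN A 172.16.8.29
"""

def parse_dig(text):
    """Return (status, answer_count, records) from dig's default output."""
    status = re.search(r"status: (\w+)", text).group(1)
    count = int(re.search(r"ANSWER: (\d+)", text).group(1))
    records, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif line.startswith(";;") or not line.strip():
            in_answer = False  # any other section header ends the answers
        elif in_answer:
            name, _ttl, _cls, rtype, rdata = line.split(None, 4)
            records.append((name, rtype, rdata))
    return status, count, records

def classify(text):
    """NXDOMAIN: name absent. NODATA: name exists, no record of this type."""
    status, count, records = parse_dig(text)
    if status == "NOERROR" and count == 0:
        return "NODATA", records
    return status, records

def private_answers(text):
    """A-record targets that are not routable from the internet."""
    return [r for _n, t, r in parse_dig(text)[2]
            if t == "A" and ipaddress.ip_address(r).is_private]
```

Running the same classification against the public nameserver's answers shows what outside senders see, which can differ from the internal view.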
04-02-2008, 06:40 AM
OK, jumping in late here.
I run a split dns and split e-mail. My external e-mail is on a DMZ. DNS has:
mailserver.domain.com, with an external IP.
My firewall does the NAT from outside to DMZ. I forward e-mail from my DMZ
e-mail server to my internal, zimbra e-mail server. My external DNS has
zimbra.domain.com. My firewall takes https requests and sends them to my
internal zimbra server with a NAT'd IP.
My internal dns has:
internalname.domain.com, with an internal IP.
I just added a cname record to my internal dns:
mailserver in cname internalname
So, while external users are reaching my zimbra server via an external IP,
the domain name is the same as my internal users: zimbra.domain.com
Hope this helps. I find the split e-mail solution to be quite elegant. I use
postfix, and it allows me to forward to any given IP of an e-mail server based on
the domain in question.
PS Zimbra's admin section allows one to change the IP of the outgoing mail
server. Perhaps this will help...
Last edited by carlsanders; 04-02-2008 at 06:54 AM..
04-02-2008, 07:34 AM
Quote:
Originally Posted by carlsanders
So, while external users are reaching my zimbra server via an external IP,
the domain name is the same as my internal users: zimbra.domain.com

This is what I've got going on myself; I have two sets of DNS servers -- a public master/slave set that does DNS for my domain and my internal (LAN) domain controllers doing DNS via Windows' Active Directory DNS component. I have the same entry (zim.sub.domain.edu as an A entry, as opposed to CNAME in your setup) in both internal and public DNS servers, but with different IPs depending on which record people will need (i.e., LAN users don't need my FW's NAT'd address for the zimbra box and internet users can't route to the zimbra box's "real" 172.16.x.x address).
Perhaps I should set up zim.sub.domain.edu as its own domain so that I can create MX records? I can't create MX records for it in my sub.domain.edu domain since this will break my sub.domain.edu mail.
04-02-2008, 07:38 AM
Zimbra Consultant & Moderator
I don't know if you noticed but your hosts file is incorrect, the following entry should be in there (not the one you have):
Code:
127.0.0.1 localhost.localdomain localhost
__________________
Regards
Bill
04-02-2008, 08:01 AM
OK, I think I'm starting to understand your issue.
First, near as I can tell, you *have* to have an MX record for your zimbra
e-mail server. It is married to dns, and won't e-mail out, no matter what,
until you have an MX record in dns.
My installation wouldn't take until I gave the install "domain.com" instead
of "host.domain.com". When I gave it domain.com, it essentially did a
nslookup set type=MX query on "domain.com", and pulled all valid MX records
out of the given dns server records.
04-04-2008, 10:05 AM
OK, I've got this working now. I had to create a new subdomain and make zim.sub.domain.edu the A and MX entries in it. Problem solved, thanks for the help; possibly the docs should make mention of this (for folks who don't want zimbra to handle _all_ their mail, as the docs seem to assume)?
Thanks uxbod and carlsanders and pheonix (although I did not have to change the localhost entry in hosts).
04-04-2008, 10:17 AM
Zimbra Consultant & Moderator
Quote:
Originally Posted by Static Electrician
Thanks uxbod and carlsanders and pheonix (although I did not have to change the localhost entry in hosts).

You should change your hosts file to the format I've mentioned, it may bite you later if you don't.
__________________
Regards
Bill