Zimbra offers Open Source email server software and shared calendar for Linux and the Mac
#1
07-26-2008, 12:48 AM
Loyal Member
Posts: 95
[SOLVED] Can't receive mail. Not split DNS issue! Please help production server

I've recently moved from hmailserver to 5.0.5 Zimbra open source.

It was working fine so I moved all my email data over and set up all the users, mostly using zmprov and imapsync.

Everything was working fine until last night at around midnight when it stopped receiving mail from any source, including local using imapsync.

I did install a new certificate using the instructions at SSL Certificate Problems - Zimbra :: Wiki, but I'm not sure why that would have caused the problem.

It's not a split DNS issue. I am behind a firewall, but the firewall has its own mini DNS and the Zimbra server knows its internal address just fine. This server was up and running perfectly before last night and no changes to the DNS have been made.

In the faint hope that an upgrade would help, I upgraded to 5.07 through the normal upgrade routine. No better, but no worse.

The problem seems to happen when an external mail server tries to connect.
I've tried several online SMTP tests; they all resolve correctly, and they all time out.

A sample of the error I'm getting:
Code:
Resolving hostname...
Connecting...
SMTP -> FROM SERVER:
SMTP -> FROM SERVER: 
SMTP -> ERROR: EHLO not accepted from server: 
SMTP -> FROM SERVER: 
SMTP -> ERROR: HELO not accepted from server: 
Message sending failed.
Some info in case it helps:

/etc/hosts:
Code:
127.0.0.1	localhost.localdomain	localhost
192.168.2.5	server1.medalist.com.au	server1
192.168.2.5	mail.medalist.com.au server1

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
/etc/resolv.conf
Code:
/etc/resolv.conf
dig _domainname_ mx
Code:
; <<>> DiG 9.4.2 <<>> _domainname_ mx
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55079
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;_domainname_.			IN	MX

;; AUTHORITY SECTION:
.			9635	IN	SOA	A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2008072501 1800 900 604800 86400

;; Query time: 146 msec
;; SERVER: 192.168.2.1#53(192.168.2.1)
;; WHEN: Sat Jul 26 17:06:31 2008
;; MSG SIZE  rcvd: 105
dig _domainname_ any
Code:
dig _domainname_ any
zmmtaconfig.log:
Code:
Sat Jul 26 17:39:03 2008  Service archiving is not enabled.  Skipping archiving
Sat Jul 26 17:39:03 2008  Service imapproxy is not enabled.  Skipping imapproxy
Sat Jul 26 17:39:04 2008  Watchdog checking service antivirus
Sat Jul 26 17:39:04 2008  Section amavis did not change skipping
Sat Jul 26 17:39:04 2008  Section antivirus did not change skipping
Sat Jul 26 17:39:04 2008  Section antispam did not change skipping
Sat Jul 26 17:39:04 2008  Section archiving did not change skipping
Sat Jul 26 17:39:04 2008  Section mta did not change skipping
Sat Jul 26 17:39:04 2008  Section sasl did not change skipping
Sat Jul 26 17:39:04 2008  Section webxml did not change skipping
Sat Jul 26 17:39:04 2008  Section mailbox did not change skipping
Sat Jul 26 17:39:04 2008  Section imapproxy did not change skipping
Sat Jul 26 17:39:04 2008  Sleeping for 60.
I'll post zimbra.log as an attachment in the next post (as soon as I can figure out how to get it!)

I'd really prefer not to put the old mail server back up on Monday. It will mean I have to copy all the emails over again and I really don't want to do that.

Thanks,

Mark
#2
07-26-2008, 04:35 AM
Zimbra Consultant & Moderator
Posts: 20,316

This would, in fact, appear to be a split DNS problem, as your dig commands find no A or MX records for the server. You also need to modify the hosts file; this:

Code:
192.168.2.5	mail.medalist.com.au server1
should read as this:
Code:
192.168.2.5	mail.medalist.com.au mail
I'm assuming that mail is the name of your Zimbra server?
__________________
Regards


Bill
#3
07-26-2008, 04:40 PM
Loyal Member
Posts: 95

Bill,

Thanks for the reply.

My DNS is hosted externally by my ISP. It points to mail.medalist.com.au in the MX records.

Internally my Zimbra server is called server1.medalist.com.au

My firewall port forwards everything from IMAP, SSH, POP, and SMTP to the internal address of the Zimbra server.

The firewall also has a mini DNS which resolves local addresses before forwarding any queries it does not know to my ISP's DNS. mail.medalist.com.au and server1.medalist.com.au both point to the internal address.

dig _domainname_ any was incorrect:
Code:
; <<>> DiG 9.4.2 <<>> _domainname_ any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 8384
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;_domainname_.                  IN      ANY

;; AUTHORITY SECTION:
.                       10800   IN      SOA     A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2008072601 1800 900 604800 86400

;; Query time: 532 msec
;; SERVER: 192.168.2.1#53(192.168.2.1)
;; WHEN: Sun Jul 27 09:27:53 2008
;; MSG SIZE  rcvd: 105
Zimbra.log also attached.

Should I modify my hosts file given that the server name is in fact server1?

Also, I don't understand how it can be a split DNS problem if it worked fine for several days. I haven't modified the DNS, hosts file, or done anything with bind.

When I ping mail.medalist.com.au from the zimbra server it points to the internal ip of 192.168.2.5 which is correct.

Could it be something to do with the MTA trusted networks? I did make a change to try and lock it down a bit better so that it was only a few servers on my internal network that it trusted. The IP of the server is 192.168.2.5

Code:
127.0.0.0/8 192.168.2.5/36 192.168.0.2/36 192.168.0.3/36 192.168.0.4/36 220.233.186.88/36 202.7.95.1/36 220.233.19.72/36
Anything else I can post up which gives more info?
Attached Files
File Type: log zimbra.log (70.9 KB, 62 views)

Last edited by gtr33m; 07-26-2008 at 04:43 PM..
#4
07-26-2008, 07:50 PM
Loyal Member
Posts: 95

It appears that I had indeed stuffed up my Trusted MTA setting.

After doing a bit of reading, 36 is an incorrect routing prefix.

After putting it back to default, the server has started accepting mail again.

Before I change this to solved, can anyone help me with the correct setting?

What I'd like to do is secure my Zimbra server so that no external spam can be sent from a rogue machine on my network:
  1. My zimbra server IP is 192.168.2.5
  2. My NAT router is 192.168.2.1
  3. I'd like to allow 192.168.0.2- 192.168.0.4 to relay mail without smtp authentication or SSL.
  4. I'd like to allow a couple of internet IP addresses to relay mail without smtp authentication or SSL.
  5. I want my users to be able to send mail using the zimbra web interface from any location.
  6. I'd like my users to be able to send mail using any client when connected to the local subnet 192.168.2.0 - 255.255.255.0 provided they use smtp authentication when sending. I could enforce SSL if required.

I've read the wiki on the subject, and I'm still a little confused (obviously).

Thanks,

Mark
#5
07-26-2008, 10:45 PM
Zimbra Consultant & Moderator
Posts: 20,316

Does your NAT router have a feature called 'loopback'? That would be the only way you have Zimbra running without DNS A & MX records on a local DNS server.

If you really want to limit the machines on your LAN then the Trusted Networks setting would be the one to use; details for limiting the number of hosts are in this nice graphic.

I'd strongly advise against allowing any external IP the ability to relay through your machine without authentication unless you trust them 100%.

Your users can use the Web UI from any location (internal or external) and send mail.

The Trusted Networks entry overrides the need for clients to use authentication on port 25, so any entries you put in there can relay without check. You could get the clients to use the correct port 587 for sending mail. That port requires authentication and is set by modifying the file /opt/zimbra/postfix/master.cf and making the following changes:
Code:
#submission inet n      -       n       -       -       smtpd
#        -o smtpd_etrn_restrictions=reject
#        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
Uncomment those lines by removing the # symbol from the beginning (the 'white space' must remain at the beginning of lines 2 & 3). Save the file and restart. You'll need to make that change after each Zimbra upgrade; there is an RFE in Bugzilla to add that feature, you might like to vote on it.
__________________
Regards


Bill

Last edited by phoenix; 07-27-2008 at 10:22 PM..
#6
07-27-2008, 12:12 AM
Loyal Member
Posts: 95

Bill,

I can only assume that the router has 'loopback', as it is a Linksys box, so I can't tell for sure. I will install and configure bind9 as per the wiki anyway just to make sure everything functions as expected down the line.

I'll test the port 587 suggestion and see how it works.

In the meantime, from the graphic you listed, I believe I can add the trusted servers by adding {server address}/32, but the default config of 192.168.2.0/24 gives any rogue PC on my local network the ability to send unauthenticated. Can I change this entry to 192.168.2.5/32 without upsetting the applecart?

Thanks,

Mark
#7
07-27-2008, 12:26 AM
Zimbra Consultant & Moderator
Posts: 20,316

Quote:
Originally Posted by gtr33m View Post
Can I change this entry to 192.168.2.5/32 without upsetting the applecart?
That should do what you want; it means that any user that sends mail via the Web UI should be OK, and if they're using a fat client they will need authentication.
__________________
Regards


Bill
#8
07-27-2008, 03:48 PM
Loyal Member
Posts: 95
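An added example, not from the thread or from Zimbra, that checks a Trusted Networks (Postfix mynetworks) string the way posts #4 through #7 describe: it rejects the impossible /36 prefix from post #3, shows that the default 192.168.2.0/24 lets any LAN host relay without authentication while 192.168.2.5/32 does not, and turns the 192.168.0.2 to 192.168.0.4 range from post #4 into CIDR entries. The rogue client address 192.168.2.77 is constructed for the demonstration.

```python
import ipaddress


def parse_trusted_networks(value):
    """Parse a space-separated Trusted Networks / mynetworks string.

    Returns (networks, warnings, errors). An entry whose prefix length is
    impossible for its address family (192.168.2.5/36: IPv4 prefixes run
    0..32) goes to errors. An entry with host bits set (192.168.2.5/24,
    which is really the whole 192.168.2.0/24) goes to warnings and is not
    trusted, so the operator must spell out what they meant."""
    networks, warnings, errors = [], [], []
    for entry in value.split():
        try:
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError:
            try:
                implied = ipaddress.ip_network(entry, strict=False)
            except ValueError as exc:
                errors.append((entry, str(exc)))
                continue
            warnings.append((entry, f"host bits set; did you mean {implied}?"))
    return networks, warnings, errors


def relays_without_auth(value, client_ip):
    """True if client_ip is inside a valid trusted network, i.e. it may
    relay on port 25 with no SMTP authentication at all."""
    networks, _, _ = parse_trusted_networks(value)
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in networks if net.version == ip.version)


def range_as_entries(first, last):
    """Smallest set of CIDR entries covering an inclusive host range,
    e.g. the three relay hosts 192.168.0.2-192.168.0.4."""
    hosts = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(net) for net in hosts]


if __name__ == "__main__":
    # The setting from post #3 (truncated): every /36 entry is an error.
    posted = "127.0.0.0/8 192.168.2.5/36 192.168.0.2/36 192.168.0.3/36"
    nets, warns, errs = parse_trusted_networks(posted)
    print("valid:", [str(n) for n in nets], "errors:", [e for e, _ in errs])
    # Default /24 versus the /32 from post #6, seen from a constructed rogue PC.
    for setting in ("127.0.0.0/8 192.168.2.0/24", "127.0.0.0/8 192.168.2.5/32"):
        print(setting, "-> 192.168.2.77 relays:", relays_without_auth(setting, "192.168.2.77"))
    print("192.168.0.2-192.168.0.4 as CIDR:", range_as_entries("192.168.0.2", "192.168.0.4"))
```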

Thanks Bill for all your help.

Would it be possible to change the subject of this post to reflect the MTA problem? Might help others in the future.
__________________
Mark Hawkins

Medalist