[SOLVED] Not receiving external mail

[infosyst]

New install...internal mail works ok, but I'm not getting any external messages. I can send externally ok. I have read through a lot of similar problems, as well as Wiki articles but have not yet been able to resolve my problem.

My server is on a private network behind an Astaro Security Gateway which is configured to forward port 25 to the mail server.

My domain is hosted on an ISP. I have set the mx record for domain.org to mail.domain.org. The A record for mail.domain.org is set to the public IP on my firewall.

Here is some config info:

cat /etc/hosts

Code:

127.0.0.1	localhost.localdomain	localhost
192.168.232.7	mail.domain.org	mail

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

cat /etc/resolv.conf

Code:

search domain.org
nameserver 192.168.232.7

dig domain.org mx

Code:

; <<>> DiG 9.4.2-P2 <<>> domain.org mx
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13898
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;domain.org.		IN	MX

;; ANSWER SECTION:
domain.org.	604800	IN	MX	10 mail.domain.org.

;; AUTHORITY SECTION:
domain.org.	604800	IN	NS	mail.domain.org.

;; ADDITIONAL SECTION:
mail.domain.org.	604800	IN	A	192.168.232.7

;; Query time: 0 msec
;; SERVER: 192.168.232.7#53(192.168.232.7)
;; WHEN: Thu Jul 30 16:25:17 2009
;; MSG SIZE  rcvd: 86

dig domain.org any

Code:

; <<>> DiG 9.4.2-P2 <<>> domain.org any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45704
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;domain.org.		IN	ANY

;; ANSWER SECTION:
domain.org.	604800	IN	SOA	mail.domain.org. admin.domain.org. 90731 604800 86400 2419200 604800
domain.org.	604800	IN	NS	mail.domain.org.
domain.org.	604800	IN	MX	10 mail.domain.org.
domain.org.	604800	IN	A	192.168.232.7

;; ADDITIONAL SECTION:
mail.domain.org.	604800	IN	A	192.168.232.7

;; Query time: 0 msec
;; SERVER: 192.168.232.7#53(192.168.232.7)
;; WHEN: Thu Jul 30 16:28:18 2009
;; MSG SIZE  rcvd: 144

hostname `host`

Code:

mail.domain.org has address 192.168.232.7

Thanks!

[uxbod]

Code:

host `hostname`

What happens if you telnet to port 25 from outside the firewall to your server ?

Code:

su - zimbra
zmcontrol -v
zmcontrol status

Do you see any email connections in /var/log/zimbra.log from external ?

[borngunners]

I will like a follow-up on the solution of this problem, because I am having exactly the same problem with basically the almost the same setup. Forwarded port 25 and all necessary ports to the public ip of my zimbra server. I am unable to telnet the fqdn and the public ip on port 25 from outside. I am able to access webmail from outside using the fqdn. There must be something some where stoping us from receiveing email from the outside. I thought it was my firewall, but after being able to telnet something else from outside and block it there after, I am beginning to suspect that it is zimbra. Especially with a second person complaining it now.

[infosyst]

Actually, host `hostname` is actually posted above, I just typed it wrong in my post.

I tried connecting my DSL line directly to the Zimbra box and configured the public IP on it. Once I did that, my external mail came through, so it appears to be a firewall issue in my case. The ASG has an SMTP proxy that I am trying to go through. I am going to contact Astaro about it and see if we can figure out why the configuration isn't working.

Any tips on what the firewall config should look like with an SMTP proxy?

[borngunners]

In other words, you are using the public ip on the zimbra box now instead of the private ip configuration on the box?

[infosyst]

Quote:

Originally Posted by borngunners

In other words, you are using the public ip on the zimbra box now instead of the private ip configuration on the box?

Yes, I setup the second interface on my Zimbra server with the public IP, but just as a test. I still need to get it working through my firewall for added security and so that I can use the firewalls built-in AS/AV filtering.

[infosyst]

It's working now! I had to configure some policy routes and SNAT.

[borngunners]

You mean some policy route on the firewall? Can you post me the policy route that you use. In other words, can you explain a little bit further.

Thanks,

[infosyst]

Yes, I had to use policy routes because the SMTP traffic is going out through an interface on my firewall other than my primary interface. These are the two policy routes that I am using on the Astaro box:

Interface Route
Source Network: Internal Network
Service: SMTP
Destination Network: Any
Target Interface: DSL Interface

Gateway Route
Source Network: DSL Network
Service: Any
Destination Network: Any
Gateway: DSL Gateway from provider

I also had to setup NAT masquerading between the internal network and the DSL network and SNAT rules between my server and the DSL interface. Again, this is because I am not using my primary external firewall interface for the SMTP traffic.