#1
09-29-2009, 11:39 AM
Junior Member
Posts: 6
[SOLVED] Split DNS - Firewall - Loops back to myself

I am having trouble setting up the split DNS - Zimbra behind a firewall configuration.

Problem: all outgoing email errors with "domain loops back to myself".

I have tried to follow the wiki on split DNS and various posts on this, but still no luck.

I have a CentOS 5.3 firewall box, basic, loaded with Webmin.

Right now the Firewall only forwards ports 25 and 7025 to the Zimbra server.

I have a CentOS 5.3 Zimbra Server (open source version)

I am able to receive email to the domain without a problem.

DNS settings at godaddy:
Point to firewall external IP
MX record points to mail.domain.net

firewall FQDN:
firewall.domain.net

Zimbra server FQDN:
mail.domain.net

The firewall DNS has no entries for the Zimbra server, just the default DNS config, no entries in the HOSTS file for the Zimbra server, and the resolv.conf file points to the two external DNS servers from my ISP.

Zimbra server:

The resolv.conf file on the Zimbra server points to itself for resolution, then to the firewall server.

Zimbra server:

Host file has just these three lines:
search mail.domain.net (local host FQDN)
127.0.0.1
10.1.1.55 mail.domain.net mail

It has the CentOS default DNS configuration with one additional record for the Zimbra server:

@ IN SOA mail.domain.net. admin.domain.net.
serial, refresh.....
@ IN NS mail.domain.net.
IN MX 10 mail.domain.net.
IN A 10.1.1.55
mail.domain.net. IN A 10.1.1.55


Zimbra settings:

MTA - I have tried localhost, mail.domain.net and 127.0.0.1, with and without DNS lookup. In no combination have I been able to send out email.

Anyone have some suggestions?
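As an added example (not code from the thread or from the Zimbra wiki), a small Python checker for the internal split-DNS zone sketched in post #1: it parses the zone text and flags two things such a zone must get right, an MX or NS target with no A record in the zone, and an A record that hands internal clients a non-RFC1918 address instead of the LAN one. The zone strings, the origin parameter and the function names are constructed for this example; the parser assumes "owner [IN] TYPE rdata" lines without a TTL field, as in the thread.

```python
import ipaddress

# Constructed sample modelled on the zone in post #1 (a leading blank means "same
# owner as the previous record"); the origin is passed in rather than via $ORIGIN.
ZONE_OK = """\
@   IN SOA mail.domain.net. admin.domain.net. ( 2009092901 3600 900 604800 86400 )
@   IN NS  mail.domain.net.
    IN MX  10 mail.domain.net.
    IN A   10.1.1.55
mail.domain.net. IN A 10.1.1.55
"""
# Constructed counter-example: MX names a host the zone never defines, and the host
# A record hands internal clients a non-RFC1918 address instead of the LAN one.
ZONE_BAD = """\
@   IN SOA mail.domain.net. admin.domain.net. ( 1 3600 900 604800 86400 )
@   IN NS  mail.domain.net.
    IN MX  10 mx.domain.net.
mail.domain.net. IN A 203.0.113.10
"""
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _fqdn(name, origin):
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return (owner, rtype, rdata) tuples; '@' and blank owners become FQDNs (no TTL field)."""
    owner, out = None, []
    for raw in filter(str.strip, text.splitlines()):
        tokens = raw.split()
        if not raw[0].isspace():                   # new owner; a leading blank reuses the last
            owner = _fqdn(tokens.pop(0), origin)
        if tokens[0].upper() == "IN":              # optional class
            tokens.pop(0)
        out.append((owner, tokens[0].upper(), tokens[1:]))
    return out

def check_split_dns(text, origin):
    """Return a list of problems; an empty list means the internal zone is consistent."""
    records = parse_zone(text, origin)
    a_records = {o: r[0] for o, t, r in records if t == "A"}
    problems = []
    for owner, rtype, rdata in records:
        if rtype in ("MX", "NS"):                  # every mail/name server needs an in-zone A
            target = _fqdn(rdata[-1], origin)
            if target not in a_records:
                problems.append(f"{rtype} target {target} has no A record in the zone")
        elif rtype == "A" and not any(ipaddress.ip_address(rdata[0]) in n for n in LAN_NETS):
            problems.append(f"{owner} A {rdata[0]} is not a LAN address; internal clients must get the internal IP")
    return problems
```

Running `check_split_dns(ZONE_OK, "domain.net.")` returns an empty list, while the counter-example yields one problem for the undefined MX target and one for the non-LAN address.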
#2
09-29-2009, 12:09 PM
Moderator
Posts: 883

OK, a couple of things I notice right off the bat.

Quote:
The Resolv.conf file on the Zimbra server points to itself for resolution then the firewall server.
You do realize that with this setup your firewall will only come into play for name resolution when DNS is not running on your Zimbra server. Not sure this is what you want. Make sure you have the forwarders option in the named.conf on your Zimbra server.

Quote:
Host file:
has just the three lines:
search mail.domain.net (local host FQDN)
127.0.0.1
10.1.1.55 mail.domain.net mail
The search line goes in the /etc/resolv.conf, not /etc/hosts. If you do move it to the resolv.conf file you probably want it to read "search domain.net". Also the 127.0.0.1 line should include something like "localhost.localdomain localhost"

From your Zimbra server can you ping/lookup other domains?
#3
09-29-2009, 12:22 PM
Junior Member
Posts: 6

Thanks for your reply.....

Sorry, I mistyped: the search entry is in the resolv.conf file:
search mail.domain.net (FQDN of the Zimbra server)

The 127.0.0.1 is correct:
127.0.0.1 localhost.localdomain localhost

As for the resolv.conf on the Zimbra server, what should it be? I thought it should point to itself and then to the firewall.

From the Zimbra server I can both ping and resolve other domain names.
I can also telnet:
telnet mail.externaldomain.com 25

and send a helo message.

Anything else you would need to know?

Lee
#4
09-29-2009, 12:29 PM
Junior Member
Posts: 6

I have forwarders on the Zimbra server pointing to the Firewall internal IP address -- is this the problem? What should the forwarders point to?

Lee
#5
09-29-2009, 12:48 PM
Moderator
Posts: 883

Quote:
As for the resolv.conf on the Zimbra server - what should be? I thought it should point to itself and then to the firewall.
This isn't necessarily wrong, but I don't think it is what you want. The server entries in the resolv.conf are read in succession. If you are doing name resolution and the first server in the list is listening for requests then it will never drop to the second server in the list, even if the first server doesn't know how to resolve the request.

Quote:
I have forwarders on the Zimbra server pointing to the Firewall internal IP address -- is this the problem? What should the forwarders point to?
The forwarders should point to whatever server you use for name resolution outside of your network.

If you can ping, telnet, and resolve to other domains from your Zimbra server then DNS might not be the issue. What are you seeing in your logs when you get a failure?
#6
09-29-2009, 01:01 PM
Junior Member
Posts: 6

The error shows:
Before the error, it appears the email is being sent out via 127.0.0.1... because the log shows relay=127.0.0.1; it passed through the virus checks and so on using 127.0.0.1.

Warning: remote host (external domain.com xxx.xxx.xxx.xxx) greeted me with my own host name mail.domain.net ..... then it says error: external domain.com loops back to myself.

It is like the MTA (Postfix) resolves all external domains to the local MTA, localhost or server?

Also, in this setup what should the settings under MTA be? I have tried 127.0.0.1, FQDN, localhost...?
#7
09-29-2009, 01:04 PM
Junior Member
Posts: 6

One last thing I see here at the end of the messages:

disconnect from unknown[10.1.1.98]

That is the LAN IP of the firewall server!!!

This is key, isn't it? Just don't know how to fix it.. LOL
#8
09-30-2009, 08:48 AM
Moderator
Posts: 883

Not sure, but this is beginning to sound like a firewall issue to me. Can you explain your firewall setup a bit more? Does it allow all outgoing traffic?
#9
09-30-2009, 09:14 AM
Junior Member
Posts: 6

Thanks for all your help... yes, it was a firewall issue. I had set up the LAN side on our normal network. Even though the Zimbra box was using the test firewall box as its gateway and DNS, our regular network setup was messing it up. I changed the firewall box and Zimbra server to be on their own LAN network, then set up the split DNS per the wiki; bam, a couple of reboots later and it was working perfectly. I am still puzzled how our other firewall was messing up the Zimbra box, if it was all pointing to the other firewall. What I think is that when I first installed CentOS on the Zimbra box, it was a DHCP client by default of course, and I then installed Zimbra; then I went back and changed all the IP settings to static and the gateway through the test firewall. It appears that was a major error. I didn't actually have to re-install Zimbra to get it working, but I would warn folks wanting to set up a test to do so in a clean environment.

Thanks again for all your help - I did use your information to figure out how to get it all running.

Lee
#10
09-30-2009, 09:26 AM
Moderator
Posts: 883

Glad you got it all worked out. I'll mark this thread as solved. Post back if you have more issues.

John