#1 (permalink)
02-13-2011, 03:55 AM
Junior Member
Posts: 9
[SOLVED] Zimbra behind NAT (mail loops back to myself)

Hi guys,

I am trying to migrate an existing zimbra-installation to a virtual machine which has no external ip (nat).
On the vm-host, I used some iptables for port-forwarding:
Code:
iptables -t nat -A PREROUTING -p tcp --dport 2222 -j DNAT --to 172.16.84.128:22
iptables -t nat -A PREROUTING -p tcp --dport 60080 -j DNAT --to 172.16.84.128:60080
iptables -t nat -A PREROUTING -p tcp --dport 60443 -j DNAT --to 172.16.84.128:60443
iptables -t nat -A PREROUTING -p tcp --dport 7071 -j DNAT --to 172.16.84.128:7071
iptables -t nat -A PREROUTING -p tcp --dport 7025 -j DNAT --to 172.16.84.128:7025
iptables -t nat -A PREROUTING -p tcp --dport 143 -j DNAT --to 172.16.84.128:143
iptables -t nat -A PREROUTING -p tcp --dport 993 -j DNAT --to 172.16.84.128:993
iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to 172.16.84.128:25
iptables -t nat -A PREROUTING -p tcp --dport 465 -j DNAT --to 172.16.84.128:465
As you can see, 172.16.84.128 is the ip of my zcs-vm.

At first I want to say, that mail delivering seems to work, but sending mails does not.
I am always getting the following error:
Quote:
mail for web.de loops back to myself
I guess it has something to do with the /etc/hosts so I want to show you my /etc/hosts:
Code:
127.0.0.1       localhost.localdomain   localhost
172.16.84.128   zimbravm.nilsbecker.net zimbravm
172.16.84.128   avenger.nilsbecker.net  avenger
zimbravm is the hostname of the vm. avenger was my old server, so many zimbra-configs still refer to avenger.nilsbecker.net. I know that there are possibilities to change the zimbra-hostname, but I've made some bad experiences with changing the zimbra-hostname.

I know that there are some threads discussing the "loops back to myself"-error, but they didn't help me.

Thanks in advance.
Great regards,
fish

#2 (permalink)
02-13-2011, 04:33 AM
Zimbra Consultant & Moderator
Posts: 20,316

A Zimbra server behind NAT needs a Split DNS set-up.
__________________
Regards


Bill

#3 (permalink)
02-13-2011, 06:26 AM
Junior Member
Posts: 9

Thanks phoenix for the quick response.
I tried to config dnsmasq and the dig-results seem to be as described in the wiki but it doesn't work anyway.

my dnsmasq.conf
Code:
server=8.8.8.8
server=208.67.222.222
domain=nilsbecker.net
mx-host=nilsbecker.net,mail.nilsbecker.net,5
mx-host=nilsbecker.net,zimbravm.nilsbecker.net,5
mx-host=nilsbecker.net,avenger.nilsbecker.net,5
listen-address=127.0.0.1
dig nilsbecker.net any
Code:
 <<>> DiG 9.7.0-P1 <<>> nilsbecker.net any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13997
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;nilsbecker.net.                        IN      ANY

;; ANSWER SECTION:
nilsbecker.net.         0       IN      MX      5 avenger.nilsbecker.net.
nilsbecker.net.         0       IN      MX      5 zimbravm.nilsbecker.net.

;; ADDITIONAL SECTION:
avenger.nilsbecker.net. 0       IN      A       172.16.84.128
zimbravm.nilsbecker.net. 0      IN      A       172.16.84.128

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Feb 13 15:21:57 2011
;; MSG SIZE  rcvd: 141
host $(hostname)
Code:
zimbravm.nilsbecker.net has address 172.16.84.128
The result when I try to send a mail:
Quote:
This is the mail system at host avenger.nilsbecker.net.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

: mail for web.de loops back to myself



Reporting-MTA: dns; avenger.nilsbecker.net
X-Postfix-Queue-ID: 6A5CA19B052
X-Postfix-Sender: rfc822; XXX@nilsbecker.net
Arrival-Date: Sun, 13 Feb 2011 15:18:14 +0100 (CET)

Final-Recipient: rfc822; XXX@web.de
Original-Recipient: rfc822;XXX@web.de
Action: failed
Status: 5.4.6
Diagnostic-Code: X-Postfix; mail for web.de loops back to myself
It would be great if someone could help me.
Thanks in advance.

Great regards,
fish

#4 (permalink)
02-13-2011, 07:01 AM
Zimbra Consultant & Moderator
Posts: 20,316

If you read the Split DNS 'Verify...' section you'll see that you have one too many lines in the hosts file, remove the extra line.

Why do you think you need two MX records with the same priority pointing at the same server (you don't, BTW)?
__________________
Regards


Bill

#5 (permalink)
02-13-2011, 07:13 AM
Junior Member
Posts: 9

Two MX-records do not make sense - I agree with that. I just added the second record because I was getting desperate.
But it does not work with one mx-record anyway.

My /etc/hosts has an additional line because zimbravm is a copy of avenger. So for example slapd will try to connect to ldap://avenger.nilsbecker.net:389 which will not work because it is the wrong server. Instead of connecting to avenger it shall connect to zimbravm.
I know that zmsetservername (ZmSetServerName - Zimbra :: Wiki) should be able to change this - but as I said in my first post - I made some bad experiences when I tried to change the servername in the past.

Great regards,
fish

#6 (permalink)
02-13-2011, 07:15 AM
Zimbra Consultant & Moderator
Posts: 20,316

Quote:
Originally Posted by fish
My /etc/hosts has an additional line because zimbravm is a copy of avenger. So for example slapd will try to connect to ldap://avenger.nilsbecker.net:389 which will not work because it is the wrong server. Instead of connecting to avenger it shall connect to zimbravm.
I know that zmsetservername (ZmSetServerName - Zimbra :: Wiki) should be able to change this - but as I said in my first post - I made some bad experiences when I tried to change the servername in the past.
It might have helped if you'd mentioned this in the first place. You can't copy a server into a VM and expect it to work correctly, the fact it's trying to connect to another LDAP server might be a clue that all is not well. You need to rename this server and get it set-up correctly. Do you still have the original server up and running?
__________________
Regards


Bill

#7 (permalink)
02-13-2011, 08:18 AM
Junior Member
Posts: 9

Quote:
Originally Posted by phoenix
It might have helped if you'd mentioned this in the first place. You can't copy a server into a VM and expect it to work correctly, the fact it's trying to connect to another LDAP server might be a clue that all is not well. You need to rename this server and get it set-up correctly. Do you still have the original server up and running?
Your response-time is impressive. Thanks for your support.
I guess I mentioned the vm-thing in my initial post, but anyway.
The "old" physical server does not run anymore. I changed the hostname of the vm to avenger.nilsbecker.net (which is the hostname of the old, physical server).

I edited the /etc/hosts to
Code:
127.0.0.1       localhost.localdomain   localhost
172.16.84.128   avenger.nilsbecker.net  avenger
and "dig nilsbecker.net any" now shows the following result:
Code:
; <<>> DiG 9.7.0-P1 <<>> any nilsbecker.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58935
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;nilsbecker.net.                        IN      ANY

;; ANSWER SECTION:
nilsbecker.net.         0       IN      MX      5 avenger.nilsbecker.net.

;; ADDITIONAL SECTION:
avenger.nilsbecker.net. 0       IN      A       172.16.84.128

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Feb 13 17:12:17 2011
;; MSG SIZE  rcvd: 86
But unfortunately the error still exists.
Any other ideas?

Great regards,
fish

#8 (permalink)
02-13-2011, 11:42 AM
Junior Member
Posts: 9

Little bit more input for the experts here:
Code:
Feb 13 20:32:57 avenger postfix/smtpd[11728]: connect from unknown[172.16.84.1]
Feb 13 20:32:57 avenger postfix/smtpd[11728]: setting up TLS connection from unknown[172.16.84.1]
Feb 13 20:32:57 avenger postfix/smtpd[11728]: Anonymous TLS connection established from unknown[172.16.84.1]: TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)
Feb 13 20:32:58 avenger postfix/smtpd[11728]: A0FD519B642: client=unknown[172.16.84.1], sasl_method=PLAIN, sasl_username=XXX@nilsbecker.net
Feb 13 20:32:58 avenger postfix/cleanup[11769]: A0FD519B642: message-id=<4D5831E9.4000600@nilsbecker.net>
Feb 13 20:32:58 avenger postfix/qmgr[10997]: A0FD519B642: from=, size=589, nrcpt=1 (queue active)
Feb 13 20:32:58 avenger postfix/smtpd[11728]: disconnect from unknown[172.16.84.1]
Feb 13 20:32:59 avenger postfix/smtpd[11790]: connect from localhost.localdomain[127.0.0.1]
Feb 13 20:32:59 avenger postfix/smtpd[11790]: 8A9C819B647: client=localhost.localdomain[127.0.0.1]
Feb 13 20:32:59 avenger postfix/cleanup[11769]: 8A9C819B647: message-id=<4D5831E9.4000600@nilsbecker.net>
Feb 13 20:32:59 avenger postfix/qmgr[10997]: 8A9C819B647: from=, size=1059, nrcpt=1 (queue active)
Feb 13 20:32:59 avenger postfix/smtp[11778]: A0FD519B642: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=1, delays=0.2/0.02/0.03/0.77, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=10763-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 8A9C819B647)
Feb 13 20:32:59 avenger postfix/qmgr[10997]: A0FD519B642: removed
Feb 13 20:32:59 avenger postfix/smtpd[11793]: connect from unknown[172.16.84.1]
Feb 13 20:32:59 avenger postfix/smtp[11791]: warning: host mx-ha02.web.de[217.72.192.188]:25 greeted me with my own hostname avenger.nilsbecker.net
Feb 13 20:32:59 avenger postfix/smtp[11791]: warning: host mx-ha02.web.de[217.72.192.188]:25 replied to HELO/EHLO with my own hostname avenger.nilsbecker.net
Feb 13 20:32:59 avenger postfix/smtp[11791]: 8A9C819B647: to=, relay=mx-ha02.web.de[217.72.192.188]:25, delay=0.14, delays=0.02/0.05/0.07/0, dsn=5.4.6, status=bounced (mail for web.de loops back to myself)
Feb 13 20:32:59 avenger postfix/smtpd[11793]: disconnect from unknown[172.16.84.1]
Feb 13 20:32:59 avenger postfix/cleanup[11769]: B693F19B642: message-id=<20110213193259.B693F19B642@avenger.nilsbecker.net>
Feb 13 20:32:59 avenger postfix/qmgr[10997]: B693F19B642: from=<>, size=2987, nrcpt=1 (queue active)
Feb 13 20:32:59 avenger postfix/bounce[11795]: 8A9C819B647: sender non-delivery notification: B693F19B642
Feb 13 20:32:59 avenger postfix/qmgr[10997]: 8A9C819B647: removed
Feb 13 20:33:01 avenger postfix/lmtp[11799]: B693F19B642: to=, relay=avenger.nilsbecker.net[172.16.84.128]:7025, delay=1.4, delays=0.03/0.03/0.07/1.3, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
Feb 13 20:33:01 avenger postfix/qmgr[10997]: B693F19B642: removed
FYI: 172.16.84.1 is the ip address of the vm-host.

Maybe it's something wrong with my postconf?!
Code:
alias_maps = hash:/etc/aliases
always_add_missing_headers = yes
bounce_notice_recipient = postmaster
bounce_queue_lifetime = 5d
broken_sasl_auth_clients = yes
command_directory = /opt/zimbra/postfix/sbin
config_directory = /opt/zimbra/postfix-2.7.2.2z/conf
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /opt/zimbra/postfix/libexec
delay_warning_time = 0h
disable_dns_lookups = no
header_checks =
in_flow_delay = 1s
lmtp_connection_cache_destinations =
lmtp_connection_cache_time_limit = 4s
lmtp_host_lookup = dns
local_header_rewrite_clients = permit_mynetworks,permit_sasl_authenticated
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /opt/zimbra/postfix/sbin/mailq
manpage_directory = /opt/zimbra/postfix/man
maximal_backoff_time = 4000s
message_size_limit = 204800000
minimal_backoff_time = 300s
mydestination = localhost
myhostname = avenger.nilsbecker.net
mynetworks = 127.0.0.0/8 172.16.84.0/24 188.138.88.0/24
newaliases_path = /opt/zimbra/postfix/sbin/newaliases
non_smtpd_milters =
notify_classes = resource,software
propagate_unmatched_extensions = canonical
queue_directory = /opt/zimbra/data/postfix/spool
queue_run_delay = 300s
recipient_delimiter =
relayhost =
sender_canonical_maps = proxy:ldap:/opt/zimbra/conf/ldap-scm.cf
sendmail_path = /opt/zimbra/postfix/sbin/sendmail
setgid_group = postdrop
smtpd_client_restrictions = reject_unauth_pipelining
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_milters =
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_sender, permit
smtpd_reject_unlisted_recipient = no
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sender_restrictions =
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /opt/zimbra/conf/smtpd.crt
smtpd_tls_key_file = /opt/zimbra/conf/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
transport_maps = proxy:ldap:/opt/zimbra/conf/ldap-transport.cf
virtual_alias_domains = proxy:ldap:/opt/zimbra/conf/ldap-vad.cf
virtual_alias_maps = proxy:ldap:/opt/zimbra/conf/ldap-vam.cf
virtual_mailbox_domains = proxy:ldap:/opt/zimbra/conf/ldap-vmd.cf
virtual_mailbox_maps = proxy:ldap:/opt/zimbra/conf/ldap-vmm.cf
FYI: I already tried to use avenger.nilsbecker.net as $mydestination.

Does anybody have a clue what's wrong here?

Thanks in advance,
fish
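
Added example, not part of any post in this thread: the DNAT rules in post #1 carry no `-i` or `-d` match, so when the VM's outbound traffic is routed through the host they also apply to SMTP connections the VM itself opens, which is consistent with the "greeted me with my own hostname" warning in post #8. The script flags such rules and cross-checks them against that warning; the rule text is constructed in `iptables-save` format, and the scoped third rule and the interface name `eth0` are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Rules are constructed in iptables-save
# format after post #1; the third (scoped) rule and "eth0" are assumptions.
SAMPLE_RULES='-A PREROUTING -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.16.84.128:25
-A PREROUTING -p tcp -m tcp --dport 7071 -j DNAT --to-destination 172.16.84.128:7071
-A PREROUTING -i eth0 -p tcp -m tcp --dport 993 -j DNAT --to-destination 172.16.84.128:993'

# Log line copied from post #8.
SAMPLE_LOG='Feb 13 20:32:59 avenger postfix/smtp[11791]: warning: host mx-ha02.web.de[217.72.192.188]:25 greeted me with my own hostname avenger.nilsbecker.net'

# Print "port target" for every PREROUTING DNAT rule that has neither an
# input-interface (-i) nor a destination-address (-d) match.
unscoped_dnat() {
    awk '
    $1 == "-A" && $2 == "PREROUTING" {
        scoped = 0; dnat = 0; port = ""; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-i" || $i == "-d") scoped = 1
            if ($i == "-j" && $(i + 1) == "DNAT") dnat = 1
            if ($i == "--dport") port = $(i + 1)
            if ($i == "--to-destination" || $i == "--to") target = $(i + 1)
        }
        if (dnat && !scoped) print port, target
    }'
}

# Print the remote ports on which a peer answered with our own hostname.
self_greeting_ports() {
    sed -n 's/.*warning: host [^ ]*]:\([0-9][0-9]*\) greeted me with my own hostname.*/\1/p' | sort -u
}

# $1 = rules, $2 = log. Print unscoped DNAT rules whose port also appears
# in a self-greeting warning.
looping_ports() {
    hits=$(printf '%s\n' "$2" | self_greeting_ports)
    printf '%s\n' "$1" | unscoped_dnat | while read -r port target; do
        for p in $hits; do
            if [ "$p" = "$port" ]; then echo "$port -> $target"; fi
        done
    done
}

looping_ports "$SAMPLE_RULES" "$SAMPLE_LOG"
```

On a live host, feed `unscoped_dnat` the output of `iptables-save -t nat` and `self_greeting_ports` the Postfix log instead of the samples.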

#9 (permalink)
02-18-2011, 05:59 AM
Junior Member
Posts: 9

Hi all,

I am still having the problem. I also installed zcs-7.0 on a plain virtual machine now. I set up the Split-DNS with DNSMasq before I installed Zimbra but it does not work as well. Still getting the "loops back to myself"-error.

Because I am really desperate, I am now willing to PAY 50 Euro for those of you who get my zimbra-server in the nat-vm to work. (Hope paying for support does not offend against any forums-rules).

I'll give you full admin-access to the vm and will show you the iptables I use to masquerade the traffic from the host to the vm.
Feel free to contact me with a PM, so we can talk about the details.

Great Regards,
fish

#10 (permalink)
02-21-2011, 10:03 AM
Elite Member
Posts: 285

I've seen this error on one of my servers too.
I had to log in to the admin console and fix some aliases.