[SOLVED] Domain rejects

[drwho18]

Ok, I have a lot of experience with sendmail, but the postfix/zimbra mta is all new to me. We have a mailfoundry appliance, and I've disabled anti-spam/anti-virus on the zimbra service (for load reasons). The mailfoundry auto-learns what domain to forward to smtp destination IP's that I specify for it, this worked fine with sendmail, however my zimbra/postfix is apparently not responding properly when the mailfoundry ask it if it host the domain, it appears to the mailfoundry that zimbra accepts the domain. The mailfoundry then adds the domain automatically to the smtp host, this is bad. Is there any way to change this behavior, so Zimbra only accepts mail for domains it actually host?

[uxbod]

By default ZCS will reject email for non-deliverable mail addresses. So, I reckon the issue is that your ZimbraMtaMyNetworks - Zimbra :: Wiki is allowing the invalid domain as a relayed one.

[drwho18]

Nope, that's not the case. What else could be causing Zimbra to think it host domains that it doesn't? It is rejecting plenty of mail.

zmprov getServer nfs.tc3net.com | grep zimbraMtaMyNetworks
zimbraMtaMyNetworks: 127.0.0.0/8 10.40.40.0/24 64.112.192.0/26 10.20.20.0/24 64.112.192.0/19

[drwho18]

Any help on this? I just got word back from the vendor of my mail appliance, they say the following.

"Make sure that your mail server is only accepting domains that it actually controls. One thing that can cause this behavior is if the mail server is setup in to trusting of a mode for other servers on its network and since the mailfoundry is on its network it may just be assuming anything attempted from the appliance should be valid and accepting it. I am not sure where that kind of setting would be on your mail server but I have seen this behavior before and it typically is just a minor permission change thats needed.

Auto domains will work correctly with any server that will give a correct 250 OK for domains it actually controls and a 550 denied for domains it does not. "

I do have the device set up as the zimbraDNSCheckHostname and zimbraMtaRelayHost, and it is also included in the networks I have specified for relay. With my previous sendmail system it was also part of an allowed relay network, it was also specified as a smarthost, and all my local domains were specified in sendmail.cw, I think I just need to figure out how all this works in postfix.

EDIT: Pretty much what you said UxBod, but I'm not sure how my previous sendmail setups worked fine when the mailfoundry was allowed to relay.

[drwho18]

Ok, I did some awkward subnetting with mynetworks to exclude the Mailfoundry MX device from being able to relay, and that appears to have resolved the Domain discovery issue between it and Zimbra.

[uxbod]

Cool At least it keeps your networking hand in Glad it is okay now though.

On a serious note can your front-end MTA now perform LDAP lookups ?

[drwho18]

I've not tried, the mailfoundry has an Exchange plugin feature which also says it does LDAP lookups, but I'm not familiar enough with the zimbra schema to know if it's a generic enough lookup to work. It does work with Exchange server customers that we have fine.

A typical Auth DN for Active Directory might look like CN=Auth E. User,CN=Users,DC=winserver,DC=mailfoundry,DC=com . A typical Search Base for Active Directory could be CN=Users,DC=winserver,DC=mailfoundry,DC=com.

Although I did a test with a valid address and it said it was successful, and it said an invalid one was invalid. It only works for my main Domain though, none of the aliased ones seem to work.