0

We have a mail server running Zimbra (ZCS 6.0.8). The server has 5 active public IP addresses in the same subnet (.226-.230). I currently have A records for each of these (host0.domain.com..host4.domain.com), with the main host.domain.com of the machine pointing to .226.

Our host has ended up being listed on the SORBS DUHL list (even though it's in a server farm). According to them you can get removed quickly by checking that your host has an MX record, an A record, and a PTR record that points back to the hostname given in the MX record.

I tried setting the PTR records so that each of these addresses resolved back to their A record (i.e. .228 had a PTR to host2.domain.com). However, I then got mail being rejected from other servers because when Postfix (under Zimbra control) sends out mail, it uses the main hostname for the HELO - there doesn't seem to be any way to override it. So the PTR records currently say host.domain.com for all 5 IP addresses.

What's the correct way to handle this? Should I have an A record for the domain that points to all the IP addresses (for round-robin handling)? I'm nervous of changes that could cause problems, so I'm wondering what the standard way to handle a multiple-IP-address mail server is.

David Fraser
  • It seems that the multiple-address thing is not an issue with SORBS; they've blocked the whole range and so should unblock it if demonstrated that one IP address is a valid mail server (unfortunately they've cached my old DNS and so their automatic exclusion tool is failing) – David Fraser Nov 29 '10 at 11:09
  • It also seems that HELO can now be configured: http://www.kutukupret.com/2010/01/02/postfix-bind-sender-domain-to-dedicated-outgoing-ip-address/ – David Fraser Nov 29 '10 at 11:12
  • That `HELO` setup requires `postfix-2.7-20091209`; ZCS is on `postfix-2.6.7.2z` – David Fraser Dec 01 '10 at 13:36
  • Ah, Zimbra 7.0b3 now contains `postfix-2.7.1.2z` - hopefully when the final 7.0 is released it will then support the `HELO` syntax – David Fraser Feb 02 '11 at 08:31

1 Answer

1

If there is no specific reason you want/need a service to listen to multiple addresses, it always makes troubleshooting a lot less complicated if you can decide on one address to bind to. This is a generally good practice, and especially true for protocols such as SMTP which may attempt to match reverse DNS lookups with source addresses at level 7.

Some suggestions:

  • Make the Postfix SMTP client part of Zimbra bind only to your "main" IP. Either edit `/opt/zimbra/postfix/conf/master.cf.in`, adding an address to the smtp line (see below), or set `inet_interfaces` using zmlocalconfig (but this doesn't work).

  • Verify that you have a corresponding A and PTR (no round-robin records or anything).

  • Verify that you have servername/hostname & mail domain name setup correctly in Zimbra. Best verified by sending a test email somewhere and then inspecting the mail headers.

  • Make sure you have restarted the corresponding daemons when necessary.

Here's the syntax for adjusting the smtp line:

```
smtp      unix  -       -       n       -       -       smtp
  -o smtp_bind_address=n.n.n.n
```

David Fraser
conny
  • Thanks; the SMTP client part could help us here. (All the A and PTR records are correct; there are no round-robin records). Listening on multiple addresses is not so much the problem as sending from multiple... the "smtp" line in master.cf.in specifies a listening service and so does `inet_interfaces`, but `smtp_bind_address` seems to be the right one for just adjusting client connections – David Fraser Nov 29 '10 at 11:08
  • Unfortunately setting `smtp_bind_address` seemed to prevent our server from delivering any mail at all; will need to investigate/try other options – David Fraser Nov 29 '10 at 14:53
  • 1
    Keep in mind that it's likely you still need to explicitly listen on `127.0.0.1` in addition to the one you intend binding on. Failing that will quite likely stop delivery (as well as look-prevention) from working. – conny Nov 29 '10 at 16:24
  • ..."loop-prevention" of course ;) – conny Nov 30 '10 at 02:42
  • conny - thanks that's interesting; however I still had `inet_interfaces` set to all; would adjusting `smtp_bind_address` cause a problem without explicitly setting `inet_addresses` to list the IP addresses? – David Fraser Nov 30 '10 at 10:05
  • 1
    I've now tested adjusting the smtp 465 and submission lines in master.cf.in; they result in the server listening on only one address, but the client still sends out from multiple addresses – David Fraser Feb 02 '11 at 08:46
  • 1
    Trying to set smtp_bind_address as an option on the outgoing smtp in master.cf.in worked! (It required restarting the whole of Zimbra, not just the mta) – David Fraser Feb 02 '11 at 08:57
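
The DNS side of this thread can be checked per outgoing address: does the PTR name resolve back to the same IP, and does it equal the HELO name? The following is an added example, not code from the question or the answer; the function names are hypothetical, the 192.0.2.x addresses and lookup tables are constructed stand-ins for the .226-.230 range, and only IPv4 is handled.

```python
import socket

def system_resolver():
    """Live lookups through the OS resolver (needs network access)."""
    def ptr(ip):
        try:
            return socket.gethostbyaddr(ip)[0]
        except OSError:
            return None
    def a(name):
        try:
            return set(socket.gethostbyname_ex(name)[2])
        except OSError:
            return set()
    return ptr, a

def table_resolver(ptr_table, a_table):
    """Offline lookups from constructed dictionaries."""
    return ptr_table.get, lambda name: set(a_table.get(name, ()))

def check_outbound(ips, helo, resolver):
    """Per source IP: a PTR exists, A(PTR) contains the IP, PTR equals HELO."""
    ptr, a = resolver
    report = {}
    for ip in ips:
        name, problems = ptr(ip), []
        if name is None:
            problems.append("no PTR")
        else:
            name = name.rstrip(".").lower()
            if ip not in a(name):
                problems.append("PTR name has no A record for this IP")
            if name != helo.lower():
                problems.append("PTR differs from HELO name")
        report[ip] = problems
    return report

# Constructed sample data (192.0.2.0/24 is a documentation range).
IPS = ["192.0.2.%d" % n for n in range(226, 231)]
HELO = "host.domain.com"
A_TABLE = {"host.domain.com": ["192.0.2.226"]}
A_TABLE.update({"host%d.domain.com" % i: [ip] for i, ip in enumerate(IPS)})
SAME_PTR = {ip: "host.domain.com" for ip in IPS}  # every PTR -> main name
PER_IP_PTR = {ip: "host%d.domain.com" % i for i, ip in enumerate(IPS)}

if __name__ == "__main__":
    for label, ptrs in (("same PTR", SAME_PTR), ("per-IP PTR", PER_IP_PTR)):
        res = check_outbound(IPS, HELO, table_resolver(ptrs, A_TABLE))
        for ip, problems in res.items():
            print(label, ip, problems or "ok")
```

With the constructed tables, only the single bound address passes both checks; pass `system_resolver()` instead of `table_resolver(...)` to run the same checks against real DNS.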