We've got a vServer running Zimbra and a web server, each of them having its own IP address.

1.1.1.11 - vServer, running:
-- 1.1.1.12/mx1.ipsum.com - Zimbra mail server
-- 1.1.1.13 - web server

Receiving e-mails is fine, but for a few weeks now Zimbra has been putting the vServer's IP address into the mail header instead of using the designated mail server IP:

Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=1.1.1.11; helo=mx1.ipsum.com; envelope-from=lorem@ipsum.com; receiver=dolor.sit@amit.com

This causes a HELO/reverse-DNS mismatch (the reverse DNS entry for 1.1.1.12 points to mx1.ipsum.com, but 1.1.1.11 points to vserver.ipsum.com). As a result, many mail servers reject mails sent from our server mx1.ipsum.com, i.e. saying "550 MAIL APPEARED TO BE SPAM OR FORGED. WRONG HELO AND DNS". So I would like to tell Zimbra to use the correct mail server IP 1.1.1.12. In the Zimbra admin panel, of course, the correct IP 1.1.1.12 is set.

I added these lines to /opt/zimbra/postfix/conf/main.cf:

inet_interfaces = 1.1.1.12, 127.0.0.1
smtp_bind_address = 1.1.1.12

Result: Sending as well as receiving stopped completely; all messages got queued. Here's what was logged in zimbra.log while this happened:

Sep 18 14:32:24 mx1 postfix/smtpd[11496]: connect from localhost.localdomain[127.0.0.1]
Sep 18 14:32:24 mx1 postfix/smtpd[11496]: NOQUEUE: filter: RCPT from localhost.localdomain[127.0.0.1]: <office@ipsum.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<office@ipsum.com> to=<vbn@gov.si> proto=ESMTP helo=<mx1.ipsum.com>
Sep 18 14:32:24 mx1 postfix/smtpd[11496]: 2549C197F8382: client=localhost.localdomain[127.0.0.1]
Sep 18 14:32:24 mx1 postfix/cleanup[11497]: 2549C197F8382: message-id=<1049454665.7423.1411043544059.JavaMail.zimbra@ipsum.com>
Sep 18 14:32:24 mx1 postfix/qmgr[7424]: 2549C197F8382: from=<office@ipsum.com>, size=3899, nrcpt=1 (queue active)
Sep 18 14:32:24 mx1 postfix/smtpd[11496]: disconnect from localhost.localdomain[127.0.0.1]
Sep 18 14:32:24 mx1 amavis[3400]: (!)DENIED ACCESS from IP 1.1.1.12, policy bank 'ORIGINATING'
Sep 18 14:32:43 mx1 postfix/submission/smtpd[11504]: connect from unknown[152.18.171.1]
Sep 18 14:32:45 mx1 postfix/submission/smtpd[11504]: Anonymous TLS connection established from unknown[152.18.171.1]: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
Sep 18 14:32:47 mx1 postfix/submission/smtpd[11504]: NOQUEUE: filter: RCPT from unknown[152.18.171.1]: <admin@ipsum.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<admin@ipsum.com> to=<dolor.sit@amit.com> proto=ESMTP helo=<[192.168.43.166]>
Sep 18 14:32:47 mx1 postfix/submission/smtpd[11504]: 57672197F8396: client=unknown[152.18.171.1], sasl_method=PLAIN, sasl_username=admin
Sep 18 14:32:48 mx1 postfix/cleanup[11497]: 57672197F8396: message-id=<541AD0EA.1040607@ipsum.com>
Sep 18 14:32:48 mx1 postfix/qmgr[7424]: 57672197F8396: from=<admin@ipsum.com>, size=570, nrcpt=1 (queue active)
Sep 18 14:32:48 mx1 postfix/smtp[10083]: 57672197F8396: to=<dolor.sit@amit.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=1.7, delays=1.7/0/0/0, dsn=4.4.2, status=deferred (lost connection with 127.0.0.1[127.0.0.1] while receiving the initial server greeting)
Sep 18 14:32:49 mx1 postfix/submission/smtpd[11504]: disconnect from unknown[152.18.171.1]
Sep 18 14:32:48 mx1 amavis[3400]: (!)DENIED ACCESS from IP 1.1.1.12, policy bank 'ORIGINATING'

I also tried adding

inet_interfaces = all

or just

smtp_bind_address = 1.1.1.12

without an inet_interfaces line. Same result, all mails get queued.

The SMTP banner and general settings seem to be all right according to mxtoolbox.com:

Connecting to 1.1.1.12

220 mx1.ipsum.com ESMTP Postfix [874 ms]
EHLO MXTB-PWS3.mxtoolbox.com
250-mx1.ipsum.com
250-PIPELINING
250-SIZE 16777216
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN [749 ms]
MAIL FROM: <supertool@mxtoolbox.com>
250 2.1.0 Ok [749 ms]
RCPT TO: <test@example.com>
554 5.7.1 <test@example.com>: Relay access denied [749 ms]

MXTB-PWS3v2 12184ms

Test MX record:

:~$ host -t mx ipsum.com
ipsum.com mail is handled by 10 mx1.ipsum.com.

Test ptr:

:~$ host mx1.ipsum.com
mx1.ipsum.com has address 1.1.1.12

Test rDNS:

:~$ host 1.1.1.12
1.1.1.12.in-addr.arpa domain name pointer mx1.ipsum.com.

Any suggestions on how to get Zimbra back on track using the 1.1.1.12 mail server IP instead of the vServer IP address?

user2092982
1 Answer

Here is the complete picture of your email flow:

Zimbra webmail -> postfix -> amavis -> postfix -> internet

Now, your email got stuck in the queue because amavisd rejects it. Why?

Some background

Amavisd in Zimbra uses a policy bank to control who can telnet to the amavisd daemon. When Zimbra initializes its configuration after installation, Zimbra synchronizes the config to amavisd and config.

* It tells postfix to submit email (for scanning) to amavisd with IP 1.1.1.11, and
* It tells amavisd to only accept email from IP 1.1.1.11.

So that's why amavisd rejected it. You changed smtp_bind_address in postfix, but you didn't change the policy bank setting in amavisd.conf.

Solution

Set the @mynetworks directive in /opt/zimbra/conf/amavisd.conf by adding IP 1.1.1.12/32. This tells the amavisd policy bank to accept email from 1.1.1.12.

masegaloeh
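
An added example, not part of the answer above or of Zimbra itself: a small log check that pulls the amavis "DENIED ACCESS" source IPs out of zimbra.log lines, tests them against a @mynetworks list, and collects the queue IDs deferred at the content filter on port 10026. The log sample is constructed in the format of the excerpt in the question, and the "before" network list is an assumption (only 1.1.1.11 comes from the answer).

```python
import ipaddress
import re

# Constructed sample in the format of the zimbra.log excerpt from the question.
SAMPLE_LOG = """\
Sep 18 14:32:24 mx1 amavis[3400]: (!)DENIED ACCESS from IP 1.1.1.12, policy bank 'ORIGINATING'
Sep 18 14:32:48 mx1 postfix/smtp[10083]: 57672197F8396: to=<dolor.sit@amit.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=1.7, delays=1.7/0/0/0, dsn=4.4.2, status=deferred (lost connection with 127.0.0.1[127.0.0.1] while receiving the initial server greeting)
Sep 18 14:32:48 mx1 amavis[3400]: (!)DENIED ACCESS from IP 1.1.1.12, policy bank 'ORIGINATING'
"""

# Assumed @mynetworks contents before the fix (hypothetical; read the real
# list from your own amavisd.conf). 1.1.1.11 is the address named in the answer.
MYNETWORKS_BEFORE = ["127.0.0.0/8", "1.1.1.11/32"]

DENIED = re.compile(
    r"amavis\[\d+\]: \(!\)DENIED ACCESS from IP ([0-9A-Fa-f.:]+), policy bank '([^']*)'")
DEFERRED = re.compile(
    r"postfix/smtp\[\d+\]: (\w+): .*relay=127\.0\.0\.1\[127\.0\.0\.1\]:10026,"
    r".*status=deferred")

def analyse(log_text, mynetworks):
    """Return denied source IPs, deferred queue IDs, and IPs missing from mynetworks."""
    nets = [ipaddress.ip_network(n, strict=False) for n in mynetworks]
    denied = {}     # source IP -> number of denials logged by amavis
    deferred = []   # queue IDs that postfix could not hand to amavis
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            denied[m.group(1)] = denied.get(m.group(1), 0) + 1
            continue
        m = DEFERRED.search(line)
        if m:
            deferred.append(m.group(1))
    # An IP is "missing" when amavis denied it and no configured network covers it.
    missing = sorted(ip for ip in denied
                     if not any(ipaddress.ip_address(ip) in n for n in nets))
    return {"denied": denied, "deferred": deferred, "missing": missing}

if __name__ == "__main__":
    report = analyse(SAMPLE_LOG, MYNETWORKS_BEFORE)
    for ip in report["missing"]:
        print(f"{ip} denied {report['denied'][ip]}x: add {ip}/32 to @mynetworks")
    print("deferred at content filter:", ", ".join(report["deferred"]) or "none")
```

An empty `missing` list after the change, together with no new deferrals to port 10026, indicates that the bind address and the amavisd access list agree again.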