
Thread: [SOLVED] Zimbra with NAT-FORWARD

  1. #11 (Nascimento): Made progress

    Now I have rebuilt the entire firewall using SNAT and DNAT instead of MASQUERADE (to prevent "wrong" packet headers from arriving at my server with my internal firewall address. Now everyone comes as THEY are. ;-) )

    BUT - yeap.. a catch.. again

    Still no INBOUND mail from the WORLD.
    No - the world is not my clients with OUTLOOK EXPRESS.. I MEAN - GOOGLE, HOTMAIL, and whatsoever other MTA.

    I've tested it:

    From OUTSIDE !

    telnet smtp.mydomain.com.br

    (waited a LOOONG time for initial presentation)
    220 smtp.mydomain.com.br ESMTP Postfix
    helo localhost - #just to test
    250 smtp.mydomain.com.br
    mail from:user@mydomain.com.br
    250 2.1.0 Ok
    rcpt to:consultoria@mydomain.com.br
    CONNECTION CLOSED BY FOREIGN HOST


    no "NO RELAY AUTHORIZED" error.. it just DROPS the connection like that?


    Am I missing something?
    Can I paste my firewall script here? (Of course, not the real IPs being used.)

  2. #12 (Nascimento)

    Quote Originally Posted by Nascimento:

    Still no INBOUND mail from the WORLD.
    No - the world is not my clients with OUTLOOK EXPRESS.. I MEAN - GOOGLE, HOTMAIL, and whatsoever other MTA.
    Forgot to say that: if I put my VALID IP RANGE in the trusted hosts, or ONLY my firewall IP in the trusted hosts - I do receive INBOUND and INTERNAL emails normally - everything OKAY. Just one thing - that causes my SMTP to accept it and behave as an OPEN RELAY again.. .-.-

    Lol.. what a fight, huh?
    Man - I need to learn more about Zimbra. I know that - sorry guys.

  3. #13 phoenix (Zimbra Consultant & Moderator, Vannes, France)

    Quote Originally Posted by Nascimento:
    Forgot to say that: if I put my VALID IP RANGE in the trusted hosts, or ONLY my firewall IP in the trusted hosts - I do receive INBOUND and INTERNAL emails normally - everything OKAY. Just one thing - that causes my SMTP to accept it and behave as an OPEN RELAY again.. .-.-

    Lol.. what a fight, huh?
    Man - I need to learn more about Zimbra. I know that - sorry guys.
    This isn't a Zimbra problem, I believe it's caused by the firewall. You can certainly post your firewall rules and I'll have a look but, as I said earlier, I'm not an expert with iptables.
    Regards


    Bill



  4. #14 (Nascimento)

    #!/bin/sh
    # FIREWALL EXTERNAL IP = 200.78.75.165/32

    INT_LAN=192.168.0.0/24   # full dotted quad, same form as the POSTROUTING rule below
    EXT_LAN=200.78.75.0/24
    EXT_IFACE=eth1
    INT_IFACE=eth0

    # Start from empty tables so re-running the script does not duplicate rules
    iptables -F
    iptables -t nat -F

    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP

    # Traffic addressed to the firewall itself
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p udp --dport 53 -j ACCEPT
    iptables -A INPUT -p tcp --dport 53 -j ACCEPT
    iptables -A INPUT -p tcp --dport 21 -j ACCEPT
    iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
    iptables -A INPUT -p tcp -s $INT_LAN --dport 10000 -j ACCEPT
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp -s $INT_LAN -j ACCEPT

    # Routed traffic between the LAN and the world (requires net.ipv4.ip_forward=1)
    iptables -A FORWARD -i lo -j ACCEPT
    iptables -A FORWARD -s $INT_LAN -d 0.0.0.0/0 -j ACCEPT
    iptables -A FORWARD -s 0.0.0.0/0 -d $INT_LAN -j ACCEPT

    # M.T.A Firewall OUTPUT: connections the firewall itself makes to its public IP
    # are redirected to the Zimbra host
    iptables -t nat -A OUTPUT -p tcp -d 200.78.75.165 --dport 25 -j DNAT --to 192.168.0.49:25
    iptables -t nat -A OUTPUT -p tcp -d 200.78.75.165 --dport 80 -j DNAT --to 192.168.0.49:80
    iptables -t nat -A OUTPUT -p tcp -d 200.78.75.165 --dport 110 -j DNAT --to 192.168.0.49:110
    iptables -t nat -A OUTPUT -p tcp -d 200.78.75.165 --dport 143 -j DNAT --to 192.168.0.49:143
    iptables -t nat -A OUTPUT -p tcp -d 200.78.75.165 --dport 465 -j DNAT --to 192.168.0.49:465
    iptables -t nat -A OUTPUT -p tcp -d 200.78.75.165 --dport 993 -j DNAT --to 192.168.0.49:993
    iptables -t nat -A OUTPUT -p tcp -d 200.78.75.165 --dport 995 -j DNAT --to 192.168.0.49:995
    iptables -t nat -A OUTPUT -p tcp -d 200.78.75.165 --dport 7025 -j DNAT --to 192.168.0.49:7025

    # - M.T.A Zimbra = 192.168.0.49
    # Inbound DNAT: world -> public IP -> Zimbra. No SNAT is applied to these connections,
    # so Zimbra sees the real client address and its trusted-network list stays meaningful
    iptables -t nat -A PREROUTING -p tcp -d 200.78.75.165 --dport 25 -j DNAT --to 192.168.0.49:25
    iptables -t nat -A PREROUTING -p tcp -d 200.78.75.165 --dport 80 -j DNAT --to 192.168.0.49:80
    iptables -t nat -A PREROUTING -p tcp -d 200.78.75.165 --dport 110 -j DNAT --to 192.168.0.49:110
    iptables -t nat -A PREROUTING -p tcp -d 200.78.75.165 --dport 143 -j DNAT --to 192.168.0.49:143
    iptables -t nat -A PREROUTING -p tcp -d 200.78.75.165 --dport 465 -j DNAT --to 192.168.0.49:465
    iptables -t nat -A PREROUTING -p tcp -d 200.78.75.165 --dport 993 -j DNAT --to 192.168.0.49:993
    iptables -t nat -A PREROUTING -p tcp -d 200.78.75.165 --dport 995 -j DNAT --to 192.168.0.49:995
    iptables -t nat -A PREROUTING -p tcp -d 200.78.75.165 --dport 7025 -j DNAT --to 192.168.0.49:7025

    # Outbound SNAT for the whole LAN, Zimbra included
    iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j SNAT --to-source 200.78.75.165

    # The per-port rules below are never reached: the rule above already matches every
    # packet from 192.168.0.0/24, and nat rules only see the first packet of a connection
    iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.49 --sport 25 -j SNAT --to 200.78.75.165:25
    iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.49 --sport 80 -j SNAT --to 200.78.75.165:80
    iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.49 --sport 110 -j SNAT --to 200.78.75.165:110
    iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.49 --sport 143 -j SNAT --to 200.78.75.165:143
    iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.49 --sport 465 -j SNAT --to 200.78.75.165:465
    iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.49 --sport 995 -j SNAT --to 200.78.75.165:995
    iptables -t nat -A POSTROUTING -p tcp -s 192.168.0.49 --sport 7025 -j SNAT --to 200.78.75.165:7025



    -------

    Any ideas about what I am forgetting to do? These are the relevant rules that affect my MTA-over-NAT behavior.

    Thanks for the help!


    Nascimento
    Last edited by Nascimento; 02-02-2010 at 07:55 AM.

  5. #15 (Nascimento): Some other tests

    Guys, I think the problem is at the Zimbra MTA server -

    I have installed Zimbra on my NOTEBOOK (don't laugh) and tested it behind my firewall under the SAME conditions - and IT WORKS PERFECTLY.

    As I've told before, this MTA is running on Gentoo Linux, inside a Debian 4 chroot.

    I don't know what the old sysadmin had to do (ruin) in Zimbra to make that work - but I'm going to buy a new machine and re-install all Zimbra services on it - carrying over only the accounts and e-mail backups.

    Starting over seems the more reliable choice - because this client is suffering too much with that problem.

    Things that made me choose that:

    - Zimbra only sends mail if I put the firewall's internal IP in the trusted network behind a MASQUERADE - so ALL inbound connections hit me with the firewall's INTERNAL IP - making Zimbra behave as an OPEN RELAY for an IPTABLES MASQUERADE.

    - When iptables uses SNAT and DNAT - all inbound connections receive a RESET in the middle of the transaction:

    telnet smtp.mydomain.com.br
    SMTP ... OK
    mail from:test@mydomain.com.br
    SMTP OK
    rcpt to:existing_user@mydomain.com.br
    CONNECTION CLOSED BY FOREIGN HOST

    And on the Zimbra side, tcpdump shows a reset on all inbound connections.

    - Making a DIFF between the main Zimbra files of the same version, there are a LOT of modifications made by hand.

    All of that could be avoided if people just read the documentation located at the Zimbra main site.

    Well - I'm closing this post and suggest to newcomers that they do not try to make it work at "any cost" in their favorite GNU/Linux flavour - 'cause any cost could be really too much.

    Thank you all for the help!
    ------------------------------

    Very grateful,


    Daniel Nascimento
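A scripted version of the telnet test used in this thread, added here as an example (not the poster's code and not part of Zimbra): it records, per SMTP command, whether the MTA answered with a reply code, closed the session, or reset it, which separates a Postfix policy rejection (a 5xx at RCPT TO) from a drop somewhere on the network path. The host names are placeholders, and broken_mta is a constructed local stand-in that reproduces the hang-up seen in the thread.

```python
import socket
import threading

def read_reply(f):
    """Return the 3-digit code of one (possibly multi-line) SMTP reply, or None at EOF."""
    while True:
        line = f.readline()
        if not line:
            return None
        if line[3:4] != b"-":          # "250-..." continues, "250 ..." ends the reply
            return line[:3].decode("ascii", "replace")

def smtp_probe(host, port=25, sender="test@example.invalid",
               rcpt="postmaster@example.invalid", timeout=30):
    """Send EHLO, MAIL FROM, RCPT TO and QUIT one at a time and record, per step,
    the reply code, 'CLOSED' (peer sent FIN) or 'RESET' (RST from peer or a middlebox)."""
    results = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        results.append(("banner", read_reply(f)))
        for cmd in ("EHLO probe.example", "MAIL FROM:<%s>" % sender,
                    "RCPT TO:<%s>" % rcpt, "QUIT"):
            try:
                sock.sendall(cmd.encode() + b"\r\n")
                code = read_reply(f)
            except OSError:            # ECONNRESET etc.
                code = "RESET"
            results.append((cmd.split()[0], code or "CLOSED"))
            if code in (None, "RESET"):
                break
    return results

def broken_mta():
    """Constructed stand-in for the MTA in this thread: answers until RCPT TO, then
    hangs up. Serves one client on a daemon thread; returns the listening port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as f:
            conn.sendall(b"220 smtp.example.invalid ESMTP Postfix\r\n")
            for line in f:
                if line.upper().startswith(b"RCPT"):
                    break              # drop the session mid-transaction, as observed
                conn.sendall(b"250 2.1.0 Ok\r\n")
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Run smtp_probe against the public MX name from outside the firewall; a genuine relay refusal shows up as a 5xx code on the RCPT step, whereas "CLOSED" or "RESET" there means the session was torn down without any SMTP reply.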
