Hi everyone.

I had a little problem a while back with a misconfiguration that made Zimbra an OPEN RELAY, and now I have stumbled into it again:

First of all, my firewall is doing NAT for Zimbra, like this:

external.ip.160 --> firewall | forward port 25 --> 192.168.0.4 (zimbra LAN ip)

My SMTP resolves to my external.ip.160 with all MX records - everything is okay with my DNS.

I have some doubts about forwarding port 25:

When the WORLD tries to send an e-mail to my server, if I don't put my FIREWALL internal IP (e.g. 192.168.0.1 - remember that Zimbra is 192.168.0.4!) into the trusted networks, the WORLD can't send me e-mails.

Well, I've checked the logs and everything hits my server as the internal IP of the firewall.

Is this a "NAT job" going wrong? Because it was supposed to hit with external.ip.160 (firewall external forwarding port 25 to internal Zimbra server).

Pasting my relevant firewall rules:

my.external.ip.160 --> ip on eth0 - FIREWALL
192.168.0.1 --> ip on eth1 - FIREWALL
192.168.0.4 --> zimbra MTA ip

EXT=eth0 #external iface
INT=eth1 #internal iface

iptables -t nat -A PREROUTING -p tcp -i $EXT -d my.external.ip.160 --dport 25 -j DNAT --to 192.168.0.4:25
iptables -t nat -A PREROUTING -p tcp -i $EXT -d my.external.ip.160 --dport 80 -j DNAT --to 192.168.0.4:80
iptables -t nat -A PREROUTING -p tcp -i $EXT -d my.external.ip.160 --dport 110 -j DNAT --to 192.168.0.4:110
iptables -t nat -A PREROUTING -p tcp -i $EXT -d my.external.ip.160 --dport 143 -j DNAT --to 192.168.0.4:143
iptables -t nat -A PREROUTING -p tcp -i $EXT -d my.external.ip.160 --dport 465 -j DNAT --to 192.168.0.4:465
iptables -t nat -A PREROUTING -p tcp -i $EXT -d my.external.ip.160 --dport 993 -j DNAT --to 192.168.0.4:993
iptables -t nat -A PREROUTING -p tcp -i $EXT -d my.external.ip.160 --dport 995 -j DNAT --to 192.168.0.4:995
iptables -t nat -A PREROUTING -p tcp -i $EXT -d my.external.ip.160 --dport 7025 -j DNAT --to 192.168.0.4:7025

and some rules so the FIREWALL itself can connect to the Zimbra services.

iptables -t nat -A OUTPUT -p tcp -d my.external.ip.160 --dport 25 -j DNAT --to 192.168.0.4:25
iptables -t nat -A OUTPUT -p tcp -d my.external.ip.160 --dport 80 -j DNAT --to 192.168.0.4:80
iptables -t nat -A OUTPUT -p tcp -d my.external.ip.160 --dport 110 -j DNAT --to 192.168.0.4:110
iptables -t nat -A OUTPUT -p tcp -d my.external.ip.160 --dport 143 -j DNAT --to 192.168.0.4:143
iptables -t nat -A OUTPUT -p tcp -d my.external.ip.160 --dport 465 -j DNAT --to 192.168.0.4:465
iptables -t nat -A OUTPUT -p tcp -d my.external.ip.160 --dport 993 -j DNAT --to 192.168.0.4:993
iptables -t nat -A OUTPUT -p tcp -d my.external.ip.160 --dport 995 -j DNAT --to 192.168.0.4:995
iptables -t nat -A OUTPUT -p tcp -d my.external.ip.160 --dport 7025 -j DNAT --to 192.168.0.4:7025


and of course, my POSTROUTING is working perfectly. No problems with that.

But how is it that, when I close the "trusted networks" down to only '127.0.0.1 192.168.0.4/32', my MTA stops receiving email? - no problem sending it.

Well - no log to show, because no email arrives. Only if I put the firewall internal IP (192.168.0.1) into the trusted networks does it work, and with that I open my relay again and go through that nightmare all night long... .-.-'

Please... help?
Do I have to set up a bridge or something, to get only valid IP addresses into my MTA?

Thanks for the help!!!

Daniel Nascimento
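An added diagnostic example, not code from the original post: the symptom described above (every inbound SMTP connection arriving from 192.168.0.1) is what a DNAT rule alone cannot produce, since DNAT only rewrites the destination; it is the signature of a POSTROUTING MASQUERADE or SNAT rule that also applies to traffic leaving the internal interface toward the MTA. Once the MTA sees all senders as the firewall, listing the firewall in the trusted networks makes every outside sender trusted, which is exactly the open relay. The script below scans an `iptables-save` nat dump for source-rewriting rules that are not limited to the external interface and shows how a scoped version would read. The rule set, the `203.0.113.160` address and the `find_overbroad_snat` / `scope_snat_to_external` function names are constructed for this example and are assumptions, not the poster's actual configuration.

```shell
#!/bin/sh
# Added example: find POSTROUTING MASQUERADE/SNAT rules in an iptables-save dump
# that are not restricted to the external interface. Such rules rewrite the
# source of DNATed inbound mail to the firewall's internal address, so the MTA
# sees the firewall instead of the real sender.

EXT=eth0   # external interface, as named in the post

# Constructed sample dump (not the poster's real rules). The first POSTROUTING
# rule is the over-broad one: it masquerades traffic on every interface,
# including packets forwarded to 192.168.0.4 on the LAN side.
SAMPLE_NAT_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -d 203.0.113.160 -p tcp --dport 25 -j DNAT --to-destination 192.168.0.4:25
-A POSTROUTING -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Print POSTROUTING rules that rewrite the source address (MASQUERADE/SNAT)
# and do not carry "-o $EXT"; prints nothing when the dump is clean.
find_overbroad_snat() {
    printf '%s\n' "$1" \
        | grep -E '^-A POSTROUTING .*-j (MASQUERADE|SNAT)' \
        | grep -v -E -e "-o $EXT( |\$)" || true
}

# Number of over-broad source NAT rules in the dump (0 when clean).
count_overbroad_snat() {
    n=$(find_overbroad_snat "$1" | grep -c .) || true
    printf '%s\n' "$n"
}

# Rewrite the dump so every POSTROUTING MASQUERADE/SNAT rule without an
# output-interface match is limited to the external interface. Inbound
# connections DNATed to the MTA then keep the sender's address, and the
# firewall's internal IP no longer needs to be a trusted network.
scope_snat_to_external() {
    printf '%s\n' "$1" \
        | sed -E "/^-A POSTROUTING /{/ -o [^ ]+ /!s/-j (MASQUERADE|SNAT)/-o $EXT -j \\1/;}"
}

echo "Over-broad source NAT rules in the sample:"
find_overbroad_snat "$SAMPLE_NAT_RULES"
echo
echo "Sample with source NAT scoped to $EXT:"
scope_snat_to_external "$SAMPLE_NAT_RULES"
```

On a real firewall the input would come from `iptables-save -t nat` rather than the embedded sample. A quick confirmation after the change is that the MTA's log shows connections from the senders' public addresses instead of 192.168.0.1, at which point the trusted networks can stay at the loopback and the MTA's own address.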