
Thread: [SOLVED] Inbound TLS not working

  1. #11
    Join Date
    Sep 2006
    Location
    477 Congress Street | Portland, ME 04101
    Posts
    1,374
    Rep Power
    11

    Hi Scott,

    Sorry for the confusion!

    The sequence of commands I posted essentially replicates interactively how mail servers talk to each other without using TLS.

    Since I can't explain the differing HELO greet strings, I want to see if non-TLS mail sent to the outside IP actually gets to your Zimbra system.

    Just based on what I see (the greet string differences), I suspect the mail system answering on the outside IP is not your Zimbra system.

    Further, since TLS tends either to work or not, it just seems unusual that TLS would work for you on one IP but not on another -- especially when that "other" IP's mail system HELOs with a totally different greet string.

    IOW, something is wonky and before we go messing around, perhaps needlessly, with your nice shiny Zimbra server, let's make absolutely sure the surrounding network configuration is 100% correct.

    S'OK?

    All the best,
    Mark

  2. #12
    Join Date
    Nov 2009
    Posts
    25
    Rep Power
    6

    Quote Originally Posted by skot999 View Post
    Hi Mark - do you mean to make an exception so you can telnet into my zimbra server from yours? (Sorry, I'm new to mail server administration).

    Is there another way I could try this?

    Everything looks fine when I do this from an outside trusted source:
    telnet 'public ip' 587
    Ok, gotchya. What email address can I use: MAIL FROM: XXXXXX

    Thanks!

  3. #13
    Join Date
    Nov 2009
    Posts
    25
    Rep Power
    6

    Quote Originally Posted by skot999 View Post
    Ok, gotchya. What email address can I use: MAIL FROM: XXXXXX

    Thanks!
    Alright - I was able to send the message successfully....

  4. #14
    Join Date
    Nov 2009
    Posts
    25
    Rep Power
    6

    I'm not sure if this helps but when I connect to telnet 'outside ip' 587 and try to do the same thing...


    220 mail.my_zimbra_domain.com ESMTP Postfix
    HELO reliablenetworks.com
    250 mail.my_zimbra_domain.com
    MAIL FROM: xxxxxx@reliablenetworks.com
    250 2.1.0 Ok
    RCPT TO:sgendron@my_zimbra_domain.com
    554 5.7.1 [<sender ip here]>: Client host rejected: Access denied


    The 'sender ip' being a public ip allowed through the firewall. Sooo, why can I send a test email when I connect to telnet 25, but not 587?

  5. #15
    Join Date
    Nov 2009
    Posts
    25
    Rep Power
    6

    Quote Originally Posted by skot999 View Post
    I'm not sure if this helps but when I connect to telnet 'outside ip' 587 and try to do the same thing...


    220 mail.my_zimbra_domain.com ESMTP Postfix
    HELO reliablenetworks.com
    250 mail.my_zimbra_domain.com
    MAIL FROM: xxxxxx@reliablenetworks.com
    250 2.1.0 Ok
    RCPT TO:sgendron@my_zimbra_domain.com
    554 5.7.1 [<sender ip here]>: Client host rejected: Access denied


    The 'sender ip' being a public ip allowed through the firewall. Sooo, why can I send a test email when I connect to telnet 25, but not 587?
    Ok, some progress here... I disabled SMTP inspection on my firewall... and now have the same greeting when telnet 25:

    220 mail.my_zimbra_domain.com ESMTP Postfix

    Mail messages are now coming through ESMTP... still no TLS though.

  6. #16
    Join Date
    Sep 2006
    Location
    477 Congress Street | Portland, ME 04101
    Posts
    1,374
    Rep Power
    11

    If turning off SMTP fixup on your (Cisco?) firewall "fixed" the HELO, I'd suggest a careful review of your firewall rules as the next step to getting TLS to work on the outside IP.

    Hope that helps,
    Mark

  7. #17
    Join Date
    Nov 2009
    Posts
    25
    Rep Power
    6

    Quote Originally Posted by LMStone View Post
    If turning off SMTP fixup on your (Cisco?) firewall "fixed" the HELO, I'd suggest a careful review of your firewall rules as the next step to getting TLS to work on the outside IP.

    Hope that helps,
    Mark
    Thanks for your help Mark - I disabled SMTP inspection, and this allowed TLS to pass. As soon as it was disabled, I saw the same HELO greet from the outside. However, I couldn't tell that TLS was working because by default postfix will not write the TLS info in the header. You have to make a small modification to the main.cf config file for TLS to be actually written in the header. Sooo, looks like I'm all set now. Thank you for your help!
    Scott

  8. #18
    Join Date
    Sep 2006
    Location
    477 Congress Street | Portland, ME 04101
    Posts
    1,374
    Rep Power
    11

    Glad it's all working for you now; marking this thread solved.

    In hindsight, I should have asked about SMTP fixup sooner once I suspected a firewall/routing issue, but in years past it was so horribly broken that few admins use it anymore, especially since there are more efficient anti-spam solutions out there now.

    All the best,
    Mark
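
The check this thread converged on, comparing what the server says directly with what arrives through the firewall, as an added example that is not part of the original posts. It parses the server side of an EHLO session (STARTTLS is only advertised in reply to EHLO, not the HELO used above); the sample transcripts, the host name `mail.example.test` and the masked forms of the banner and keyword are constructed assumptions about what an inspecting firewall leaves behind.

```python
import re

# Constructed sample server replies (not captured from the systems in this thread).
# INSIDE: Postfix answering directly. OUTSIDE: the same server reached through a
# firewall whose SMTP inspection masks the banner and the STARTTLS keyword.
INSIDE = """220 mail.example.test ESMTP Postfix
250-mail.example.test
250-PIPELINING
250-STARTTLS
250 8BITMIME"""
OUTSIDE = """220 ***************************
250-mail.example.test
250-PIPELINING
250-XXXXXXXA
250 8BITMIME"""

def parse_session(text):
    """Return (banner, EHLO keywords) from the server side of a transcript."""
    banner, replies = None, []
    for line in text.splitlines():
        m = re.match(r"(\d{3})[ -](.*)", line.strip())
        if not m:
            continue
        if m.group(1) == "220" and banner is None:
            banner = m.group(2)
        elif m.group(1) == "250":
            replies.append(m.group(2))
    # The first 250 line is the server's greeting name, not a keyword.
    keywords = {r.split()[0].upper() for r in replies[1:] if r.strip()}
    return banner, keywords

def diagnose(text):
    """List signs that something between client and server rewrote the session."""
    banner, keywords = parse_session(text)
    findings = []
    if banner is None:
        findings.append("no 220 banner")
    elif banner.count("*") > len(banner) / 2:
        findings.append("banner masked")
    if "STARTTLS" not in keywords:
        findings.append("STARTTLS not advertised")
    if any(re.fullmatch(r"X{3,}A?", k) for k in keywords):
        findings.append("keyword overwritten in transit")
    return findings

def compare_paths(inside, outside):
    """Keywords the server offers directly that are missing via the other path."""
    return sorted(parse_session(inside)[1] - parse_session(outside)[1])

if __name__ == "__main__":
    print(diagnose(OUTSIDE), compare_paths(INSIDE, OUTSIDE))
```
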
