Thread: [SOLVED] Split DNS - Firewall - Loops back to myself

  1. #1

    [SOLVED] Split DNS - Firewall - Loops back to myself

    I am having trouble setting up the split DNS - Zimbra behind a firewall configuration.

    Problem = All outgoing email errors - domain loops back to myself.

    I have tried to follow the WIKI on split DNS and various posts on this - but still no luck.

    I have a CentOS 5.3 Firewall box - basic loaded with Webmin.

    Right now the Firewall only forwards ports 25 and 7025 to the Zimbra server.

    I have a CentOS 5.3 Zimbra Server (open source version)

    I am able to receive email to the domain without a problem.

    DNS settings at godaddy:
    Point to firewall external IP
    MX record points to mail.domain.net

    firewall FQDN:
    firewall.domain.net

    Zimbra server FQDN:
    mail.domain.net

    The firewall DNS has no entries for the Zimbra server, just the default DNS config; there are no entries in the HOSTS file for the Zimbra server, and the resolv file points to the two external DNS servers from my ISP.

    Zimbra server:

    The Resolv.conf file on the Zimbra server points to itself for resolution then the firewall server.

    Host file:
    has just the three lines:
    search mail.domain.net (local host FQDN)
    127.0.0.1
    10.1.1.55 mail.domain.net mail

    Has CentOS default DNS configuration with one additional record for the Zimbra server:

    @ IN SOA mail.domain.net. admin.domain.net.
    serial, refresh.....
    @ IN NS mail.domain.net.
    IN MX 10 mail.domain.net.
    IN A 10.1.1.55
    mail.domain.net. IN A 10.1.1.55


    Zimbra settings:

    MTA - have tried localhost, mail.domain.net, 127.0.0.1 - with and without DNS lookup. In no combination have I been able to send out email.

    Anyone have some suggestions?

  2. #2

    OK, a couple of things I notice right off the bat.

    The Resolv.conf file on the Zimbra server points to itself for resolution then the firewall server.
    You do realize that with this setup your firewall will only come into play for name resolution when DNS is not running on your Zimbra server. Not sure this is what you want. Make sure you have the forwarders option in the named.conf on your Zimbra server.

    Host file:
    has just the three lines:
    search mail.domain.net (local host FQDN)
    127.0.0.1
    10.1.1.55 mail.domain.net mail
    The search line goes in the /etc/resolv.conf, not /etc/hosts. If you do move it to the resolv.conf file you probably want it to read "search domain.net". Also the 127.0.0.1 line should include something like "localhost.localdomain localhost"

    From your Zimbra server can you ping/lookup other domains?

  3. #3

    Thanks for your reply.....

    Sorry, mistyped: the search entry is in the resolv file:
    search mail.domain.net (FQDN of the Zimbra server)

    The 127.0.0.1 is correct:
    127.0.0.1 localhost.localdomain localhost

    As for the resolv.conf on the Zimbra server - what should it be? I thought it should point to itself and then to the firewall.

    From the Zimbra server I can both ping and resolve other domain names.
    I can also telnet:
    telnet mail.externaldomain.com 25

    and send a helo message.

    Anything else you would need to know?

    Lee

  4. #4

    I have forwarders on the Zimbra server pointing to the Firewall internal IP address -- is this the problem? What should the forwarders point to?

    Lee

  5. #5

    As for the resolv.conf on the Zimbra server - what should it be? I thought it should point to itself and then to the firewall.
    This isn't necessarily wrong, but I don't think it is what you want. The server entries in the resolv.conf are read in succession. If you are doing name resolution and the first server in the list is listening for requests then it will never drop to the second server in the list, even if the first server doesn't know how to resolve the request.

    I have forwarders on the Zimbra server pointing to the Firewall internal IP address -- is this the problem? What should the forwarders point to?
    The forwarders should point to whatever server you use for name resolution outside of your network.

    If you can ping, telnet, and resolve to other domains from your Zimbra server then DNS might not be the issue. What are you seeing in your logs when you get a failure?

  6. #6

    Error shows:
    Before the error, it appears the email is being sent out via 127.0.0.1, because that is what the log shows (relay=127.0.0.1); it passed through the virus checks and so on using 127.0.0.1.

    Warning, remote host (externaldomain.com xxx.xxx.xxx.xxx) greeted me with my own host name mail.domain.net ..... then it says error: externaldomain.com loops back to myself.

    It is like the MTA (Postfix) resolves all external domains to the local MTA, localhost or server?????

    Also, in this setup what should the settings under MTA be? I have tried 127.0.0.1, FQDN, localhost... ?????

  7. #7

    One last thing I see here at the end of the messages:

    disconnect from unknown[10.1.1.98]

    That is the LAN IP of the firewall server!!!

    This is key, isn't it?? Just don't know how to fix it.. LOL
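    The two checks behind the "greeted me with my own hostname" and "loops back to myself" messages quoted in posts #6 and #7, modelled in Python as an added example (not from the thread, Zimbra or Postfix). The 10.1.1.55 and mail.domain.net values come from the thread; the resolver views, the 203.0.113.25 address and the SMTP banners are constructed.

```python
import re

# What the Zimbra MTA believes about itself (10.1.1.55 / mail.domain.net are
# the thread's values; the rest of this file is constructed).
MY_HOSTNAME = "mail.domain.net"
MY_INTERFACES = {"127.0.0.1", "10.1.1.55"}                       # inet_interfaces
MY_DESTINATIONS = {"mail.domain.net", "domain.net", "localhost"}  # mydestination

# Constructed internal view once split DNS is right: our own domain resolves to
# the LAN address, the outside MX host to its real (documentation-range) address.
SPLIT_VIEW = {
    "domain.net": {"MX": ["10 mail.domain.net"], "A": ["10.1.1.55"]},
    "mail.domain.net": {"A": ["10.1.1.55"]},
    "externaldomain.com": {"MX": ["10 mx.externaldomain.com"]},
    "mx.externaldomain.com": {"A": ["203.0.113.25"]},
}
# Constructed broken view: the outside MX host answers with our own address.
BROKEN_VIEW = {**SPLIT_VIEW, "mx.externaldomain.com": {"A": ["10.1.1.55"]}}


def mx_target_addresses(domain, view):
    """A records of the domain's MX hosts; fall back to the domain's own A."""
    mx = view.get(domain, {}).get("MX")
    hosts = [rr.split()[1] for rr in mx] if mx else [domain]
    return {ip for h in hosts for ip in view.get(h, {}).get("A", [])}


def address_loop(domain, view, interfaces=MY_INTERFACES, local=MY_DESTINATIONS):
    """Address-side check: a domain we do not accept locally whose MX resolves
    to one of our own interfaces loops back (the split-DNS mistake)."""
    if domain in local:
        return False
    return any(ip in interfaces for ip in mx_target_addresses(domain, view))


def banner_loop(banner, my_hostname=MY_HOSTNAME):
    """Connection-side check: the remote 220 greeting names our own host, so the
    connection came back to us (the thread's case: a port-25 forward looping)."""
    m = re.match(r"220[ -](\S+)", banner)
    return bool(m) and m.group(1).lower().rstrip(".") == my_hostname.lower()


def diagnose(domain, view, banner):
    """Return the first loop condition found, or 'ok'."""
    if address_loop(domain, view):
        return "address-loop: MX of %s resolves to one of my interfaces" % domain
    if banner_loop(banner):
        return "banner-loop: remote greeted me with my own hostname"
    return "ok"
```

    With the thread's symptoms, `diagnose("externaldomain.com", SPLIT_VIEW, "220 mail.domain.net ESMTP Postfix")` reports the banner loop even though DNS is fine, which is why the fix was on the firewall rather than in named.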

  8. #8

    Not sure, but this is beginning to sound like a firewall issue to me. Can you explain your firewall setup a bit more? Does it allow all outgoing traffic?

  9. #9

    Thanks for all your help... yes, it was a firewall issue. I had set up the LAN side on our normal network. Even though the Zimbra box was using the test firewall box as its gateway and DNS, our regular network setup was messing it up. I changed the firewall box and Zimbra server to be on their own LAN network, then set up the split DNS per the WIKI - bam, a couple of reboots later and it was working perfectly. I am still puzzled how our other firewall was messing up the Zimbra box, if it was all pointing to the other firewall.. What I think is that when I first installed CentOS on the Zimbra box, it was a DHCP client by default of course, and I then installed Zimbra.. then I went back and changed all the IP settings to static and the gateway to the test firewall. Appears that was a major error. I didn't actually have to re-install Zimbra to get it working, but I would warn folks wanting to set up a test - do so in a clean environment.

    Thanks again for all your help - I did use your information to figure out how to get it all running.

    Lee

  10. #10

    Glad you got it all worked out. I'll mark this thread as solved. Post back if you have more issues.

    John
