ZimbraMtaMyNetworks

From Zimbra :: Wiki

Jump to: navigation, search

Contents

Enabling Mail Submission/Relaying from Remote Networks

What is the problem

The default postfix configuration allows relaying only for the local networkNote 1, but you can configure postfix to allow relaying unconditionally for arbitrary hosts or networks.

When you want to do this

  • You would like to allow machines that are not on the local network to send mail through the zimbra server
  • You are observing "Relay Access Denied" errors in the MTA log (/var/log/zimbra.log) for hosts or subnets that you trust for relaying.
  • You are observing "Relay Access Denied" errors in the MTA log (/var/log/zimbra.log) for the zimbra server itself.

Checking the current configuration

Note: For the examples here, we will assume the hostname of the zimbra server is "zimbra.example.com" with an IP address of 10.10.130.10.

Get the current value from postconf:

# su - zimbra
$ postconf mynetworks
mynetworks = 127.0.0.0/8 10.10.130.0/23 

This shows that postfix will relay for all machines with 10.10.130.x and 10.10.131.x IP addresses.

Check next whether this is set in the server configuration in the zimbra ldap:

zmprov gs zimbra.example.com zimbraMtaMyNetworks

Up until at least ZCS 4.5.5, this is unset by default; in a future release, this will probably be set. If set, this value will propagate to postconf's mynetworks when the MTA is restarted.

Examples

Note: For the examples here, we will assume the hostname of the zimbra server is "zimbra.example.com" with an IP address of 10.10.130.10.

Note: Make sure that the localhost "127.0.0.0/8" network is included.

Making sure the LAN interface of the zimbra server itself is allowed

If you see lines like this one in /var/log/zimbra.log when a webmail user (for example, "user@example.com") tries to send mail (for example, to "somebody@domain.com"):

Jun 28 06:39:23 zimbra postfix/smtpd[31788]: NOQUEUE: reject: 
RCPT from zimbra.example.com[10.10.130.10]: 554 <somebody@domain.com>: 
Relay access denied; from=<user@example.com> to=<somebody@domain.com> 
proto=SMTP helo=<zimbra.example.com>

You probably see this as well:

postconf mynetworks
mynetworks = 127.0.0.0/8

If you want to allow all the other machines on the 10.10.130.x network to relay, configure the server like this:

zmprov ms zimbra.example.com zimbraMtaMyNetworks '127.0.0.0/8 10.10.130.0/24'
postfix reload

If you don't want to allow relaying for the network, but only for the zimbra server itself, configure the server like this:

zmprov mos zimbra.example.com zimbraMtaMyNetworks '127.0.0.0/8 10.10.130.10/32'
postfix reload

Allowing relaying for a remote machine

Let's say you have a single machine on a remote network (for example, an automated mailing list manager with the IP address 10.10.200.25), and the current settings look like this:

postconf mynetworks
mynetworks = 127.0.0.0/8 10.10.130.0/24

Add the remote machine like this:

zmprov ms zimbra.example.com zimbraMtaMyNetworks '127.0.0.0/8 10.10.130.0/24 10.10.200.25/32'
postfix reload

Allowing relaying for a remote network

Let's say you have POP or IMAP users on a remote network (for example, 192.168.1.x, with a netmask of 255.255.255.0), and the current settings look like this:

postconf mynetworks
mynetworks = 127.0.0.0/8 10.10.130.0/24

Add the remote network like this:

zmprov ms zimbra.example.com zimbraMtaMyNetworks '127.0.0.0/8 10.10.130.0/24 192.168.1.0/24'
postfix reload

Possible Problems

Make sure you specify the network properly. If you see an error like this in /var/log/zimbra.log, take a look at the subnet notation guide linked below, and compare the CIDR suffixes (/27) with the network address suffixes (.198).

Jul 17 20:29:12 zimbra postfix/smtpd[5092]: fatal: non-null host address bits in "10.10.130.198/27", perhaps you should use "10.10.130.192/27" instead


Additional Reading

postconf mynetworks

private networks address space - wikipedia article, RFC 1918

subnet notation

Personal tools