Difference between revisions of "Incoming Mail Problems"

(Create IP alias)
m
 
(15 intermediate revisions by 5 users not shown)
Line 1: Line 1:
== Troubleshooting incoming mail ==
+
{{BC|Certified}}
 +
__FORCETOC__
 +
<div class="col-md-12 ibox-content">
 +
=Troubleshooting incoming mail problems=
 +
{{KB|{{ZC}}|{{ZCS 8.8}}|{{ZCS 8.7}}|{{ZCS 8.6}}|}}
  
 +
==Problem==
 
If you're having trouble receiving mail from outside, you need to find out where the message is failing.
 
If you're having trouble receiving mail from outside, you need to find out where the message is failing.
  
Line 8: Line 13:
 
   tail -f /var/log/zimbra.log
 
   tail -f /var/log/zimbra.log
  
If you see ''nothing'' logged (no connection, nothing) then the problem likely either [[DNS]] or your [[Firewall]].
+
If you see ''nothing'' logged (no connection, nothing) then the problem likely either [[DNS]] or your firewall.
 
+
==Resolution==
== [[Firewall]] ==
+
=== Firewall ===
 
+
To troubleshoot your firewall, it helps to have an account on a system outside of your network.
To troubleshoot your [[firewall]], it helps to have an account on a system outside of your network.
 
  
 
For mail to flow inbound, servers on the internet need to connect to your [[MTA]] on port 25.
 
For mail to flow inbound, servers on the internet need to connect to your [[MTA]] on port 25.
  
== [[DNS]] issues ==
+
=== [[DNS]] issues ===
 
+
The mail domain that your user accounts are created under must have an MX record.  To test this:
The mail [[domain]] that your user accounts are created under must have an [[MX]] record.  To test this:
 
 
   host -t mx ''domain''
 
   host -t mx ''domain''
  
The IP address returned should be the IP (public or private) of your MTA.  If it's the public address, make sure that the [[Firewall]] is forwarding port 25 to the [[MTA]].
+
The IP address returned should be the IP (public or private) of your MTA.  If it's the public address, make sure that the Firewall is forwarding port 25 to the [[MTA]].
 
 
== Mail is delivered to the [[MTA]], but not to the mailbox ==
 
  
 +
=== Mail is delivered to the [[MTA]], but not to the mailbox ===
 
If there is a line in the /var/log/zimbra.log like:
 
If there is a line in the /var/log/zimbra.log like:
 
   postfix/lmtp ... deferred ... connection refused
 
   postfix/lmtp ... deferred ... connection refused
  
There is no connection to port 7025 to perform [[LMTP]] delivery.
+
There is no connection to port 7025 to perform Local Mail Transfer Protocol (LMTP) delivery.
 
 
The host that the [[LMTP]] delivery is made to will be the value of the [[account|account's]] ''zimbraMailHost'' [[attribute]]. 
 
 
 
To test this, telnet ''from the MTA'' to the ''zimbraMailHost'' on port 7025 '''by name''' (not by IP).  If this is resolving to an IP address on your [[Firewall]], make sure the port is forwarded on to the ''zimbraMailHost''.
 
 
 
It is possible that the DNS address that is being resolved by the Postfix MTA does not match the internal IP address of the server.  This can happen when you have an external DNS that is resolving to the firewall, but no internal DNS to handle address resolution within your internal network.  It can also happen when there is no DNS entry at all for your ZCS server.  There are four main ways to get around this problem.
 
 
 
=== Create IP alias ===
 
If your network configuration permits it (and in most cases it dont't cause any problem) create an IP alias for your network card with the IP address of the MX record. This is the simplest solution. The network mask should be 255.255.255.255 if you using IPV4, because this will be a host route. The method of adding IP aliases depends on your distribution so contact the manual of your Linux about how to do it.
 
 
 
=== Split DNS ===
 
In order to handle address resolution for both internal and external hosts, you'll need to configure a split DNS configuration.  A split DNS is a configuration where queries from inside the firewall are directed to a DNS server located inside the firewall, which is authoritative for those internal addresses.  This DNS server will return the "inside" addresses of other servers on the local network, and will forward any requests for "outside" addresses to the main DNS server. You can configure this by setting up the A and MX records for the internal zone within a DNS server  running on the ZCS server. This will cause the local hostnames to resolve to the correct internal addresses. To enable forwarding, include a line similar to this in your named.conf (BIND 9):
 
 
 
  forwarders { ip_addr [port ip_port] ; [ ip_addr [port ip_port] ; ... ] };
 
 
 
Where ip_addr refers to the main DNS server for your organization.
 
  
=== MTA Relay ===
+
This is nearly always caused by a host that is configured on private IP Space (or using NAT) and that does not have an interface for the public IP address the server resides on. This can be easily fixed by simply using native IP address lookups for lmtp rather than DNS.  Alternatively, you could have your internal network's domain name configured to lookup differently internally than it does externally.  Using that method is beyond the scope of this document.
An alternative to setting up a DNS server is to un-check "Enable DNS Lookups" on the MTA tab under Server configuration on the Zimbra Admin console. This requires a relay MTA to be configured somewhere that will accept all outbound email.
 
  
=== zimbraMailTransport ===
+
==== Zimbra Collaboration 8.5 or above ====
A third option is to change the zimbraMailTransport attribute for your mail users. Normally, it will be similar to this:
+
ZCS 8.5 or above onwards this attribute is now in ldap - zimbraMtaLmtpHostLookup
 +
  zmprov ms mtaserver.com zimbraMtaLmtpHostLookup native
  
   zimbraMailTransport: lmtp:zimbra1.east.zimbra.com:7025
+
In case that you are using Single Server, be aware always of the Global Config as well:
 +
   zmprov mcf zimbraMtaLmtpHostLookup native
  
If you change it to be similar to this:
+
Once this is done, you'll need to restart the mta:
 +
  zmmtactl restart
  
  zimbraMailTransport: lmtp:[zimbra1.east.zimbra.com]:7025
+
==== Zimbra Collaboration 8.0 or previous ====
 +
To lookup lmtp addresses natively instead of by DNS, simply modify the following localconfig values on all mta's:
 +
  zmlocalconfig -e postfix_lmtp_host_lookup=native
  
the system will attempt to resolve the hostname using the hosts table instead of DNS. You could also change the hostname to an IP address in this situation. Generally, messing with the zimbraMailTransport settings is not recommended because of the operational headache involved in changing the setting for every new user created on your system and making sure they all stay current and correct. You're better off running a small local DNS.
+
Once this is done, you'll need to restart the mta:
 +
  zmmtactl restart
 +
=== Expected behavior ===
 +
Postfix will now lookup IP's for lmtp natively rather than in DNS, so you'll just need to ensure the host is properly configured in /etc/hosts and things will work correctly.
  
[[Category:MTA]]
+
{{Article Footer|ZCS 8.7, 8.6, 8.0|1/13/2012}}
[[Category:Troubleshooting]]
+
{{NeedSME|Jorge|SME2|Copyeditor}}
 +
[[Category:Troubleshooting MTA]]

Latest revision as of 17:32, 18 January 2018

Troubleshooting incoming mail problems

   KB 1336        Last updated on 2018-01-18  




0.00
(0 votes)

Problem

If you're having trouble receiving mail from outside, you need to find out where the message is failing.

When sending your test message, check the Log Files, especially /var/log/zimbra.log, on your MTA server.

It's often helpful to tail the logfile as you send the message:

 tail -f /var/log/zimbra.log

If you see nothing logged (no connection, nothing) then the problem likely either DNS or your firewall.

Resolution

Firewall

To troubleshoot your firewall, it helps to have an account on a system outside of your network.

For mail to flow inbound, servers on the internet need to connect to your MTA on port 25.

DNS issues

The mail domain that your user accounts are created under must have an MX record. To test this:

 host -t mx domain

The IP address returned should be the IP (public or private) of your MTA. If it's the public address, make sure that the Firewall is forwarding port 25 to the MTA.

Mail is delivered to the MTA, but not to the mailbox

If there is a line in the /var/log/zimbra.log like:

 postfix/lmtp ... deferred ... connection refused

There is no connection to port 7025 to perform Local Mail Transfer Protocol (LMTP) delivery.

This is nearly always caused by a host that is configured on private IP Space (or using NAT) and that does not have an interface for the public IP address the server resides on. This can be easily fixed by simply using native IP address lookups for lmtp rather than DNS. Alternatively, you could have your internal network's domain name configured to lookup differently internally than it does externally. Using that method is beyond the scope of this document.

Zimbra Collaboration 8.5 or above

ZCS 8.5 or above onwards this attribute is now in ldap - zimbraMtaLmtpHostLookup

 zmprov ms mtaserver.com zimbraMtaLmtpHostLookup native

In case that you are using Single Server, be aware always of the Global Config as well:

 zmprov mcf zimbraMtaLmtpHostLookup native

Once this is done, you'll need to restart the mta:

 zmmtactl restart

Zimbra Collaboration 8.0 or previous

To lookup lmtp addresses natively instead of by DNS, simply modify the following localconfig values on all mta's:

 zmlocalconfig -e postfix_lmtp_host_lookup=native

Once this is done, you'll need to restart the mta:

 zmmtactl restart

Expected behavior

Postfix will now lookup IP's for lmtp natively rather than in DNS, so you'll just need to ensure the host is properly configured in /etc/hosts and things will work correctly.

Verified Against: ZCS 8.7, 8.6, 8.0 Date Created: 1/13/2012
Article ID: https://wiki.zimbra.com/index.php?title=Incoming_Mail_Problems Date Modified: 2018-01-18



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »


Wiki/KB reviewed by Jorge SME2 Copyeditor Last edit by Jorge de la Cruz
Jump to: navigation, search