Troubleshooting Course Content Rough Drafts-Identify And Resolve Mail Flow Issues: Difference between revisions
(6 intermediate revisions by the same user not shown) | |||
Line 48: | Line 48: | ||
zmprov gs `zmhostname` zimbraMtaRelayHost | zmprov gs `zmhostname` zimbraMtaRelayHost | ||
</pre></code> | |||
- DNS MX records correct? | |||
<code><pre>host -t mx yourdomain.com</pre></code> | |||
IP Address correct? | |||
<code><pre>host -t a mail.yourdomain.com</pre></code> | |||
- Are there any errors in the /var/log/zimbra.log file? | |||
<code><pre> | |||
grep -i user001@yahoo.com /var/log/zimbra.log | |||
</pre></code> | </pre></code> | ||
Line 78: | Line 89: | ||
==Troubleshooting Tools== | ==Troubleshooting Tools== | ||
===mailq=== | |||
Command showing current activity in the mail queue. Run the command as the zimbra user. | |||
<code><pre> | |||
mailq | |||
or | |||
/opt/zimbra/postfix/sbin/mailq | |||
</pre></code> | |||
===postqueue=== | |||
See, http://www.postfix.org/postqueue.1.html | |||
<code><pre>/opt/zimbra/postfix/sbin/postqueue</pre></code> | |||
* /opt/zimbra/libexec/zmmsgtrace | ===zmqstat=== | ||
Display how many messages in each queue | |||
<code><pre>sudo /opt/zimbra/libexec/zmqstat</pre></code> | |||
===zmmsgtrace=== | |||
Tool for tracing email transactions | |||
<code><pre> | |||
*Examples* | |||
/opt/zimbra/libexec/zmmsgtrace -s john@yahoo.com -r sales@domain.com | |||
/opt/zimbra/libexec/zmmsgtrace --id 1550989059.5.1424814781558.JavaMail.zimbra@mail.domain.com | |||
/opt/zimbra/libexec/zmmsgtrace --id 405795848.214.1424764809961.JavaMail.zimbra@kingr1.us.zimbralab.com /var/log/zimbra.log-2015*.gz | |||
Usage: | |||
zmmsgtrace [options] [<mail-syslog-file>...] | |||
--id|i "msgid" # case sensitive regex | |||
--sender|s "user@domain" # case insensitive regex | |||
--recipient|r "user@domain" # case insensitive regex | |||
--srchost|F "hostname_or_ip" # case insensitive regex | |||
--desthost|D "hostname_or_ip" # case insensitive regex | |||
--time|t "start_ts,end_ts" # YYYYMM[DD[HH[MM[SS]]]] | |||
--year "YYYY" # file year if no YYYY in file | |||
--nosort # do not sort @ARGV files by mtime | |||
--debug verbose output useful for debugging | |||
--help display a brief help message | |||
--man display the entire man page | |||
</pre></code> | |||
===zmdailyreport=== | |||
Getting email a report of the email activity. | |||
<code><pre>/opt/zimbra/libexec/zmdailyreport</pre></code> | |||
===zimbra.log=== | |||
The number one place to look when there are signs of trouble from the Zimbra MTA service. | |||
<code><pre> | |||
egrep -i 'error|warn|fatal' /var/log/zimbra.log | |||
zegrep -i 'error|warn|fatal' /var/log/zimbra.log-2015*.gz | |||
tail -f /var/log/zimbra.log | |||
</pre></code> | |||
==Real World case examples== | ==Real World case examples== |
Latest revision as of 21:16, 1 April 2015
ROUGH DRAFT ROUGH DRAFT ROUGH DRAFT ROUGH DRAFT
Exercises
Problem1: Incoming email from the Internet is not getting delivered to my Zimbra server. Why?
You setup your Zimbra server, now it's time to test email flow. You sent a test message from your Yahoo! email account, but you are not seeing the email message in your Zimbra account.
Things to check
- DNS MX Records setup correctly? Check the DNS MX records for the domain on the zimbra machine.
Run the following command from inside the zimbra machine
host -t mx domain.com
You would see something similar to
domain.com mail is handled by 10 mail.domain.com.
IP address correct?
host -t a mail.domain.com
Contents of the /etc/hosts file correct?
*Example*
127.0.0.1 localhost.localdomain localhost
192.168.1.17 mail.domain.com mail
- Firewall blocking smtp connections to the zimbra machine externally?
telnet mail.domain.com 25
- IPTables turned on?
iptables -L -n
Problem2: Outbound email from my Zimbra account is not getting delivered to my Yahoo email account. Why?
You want to test sending a message to another address external to your Zimbra setup, and you are sending a email message to your Yahoo! account, but it did not deliver to your Yahoo! account.
Things to check
- Can you telnet to an external smtp hostname?
telnet smtp.hp.com 25
- Are you using a zimbraMtaRelayHost?
zmprov gacf zimbraMtaRelayHost
zmprov gs `zmhostname` zimbraMtaRelayHost
- DNS MX records correct?
host -t mx yourdomain.com
IP Address correct?
host -t a mail.yourdomain.com
- Are there any errors in the /var/log/zimbra.log file?
grep -i user001@yahoo.com /var/log/zimbra.log
Problem3: Zimbra MTA services will not start! zmcontrol status displays MTA not started.
Upon setting up your Zimbra machine, you checked the status.
zmcontrol status
And you noticed the following.
postfix is not running
So you try starting Zimbra MTA service.
zmmtactl start
But you still see postfix is not running from the zmcontrol status command.
If Zimbra's MTA service is down, and not starting, is there anything listening on port 25?
lsof -i :25
Are there errors with Zimbra's MTA Permissions?
postfix check
Generally Postfix uses a lot of directories and files with special user/group permissions. Postfix is especially picky if a file permission is incorrect, and can potentially prevent email flow. The postfix check command is handy to use to do a fast check.
postfix check
postsuper: fatal: scan_dir_push: open directory defer/F: Permission denied
Troubleshooting Tools
mailq
Command showing current activity in the mail queue. Run the command as the zimbra user.
mailq
or
/opt/zimbra/postfix/sbin/mailq
postqueue
See, http://www.postfix.org/postqueue.1.html
/opt/zimbra/postfix/sbin/postqueue
zmqstat
Display how many messages in each queue
sudo /opt/zimbra/libexec/zmqstat
zmmsgtrace
Tool for tracing email transactions
*Examples*
/opt/zimbra/libexec/zmmsgtrace -s john@yahoo.com -r sales@domain.com
/opt/zimbra/libexec/zmmsgtrace --id 1550989059.5.1424814781558.JavaMail.zimbra@mail.domain.com
/opt/zimbra/libexec/zmmsgtrace --id 405795848.214.1424764809961.JavaMail.zimbra@kingr1.us.zimbralab.com /var/log/zimbra.log-2015*.gz
Usage:
zmmsgtrace [options] [<mail-syslog-file>...]
--id|i "msgid" # case sensitive regex
--sender|s "user@domain" # case insensitive regex
--recipient|r "user@domain" # case insensitive regex
--srchost|F "hostname_or_ip" # case insensitive regex
--desthost|D "hostname_or_ip" # case insensitive regex
--time|t "start_ts,end_ts" # YYYYMM[DD[HH[MM[SS]]]]
--year "YYYY" # file year if no YYYY in file
--nosort # do not sort @ARGV files by mtime
--debug verbose output useful for debugging
--help display a brief help message
--man display the entire man page
zmdailyreport
Getting email a report of the email activity.
/opt/zimbra/libexec/zmdailyreport
zimbra.log
The number one place to look when there are signs of trouble from the Zimbra MTA service.
egrep -i 'error|warn|fatal' /var/log/zimbra.log
zegrep -i 'error|warn|fatal' /var/log/zimbra.log-2015*.gz
tail -f /var/log/zimbra.log
Real World case examples
OS MTA vs. Zimbra MTA
When a Linux OS is installed, the OS will include either Postfix or Sendmail. You must be aware that if the OS installs Postfix, the binary paths will be different.
[root@mail ~] which postfix
/usr/sbin/postfix
[zimbra@mail ~] which postfix
~/bin/postfix
See the difference? Make sure when you are running postfix commands like postconf, that you are running the commands as the zimbra user, not root.
Also, make sure to disable the OS MTA from the start up sequence.
chkconfig postfix off
or
update-rc.d -f /etc/init.d/postfix remove
Mail Loops back to myself
Typically a bounce message would look something like this:
This is the mail system at host mail.yourdomain.com.
I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to postmaster.
If you do so, please include this problem report. You can
delete your own text from the attached returned message.
The mail system
<jsmith@mail.yourdomain.com>: mail for mail.yourdomain.com loops
back to myself
What this means is that someone tried to send a message to jsmith@mail.yourdomain.com, however the Zimbra system is smart enough to have looked up the MX (mail exchange) records for the domain. It notes that it in fact is the destination server for the mail, but the domain of mail.yourdomain.com was not created.
LMTP delivery resolving to a public IP not the Private IP
Scenario would involve the zimbra MTA with the private IP, i.e. 192.168.1.17; however, mail is not getting delivered internally.
In the /var/log/zimbra.log file would show this:
relay=mail.yourdomain.com[17.218.128.55]:7025 **INCORRECT**
relay=mail.yourdomain.com[192.168.1.17]:7025 **CORRECT**
If this happens to you, try the following.
ZCS8.5 & ZCS8.6
zmprov mcf zimbraMtaLmtpHostLookup native
zmmtactl restart
Older zimbra versions
zmlocalconfig -e postfix_lmtp_host_lookup=native
zmmtactl restart
Relay Access Denied
You may have seen a bounce message like this.
From: System Administrator
Sent: Friday, August 28, 2014 12:00 PM
To: John Smith
Subject: Undeliverable: test
Your message did not reach some or all of the intended recipients.
Subject: RE: Sales
Sent: 8/28/2014 12:00 PM
The following recipient(s) cannot be reached:
'Susan Smith' on 8/28/2014 12:00 PM
554 5.7.1 <ssmith@domain.com>: Relay access denied
Usually this is caused by zimbra MTA's mynetworks setting was not correct. Running the following commands from the MTA as the zimbra user, are the results the same?
zmprov gs zimbra-mta.yourdomain.com zimbraMtaMyNetworks
zmprov gacf zimbraMtaMyNetworks
postconf | grep mynetworks
Remember, zimbraMtaMyNetworks should contain the network addresses of the localhost IP, and the IP from the network interface i.e. eth0 192.168.1.17 lo 127.0.0.1 would look like this...
postconf mynetworks
mynetworks = 127.0.0.0/8 192.168.1.0/24
zmprov gs zimbra-mta.yourdomain.com zimbraMtaMyNetworks
zimbraMtaMyNetworks: 127.0.0.0/8 192.168.1.0/24
Things to consider regarding zimbraMtaMyNetworks and "relay access denied" issues
- End users that are using email clients like Thunderbird, or Outlook must use smtp authentication if they want to relay email through the zimbra-MTA.
If they don't enter a username/password in their email client, there will be a "relay access denied" error in the /var/log/zimbra.log file.
- Never configure zimbraMtaMyNetworks to relay public IP networks, i.e. adding 140.108.26.0/24 zimbraMtaMyNetworks. This means ANYONE on the 140.108.26.0 subnet can relay email without authentication, which is bad and would make the zimbra-MTA an open relay for the 140.108.26.0 subnet.
Unknown sender
Symptom: Checking outgoing mail and I am seeing email that is coming from zimbra that are coming from users that do not exist in the LDAP server.
ZCS-8.0.x
1. zmlocalconfig -e postfix_enable_smtpd_policyd=yes
2. zmlocalconfig -e postfix_smtpd_reject_unlisted_recipient=yes
3. zmlocalconfig -e postfix_smtpd_reject_unlisted_sender=yes
4. zmprov mcf +zimbraMtaRestriction "check_policy_service unix:private/policy"
5. zmmtactl restart
6. zmconfigdctl restart
ZCS-8.6.x
1. zmprov mcf zimbraMtaEnableSmtpdPolicyd TRUE
2. zmprov mcf zimbraMtaSmtpdRejectUnlistedRecipient yes
3. zmprov mcf zimbraMtaSmtpdRejectUnlistedSender yes
4. zmprov mcf +zimbraMtaRestriction "check_policy_service unix:private/policy"
5. zmmtactl restart
6. zmconfigdctl restart
Know the difference between zimbraMtaRelayHost and zimbraSmtpHostname
zimbraMtaRelayHost: Used by the zimbra MTA, postfix's value for postconf relayhost.
zimbraSmtpHostname: Used by the zimbra user store node not running MTA service.
Short Quiz
1. Adding a pubic network subnet to zimbraMtaMyNetworks is recommended.
2. You can configure Zimbra MTA settings as the root user.
3. To send messages outbound from Zimbra MTA, you do not need to configure zimbraMtaRelayHost setting.
4. You need to uninstall the OS MTA in order for Zimbra's MTA to work properly.
5. Zimbra MTA traffic is logged to the /opt/zimbra/log/mailbox.log file
Short Quiz Answers - No peeking
1. *FALSE*
Adding a public network subnet will allow anyone on the same subnet to relay email without authentication.
This is not good.
2. *FALSE*
Must be the "zimbra" user when making changes to the MTA service.
3. *TRUE*
Trick question: You do not need to configure the zimbraMtaRelayHost
setting unless your network provider is blocking outbound smtp traffic, then you will need a relayhost.
4. *FALSE*
You can simply disable the OS MTA from the OS startup sequence.
5. *FALSE*
Zimbra MTA traffic is logged to the /var/log/zimbra.log file.