Zimbra uses other IP than assigned, causing HELO/Reverse-DNS mismatch
Here is the complete picture of your email flow:
Zimbra webmail -> postfix -> amavis -> postfix -> internet
Now, your email got stuck in the queue because amavisd rejected it. Why?
Some background
Amavisd in Zimbra uses a policy bank to control who can telnet to the amavisd daemon. When Zimbra initializes its configuration after installation, Zimbra synchronizes config to amavisd and config.
* It tells postfix to submit email (for scanning) to amavisd with IP 1.1.1.11, and
* It tells amavisd to only accept email from IP 1.1.1.11
So that's why amavisd rejected it. You changed smtp_bind_address in postfix, but you didn't change the policy bank setting in amavisd.conf.
Solution
Set the @mynetworks directive in /opt/zimbra/conf/amavisd.conf by adding IP 1.1.1.12/32. It will tell the amavisd policy bank to accept email from 1.1.1.12.
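The check this answer describes, as an added example that is not part of the original post: it reads the @mynetworks list and the amavis DENIED ACCESS lines and reports which client IPs still need an entry. The amavisd.conf line is a constructed sample and its qw(...) layout is an assumption; the log lines follow the format of the zimbra.log excerpt in the question.

```python
import ipaddress
import re

# Constructed sample of the directive in /opt/zimbra/conf/amavisd.conf
# (the qw(...) list layout is an assumption about the file on disk).
AMAVISD_CONF = "@mynetworks = qw( 127.0.0.0/8 [::1] 1.1.1.11/32 );\n"

# Sample lines in the format of the question's zimbra.log excerpt.
ZIMBRA_LOG = """\
Sep 18 14:32:24 mx1 postfix/smtpd[11496]: disconnect from localhost.localdomain[127.0.0.1]
Sep 18 14:32:24 mx1 amavis[3400]: (!)DENIED ACCESS from IP 1.1.1.12, policy bank 'ORIGINATING'
Sep 18 14:32:48 mx1 amavis[3400]: (!)DENIED ACCESS from IP 1.1.1.12, policy bank 'ORIGINATING'
"""

DENIED = re.compile(
    r"amavis\[\d+\]: \(!\)DENIED ACCESS from IP (\S+), policy bank '([^']*)'")
MYNETWORKS = re.compile(r"^\s*@mynetworks\s*=\s*qw\(([^)]*)\)", re.M)


def parse_mynetworks(conf_text):
    """Return the networks listed in @mynetworks as ipaddress objects."""
    match = MYNETWORKS.search(conf_text)
    if not match:
        return []
    nets = []
    for token in match.group(1).split():
        # amavisd writes IPv6 as [addr] or [addr]/len; drop the brackets.
        cleaned = token.replace("[", "").replace("]", "")
        nets.append(ipaddress.ip_network(cleaned, strict=False))
    return nets


def denied_clients(log_text):
    """Count DENIED ACCESS events per (client IP, policy bank)."""
    counts = {}
    for ip, bank in DENIED.findall(log_text):
        counts[(ip, bank)] = counts.get((ip, bank), 0) + 1
    return counts


def missing_entries(conf_text, log_text):
    """Denied client IPs that no @mynetworks entry covers, as host routes."""
    nets = parse_mynetworks(conf_text)
    missing = set()
    for ip, _bank in denied_clients(log_text):
        addr = ipaddress.ip_address(ip)
        if not any(addr.version == n.version and addr in n for n in nets):
            missing.add(str(ipaddress.ip_network(ip)))
    return sorted(missing)
```

An empty result from `missing_entries` after editing amavisd.conf means every denied client seen in the log is now covered by @mynetworks.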
user2092982
Updated on September 18, 2022
We've got a vServer running Zimbra and a web server, each of them having its own IP address.
1.1.1.11 - vServer, running:
-- 1.1.1.12/mx1.ipsum.com - Zimbra mail server
-- 1.1.1.13 - web server
Receiving e-mails is fine, but for a few weeks now Zimbra has been putting the vServer's IP address into the mail header instead of using the designated mail server IP:
Received-SPF: Pass (sender SPF authorized) identity=mailfrom; client-ip=1.1.1.11; helo=mx1.ipsum.com; [email protected]; [email protected]
This causes a HELO/Reverse-DNS mismatch (Reverse DNS entry for 1.1.1.12 points to mx1.ipsum.com, but 1.1.1.11 points to vserver.ipsum.com). As a result, many mail servers reject mails sent from our server mx1.ipsum.com, i.e. saying "550 MAIL APPEARED TO BE SPAM OR FORGED. WRONG HELO AND DNS".
So I would like to tell Zimbra to use the correct mail server IP 1.1.1.12. In the Zimbra admin panel, of course the correct IP 1.1.1.12 is set.
I added these lines to /opt/zimbra/postfix/conf/main.cf:
inet_interfaces = 1.1.1.12, 127.0.0.1
smtp_bind_address = 1.1.1.12
Result: Sending as well as receiving stops completely, all messages get queued. Here's what was logged in zimbra.log while this happened:
Sep 18 14:32:24 mx1 postfix/smtpd[11496]: connect from localhost.localdomain[127.0.0.1]
Sep 18 14:32:24 mx1 postfix/smtpd[11496]: NOQUEUE: filter: RCPT from localhost.localdomain[127.0.0.1]: <[email protected]>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mx1.ipsum.com>
Sep 18 14:32:24 mx1 postfix/smtpd[11496]: 2549C197F8382: client=localhost.localdomain[127.0.0.1]
Sep 18 14:32:24 mx1 postfix/cleanup[11497]: 2549C197F8382: message-id=<[email protected]>
Sep 18 14:32:24 mx1 postfix/qmgr[7424]: 2549C197F8382: from=<[email protected]>, size=3899, nrcpt=1 (queue active)
Sep 18 14:32:24 mx1 postfix/smtpd[11496]: disconnect from localhost.localdomain[127.0.0.1]
Sep 18 14:32:24 mx1 amavis[3400]: (!)DENIED ACCESS from IP 1.1.1.12, policy bank 'ORIGINATING'
Sep 18 14:32:43 mx1 postfix/submission/smtpd[11504]: connect from unknown[152.18.171.1]
Sep 18 14:32:45 mx1 postfix/submission/smtpd[11504]: Anonymous TLS connection established from unknown[152.18.171.1]: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
Sep 18 14:32:47 mx1 postfix/submission/smtpd[11504]: NOQUEUE: filter: RCPT from unknown[152.18.171.1]: <[email protected]>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[192.168.43.166]>
Sep 18 14:32:47 mx1 postfix/submission/smtpd[11504]: 57672197F8396: client=unknown[152.18.171.1], sasl_method=PLAIN, sasl_username=admin
Sep 18 14:32:48 mx1 postfix/cleanup[11497]: 57672197F8396: message-id=<[email protected]>
Sep 18 14:32:48 mx1 postfix/qmgr[7424]: 57672197F8396: from=<[email protected]>, size=570, nrcpt=1 (queue active)
Sep 18 14:32:48 mx1 postfix/smtp[10083]: 57672197F8396: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10026, delay=1.7, delays=1.7/0/0/0, dsn=4.4.2, status=deferred (lost connection with 127.0.0.1[127.0.0.1] while receiving the initial server greeting)
Sep 18 14:32:49 mx1 postfix/submission/smtpd[11504]: disconnect from unknown[152.18.171.1]
Sep 18 14:32:48 mx1 amavis[3400]: (!)DENIED ACCESS from IP 1.1.1.12, policy bank 'ORIGINATING'
I also tried adding
inet_interfaces = all
or just
smtp_bind_address = 1.1.1.12
without an inet_interfaces line. Same result, all mails get queued.
SMTP Banner and general settings seem to be alright according to mxtoolbox.com:
Connecting to 1.1.1.12
220 mx1.ipsum.com ESMTP Postfix [874 ms]
EHLO MXTB-PWS3.mxtoolbox.com
250-mx1.ipsum.com
250-PIPELINING
250-SIZE 16777216
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN [749 ms]
MAIL FROM: <[email protected]>
250 2.1.0 Ok [749 ms]
RCPT TO: <[email protected]>
554 5.7.1 <[email protected]>: Relay access denied [749 ms]
MXTB-PWS3v2 12184ms
Test mx record:
:~$ host -t mx ipsum.com
ipsum.com mail is handled by 10 mx1.ipsum.com.
Test ptr:
:~$ host mx1.ipsum.com
mx1.ipsum.com has address 1.1.1.12
Test rDNS:
:~$ host 1.1.1.12
1.1.1.12.in-addr.arpa domain name pointer mx1.ipsum.com.
Any suggestions how to get Zimbra back on track using the 1.1.1.12 mail server IP instead of the vServer IP address?