CentOS 7.x Configuring dnsmasq for Zimbra behind NAT to resolve email not delivered to self domains issue

From Notes_Wiki
Revision as of 12:26, 2 April 2019 by Saurabh (talk | contribs)

If Zimbra is behind NAT, as on public cloud instances such as AWS EC2 or Lightsail, the domain's MX record resolves to the Zimbra server's public IP, while connections to certain ports on that public IP (e.g. 7025, which Postfix uses for LMTP delivery in the log below) get blocked by various firewalls. In such cases even emails to the server's own domain (e.g. from zimbra.sbarjatiya.com to zimbra.sbarjatiya.com itself) may not get delivered and end up stuck in the mail queue. The related /var/log/maillog entries look like:

Feb 13 14:43:36 mail postfix/amavisd/smtpd[4325]: 7385B2C042D7: client=localhost[127.0.0.1]
Feb 13 14:43:36 mail postfix/cleanup[4251]: 7385B2C042D7: message-id=<20190213091336.1E6772C042D7@mail.zimbra.sbarjatiya.com>
Feb 13 14:43:36 mail postfix/qmgr[32150]: 7385B2C042D7: from=<admin@zimbra.sbarjatiya.com>, size=1714, nrcpt=1 (queue active)
Feb 13 14:43:36 mail postfix/smtp[4261]: 42C152C042D8: to=<admin@zimbra.sbarjatiya.com>, relay=127.0.0.1[127.0.0.1]:10032, delay=0.21, delays=0.05/0.01/0.01/0.14, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 7385B2C042D7)
Feb 13 14:44:36 mail postfix/lmtp[4284]: connect to mail.zimbra.sbarjatiya.com[54.144.231.182]:7025: Connection timed out
Feb 13 14:44:36 mail postfix/error[5961]: 7385B2C042D7: to=<admin@zimbra.sbarjatiya.com>, relay=none, delay=60, delays=0.01/60/0/0.02, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mail.zimbra.sbarjatiya.com[54.144.231.182]:7025: Connection timed out)

Public IP ports such as 7025 may not be accessible from the server itself. There are two ways to resolve this:

  1. Setup local DNS
  2. Use firewall for NAT


Setup local DNS

In this case, set up DNS for the domain or sub-domain locally so that it answers the Zimbra server with the private IP instead of the public IP. For this we are better off using dnsmasq than setting up bind, which takes more effort.

To set up dnsmasq on the Zimbra server use the following steps:

  1. Disable the internal Zimbra dnscache, running the following as the zimbra user:
    zmdnscachectl stop
    zmprov ms `zmhostname` -zimbraServiceEnabled dnscache
    zmprov ms `zmhostname` -zimbraServiceInstalled dnscache
  2. Validate that nothing is listening on port 53, running the following as root:
    ss -alnp | grep \:53
  3. Install dnsmasq as root and configure it:
    1. Install package
      yum -y install dnsmasq
    2. Create /etc/dnsmasq.d/zimbra.conf with:
      server=172.26.0.2
      domain=zimbra.sbarjatiya.com
      mx-host=zimbra.sbarjatiya.com,mail.zimbra.sbarjatiya.com,5
      listen-address=127.0.0.1
      where multiple 'server=' lines can be given for upstream DNS servers.
    3. Start and enable dnsmasq using:
      systemctl start dnsmasq
      systemctl enable dnsmasq
    4. Ensure that /etc/hosts is similar to the following, since dnsmasq answers A queries for the mail host from it and that is what maps the MX host to the private IP:
      127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
      ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
      172.26.15.186 mail.zimbra.sbarjatiya.com zimbra.sbarjatiya.com
    5. Test that dnsmasq resolves the local MX record to the private IP using:
      dig -t MX @127.0.0.1 zimbra.sbarjatiya.com
    6. If the above resolution returns the private IP, configure /etc/sysconfig/network-scripts/ifcfg-eth0 to use the local DNS by appending:
      DNS1=127.0.0.1
    7. Restart the network:
      systemctl restart network
    8. Validate that /etc/resolv.conf refers to 127.0.0.1:
      cat /etc/resolv.conf
  4. The above change will not persist across reboots on AWS instances due to cloud-init. For that refer to CentOS 7.x cloud-init or dhclient based DNS configuration.
  5. If there are many emails pending in the queue then restart Zimbra services as the zimbra user:
    zmcontrol restart
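The following is an added shell example, not code from this wiki page or from the Zimbra or dnsmasq projects. It puts the two halves of the page into checkable functions: triaging /var/log/maillog for the LMTP timeout shown in the excerpt above, and rendering the dnsmasq configuration from step 3 and then verifying that the local resolver returns a private (RFC 1918) address for the domain's MX. The function names, the RFC 1918 check and the dig-based verification are this example's own; the sample log lines are the ones quoted on the page, embedded as a constructed fixture so the parsing functions can run offline.

```shell
#!/bin/sh
# Added example (not from the wiki page): helpers for diagnosing and fixing
# self-domain mail stuck on LMTP connects to the server's own public IP.
# Function names and checks are this example's own assumptions.

# Constructed fixture: the /var/log/maillog lines quoted on the page.
SAMPLE_MAILLOG='Feb 13 14:44:36 mail postfix/lmtp[4284]: connect to mail.zimbra.sbarjatiya.com[54.144.231.182]:7025: Connection timed out
Feb 13 14:44:36 mail postfix/error[5961]: 7385B2C042D7: to=<admin@zimbra.sbarjatiya.com>, relay=none, delay=60, delays=0.01/60/0/0.02, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mail.zimbra.sbarjatiya.com[54.144.231.182]:7025: Connection timed out)'

# 1a. Read maillog on stdin and print "host ip" for every LMTP connect that
#     timed out on port 7025. On a real server:
#     lmtp_timeout_targets < /var/log/maillog
lmtp_timeout_targets() {
    sed -n -E 's|.*postfix/lmtp\[[0-9]+\]: connect to ([^[ ]+)\[([0-9.]+)\]:7025: Connection timed out.*|\1 \2|p' | sort -u
}

# 1b. Read maillog on stdin and print the queue IDs deferred because of that
#     timeout; these are the messages that sit in the queue until the fix.
deferred_queue_ids() {
    sed -n -E 's|.*postfix/error\[[0-9]+\]: ([0-9A-F]+): .*status=deferred .*:7025: Connection timed out.*|\1|p' | sort -u
}

# Return 0 if the IPv4 address is in an RFC 1918 range, 1 otherwise.
is_private_ipv4() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.*)
            second=${1#172.}
            second=${second%%.*}
            [ "$second" -ge 16 ] 2>/dev/null && [ "$second" -le 31 ] && return 0
            ;;
    esac
    return 1
}

# 2a. Print /etc/dnsmasq.d/zimbra.conf for DOMAIN whose MX is MAILHOST
#     (preference 5), forwarding all other queries to the upstream resolvers.
#     Usage: render_dnsmasq_conf zimbra.sbarjatiya.com \
#              mail.zimbra.sbarjatiya.com 172.26.0.2 > /etc/dnsmasq.d/zimbra.conf
render_dnsmasq_conf() {
    domain=$1; mailhost=$2; shift 2
    for upstream in "$@"; do
        printf 'server=%s\n' "$upstream"
    done
    printf 'domain=%s\n' "$domain"
    printf 'mx-host=%s,%s,5\n' "$domain" "$mailhost"
    # Bind only to loopback so the resolver is not exposed on the VPC interface.
    printf 'listen-address=127.0.0.1\n'
}

# 2b. Given `dig +short -t MX` output on stdin, print the host with the lowest
#     preference, trailing dot stripped.
mx_host_from_dig_short() {
    sort -n | awk 'NR == 1 { sub(/\.$/, "", $2); print $2 }'
}

# 2c. Live check (needs dig and dnsmasq listening on the resolver): resolve the
#     domain's MX through the local resolver and require every A record of the
#     MX host to be private. Returns 0 when LMTP delivery will stay inside the VPC.
check_self_mx_private() {
    domain=$1; resolver=${2:-127.0.0.1}
    mxhost=$(dig +short -t MX "@$resolver" "$domain" | mx_host_from_dig_short)
    [ -n "$mxhost" ] || { echo "no MX for $domain via $resolver" >&2; return 1; }
    for ip in $(dig +short -t A "@$resolver" "$mxhost" | grep -E '^[0-9]+(\.[0-9]+){3}$'); do
        is_private_ipv4 "$ip" || { echo "$mxhost -> $ip is public; check dnsmasq and /etc/hosts" >&2; return 1; }
        echo "$mxhost -> $ip (private)"
    done
}
```

Run `printf '%s\n' "$SAMPLE_MAILLOG" | lmtp_timeout_targets` to see the host and public IP that Postfix could not reach; after steps 3 and 6 above, `check_self_mx_private zimbra.sbarjatiya.com` should print the mail host with its 172.26.x.x address, which depends on the /etc/hosts entry from step 4 because dnsmasq serves the A record of the MX host from there.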


Use firewall for NAT

In this case the Linux firewall can be used to intercept outgoing connections to the public IP and DNAT them to the private IP. This still needs to be explored properly with firewalld.

