CentOS 7.x Configuring dnsmasq for Zimbra behind NAT to resolve email not delivered to self domains issue
If Zimbra sits behind NAT, as on a public cloud instance such as AWS EC2 or Lightsail, its MX record resolves to the public IP, but connections to some ports on that public IP (for example 7025, the LMTP port Zimbra delivers to itself on) are blocked by the cloud or host firewall. Then even mail addressed to a domain the server hosts itself (for example from zimbra.sbarjatiya.com to zimbra.sbarjatiya.com) is not delivered and stays in the mail queue. The related entries in /var/log/maillog look like:
Feb 13 14:43:36 mail postfix/amavisd/smtpd[4325]: 7385B2C042D7: client=localhost[127.0.0.1]
Feb 13 14:43:36 mail postfix/cleanup[4251]: 7385B2C042D7: message-id=<20190213091336.1E6772C042D7@mail.zimbra.sbarjatiya.com>
Feb 13 14:43:36 mail postfix/qmgr[32150]: 7385B2C042D7: from=<admin@zimbra.sbarjatiya.com>, size=1714, nrcpt=1 (queue active)
Feb 13 14:43:36 mail postfix/smtp[4261]: 42C152C042D8: to=<admin@zimbra.sbarjatiya.com>, relay=127.0.0.1[127.0.0.1]:10032, delay=0.21, delays=0.05/0.01/0.01/0.14, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 7385B2C042D7)
Feb 13 14:44:36 mail postfix/lmtp[4284]: connect to mail.zimbra.sbarjatiya.com[54.144.231.182]:7025: Connection timed out
Feb 13 14:44:36 mail postfix/error[5961]: 7385B2C042D7: to=<admin@zimbra.sbarjatiya.com>, relay=none, delay=60, delays=0.01/60/0/0.02, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mail.zimbra.sbarjatiya.com[54.144.231.182]:7025: Connection timed out)
Ports such as 7025 are not reachable on the public IP, and opening them there is not the fix: LMTP only needs to be reachable from the mail server itself. There are two ways to resolve this:
- Set up local DNS
- Use the firewall for NAT
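Before picking one of the two fixes it is worth confirming that this really is the failure mode. The script below is an added example, not part of the original page: it scans a maillog for postfix/lmtp connections to port 7025 that timed out against a non-private address and counts the messages deferred for that reason. The input is constructed from the log lines quoted above; it reports any public target, not just the 54.144.231.182 seen here.

```shell
#!/bin/bash
# Added example (not from the page): triage a Postfix maillog for Zimbra trying to
# reach its own LMTP port 7025 on a public address. MAILLOG_SAMPLE is constructed
# from the lines quoted on this page; on a real server run
#   find_public_lmtp_targets < /var/log/maillog
MAILLOG_SAMPLE='Feb 13 14:43:36 mail postfix/smtp[4261]: 42C152C042D8: to=<admin@zimbra.sbarjatiya.com>, relay=127.0.0.1[127.0.0.1]:10032, delay=0.21, delays=0.05/0.01/0.01/0.14, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 7385B2C042D7)
Feb 13 14:44:36 mail postfix/lmtp[4284]: connect to mail.zimbra.sbarjatiya.com[54.144.231.182]:7025: Connection timed out
Feb 13 14:44:36 mail postfix/error[5961]: 7385B2C042D7: to=<admin@zimbra.sbarjatiya.com>, relay=none, delay=60, delays=0.01/60/0/0.02, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mail.zimbra.sbarjatiya.com[54.144.231.182]:7025: Connection timed out)'

# RFC 1918 test. The LMTP hop must stay on the private side of the NAT, so a
# public address in an lmtp connect line is exactly the misconfiguration this page is about.
is_private_ipv4() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# Read a maillog on stdin; print "host ip" once for every postfix/lmtp connect
# that timed out against port 7025 on a non-private address.
find_public_lmtp_targets() {
  sed -n 's/.*postfix\/lmtp\[[0-9]*\]: connect to \([^[]*\)\[\([0-9.]*\)\]:7025: Connection timed out.*/\1 \2/p' |
  while read -r host ip; do
    is_private_ipv4 "$ip" || printf '%s %s\n' "$host" "$ip"
  done | sort -u
}

# Count the messages postfix/error deferred for that reason (the queue backlog).
count_deferred_lmtp() {
  grep -c 'postfix/error.*status=deferred.*:7025: Connection timed out' || true
}

printf '%s\n' "$MAILLOG_SAMPLE" | find_public_lmtp_targets
printf 'deferred: %s\n' "$(printf '%s\n' "$MAILLOG_SAMPLE" | count_deferred_lmtp)"
```

If the only targets printed are private addresses, the problem lies elsewhere (for example a stopped mailbox service), and neither fix on this page applies.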
Setup local DNS
In this case set up DNS for the domain or sub-domain locally, so that it answers the Zimbra server with the private IP instead of the public IP. dnsmasq is the better choice here; setting up bind takes more effort.
To set up dnsmasq on the Zimbra server use the following steps:
- Disable the internal Zimbra dnscache service, as the zimbra user:
- zmdnscachectl stop
- zmprov ms `zmhostname` -zimbraServiceEnabled dnscache
- zmprov ms `zmhostname` -zimbraServiceInstalled dnscache
- Validate that nothing is listening on port 53 any more, as root:
- ss -alnp | grep \:53
- Install dnsmasq as root and configure it:
- Install package
- yum -y install dnsmasq
- Create /etc/dnsmasq.d/zimbra.conf with:
- server=172.26.0.2
- domain=zimbra.sbarjatiya.com
- mx-host=zimbra.sbarjatiya.com,mail.zimbra.sbarjatiya.com,5
- listen-address=127.0.0.1
- where server= names the upstream resolver that every other query is forwarded to (172.26.0.2 in this example); multiple 'server=' lines can be given. mx-host= makes dnsmasq answer the MX query for the domain itself; the A record for mail.zimbra.sbarjatiya.com is served from /etc/hosts, which dnsmasq reads by default, so the next steps put the private IP there. listen-address=127.0.0.1 keeps dnsmasq from becoming a resolver for other hosts.
- Start and enable dnsmasq using:
- systemctl start dnsmasq
- systemctl enable dnsmasq
- Ensure that /etc/hosts maps the mail host name to the private IP, similar to:
- 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
- ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
- 172.26.15.186 mail.zimbra.sbarjatiya.com zimbra.sbarjatiya.com
- Test that dnsmasq answers the MX query locally and that the mail host resolves to the private IP:
- dig -t MX @127.0.0.1 zimbra.sbarjatiya.com
- The answer must point at mail.zimbra.sbarjatiya.com, and that name must in turn resolve through 127.0.0.1 to 172.26.15.186 (from /etc/hosts), not to the public IP.
- If the above resolves to the private IP, configure /etc/sysconfig/network-scripts/ifcfg-eth0 to use the local DNS by appending:
- DNS1=127.0.0.1
- Restart the network:
- systemctl restart network
- Validate that /etc/resolv.conf now refers to 127.0.0.1:
- cat /etc/resolv.conf
- The above change will not persist across reboots on AWS instances, because cloud-init rewrites the network configuration. For that refer to CentOS 7.x cloud-init or dhclient based DNS configuration.
- If many emails are pending in the queue, restart the Zimbra services as the zimbra user:
- zmcontrol restart
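The configuration part of the steps above as one script. This is an added example, not code from the page, from Zimbra or from dnsmasq: it renders the dnsmasq fragment and the /etc/hosts line from variables and checks what dig returns, the same way the test step does. The domain, host name and addresses are the page's sample values; 172.26.0.2 is assumed to be the upstream resolver the instance already uses; bind-interfaces is an addition beyond the page's config. The package install, service enable and ifcfg edit are deliberately left to the list above.

```shell
#!/bin/bash
# Added example (not Zimbra's or dnsmasq's own code): split-horizon DNS for a
# Zimbra host behind NAT. Values below are the page's sample values; UPSTREAM_DNS
# is an assumption (the resolver the instance got from DHCP).
ZIMBRA_DOMAIN=zimbra.sbarjatiya.com
ZIMBRA_HOST=mail.zimbra.sbarjatiya.com
PRIVATE_IP=172.26.15.186
UPSTREAM_DNS=172.26.0.2

# render_dnsmasq_conf DOMAIN MAILHOST "UPSTREAM [UPSTREAM ...]"  > /etc/dnsmasq.d/zimbra.conf
render_dnsmasq_conf() {
  domain=$1; host=$2
  for up in $3; do printf 'server=%s\n' "$up"; done   # forward everything else upstream
  printf 'domain=%s\n' "$domain"
  printf 'mx-host=%s,%s,5\n' "$domain" "$host"       # answer the domain's MX query locally
  printf 'listen-address=127.0.0.1\n'                 # loopback only: never an open resolver
  printf 'bind-interfaces\n'                          # added: bind only that address, not 0.0.0.0
}

# render_hosts_line IP MAILHOST DOMAIN  -> the /etc/hosts entry dnsmasq serves the A record from
render_hosts_line() { printf '%s %s %s\n' "$1" "$2" "$3"; }

is_private_ipv4() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# verify_split_horizon MX_OUTPUT A_OUTPUT MAILHOST
#   MX_OUTPUT is what "dig +short -t MX @127.0.0.1 DOMAIN" prints ("5 mail.example.com."),
#   A_OUTPUT is what "dig +short -t A @127.0.0.1 MAILHOST" prints, one address per line.
#   Succeeds only when the MX names MAILHOST and every address for it is RFC 1918,
#   i.e. the LMTP hop will stay inside the private network.
verify_split_horizon() {
  mx_target=$(printf '%s\n' "$1" | awk 'NR==1 { sub(/\.$/, "", $2); print $2 }')
  [ "$mx_target" = "$3" ] || return 1
  [ -n "$2" ] || return 1
  printf '%s\n' "$2" | while read -r addr; do
    is_private_ipv4 "$addr" || exit 1    # leaves the pipeline subshell, failing the check
  done
}

# The real check against the local dnsmasq (needs dig; not run by default).
check_live() {
  verify_split_horizon "$(dig +short -t MX @127.0.0.1 "$ZIMBRA_DOMAIN")" \
                       "$(dig +short -t A @127.0.0.1 "$ZIMBRA_HOST")" "$ZIMBRA_HOST"
}

render_dnsmasq_conf "$ZIMBRA_DOMAIN" "$ZIMBRA_HOST" "$UPSTREAM_DNS"
render_hosts_line "$PRIVATE_IP" "$ZIMBRA_HOST" "$ZIMBRA_DOMAIN"
```

verify_split_horizon takes the text dig +short would print, so it can be exercised without a running dnsmasq; check_live wires it to the live queries and is what to run after systemctl start dnsmasq, before pointing resolv.conf at 127.0.0.1.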
Use firewall for NAT
In this case the Linux firewall can be used to intercept outgoing connections to the public IP and DNAT them to the private IP. This needs to be explored properly with firewalld.
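What that interception looks like in rule form, as an added example that is not part of the page: the server's own connections to its public address are rewritten to the private address. Locally generated packets traverse the nat table's OUTPUT chain, not PREROUTING, so that is where the DNAT must go; a PREROUTING rule would never see this traffic. Addresses and port are the page's sample values; the functions print the commands rather than applying them, so they can be reviewed and then run as root, and rule_present lets a re-run skip a rule that is already in place.

```shell
#!/bin/bash
# Added example (not from the page): DNAT the host's own traffic to its public IP
# back to the private IP, for Zimbra's LMTP port. Values are the page's sample values.
PUBLIC_IP=54.144.231.182
PRIVATE_IP=172.26.15.186
LMTP_PORT=7025

# Reject anything that is not a TCP port number, so a typo cannot produce a rule
# that redirects the wrong traffic.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# self_dnat_rule PUBLIC PRIVATE PORT -> iptables command for the nat OUTPUT chain
# (locally generated packets only; PREROUTING would not match them).
self_dnat_rule() {
  valid_port "$3" || return 1
  printf 'iptables -t nat -A OUTPUT -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
    "$1" "$3" "$2" "$3"
}

# firewalld equivalent for CentOS 7; --permanent keeps it across reboots.
self_dnat_firewalld() {
  valid_port "$3" || return 1
  printf 'firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
    "$1" "$3" "$2" "$3"
  printf 'firewall-cmd --reload\n'
}

# rule_present PUBLIC PORT: read the output of "iptables -t nat -S OUTPUT" on stdin and
# succeed if a DNAT for that destination and port is already there (idempotent apply).
rule_present() {
  grep -qE -- "-A OUTPUT .*-d $1(/32)? .*--dport $2 .*-j DNAT"
}

self_dnat_rule "$PUBLIC_IP" "$PRIVATE_IP" "$LMTP_PORT"
self_dnat_firewalld "$PUBLIC_IP" "$PRIVATE_IP" "$LMTP_PORT"
```

Only the ports Zimbra talks to itself on need such a rule; 7025 is the one the log above shows. A plain iptables rule is lost on reboot unless saved, which is why the firewalld form is given alongside it.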
Refer:
- https://www.the-art-of-web.com/system/iptables-nat/
- https://wiki.zimbra.com/wiki/Split_DNS
- https://wiki.zimbra.com/wiki/DNS_caching_service_(dnscache)
- https://dilliganesh.wordpress.com/2018/08/13/how-to-remove-dnscache-from-zimbra-services/