sending emails after upgarde to Zimbra 8.7.5: connection refused and domain has no MX record

[adelmerhej]

Hello,

i just upgraded zcs 8.7.1 to 8.7.5 NE as a result, MTA turned suddenly to open relay and my IP was blacklisted.
to solved this issue asap i changed my IP to another IP within my range of allowed IPs and secured postfix with the following commands:

1. zmprov mcf zimbraMtaEnableSmtpdPolicyd TRUE
2. zmprov mcf zimbraMtaSmtpdRejectUnlistedRecipient yes
3. zmprov mcf zimbraMtaSmtpdRejectUnlistedSender yes
4. zmprov mcf +zimbraMtaRestriction "check_policy_service unix:private/policy"
5. zmmtactl restart
6. zmconfigdctl restart

knowing i can ping, resolve and ssh IP but cannot telnet port 25

Mar 30 11:45:30 mail postfix/smtp[15484]: connect to gmail-smtp-in.l.google.com[74.125.140.27]:25: Connection refused
Mar 30 11:45:30 mail postfix/smtp[15484]: connect to alt1.gmail-smtp-in.l.google.com[108.177.14.27]:25: Connection refused
Mar 30 11:45:30 mail postfix/smtp[15484]: connect to alt2.gmail-smtp-in.l.google.com[74.125.200.27]:25: Connection refused
Mar 30 11:45:30 mail postfix/smtp[15484]: connect to alt3.gmail-smtp-in.l.google.com[64.233.188.27]:25: Connection refused
Mar 30 11:45:30 mail postfix/smtp[15484]: connect to alt4.gmail-smtp-in.l.google.com[74.125.28.27]:25: Connection refused

any thought or help will be appreciated

thank you

[tonster]

Hello,

i just upgraded zcs 8.7.1 to 8.7.5 NE as a result, MTA turned suddenly to open relay and my IP was blacklisted.
to solved this issue asap i changed my IP to another IP within my range of allowed IPs and secured postfix with the following commands:

1. zmprov mcf zimbraMtaEnableSmtpdPolicyd TRUE
2. zmprov mcf zimbraMtaSmtpdRejectUnlistedRecipient yes
3. zmprov mcf zimbraMtaSmtpdRejectUnlistedSender yes
4. zmprov mcf +zimbraMtaRestriction "check_policy_service unix:private/policy"
5. zmmtactl restart
6. zmconfigdctl restart

knowing i can ping, resolve and ssh IP but cannot telnet port 25

Mar 30 11:45:30 mail postfix/smtp[15484]: connect to gmail-smtp-in.l.google.com[74.125.140.27]:25: Connection refused
Mar 30 11:45:30 mail postfix/smtp[15484]: connect to alt1.gmail-smtp-in.l.google.com[108.177.14.27]:25: Connection refused
Mar 30 11:45:30 mail postfix/smtp[15484]: connect to alt2.gmail-smtp-in.l.google.com[74.125.200.27]:25: Connection refused
Mar 30 11:45:30 mail postfix/smtp[15484]: connect to alt3.gmail-smtp-in.l.google.com[64.233.188.27]:25: Connection refused
Mar 30 11:45:30 mail postfix/smtp[15484]: connect to alt4.gmail-smtp-in.l.google.com[74.125.28.27]:25: Connection refused

any thought or help will be appreciated

thank you

Clearly, something is preventing you from accessing outbound on port 25. This is not a zimbra problem. You should also look into the cause of the open relay. An upgrade would not suddenly make you an open relay unless you had something wrong in the configuration somewhere. Check zimbraMtaMyNetworks and make sure you don't have any external networks allowed to relay without authentication. More likely, one of your users had a bad password and that was the cause.

[adelmerhej]

Clearly, something is preventing you from accessing outbound on port 25. This is not a zimbra problem. You should also look into the cause of the open relay. An upgrade would not suddenly make you an open relay unless you had something wrong in the configuration somewhere. Check zimbraMtaMyNetworks and make sure you don't have any external networks allowed to relay without authentication. More likely, one of your users had a bad password and that was the cause.

[/quote]

Thank you, you described pretty well the issue,
in fact yes it was a firewall issue mainly but the inconvenient is straight after upgrade i start to face this issue.
now after changing ZimbraMTA:

Code: Select all

zmprov ms zimbra.example.com zimbraMtaMyNetworks '127.0.0.0/8 10.10.130.10/32'

it works but i'm not able to receive emails, i think it's NAT issue likely
i checked and changed the passwords and the password policy for all users.
but the strange in that i'm having in zimbra.log huge rejection of emails, is there any solution for that?


any clue how to prevent it?
thank you

[adelmerhej]

Sorry, I'd need to see the errors to be more helpful.

i'm sorry i didnt knew how to post a snapshot, i just notice i have to attach within the attachment section
please see the attached file.

[tonster]

Sorry, I'd need to see the errors to be more helpful.

[adelmerhej]

Sorry, I'd need to see the errors to be more helpful.

i'm sorry i didnt knew how to post a snapshot, i just notice i have to attach within the attachment section
please see the attached file.

copy and paste? http://www.pastebin.com is a good place to paste logfiles.

i think i dont have the permission yet to share img or so, well i hope you can see the link on pastebin:
https://pastebin.com/7b6U16Jn

[tonster]

Sorry, I'd need to see the errors to be more helpful.

i'm sorry i didnt knew how to post a snapshot, i just notice i have to attach within the attachment section
please see the attached file.

copy and paste? http://www.pastebin.com is a good place to paste logfiles.