Split-domain setup not accepting mail to distribution lists

[groupwhere]

On Sunday, we configured split-domain per https://wiki.zimbra.com/wiki/Split_Domain since we are migrating to GMail. Everything worked afaict except that any mail to a distribution list sent on port 25 was rejected with a 451 4.3.5 Server configuration error;
I am not 100% sure where to look. I did some local queries based on the contents of the new ldap-splitdomain.cf and was thinking that I need to modify it to add zimbraMailAlias to the result attribute line. The file currently reads:

Code: Select all

server_host = ldap://mail.our.localdomain:389
server_port = 389
search_base =
query_filter = (&(|(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)(zimbraMailCatchAllAddress=%s))(zimbraMailStatus=enabled))
result_attribute = zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress
result_filter = OK
version = 3
start_tls = yes
tls_ca_cert_dir = /opt/zimbra/conf/ca
bind = yes
bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra
bind_pw = BINDPASS
timeout = 30

We are running an old version, 8.0.6 GA 5922 on CentOS6, if that helps.

[groupwhere]

Same issue on our test setup running 8.8.12_GA_3794 on CentOS 7. I just noticed the part in https://wiki.zimbra.com/wiki/Split_Domain where it says:

For the /opt/zimbra/conf/ldap-splitdomain.cf just copy the /opt/zimbra/conf/ldap-vam.cf (virtual alias maps) and removed the catchall entry and add the result_filter = OK. (May be missing the local alias maps, but at least in our case, its unused.)

So, any idea how to add them back? I attempted to create an ldap cf to use with postfix_alias_maps or zimbraMtaAliasMap, but it won't take (does not get added to main.cf).

[groupwhere]

I had big hopes for this but it did not work. Ran zmprov mcf zimbraMtaAliasMaps lmdb:/etc/aliases,proxy:ldap:/opt/zimbra/conf/ldap-dl.cf to implement, which did get populated into main.cf

/opt/zimbra/conf/ldap-dl.cf:

Code: Select all

server_host = ldap://mail.our.localdomain:389
server_port = 389
search_base =
query_filter = (&(|(zimbraMailAlias=%s)(zimbraMailCatchAllAddress=%s))(zimbraMailStatus=enabled))
result_attribute = zimbraMailAlias,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress
result_filter = OK
version = 3
start_tls = yes
tls_ca_cert_dir = /opt/zimbra/conf/ca
bind = yes
bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra
bind_pw = BINDPASS
timeout = 30

[thiago.snovarski]

Hello groupwhere!

I'm having this same problem with my split-domain, I get error 451 4.3.5 Server configuration error; when sent to a distribution list.

Did you manage to find a solution?

Thanks!

[L. Mark Stone]

Hello groupwhere!

I'm having this same problem with my split-domain, I get error 451 4.3.5 Server configuration error; when sent to a distribution list.

Did you manage to find a solution?

Thanks!

Since you are replying to three-year-old post, please post the output of zmcontrol -v and, like the original posters, what specific changes you have made to your system, so we can try to help.

[thiago.snovarski]

Hello groupwhere!

I'm having this same problem with my split-domain, I get error 451 4.3.5 Server configuration error; when sent to a distribution list.

Did you manage to find a solution?

Thanks!

Since you are replying to three-year-old post, please post the output of zmcontrol -v and, like the original posters, what specific changes you have made to your system, so we can try to help.

Thanks for the feedback!

My Zimbra has a split-domain for: mydomain.com
And another domain that I don't have split-domain. This other one that I'm having errors to receive emails destined for the distribution list.

Code: Select all

Nov 18 17:17:37 mail postfix/smtpd[21695]: connect from smtp2.sabesp.com.br[200.144.74.175]
Nov 18 17:17:37 mail postfix/smtpd[21695]: NOQUEUE: filter: RCPT from smtp2.sabesp.com.br[200.144.74.175]: <mkanai@sabesp.com.br>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<mkanai@sabesp.com.br> to=<licitacao@imply.com.br> proto=ESMTP helo=<sabesp.com.br>
Nov 18 17:17:37 mail postfix/smtpd[21695]: NOQUEUE: filter: RCPT from smtp2.sabesp.com.br[200.144.74.175]: <mkanai@sabesp.com.br>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<mkanai@sabesp.com.br> to=<licitacao@imply.com.br> proto=ESMTP helo=<sabesp.com.br>
Nov 18 17:17:37 mail postfix/smtpd[21695]: warning: unknown smtpd restriction: "OK"
Nov 18 17:17:37 mail postfix/smtpd[21695]: NOQUEUE: reject: RCPT from smtp2.sabesp.com.br[200.144.74.175]: 451 4.3.5 Server configuration error; from=<mkanai@sabesp.com.br> to=<licitacao@imply.com.br> proto=ESMTP helo=<sabesp.com.br>
Nov 18 17:17:37 mail postfix/cleanup[18174]: CE539B2E2AB4: message-id=<20221118201737.CE539B2E2AB4@mail.imply.com>
Nov 18 17:17:37 mail postfix/smtpd[21695]: disconnect from smtp2.sabesp.com.br[200.144.74.175] ehlo=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=4/6
Nov 18 17:17:37 mail postfix/qmgr[11589]: CE539B2E2AB4: from=<double-bounce@mail.imply.com>, size=1057, nrcpt=2 (queue active)

[L. Mark Stone]

Please post the output of:

Code: Select all

zmprov gs `zmhostname` zimbraMtaRestriction zimbraMtaSmtpdClientRestrictions zimbraMtaSmtpdDataRestrictions zimbraMtaSmtpdSenderRestrictions

I'm looking at this line in your output:

Code: Select all

Nov 18 17:17:37 mail postfix/smtpd[21695]: warning: unknown smtpd restriction: "OK"

[thiago.snovarski]

Here is the requested output:

Code: Select all

zimbra@mail:~$ zmprov gs `zmhostname` zimbraMtaRestriction zimbraMtaSmtpdClientRestrictions zimbraMtaSmtpdDataRestrictions zimbraMtaSmtpdSenderRestrictions
# name mail.mydomain.com
zimbraMtaRestriction: check_recipient_access ldap:/opt/zimbra/conf/ldap-splitdomain.cf
zimbraMtaRestriction: check_recipient_access ldap:/opt/zimbra/conf/ldap-vam.cf
zimbraMtaRestriction: reject_invalid_helo_hostname
zimbraMtaRestriction: reject_non_fqdn_helo_hostname
zimbraMtaRestriction: reject_non_fqdn_sender
zimbraMtaRestriction: reject_unknown_client_hostname
zimbraMtaRestriction: reject_unknown_helo_hostname
zimbraMtaRestriction: reject_unknown_reverse_client_hostname
zimbraMtaRestriction: reject_unknown_sender_domain
zimbraMtaRestriction: reject_rbl_client psbl.surriel.com
zimbraMtaRestriction: reject_rbl_client dnsbl.spfbl.net
zimbraMtaRestriction: reject_rbl_client bl.spamcop.net
zimbraMtaRestriction: reject_rbl_client b.barracudacentral.org
zimbraMtaSmtpdClientRestrictions: reject_unauth_pipelining
zimbraMtaSmtpdDataRestrictions: reject_unauth_pipelining

[L. Mark Stone]

OK, please post the output of of the two ldap-*.cf files, redacting the "bind_pw" attribute.

Also, FWIW, your other restrictions will result in a lot of false positives.

[thiago.snovarski]

Code: Select all

zimbra@mail:~$ cat /opt/zimbra/conf/ldap-splitdomain.cf
server_host = ldap://mail.mydomain.com:389
server_port = 389
search_base =
query_filter = (&(|(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)(zimbraMailCatchAllAddress=%s))(zimbraMailStatus=enabled))
result_attribute = zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress
result_filter = OK
version = 3
start_tls = yes
tls_ca_cert_dir = /opt/zimbra/conf/ca
bind = yes
bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra
bind_pw = **********
timeout = 30

Code: Select all

zimbra@mail:~$ cat /opt/zimbra/conf/ldap-vam.cf
server_host = ldap://mail.mydomain.com:389
server_port = 389
search_base =
query_filter = (&(|(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)(zimbraOldMailAddress=%s)(zimbraMailCatchAllAddress=%s))(zimbraMailStatus=enabled))
result_attribute = zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailCatchAllForwardingAddress
version = 3
start_tls = yes
tls_ca_cert_dir = /opt/zimbra/conf/ca
bind = yes
bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra
bind_pw = **************
timeout = 30
special_result_attribute = member