PMG does not work with zimbra

JoAnCa

New Member
Feb 20, 2021
Hello everyone
I installed PMG as a relay for Zimbra and configured both for port 26 and my domain, but it rejects the emails that go out from my domain to other domains, with this error:

NOQUEUE: reject: RCPT from unknown [192.168.xx.xx]: 554 5.7.1 <user@gmail.com>: Relay access denied; from = <user@my.domain> to = <user@gmail.com>

How can I solve this problem?
 
Is Zimbra's IP address (or a network that contains this IP) configured as a trusted network?
(GUI -> Configuration -> Mail Proxy -> Networks)

I hope this helps!
 
Yes, the network where this Zimbra is located is in GUI -> Configuration -> Mail Proxy -> Networks.
 
Please post the complete log for such a mail.

else - is Zimbra configured to send mail to the internal port of PMG? (port 26 is the default internal port, but you can change the ports in the GUI)

else - maybe you need to restart Zimbra for the relay settings to get applied...
 

Yes, as already mentioned, I configured Zimbra to deliver to PMG on port 26 and restarted the Zimbra server. In the PMG I configured the network where the Zimbra IP is. And this is what the log shows:

Feb 26 08:54:38 mx1 postfix/smtpd[582]: connect from unknown[192.168.0.6]
Feb 26 08:54:38 mx1 postfix/smtpd[582]: NOQUEUE: reject: RCPT from unknown[192.168.0.6]: 554 5.7.1 <jose.2rcv@gmail.com>: Relay access denied; from=<jose@epselpr.co.cu> to=<jose.2rcv@gmail.com> proto=ESMTP helo=<correo.epselpr.co.cu>
Feb 26 08:54:38 mx1 postfix/smtpd[582]: disconnect from unknown[192.168.0.6] ehlo=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=4/6
 
please post:
Code:
pmgconfig dump
cat /etc/postfix/main.cf
cat /etc/postfix/master.cf
 

This is the pmgconfig dump:

composed.wl_bounce_relays = mx1.epselpr.co.cu
dns.domain = epselpr.co.cu
dns.fqdn = mx1.epselpr.co.cu
dns.hostname = mx1
ipconfig.int_ip = 192.168.0.16
pmg.admin.advfilter = 1
pmg.admin.avast = 0
pmg.admin.clamav = 1
pmg.admin.custom_check = 0
pmg.admin.custom_check_path = /usr/local/bin/pmg-custom-check
pmg.admin.dailyreport = 1
pmg.admin.demo = 0
pmg.admin.dkim_selector =
pmg.admin.dkim_sign = 0
pmg.admin.dkim_sign_all_mail = 0
pmg.admin.email = admin@epselpr.co.cu
pmg.admin.http_proxy =
pmg.admin.statlifetime = 7
pmg.clamav.archiveblockencrypted = 0
pmg.clamav.archivemaxfiles = 1000
pmg.clamav.archivemaxrec = 5
pmg.clamav.archivemaxsize = 25000000
pmg.clamav.dbmirror = database.clamav.net
pmg.clamav.maxcccount = 0
pmg.clamav.maxscansize = 100000000
pmg.clamav.safebrowsing = 1
pmg.clamav.scriptedupdates = 0
pmg.mail.banner = ESMTP Proxmox
pmg.mail.before_queue_filtering = 0
pmg.mail.conn_count_limit = 50
pmg.mail.conn_rate_limit = 0
pmg.mail.dnsbl_sites =
pmg.mail.dnsbl_threshold = 1
pmg.mail.dwarning = 4
pmg.mail.ext_port = 25
pmg.mail.greylist = 1
pmg.mail.greylist6 = 0
pmg.mail.greylistmask4 = 24
pmg.mail.greylistmask6 = 64
pmg.mail.helotests = 0
pmg.mail.hide_received = 0
pmg.mail.int_port = 26
pmg.mail.max_filters = 32
pmg.mail.max_policy = 5
pmg.mail.max_smtpd_in = 100
pmg.mail.max_smtpd_out = 100
pmg.mail.maxsize = 2097152
pmg.mail.message_rate_limit = 0
pmg.mail.ndr_on_block = 0
pmg.mail.rejectunknown = 0
pmg.mail.rejectunknownsender = 0
pmg.mail.relay = epselpr.co.cu
pmg.mail.relaynomx = 0
pmg.mail.relayport = 25
pmg.mail.relayprotocol = smtp
pmg.mail.smarthost =
pmg.mail.smarthostport = 25
pmg.mail.spf = 1
pmg.mail.tls = 0
pmg.mail.tlsheader = 0
pmg.mail.tlslog = 0
pmg.mail.verifyreceivers = 450
pmg.spam.bounce_score = 0
pmg.spam.clamav_heuristic_score = 3
pmg.spam.languages = all
pmg.spam.maxspamsize = 262144
pmg.spam.rbl_checks = 1
pmg.spam.use_awl = 1
pmg.spam.use_bayes = 1
pmg.spam.use_razor = 1
pmg.spam.wl_bounce_relays =
pmg.spamquar.allowhrefs = 1
pmg.spamquar.authmode = ticket
pmg.spamquar.hostname =
pmg.spamquar.lifetime = 7
pmg.spamquar.mailfrom =
pmg.spamquar.port = 8006
pmg.spamquar.protocol = https
pmg.spamquar.quarantinelink = 0
pmg.spamquar.reportstyle = verbose
pmg.spamquar.viewimages = 1
pmg.virusquar.allowhrefs = 1
pmg.virusquar.lifetime = 7
pmg.virusquar.viewimages = 1
postfix.dnsbl_threshold = 1
postfix.int_ip = 192.168.0.16
postfix.mynetworks = 127.0.0.0/8 [::1]/128 192.168.0.0/24 192.168.0.0/24 192.168.0.6/32
postfix.transportnets = 192.168.0.6/32
postfix.usepolicy = 1
postgres.version = 11

The main.cf

# auto-generated by proxmox

compatibility_level = 2
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix

# appending .domain is the MUA's job.
append_dot_mydomain = yes

smtpd_banner = $myhostname ESMTP Proxmox
biff = no

delay_warning_time = 4h

best_mx_transport = local
message_size_limit = 2097152
mailbox_size_limit = 51200000

mydomain = epselpr.co.cu
myhostname = mx1.epselpr.co.cu

parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = localhost, $myhostname
mynetworks = 127.0.0.0/8 [::1]/128 192.168.0.0/24 192.168.0.0/24 192.168.0.6/32 172.16.0.6

relay_domains = hash:/etc/pmg/domains

transport_maps = hash:/etc/pmg/transport

relay_transport = smtp:epselpr.co.cu:25

content_filter=scan:127.0.0.1:10024

mail_name = Proxmox

smtpd_helo_restrictions =

postscreen_access_list =
    permit_mynetworks,
    cidr:/etc/postfix/postscreen_access



postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce

smtpd_sender_restrictions =
    permit_mynetworks
    reject_non_fqdn_sender
    check_client_access cidr:/etc/postfix/clientaccess
    check_sender_access regexp:/etc/postfix/senderaccess
    check_recipient_access regexp:/etc/postfix/rcptaccess

smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    reject_non_fqdn_recipient
    check_recipient_access regexp:/etc/postfix/rcptaccess
    check_sender_access regexp:/etc/postfix/senderaccess
    check_client_access cidr:/etc/postfix/clientaccess
    check_policy_service inet:127.0.0.1:10022
    reject_unknown_recipient_domain
    reject_unverified_recipient

unverified_recipient_reject_code = 450


smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 0
smtpd_client_message_rate_limit = 0

smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
lmtp_tls_session_cache_database = btree:/var/lib/postfix/lmtp_tls_session_cache

default_destination_concurrency_limit = 40
lmtp_destination_concurrency_limit = 20
relay_destination_concurrency_limit = 20
smtp_destination_concurrency_limit = 20
virtual_destination_concurrency_limit = 20

recipient_delimiter = +

The master.cf

scan unix - - n - 32 lmtp
  -o lmtp_send_xforward_command=yes
  -o lmtp_connection_cache_on_demand=no
  -o disable_dns_lookups=yes

26 inet n - - - 100 smtpd
  -o content_filter=scan:127.0.0.1:10023
  -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=

25 inet n - - - 1 postscreen

smtpd pass - - - - 100 smtpd
  -o content_filter=scan:127.0.0.1:10024
  -o receive_override_options=no_address_mappings
  -o smtpd_discard_ehlo_keywords=silent-discard,dsn
  -o mynetworks=127.0.0.0/8,192.168.0.16

127.0.0.1:10025 inet n - n - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_restriction_classes=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o smtpd_tls_security_level=none
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
  -o message_size_limit=4194304

pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
  -o message_size_limit=4194304

qmgr fifo n - - 300 1 qmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
showq unix n - - - - showq
error unix - - - - - error
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
verify unix - - - - 1 verify
trace unix - - n - 0 bounce
tlsmgr unix - - - 1000? 1 tlsmgr
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
discard unix - - - - - discard
retry unix - - - - - error
dnsblog unix - - - - 0 dnsblog
tlsproxy unix - - - - 0 tlsproxy
 
from the config this should work - to debug further I would:
* listen to PMG's interface with tcpdump - to see how the packets arrive from your zimbra
* if this does not help turn on verbose mode for all smtpd processes in the master.cf:
http://www.postfix.org/DEBUG_README.html
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine

I hope this helps!
 
Thank you very much for your help. I will do what you tell me to see if I find the problem.
 
Although I don't really understand what tcpdump shows me, I tried with:

tcpdump port 25 -A

And it gave me this result (the fragment that I consider useful):
10:54:19.116524 IP mx1.epselpr.co.cu.smtp > 192.168.0.6.52178: Flags [.], ack 28, win 510, options [nop,nop,TS val 946124682 ecr 372988495], length 0
E..4T.@.@.d.............e[@L<..V...........
8d...;ZO
10:54:19.117474 IP mx1.epselpr.co.cu.smtp > 192.168.0.6.52178: Flags [P.], seq 182:288, ack 117, win 510, options [nop,nop,TS val 946124683 ecr 372988495], length 106: SMTP: 250 2.1.0 Ok
E...T.@.@.dL............e[@.<..............
8d...;ZO250 2.1.0 Ok
554 5.7.1 <jose.2rcv@gmail.com>: Relay access denied
554 5.5.1 Error: no valid recipients

10:54:19.117486 IP 192.168.0.6.52178 > mx1.epselpr.co.cu.smtp: Flags [.], ack 288, win 501, options [nop,nop,TS val 372988496 ecr 946124683], length 0
E..4..@.@...............<...e[AF...........
.;ZP8d..
10:54:19.167723 IP 192.168.0.6.52178 > mx1.epselpr.co.cu.smtp: Flags [P.], seq 117:129, ack 288, win 501, options [nop,nop,TS val 372988547 ecr 946124683], length 12: SMTP: RSET
E..@..@.@...............<...e[AF...........
.;Z.8d..RSET
QUIT

10:54:19.167744 IP mx1.epselpr.co.cu.smtp > 192.168.0.6.52178: Flags [.], ack 129, win 510, options [nop,nop,TS val 946124734 ecr 372988547], length 0
E..4T.@.@.d.............e[AF<..............
8d...;Z.
10:54:19.167785 IP mx1.epselpr.co.cu.smtp > 192.168.0.6.52178: Flags [P.], seq 288:317, ack 129, win 510, options [nop,nop,TS val 946124734 ecr 372988547], length 29: SMTP: 250 2.0.0 Ok
E..QT.@.@.d.............e[AF<..............
8d...;Z.250 2.0.0 Ok
221 2.0.0 Bye

With tcpdump port 26 -A it shows nothing

Could it be that zimbra is not sending through port 26, despite having it configured?

Attached is the Zimbra MTA configuration.
Zimbra does not allow changing the port 25 indicated in the circle.
 

Could it be that zimbra is not sending through port 26, despite having it configured?
seems like it ...

Sadly I'm not fluent in Spanish, so I cannot tell you with certainty, but the settings seem correct.
Maybe try to reboot the Zimbra host? (in case it only reads its config on startup)
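
Why the port matters with the configuration posted in this thread, as an added example that is not part of any post above: in the posted master.cf the `smtpd` service behind port 25 overrides `mynetworks`, while port 26 keeps the main.cf value. The sketch models only `permit_mynetworks` followed by `reject_unauth_destination`; the contents of `/etc/pmg/domains` (`RELAY_DOMAINS`) are an assumption, and the function names are hypothetical.

```python
import ipaddress

# Constructed excerpts of the main.cf / master.cf values posted in the thread.
MAIN_MYNETWORKS = "127.0.0.0/8 [::1]/128 192.168.0.0/24 192.168.0.0/24 192.168.0.6/32 172.16.0.6"
MASTER_CF = """\
26 inet n - - - 100 smtpd
  -o content_filter=scan:127.0.0.1:10023
  -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
25 inet n - - - 1 postscreen
smtpd pass - - - - 100 smtpd
  -o content_filter=scan:127.0.0.1:10024
  -o mynetworks=127.0.0.0/8,192.168.0.16
"""
RELAY_DOMAINS = {"epselpr.co.cu"}  # assumption: contents of /etc/pmg/domains


def parse_master(text):
    """Map service name -> command and its '-o name=value' overrides."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():  # continuation line belongs to the previous service
            name, _, value = line.split("-o", 1)[1].strip().partition("=")
            current["overrides"][name] = value
        else:
            fields = line.split()
            current = {"command": fields[7], "overrides": {}}
            services[fields[0]] = current
    return services


def effective_mynetworks(services, port):
    """Networks that permit_mynetworks trusts for connections to this port."""
    svc = services[str(port)]
    if svc["command"] == "postscreen":  # postscreen hands off to the "smtpd" pass service
        svc = services["smtpd"]
    raw = svc["overrides"].get("mynetworks", MAIN_MYNETWORKS)
    items = raw.replace(",", " ").replace("[", "").replace("]", "").split()
    return [ipaddress.ip_network(item, strict=False) for item in items]


def relay_decision(port, client_ip, rcpt_domain):
    """Model permit_mynetworks followed by reject_unauth_destination."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in effective_mynetworks(parse_master(MASTER_CF), port)):
        return "permit"
    if rcpt_domain in RELAY_DOMAINS:
        return "permit"
    return "554 5.7.1 Relay access denied"
```

For the Zimbra host at 192.168.0.6 sending to a gmail.com recipient, this returns the 554 rejection on port 25 and `permit` on port 26, matching the log and the tcpdump capture on port 25.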
 
