SMTP Relay Naming Issue

A few years ago I set up a Zimbra mail server behind Sophos UTM using Email Protection. Configuration for incoming mail went smoothly, but I ran into an issue with outgoing mail when using the UTM for relaying. It's been a few years so I'm a little foggy on the details, but the problem as I remember it was that the host name configured in Zimbra was mail.domain.com, which was the same name as the UTM SMTP relay. Because the two names were the same, when Zimbra sent mail to the relay it was rejected. The UTM and the mail server argued over having the same name. I resolved the issue by renaming the mail server to mail.domain.local so they didn't argue, and then set up a second domain on Zimbra for mail.domain.com. With this configuration everything works, but I've never been happy with it. I feel that there may be a more elegant way of doing things. Changing the SMTP hostname on the UTM doesn't seem like a good option since it's checked by receiving mail servers and should match RDNS and such. Perhaps I could leave the mail server name mail.domain.com and then modify the email header configuration in Zimbra to use a different name, but I've not looked into how that might be accomplished in Zimbra.

I'm about to set up a new mail server so I'm reconsidering my configuration. Does anybody have a better way of dealing with the issue than what I've found?


  • The hostname on the UTM doesn't really matter. The main thing for spam filters is that there is an actual rDNS entry for that domain. It doesn't really matter what it is as long as there is one.

    You will find multiple instances of this all over the web, e.g. MX records not matching domain names.

  • Perhaps I didn't explain the issue well enough since DNS, RDNS, MX records and such are not involved at the point where I had a problem.


    Under normal circumstances when Zimbra sends outgoing mail it is handed to the Sophos UTM relay where it's processed and then sent to the outside world. My point of failure was between Zimbra and the UTM when Zimbra was trying to hand off mail to the UTM. At this point DNS records don't come into play since Zimbra is sending to the UTM via IP address (or locally defined DNS record).

    I assume that there's a normal SMTP dialogue going on between Zimbra and the UTM when handing over outgoing mail, and I believe the failure was caused by both the UTM and Zimbra thinking they were mail.domain.com. At least the error messages that I saw led me to believe so. I changed the SMTP hostname in the UTM to something else and then it accepted mail from Zimbra, but doing so changed the banner on my outgoing mail which could lead to bounced or rejected messages.

    After determining that both the UTM and Zimbra could not have the same SMTP hostname I used my correct SMTP hostname, the one that matches RDNS, in the UTM, and then used mail.domain.local as the Zimbra SMTP hostname. That way the UTM and Zimbra would communicate correctly since they no longer had the same name.

    One problem with this approach is that the Zimbra server now has a fictitious name, and my real domain name is configured as a secondary domain. It works the way it's configured, but in my opinion it's not an elegant solution and I'm looking for perhaps a better way to do things.
  • As mentioned, I've never had an issue with mail which uses a different banner. Never had mail bounced back.

    mxtoolbox might give you a warning that it doesn't match, but I've always had mail go through. Now, no rDNS entry or the IP coming from a dynamic range is a different kettle of fish, but the banner not matching generally doesn't affect things.

    In fact, where I'm typing this from has 4 domains behind the UTM which all accept/send mail without issue.

    Going back to the UTM, until they change something within it or you just forego the UTM, you will be stuck with one rDNS banner.

  • Hi, Rob - first time you've posted here - welcome to the UTM Community!

    I admit that I haven't read most of the above, so I apologize if my comments are off-target...

    For example, I would name the UTM secure.domain.com and follow the approach suggested in Basic Exchange setup with SMTP Proxy. As long as secure.domain.com resolves to the sending IP and you have a corresponding rDNS entry in place, mail sent from the Proxy will pass FCrDNS ("Strict rDNS").

    We would need to see the log entries that led you to the conclusion that there was a naming issue.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi team,

    Any solution for the above issue? I am facing the same issue with Zimbra and the SMTP relay name. Please suggest if we have any solution. Thanks

  • What problem do you have, Saya? Because I saw your problem is with XG.

  • I'm the OP and have not spent any more time trying to find a more elegant solution to the problem, but it's easy enough to avoid. The key is that you can not use the same SMTP host name for both Zimbra and the UTM. For example, you can not use mail.xyzcompany.com for both Zimbra and the UTM. However, you can use xyzcompany.local for Zimbra and mail.xyzcompany.com for the UTM. I've been running this way for years, but I'm about due for a new mail server and I plan to look for a different method, such as modifying the SMTP headers in Zimbra.

    Note that when using a fictitious domain name such as xyzcompany.local in Zimbra, it's the primary domain, and your real domain such as xyzcompany.com is a secondary domain. So when setting up Zimbra make believe that it's xyzcompany.local, then add your real domain such as xyzcompany.com as an additional domain. If using UTM 9 then go to Email Protection - SMTP - Advanced, and then scroll down to the Advanced Settings area. For SMTP hostname use your real hostname, such as mail.xyzcompany.com. If you are using XG then I don't have a clue how to configure it.

    Don't forget to set RDNS to match whatever you put in the UTM. My reason for modifying Zimbra rather than the UTM host name is that RDNS was already set and I didn't want to change it, but it could be done the other way around as well.
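The SMTP hand-off described above (Zimbra announcing itself to the relay in EHLO, and the relay refusing when the two hostnames collide) as an added, self-contained reproduction; this is example code written here, not Zimbra's or the UTM's. It assumes the relay applies a common anti-forgery rule, "reject a client whose HELO name is my own hostname", which is an assumption about the UTM's behaviour, not something taken from its configuration; the relay name mail.domain.com and the fixed name mail.domain.local are the ones used in the thread.

```python
"""Reproduce a HELO-name collision between a mail server and its relay.

Assumed relay policy (not taken from the UTM): refuse any client whose
EHLO/HELO name equals the relay's own SMTP hostname.  Everything runs on
127.0.0.1 so it works offline.
"""
import smtplib
import socket
import threading

RELAY_NAME = "mail.domain.com"   # the relay's SMTP hostname (matches rDNS)


def run_relay(listener: socket.socket) -> None:
    """One-shot SMTP responder: send the banner, answer one EHLO/HELO, close."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(f"220 {RELAY_NAME} ESMTP\r\n".encode())
        line = b""
        while not line.endswith(b"\r\n"):          # read one full command line
            chunk = conn.recv(1024)
            if not chunk:
                return
            line += chunk
        verb, _, helo_name = line.decode().strip().partition(" ")
        if verb.upper() in ("EHLO", "HELO") and helo_name.lower() == RELAY_NAME:
            # The assumed anti-forgery rule: the client claims to be us.
            conn.sendall(f"550 Forged HELO: you are not {RELAY_NAME}\r\n".encode())
        else:
            conn.sendall(f"250 {RELAY_NAME}\r\n".encode())


def ehlo_result(client_helo: str) -> int:
    """Return the reply code the relay gives to a client announcing client_helo."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))                 # ephemeral local port
    listener.listen(1)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=run_relay, args=(listener,), daemon=True)
    worker.start()
    # local_hostname is what smtplib puts after EHLO, i.e. the server's own name.
    client = smtplib.SMTP("127.0.0.1", port, local_hostname=client_helo, timeout=5)
    code, _ = client.ehlo()
    client.close()
    worker.join(timeout=5)
    listener.close()
    return code


if __name__ == "__main__":
    print(ehlo_result("mail.domain.com"))    # 550: same name as the relay
    print(ehlo_result("mail.domain.local"))  # 250: distinct name, accepted
```

The same check can be pointed at a real relay by replacing the local listener with its address and reading the EHLO reply; a 5xx to an EHLO that carries the relay's own name is the symptom to look for in the logs.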
  • Thanks RobPurcell. Now I changed my mail server to mail.domain.local, but now I am getting a different problem. I am using 3 domains in my mail server, but in Sophos we have added one domain in SMTP hostname. A few domains' mails are rejected because the rDNS is not matching; as I have 3 domains, if the sender domain rDNS is not matching, mails are rejected.

  • Maybe this is a DNS MX record problem.

  • MX.DOMAIN1.COM points to utm.example.com
    MX.DOMAIN2.COM points to utm.example.com

    utm.example.com should accept emails for domains @MX.DOMAIN1.COM and @MX.DOMAIN2.COM and route to the Zimbra mail server. The Zimbra mail server should accept both domains too, and send the emails with a connector to utm.example.com (internal IP).

    Don't define different hostnames based on different domains for utm.example.com.

  • The IP of the UTM proxy should have an RDNS entry for that IP. Most people would have to contact their ISP to get this changed. Once changed, you would normally enter this into the UTM Proxy.

    The UTM proxy would then do the routing to X amount of domains behind it. It doesn't matter what these are called.

    When an anti-spam solution runs a check, it will look for the RDNS entry of the sending mail server, which in this case is the UTM, and the RDNS entry will match.

    Think about users using a hosted anti-spam solution or a smart host. Mail comes via that host, which certainly won't be their domain name. E.g. mail from mydomain.com will appear to come from antispam.trendmicro.com and only the RDNS for that server is important in this case.

    Now when you get to SPF, DMARC etc., you will carefully have to look at these. E.g. in the above case, that antispam.trendmicro.com is allowed to send for mydomain.com etc.

    And of course, your MX records will have to use the UTM MX records rather than their domain.

  • It is not explained in what direction the emails are rejected.
