maruscya
join:2014-11-09

Member

ZyWall USG 200 - Help needed

Dear All ....

I have bought a new ZyWall USG 200.

It works fine, but I found a little problem in my configuration and I'm not able to fix it.
This is my network configuration

MTA -->Internet ----> ZyWall ---> MailServer

The ZyWall IP on the LAN side is configured as 192.168.1.200.
The MailServer IP is 192.168.1.201. Postfix runs on the mail server.

My problem is simple:
Postfix receives the connections from the ZyWall (192.168.1.200), but I want to see the real MTA IP. Below I report a simple Postfix log line:

Received: from XYZY (unknown [192.168.1.200])

I want to see something like:

Received: from XYZY (fqdn-name.com [REAL.IP.HERE.AAA])

How can I set up the ZyWall to forward the real IP instead of the ZyWall LAN IP? I can't understand how to reach my goal. Could you explain to me, step by step, how to reach my goal?

Many, many thanks...

NB: sorry about my poor English.

MaruscyA

Brano
I hate Vogons
MVM
join:2002-06-25
Burlington, ON

It's caused by either Anti-spam or loop-back.

Try disabling anti-spam completely and see if it helps. Check any other UTM services that interact with port 25 and disable them.
If it doesn't, see if you have loopback configured on the WAN interface and disable it.

I'm assuming that you have a virtual server (in the NAT section) configured for your Postfix mail server.

stefaanE
Premium Member
join:2002-07-10
to maruscya
If the MTA on the Internet connects to your Postfix server through the ZyWall (using NAT), the SMTP headers should show the address of the MTA, not that of the ZyWall. The only time you would see the ZyWall's address in the headers (or the log) is when it is sending the message. Here, for example, is my external MTA connecting to the internal Postfix MTA (on a Synology) through my USG-100:

Nov  9 22:28:25 DiskStation postfix/smtpd[22483]: connect from mail.ecc.lu[198.71.89.73]
 

In the header of a message, the same IP address appears:
Received: from mail.ecc.lu (mail.ecc.lu [198.71.89.73])
    by home.ecc.lu (Postfix) with SMTP id C143580A6D4
    for <xxx@ecc.lu>; Sun, 9 Nov 2014 22:28:25 +0100 (CET)
 

Here is my USG connecting to send its daily report:
Nov  9 00:00:10 DiskStation postfix/smtpd[22711]: connect from vpnrouter.ecc.lu[192.168.1.252]
Nov  9 00:00:10 DiskStation postfix/smtpd[22711]: 102F1860001: client=vpnrouter.ecc.lu[192.168.1.252
Nov  9 00:00:10 DiskStation postfix/cleanup[22715]: 102F1860001: hold: header Received: from ecc.lu
Nov  9 00:00:10 DiskStation postfix/cleanup[22715]: 102F1860001: message-id=<>
Nov  9 00:00:10 DiskStation postfix/smtpd[22711]: disconnect from vpnrouter.ecc.lu[192.168.1.252]
 

and the corresponding header in the email:

Received: from ecc.lu (vpnrouter.ecc.lu [192.168.1.252])
    by home.ecc.lu (Postfix) with ESMTP id C1B53808751
    for <xxx@ecc.lu>; Sun, 9 Nov 2014 00:00:11 +0100 (CET)
 

For the ZyWall's address to be substituted for the external MTA's address it would have to act as a kind of proxy instead of NATting the connection to your internal MTA, and I am not aware of such a functionality.

Can you post the relevant excerpts from the configuration of your USG?

Take care,

Stefaan
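
An added example, not part of any post in this thread: a small Python check that reads Postfix connect lines and Received headers and reports whether the mail server sees real sender addresses or only the firewall's LAN address. The function names and the log lines in BROKEN are constructed for illustration; the WORKING lines are copied from the post above, and the verdict is a heuristic over whatever lines it is given.

```python
import ipaddress
import re
from collections import Counter

# Postfix smtpd log line: "... postfix/smtpd[22483]: connect from host[ip]"
CONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from \S+?\[([0-9A-Fa-f.:]+)\]")
# Postfix Received header: "Received: from helo (host [ip])"
RECEIVED_RE = re.compile(r"^Received: from \S+ \(\S+ \[(?:IPv6:)?([0-9A-Fa-f.:]+)\]\)")


def client_ips(lines):
    """Count the client IPs Postfix recorded in connect lines and Received headers."""
    counts = Counter()
    for line in lines:
        m = CONNECT_RE.search(line) or RECEIVED_RE.search(line)
        if not m:
            continue
        try:
            counts[ipaddress.ip_address(m.group(1))] += 1
        except ValueError:
            pass  # bracketed text that is not an IP address
    return counts


def diagnose(lines, firewall_lan_ip):
    """Heuristic: does the mail server see real senders or only the firewall?"""
    fw = ipaddress.ip_address(firewall_lan_ip)
    counts = client_ips(lines)
    from_fw = counts.get(fw, 0)
    public = sum(n for ip, n in counts.items() if ip.is_global)
    if public:
        verdict = "preserved"  # internet senders visible: plain port forwarding
    elif from_fw:
        verdict = "masked"     # only the firewall shows up: SMTP is proxied or source-NATted
    else:
        verdict = "no-data"
    return {"verdict": verdict, "from_firewall": from_fw, "public": public}


# Lines copied from the thread (working setup, firewall at 192.168.1.252).
WORKING = [
    "Nov  9 22:28:25 DiskStation postfix/smtpd[22483]: connect from mail.ecc.lu[198.71.89.73]",
    "Nov  9 00:00:10 DiskStation postfix/smtpd[22711]: connect from vpnrouter.ecc.lu[192.168.1.252]",
    "Received: from mail.ecc.lu (mail.ecc.lu [198.71.89.73])",
]
# The header is from the original question; the two log lines are constructed to match it.
BROKEN = [
    "Received: from XYZY (unknown [192.168.1.200])",
    "Nov 10 09:12:01 mailserver postfix/smtpd[1201]: connect from unknown[192.168.1.200]",
    "Nov 10 09:14:37 mailserver postfix/smtpd[1207]: connect from unknown[192.168.1.200]",
]
```

Running diagnose() before and after disabling a firewall service on port 25 shows whether that service was the extra hop.
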
stefaanE
to Brano
said by Brano:

It's caused by either Anti-spam or loop-back.

Does the Anti-SPAM act as a proxy? Interesting.

Brano
MVM

Yes, if anti-spam is intercepting port 25, then it would show as a new hop in the mail relay headers, and new anti-x headers will be added to the message(s).

zywall user
@107.9.221.x
Anon

to maruscya
NAT settings: use 1:1 NAT, not virtual server

Brano
MVM

Unless he has a dedicated public IP for the server, I'd go with a virtual server and forward only the ports needed.