On 7/14/2012 11:40 PM, Ryan Pugatch wrote:
> I am running Zimbra which means my MTAs are running Postfix 2.6.7.
>
> At work, our mail systems were hosted within our office but as of
> yesterday they are hosted externally at a data center.
>
> When everyone would get to the MTA while the system was in the office,
> they would be seen by their internal address.
>
> However, since moving the mail systems to the data center, we are sending
> all of that traffic over the WAN and so all of our users are getting NAT'd
> to one IP outbound which is what our MTAs will see them as when they go to
> send mail.
>
> It seems like this is causing an issue because intermittently any
> connections from our NAT IP start getting ignored by our two MTAs. I can
> watch a TCPDUMP on the MTAs and then telnet to them on 25 from a box
> behind the NAT and I can see the SYN packets arriving to the MTA but no
> response is given. Worth noting, no connection can be made from the NAT
> IP to other ports I have Postfix listening on, either.

While this problem occurs, does SSH work? IMAP? Anything other than SMTP?
Have you disabled any/all iptables/ipfilter rules and disabled
AppArmor/SELinux? Is there a firewall other than the NAT device in the
packet path, i.e. in the new datacenter? Have you looked at the logs of
the router(s) in the new datacenter?

> During the same time, I can get to the MTAs on port 25 from outside of the
> NAT or if I am coming from a box on the same network that gets NAT'd to a
> different IP.

Could be an issue with the NAT router in your office. Which make/model?

> Considering that when the issue occurs I can't even establish a connection
> on 25, makes me think that this may not be a Postfix issue and may be
> something kernel related. However, I'm baffled, so if anyone has any
> ideas I'd really appreciate them.

This isn't a kernel issue nor a Postfix issue, but a network issue. Given
this outsourced datacenter architecture is brand new as of yesterday, and
given the problem description and troubleshooting thus far, it sounds like
a NAT, packet loss, or firewall issue.

-- 
Stan
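Added example, not part of the thread: a small checker for the symptom Ryan describes (SYNs reaching the MTA on port 25 with no SYN-ACK back). It reads `tcpdump -n -tt 'tcp port 25'` style output captured on the MTA and reports, per client address, how many flows never got a SYN-ACK and how many SYN packets (including retransmits) those flows sent. The sample lines and all addresses are constructed; the server IP is a parameter.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n -tt 'tcp port 25'` output on the MTA
# (192.0.2.25). 203.0.113.10 gets a SYN-ACK; 198.51.100.7 (the "NAT IP") does not.
SAMPLE = """\
1342300000.000001 IP 203.0.113.10.41000 > 192.0.2.25.25: Flags [S], seq 1, win 65535, length 0
1342300000.000100 IP 192.0.2.25.25 > 203.0.113.10.41000: Flags [S.], seq 100, ack 2, win 65535, length 0
1342300001.000000 IP 198.51.100.7.52000 > 192.0.2.25.25: Flags [S], seq 1, win 65535, length 0
1342300002.000000 IP 198.51.100.7.52000 > 192.0.2.25.25: Flags [S], seq 1, win 65535, length 0
1342300004.000000 IP 198.51.100.7.52000 > 192.0.2.25.25: Flags [S], seq 1, win 65535, length 0
1342300005.000000 IP 198.51.100.7.52001 > 192.0.2.25.25: Flags [S], seq 1, win 65535, length 0
"""

# Matches the fixed prefix of a tcpdump TCP line: timestamp, src.port > dst.port: Flags [..]
LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > '
    r'(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]'
)


def unanswered_syns(text, server_ip, server_port=25):
    """Return {client_ip: {"flows": n, "syn_packets": m}} for client flows
    (client ip, client port) that sent SYN to server_ip:server_port and never
    received a SYN-ACK ("S." in tcpdump flag notation) back from the server."""
    syn_packets = defaultdict(int)   # (client_ip, client_port) -> SYNs seen
    answered = set()                 # flows the server replied to with SYN-ACK
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flags = m['flags']
        if m['dst'] == server_ip and int(m['dport']) == server_port and flags == 'S':
            syn_packets[(m['src'], m['sport'])] += 1
        elif m['src'] == server_ip and int(m['sport']) == server_port and flags == 'S.':
            answered.add((m['dst'], m['dport']))
    report = defaultdict(lambda: {"flows": 0, "syn_packets": 0})
    for flow, count in syn_packets.items():
        if flow in answered:
            continue
        report[flow[0]]["flows"] += 1
        report[flow[0]]["syn_packets"] += count
    return dict(report)


if __name__ == "__main__":
    # With a real capture: tcpdump -n -tt 'tcp port 25' > smtp.txt, then read the file.
    for ip, stats in sorted(unanswered_syns(SAMPLE, "192.0.2.25").items()):
        print(f"{ip}: {stats['flows']} unanswered flow(s), {stats['syn_packets']} SYN packet(s)")
```

If the unanswered flows cluster on one source address while other clients get SYN-ACKs, the drop is happening before Postfix accepts the connection, which is consistent with the host firewall, an upstream firewall, or the NAT path rather than the MTA itself.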