Necessary Zimbra configuration

Originating IP

In a multi-server environment, or any environment running a proxy, a mailbox server may only log the IP of the connecting proxy instead of the real client IP.

For example:

2022-09-06 15:21:29,972 INFO  [qtp192881625-932://localhost:8080/service/soap/BatchRequest] [;oip=;ua=zclient/9.0.0_GA_4373;soapId=7e375894;] account - Authentication successful for user:

In such a case ZI-Access will not work.

To solve this, define the trusted IPs of your internal nginx proxies so that the mailstores take the originating IP from the HTTP traffic instead. By default, zimbraMailTrustedIP is empty:

zmprov gcf zimbraMailTrustedIP

Once your nginx proxy addresses (as seen by the mailstores) are added to this attribute, the mailstores should log the originating IP. For example, if there are two nginx proxies and

zmprov mcf +zimbraMailTrustedIP +zimbraMailTrustedIP

Note also that if you are running nginx on the same node as the mailstore, you will need to add both and the real address of that node:

zmprov mcf +zimbraMailTrustedIP +zimbraMailTrustedIP

Then restart mailboxd:

zmmailboxdctl restart

Then check /opt/zimbra/log/mailbox.log to confirm that "oip=" now shows the real client IP address:

2022-09-06 15:56:50,653 INFO  [qtp192881625-128://localhost:8080/service/soap/BatchRequest] [;oip=;ua=zclient/9.0.0_GA_4373;soapId=6fbb7960;] account - Authentication successful for user:
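
The mailbox.log check above can be scripted. The following is an added example, not part of ZI-Access or Zimbra: it counts successful-authentication lines whose "oip=" is missing, is a proxy address, or is a real client address. The sample log lines, the proxy address and the user name are constructed, and treating loopback as a proxy address is an assumption.

```python
import ipaddress
import re
from collections import Counter

# The ';'-terminated context block, e.g. [name=...;oip=...;ua=...;soapId=...;]
CONTEXT_RE = re.compile(r"\[([^\[\]]*;)\]")

def parse_context(line):
    """Return the key=value fields of the line's context block."""
    match = CONTEXT_RE.search(line)
    fields = {}
    for item in (match.group(1).split(";") if match else []):
        key, sep, value = item.partition("=")
        if sep and key:
            fields[key.strip()] = value.strip()
    return fields

def classify_oip(line, proxy_ips):
    """Return 'missing', 'proxy' or 'client' for one log line."""
    try:
        addr = ipaddress.ip_address(parse_context(line).get("oip", ""))
    except ValueError:
        return "missing"  # no oip field, empty value, or not an IP address
    # Assumption: loopback counts as a proxy address (nginx on the same node).
    return "proxy" if addr.is_loopback or addr in proxy_ips else "client"

def audit(lines, proxies):
    """Count oip classes over successful-authentication lines only."""
    proxy_ips = {ipaddress.ip_address(p) for p in proxies}
    return Counter(classify_oip(line, proxy_ips) for line in lines
                   if "Authentication successful" in line)

# Constructed sample lines (documentation address ranges, hypothetical user).
PREFIX = ("2022-09-06 15:21:29,972 INFO  "
          "[qtp1-9://localhost:8080/service/soap/BatchRequest] ")
AUTH_OK = " account - Authentication successful for user: u@example.com"
SAMPLE_LOG = [
    PREFIX + "[name=u@example.com;oip=;ua=zclient/9.0.0;soapId=1;]" + AUTH_OK,
    PREFIX + "[name=u@example.com;oip=192.0.2.10;ua=zclient/9.0.0;soapId=2;]" + AUTH_OK,
    PREFIX + "[name=u@example.com;oip=127.0.0.1;ua=zclient/9.0.0;soapId=3;]" + AUTH_OK,
    PREFIX + "[name=u@example.com;oip=203.0.113.25;ua=zclient/9.0.0;soapId=4;]" + AUTH_OK,
    PREFIX + "[name=u@example.com;oip=203.0.113.25;soapId=5;] soap - BatchRequest",
]
PROXIES = ["192.0.2.10"]  # constructed proxy address as seen by the mailstore

if __name__ == "__main__":
    for kind, count in sorted(audit(SAMPLE_LOG, PROXIES).items()):
        print(f"{kind}: {count}")
```

Any non-zero "missing" or "proxy" count after the restart means some requests still arrive through an address that is not listed in zimbraMailTrustedIP.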