Necessary Zimbra configuration

Originating IP

In a multi-server environment, or any environment running a proxy, a mailbox server may only log the IP of the connecting proxy instead of the real client IP.

For example:

2022-09-06 15:21:29,972 INFO  [qtp192881625-932://localhost:8080/service/soap/BatchRequest] [name=admin@foss9lab.int.intalio.pl;oip=172.17.0.147;ua=zclient/9.0.0_GA_4373;soapId=7e375894;] account - Authentication successful for user: admin@foss9lab.int.intalio.pl

In such a case ZI-Access will not work.

To solve this, define your internal nginx proxies as trusted IPs, so that the mailstores instead take the originating IP from the HTTP traffic. By default, the zimbraMailTrustedIP attribute is empty:

zmprov gcf zimbraMailTrustedIP

Once you add your nginx proxy addresses (as seen by the mailstores) to this attribute, the mailstores should log the originating IP appropriately. For example, if there are two nginx proxies 10.11.12.1 and 10.11.12.2:

zmprov mcf +zimbraMailTrustedIP 10.11.12.1 +zimbraMailTrustedIP 10.11.12.2

Note also that if you are running nginx on the same node as the mailstore, you will need to add both 127.0.0.1 and the real address of that node:

zmprov mcf +zimbraMailTrustedIP 127.0.0.1 +zimbraMailTrustedIP 10.11.12.13

Then restart mailboxd:

zmmailboxdctl restart

Then check /opt/zimbra/log/mailbox.log to confirm that "oip=" now shows the real client IP address:

2022-09-06 15:56:50,653 INFO  [qtp192881625-128://localhost:8080/service/soap/BatchRequest] [name=admin@foss9lab.int.intalio.pl;oip=172.17.0.140;ua=zclient/9.0.0_GA_4373;soapId=6fbb7960;] account - Authentication successful for user: admin@foss9lab.int.intalio.pl
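
A check for the verification step above, as an added example (not part of the original page and not Zimbra's own code): it reads mailbox.log lines and reports whether any "oip=" value is still a proxy address. The function names are hypothetical, and treating 172.17.0.147 as the proxy address of the lab in the two sample lines is an assumption.

```python
import ipaddress
import re
from collections import Counter

# The oip= field inside the bracketed context of a mailbox.log line.
OIP_RE = re.compile(r"[\[;]oip=([^;\]]+);")

def classify_oips(lines, proxy_ips):
    """Split logged oip values into proxy addresses and other addresses.

    proxy_ips: the nginx proxy addresses as seen by the mailstore, i.e. the
    values that belong in zimbraMailTrustedIP.
    Returns (proxy_hits, client_hits), two Counters keyed by address string.
    """
    proxies = {ipaddress.ip_address(p) for p in proxy_ips}
    proxy_hits, client_hits = Counter(), Counter()
    for line in lines:
        m = OIP_RE.search(line)
        if not m:
            continue  # line carries no originating IP
        try:
            addr = ipaddress.ip_address(m.group(1).strip())
        except ValueError:
            continue  # not a single IP address: skip rather than guess
        bucket = proxy_hits if addr in proxies else client_hits
        bucket[str(addr)] += 1
    return proxy_hits, client_hits

def trusted_ip_ok(lines, proxy_ips):
    """True when no parsed line reports a proxy address as oip."""
    return not classify_oips(lines, proxy_ips)[0]

# Sample input: the two log lines shown on this page.
BEFORE = (
    "2022-09-06 15:21:29,972 INFO  [qtp192881625-932://localhost:8080/service/soap/BatchRequest] "
    "[name=admin@foss9lab.int.intalio.pl;oip=172.17.0.147;ua=zclient/9.0.0_GA_4373;soapId=7e375894;] "
    "account - Authentication successful for user: admin@foss9lab.int.intalio.pl"
)
AFTER = (
    "2022-09-06 15:56:50,653 INFO  [qtp192881625-128://localhost:8080/service/soap/BatchRequest] "
    "[name=admin@foss9lab.int.intalio.pl;oip=172.17.0.140;ua=zclient/9.0.0_GA_4373;soapId=6fbb7960;] "
    "account - Authentication successful for user: admin@foss9lab.int.intalio.pl"
)
# Assumption: 172.17.0.147 is the proxy address in that lab.
LAB_PROXIES = ["172.17.0.147"]

if __name__ == "__main__":
    for label, line in (("before", BEFORE), ("after", AFTER)):
        print(label, "ok" if trusted_ip_ok([line], LAB_PROXIES) else "proxy IP logged as oip")
```

Run it over the lines logged after the zmmailboxdctl restart; a remaining proxy hit usually means that address is still missing from zimbraMailTrustedIP.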