
mta in - mta out

Posted: Fri Jul 06, 2018 4:51 pm
by simred
Hi,
we successfully use ZCS OSS 8.7.11. Our deployment is made by a frontend load balancer (haproxy) that load balances requests to the backend zimbra mta servers. We planned to use port 25 to receive mail from external MTA; this traffic is load balanced to internal MTA IN zimbra servers. Port 465 is load balanced to internal MTA OUT zimbra servers and they are used to send mail to external domains (SMTPS).
The problem is that some ZCS users configured port 25 as SMTP, so they send email using MTA IN.
The question is: is it possible to configure the MTA (IN) to accept connections only from external MTA (receive mail only function) and not from MUA (even if they are regular users)? We would like to force the ZCS users to use only port 465 (SMTPS) for sending email...and not port 25.
I hope I was clear.

P.S. we forced login on both mta in and mta out because we do not want a mail relay.

Tnx & br.

Re: mta in - mta out

Posted: Sat Jul 07, 2018 1:16 am
by L. Mark Stone
If the users with an MUA try to send email via port 25 to any domain not already in Zimbra, the delivery will fail and the users will get a bounce. Zimbra's Postfix is not configured to do any authentication on Port 25.

So I would think the users who have misconfigured their SMTP (Outbound) server settings in their MUA will learn of their mistake in due course, yes?

BTW, Port 465 is deprecated in favor of port 587 and an increasing number of MUAs are defaulting to 587 for sending (authenticated) outbound email. Zimbra's Postfix listens on both 465 and 587 for authenticated sending.

Hope that helps,
Mark

Re: mta in - mta out

Posted: Wed Jul 18, 2018 9:10 am
by simred
Hi,
sorry for my late answer. Tnx a lot for your feedback.
I'm trying to understand why accounts perform "sasl_method=LOGIN" on the zimbra MTA (IN) that has 25 as the only port open to the public Internet (all MTA ports are open in the private network).
In MTA /var/log/zimbra.log I see:
<<
Jul 18 09:24:22 <zimbra-mta-hostname> postfix/smtpd[11792]: DF3E165B6E: client=unknown[X.Y.Z.K], sasl_method=LOGIN, sasl_username=<zimbra-account>
>>

I'm trying to understand from where account logins happen on this MTA (IN), which has 25 as the only port open to the public Internet.

Tnx you very much for your help.

Tnx & br

Re: mta in - mta out

Posted: Wed Jul 18, 2018 10:10 am
by L. Mark Stone
It’s possible I am not understanding your question fully, but basically:

1. Postfix on port 25 is configured to do no authentication and to deliver email only to domains on the Zimbra server.

2. Postfix on ports 465/587 will deliver mail anywhere, to any domain, provided the sender authenticates.

3. Postfix has no concept of your LAN or the public Internet. Email comes in to Postfix from wherever and on whichever port and Postfix processes the email as per the configuration in 1. and 2. above.

Hope that helps,
Mark
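The split Mark describes (no AUTH on port 25, AUTH required on 465/587) is decided per listener in Postfix's master.cf. Below is an added example, not code from the thread or from Zimbra: a small Python audit that parses a master.cf fragment and lists which inet smtpd listeners accept SASL authentication. Both fragments are constructed samples; the first reflects the situation in the thread (SASL on globally, so port 25 takes AUTH too), the second confines AUTH to submission/smtps with an explicit `-o smtpd_sasl_auth_enable=no` on the smtp service.

```python
"""Audit which Postfix inet listeners in master.cf accept SASL AUTH.

Added example for the thread above; the master.cf fragments are constructed,
not copied from a Zimbra installation.
"""
import re
from typing import Dict, List

MASTER_CF_AUTH_ON_25 = """\
# constructed sample: smtpd_sasl_auth_enable=yes in main.cf and no override
# on the smtp service, so port 25 accepts AUTH as well as 465/587
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
"""

MASTER_CF_HARDENED = """\
# constructed sample: AUTH explicitly disabled on the port-25 listener and
# the submission listeners accept only authenticated clients
smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=no
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

OVERRIDE = re.compile(r"\s*-o\s+([A-Za-z0-9_]+)=(\S+)")


def parse_master_cf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {service_name: {option: value}} for every inet smtpd service.

    A service line has 8 whitespace-separated fields and starts in column 0;
    continuation lines start with whitespace and carry "-o key=value"
    overrides that apply to the most recent service line.
    """
    services: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            m = OVERRIDE.match(raw)
            if current is not None and m:
                services[current][m.group(1)] = m.group(2)
            continue
        fields = raw.split()
        if len(fields) >= 8 and fields[1] == "inet" and fields[7] == "smtpd":
            current = fields[0]
            services[current] = {}
        else:
            current = None  # some other service type; ignore its overrides
    return services


def sasl_enabled(opts: Dict[str, str], global_default: bool) -> bool:
    """Per-service -o override wins; otherwise fall back to main.cf's value."""
    fallback = "yes" if global_default else "no"
    return opts.get("smtpd_sasl_auth_enable", fallback).lower() == "yes"


def listeners_accepting_auth(text: str, global_default: bool = True) -> List[str]:
    """Names of inet smtpd services that will offer AUTH, sorted."""
    return sorted(name for name, opts in parse_master_cf(text).items()
                  if sasl_enabled(opts, global_default))


if __name__ == "__main__":
    for label, cf in (("auth on 25", MASTER_CF_AUTH_ON_25),
                      ("hardened", MASTER_CF_HARDENED)):
        print(label, "->", listeners_accepting_auth(cf))
```

The `global_default` argument stands in for `smtpd_sasl_auth_enable` in main.cf, which on Zimbra is driven by the `zimbraMtaSaslAuthEnable` attribute rather than by hand edits (zmconfigd regenerates main.cf and master.cf, so a direct edit will not survive). After any change, `postconf smtpd_sasl_auth_enable` shows the effective main.cf value on that MTA.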

Re: mta in - mta out

Posted: Wed Jul 18, 2018 11:11 am
by simred
Hi,
I would like this MTA to receive only mail from external (remote) MTA (I do not want login at all on this MTA), so I opened only port 25 on this MTA in our firewall.
So, why do I see in the MTA log accounts logged in to this MTA? How do they accomplish this?

tnx & br

Re: mta in - mta out

Posted: Wed Jul 18, 2018 11:49 am
by L. Mark Stone
Please post the log entries, unedited, so we can help further.

Mark

Re: mta in - mta out

Posted: Wed Jul 18, 2018 1:13 pm
by simred
Hi,
I found the way accounts can login and send email through port 25 on MTA (mta.example.com).
The steps:

openssl s_client -debug -starttls smtp -crlf -connect mta.example.com:25
EHLO mail.example.com
AUTH LOGIN
username
password
MAIL FROM: x@example.com
rcpt to: y@remote.com
DATA
Subject: dummy subject

hello
.
QUIT

Is there a way to disable the login only on this MTA?

P.S. if you need the MTA zimbra.log I can provide you this.

tnx & br
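The zimbra.log line quoted earlier in the thread already carries what is needed to answer "from where do these logins come": the `client=name[ip]` field and the `sasl_username`. Below is an added example, not code from the thread or from Zimbra, that parses lines in that format and reports every authenticated session seen on hosts that are meant to be receive-only. The log lines, hostnames, queue ids and account names are constructed (203.0.113.0/24 is a documentation address range).

```python
"""Find SASL-authenticated SMTP sessions on receive-only (MTA IN) hosts.

Added example for the thread above; SAMPLE_LOG is constructed in the
postfix/smtpd format shown in the quoted zimbra.log line.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Set

SAMPLE_LOG = """\
Jul 18 09:24:22 mta-in.example.com postfix/smtpd[11792]: DF3E165B6E: client=unknown[203.0.113.10], sasl_method=LOGIN, sasl_username=alice@example.com
Jul 18 09:24:23 mta-in.example.com postfix/smtpd[11792]: DF3E165B6E: from=<alice@example.com>, size=1234, nrcpt=1 (queue active)
Jul 18 09:25:01 mta-in.example.com postfix/smtpd[11801]: 0A1B2C3D4E: client=mail.remote.example[203.0.113.55]
Jul 18 09:26:40 mta-out.example.com postfix/smtpd[20411]: 5F6A7B8C9D: client=unknown[203.0.113.11], sasl_method=PLAIN, sasl_username=bob@example.com
Jul 18 09:27:05 mta-in.example.com postfix/smtpd[11792]: E1F2A3B4C5: client=unknown[203.0.113.10], sasl_method=LOGIN, sasl_username=alice@example.com
"""

# Matches the "client=" connection line; the sasl_* pair is optional because
# unauthenticated MTA-to-MTA connections log only client=name[ip].
CLIENT_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=(?P<client>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>[^,\s]+), sasl_username=(?P<user>\S+))?"
)


class AuthEvent(NamedTuple):
    host: str
    client_ip: str
    username: str
    method: str
    queue_id: str


def authenticated_sessions(log_text: str) -> List[AuthEvent]:
    """All smtpd connections, on any host, where the client used AUTH."""
    events: List[AuthEvent] = []
    for line in log_text.splitlines():
        m = CLIENT_LINE.match(line)
        if m and m.group("method"):
            events.append(AuthEvent(m.group("host"), m.group("ip"),
                                    m.group("user"), m.group("method"),
                                    m.group("qid")))
    return events


def auth_on_inbound_hosts(log_text: str, inbound_hosts: Set[str]) -> List[AuthEvent]:
    """Authenticated sessions that landed on hosts meant to be receive-only."""
    return [e for e in authenticated_sessions(log_text) if e.host in inbound_hosts]


def offending_accounts(log_text: str, inbound_hosts: Set[str]) -> Dict[str, int]:
    """Count of misdirected authenticated sessions per account."""
    return dict(Counter(e.username for e in auth_on_inbound_hosts(log_text, inbound_hosts)))


if __name__ == "__main__":
    inbound = {"mta-in.example.com"}
    for e in auth_on_inbound_hosts(SAMPLE_LOG, inbound):
        print(f"{e.host}: {e.username} via {e.method} from {e.client_ip} (queue {e.queue_id})")
    print(offending_accounts(SAMPLE_LOG, inbound))
```

Run over the real /var/log/zimbra.log of the MTA IN servers, the per-account counts show which MUAs are still pointed at port 25 and the client IPs show where those sessions arrive from, which is the information needed to move those users to 465/587 before AUTH is switched off on the inbound listener.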

Re: mta in - mta out

Posted: Wed Jul 18, 2018 1:24 pm
by L. Mark Stone
I just reread your original message and I confess I don’t understand how you are able to receive third-party inbound emails from the Internet if you require authentication on port 25.

I also think the simplest solution is to get your MUA users simply to use the correct port.

Maybe I am missing something here.

All the best,
Mark