mta in - mta out

simred
Advanced member
Posts: 63
Joined: Wed Jun 28, 2017 9:40 am

mta in - mta out

Post by simred »

Hi,
we successfully use ZCS OSS 8.7.11. Our deployment is made up of a frontend load balancer (haproxy) that load balances requests to the backend Zimbra MTA servers. We planned to use port 25 to receive mail from external MTAs; this traffic is load balanced to the internal MTA IN Zimbra servers. Port 465 is load balanced to the internal MTA OUT Zimbra servers, and they are used to send mail to external domains (SMTPS).
The problem is that some ZCS users configured port 25 as SMTP, so they send email using MTA IN.
The question is: is it possible to configure the MTA (IN) to accept connections only from external MTA (receive mail only function) and not from MUA (even if they are regular users)? We would like to force the ZCS users to use only port 465 (SMTPS) for sending email...and not port 25.
I hope I was clear.

P.S. we forced login on both mta in and mta out because we do not want a mail relay.

Tnx & br.
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: mta in - mta out

Post by L. Mark Stone »

If the users with an MUA try to send email via port 25 to any domain not already in Zimbra, the delivery will fail and the users will get a bounce. Zimbra's Postfix is not configured to do any authentication on Port 25.

So I would think the users who have misconfigured their SMTP (Outbound) server settings in their MUA will learn of their mistake in due course, yes?

BTW, Port 465 is deprecated in favor of port 587 and an increasing number of MUAs are defaulting to 587 for sending (authenticated) outbound email. Zimbra's Postfix listens on both 465 and 587 for authenticated sending.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate

Re: mta in - mta out

Post by simred »

Hi,
sorry for my late answer. Tnx a lot for your feedback.
I'm trying to understand why accounts perform "sasl_method=LOGIN" on the Zimbra MTA (IN) that has 25 as the only port open toward the public Internet (all MTA ports are open on the private network).
In MTA /var/log/zimbra.log I see:
<<
Jul 18 09:24:22 <zimbra-mta-hostname> postfix/smtpd[11792]: DF3E165B6E: client=unknown[X.Y.Z.K], sasl_method=LOGIN, sasl_username=<zimbra-account>
>>

I'm trying to understand where the account logins on this MTA (IN), which has 25 as the only port open toward the public Internet, come from.

Thank you very much for your help.

Tnx & br
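As an added illustration (not code from the thread or from Zimbra), the following script parses Postfix smtpd lines in the zimbra.log format quoted above and reports every SASL-authenticated session seen on a host that is supposed to be receive-only. Hostnames, addresses and the sample log lines are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the postfix/smtpd format quoted in the thread.
# "mta-in-1" is the receive-only MTA; "mta-out-1" is the submission MTA.
SAMPLE_LOG = """\
Jul 18 09:24:22 mta-in-1 postfix/smtpd[11792]: DF3E165B6E: client=unknown[203.0.113.10], sasl_method=LOGIN, sasl_username=alice@example.com
Jul 18 09:24:30 mta-in-1 postfix/smtpd[11792]: 0A1B2C3D4E: client=mail.remote.example[198.51.100.7]
Jul 18 09:25:02 mta-out-1 postfix/smtpd[22011]: 7F8E9D0C1B: client=unknown[203.0.113.10], sasl_method=PLAIN, sasl_username=bob@example.com
Jul 18 09:26:11 mta-in-1 postfix/smtpd[11800]: 5E6F7A8B9C: client=unknown[203.0.113.10], sasl_method=LOGIN, sasl_username=alice@example.com
"""

# One smtpd "client=" line; the sasl_method/sasl_username pair is optional,
# because unauthenticated MTA-to-MTA deliveries do not carry it.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-Za-z]+): client=(?P<client>\S+?)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+))?$"
)


def parse_smtpd_line(line):
    """Return the parsed fields of one smtpd client line, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_auth_on_inbound(log_text, inbound_hosts):
    """Return the events where a SASL login happened on a receive-only MTA."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_smtpd_line(line)
        if ev and ev["method"] and ev["host"] in inbound_hosts:
            hits.append(ev)
    return hits


def summarize(hits):
    """Count (username, client IP) pairs so repeat offenders stand out."""
    return Counter((h["user"], h["ip"]) for h in hits)


if __name__ == "__main__":
    for (user, ip), n in summarize(find_auth_on_inbound(SAMPLE_LOG, {"mta-in-1"})).items():
        print(f"{user} authenticated {n} time(s) from {ip} on a receive-only MTA")
```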

Re: mta in - mta out

Post by L. Mark Stone »

It’s possible I am not understanding your question fully, but basically:

1. Postfix on port 25 is configured to do no authentication and to deliver email only to domains on the Zimbra server.

2. Postfix on ports 465/587 will deliver mail anywhere, to any domain, provided the sender authenticates.

3. Postfix has no concept of your LAN or the public Internet. Email comes in to Postfix from wherever and on whichever port and Postfix processes the email as per the configuration in 1. and 2. above.

Hope that helps,
Mark

Re: mta in - mta out

Post by simred »

Hi,
I would like this MTA to receive only mail from external (remote) MTA (I do not want login at all on this MTA), so I opened only port 25 on this MTA in our firewall.
So why do I see accounts logged in to this MTA in the MTA log? How do they accomplish this?

tnx & br

Re: mta in - mta out

Post by L. Mark Stone »

Please post the log entries, unedited, so we can help further.

Mark

Re: mta in - mta out

Post by simred »

Hi,
I found the way accounts can log in and send email through port 25 on the MTA (mta.example.com).
The steps:

openssl s_client -debug -starttls smtp -crlf -connect mta.example.com:25
EHLO mail.example.com
AUTH LOGIN
username
password
MAIL FROM: x@example.com
rcpt to: y@remote.com
DATA
Subject: dummy subject

hello
.
QUIT

Is there a way to disable the login only on this MTA?

P.S. if you need the MTA zimbra.log I can provide you this.

tnx & br

Re: mta in - mta out

Post by L. Mark Stone »

I just reread your original message and I confess I don’t understand how you are able to receive third-party inbound emails from the Internet if you require authentication on port 25.

I also think the simplest solution is to get your MUA users simply to use the correct port.

Maybe I am missing something here.

All the best,
Mark