spam delivered by unauthenticated users

snowymoountain
Advanced member
Posts: 111
Joined: Thu Aug 02, 2018 4:24 pm

spam delivered by unauthenticated users

Post by snowymoountain »

Hi, I am getting a few of these and don't want a flood...

The *.*.43.5 is the external IP of our Zimbra server. I can only think unauthenticated access to send to local recipients is somehow enabled or allowed somewhere....

How else can a sender spoof the sending IP?

zmmsgtrace: total unmatched entries in '/var/log/zimbra.log': 23
zmmsgtrace: use -debug to see unmatched lines
Message ID 'VJqKB-LCBiTF-YaZaTOqMbImWzSpbReypcUqk21C62g.TSk2_ib2QiplJQAsRaPndAa0RkG66EkoVk5Ols4E6xk@pa-rk.host'
stormydaniels@pa-rk.host -->
rob.*@*.co.uk (originally to rob@*.co.uk)
Recipient rob.*@*.co.uk
Sep 1 08:31:46 - unknown (*.*.43.5) --> 127.0.0.1:10024 (127.0.0.1:10024) status sent
Sep 1 08:31:47 - newmail --> newmail.*.uk.com:7025 (192.168.100.27:7025) status sent
pup_seba
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain

Re: spam delivered by unauthenticated users

Post by pup_seba »

Hi!

Sorry but I don't quite understand the scenario.

What's the outcome of these commands:
$ zmcontrol -v
$ zmlocalconfig zimbra_http_originating_ip_header
$ zmprov gcf zimbraMailTrustedIP
$ zmprov gas

Are you running your MTA on the same server as your store?
Do you have any public IP address in your MTA trusted networks? If so, is that the MTA address sending you the e-mails?

edit: I ask these things because it looks like your MTA is behaving like it should (delivering mail from external domains to your local users). It also looks like it is not logging the originating IP or doing any Postfix validation to reject unknown_hostnames.
snowymoountain
Advanced member
Posts: 111
Joined: Thu Aug 02, 2018 4:24 pm

Re: spam delivered by unauthenticated users

Post by snowymoountain »

[zimbra@newmail root]$ zmcontrol -v
Release 8.8.9_GA_2055.RHEL7_64_20180703080917 RHEL7_64 FOSS edition, Patch 8.8.9_P1.
[zimbra@newmail root]$ zmlocalconfig zimbra_http_originating_ip_header
zimbra_http_originating_ip_header = X-Forwarded-For
[zimbra@newmail root]$ zmprov gcf zimbraMailTrustedIP
[zimbra@newmail root]$ zmprov gas
newmail.*.uk.com
[zimbra@newmail root]$

Are you running your MTA on the same server as your store?
Yes

Do you have any public IP address in your MTA trusted networks? If so, is that the MTA address sending you the e-mails?
No

And yet these outside emails seem to be delivered from it.
pup_seba
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain

Re: spam delivered by unauthenticated users

Post by pup_seba »

Hi,

Could you try to configure your system to log originating IP?

https://wiki.zimbra.com/wiki/Log_Files# ... inating_IP

If the only recipients of the e-mails are your local users (at least it seems that is the case in the example you shared), most likely there is nothing wrong with your configuration, but rather that you are not logging the originating IP address (look for oip in your logs after the changes are applied). Your MTA delivering mail to your local users from external domain users is the way an MTA should operate. The problem would be if an external account can use your server to deliver mail to accounts not owned by you (known as an open relay, and that's hardly the case with a Zimbra server).

At this point, it seems to me like regular spam rather than a compromised account or server.

Also, maybe I'm wrong here and this is certainly not related to your problem, but allow me to recommend 2 things:
1. Use local domains to name your servers.
2. In a production environment use at least 2 servers: 1 for "backend" roles like ldap and store, and the 2nd one for "frontend" things like proxy/mta (also dnscache, memcached, amavis, etc).
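The zmmsgtrace excerpt earlier in the thread only shows the hop into the content filter on 127.0.0.1:10024, which is why the server's own address appears as the sender. The client that actually connected is recorded on the `postfix/smtpd ... client=` line carrying the same queue id, and after amavis re-injects the message it gets a new queue id, linked by the "queued as" text on the delivery line. The script below is an added example, not code from this thread or from Zimbra: it walks constructed Postfix log lines, follows the queue-id chain back to the first `client=` entry, checks that client against a trusted-network list (the space-separated form `zmprov gcf zimbraMtaMyNetworks` prints), and labels each message as normal inbound mail, an authenticated submission, mail from a trusted network, or a relay through the server by an untrusted, unauthenticated client (the open-relay case pup_seba describes). Queue ids, hostnames, the local domain list and the 203.0.113.x / 198.51.100.x / 192.0.2.x addresses are all placeholders.

```python
"""Follow Postfix queue-id chains to find a message's originating client.
Added example for illustration; not from the forum thread or from Zimbra."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (placeholder queue ids, hosts and addresses).
SAMPLE_LOG = """\
Sep  1 08:31:45 newmail postfix/smtpd[2001]: 1A2B3C4D5E: client=unknown[203.0.113.10]
Sep  1 08:31:46 newmail postfix/qmgr[1500]: 1A2B3C4D5E: from=<stormydaniels@pa-rk.host>, size=2048, nrcpt=1 (queue active)
Sep  1 08:31:46 newmail postfix/smtp[2010]: 1A2B3C4D5E: to=<rob@example.co.uk>, relay=127.0.0.1[127.0.0.1]:10024, delay=1, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 6F7A8B9C0D)
Sep  1 08:31:47 newmail postfix/smtpd[2020]: 6F7A8B9C0D: client=localhost[127.0.0.1]
Sep  1 08:31:47 newmail postfix/lmtp[2030]: 6F7A8B9C0D: to=<rob@example.co.uk>, relay=newmail.example.uk.com[192.168.100.27]:7025, delay=0.5, status=sent (250 2.1.5 Delivery OK)
Sep  1 09:02:10 newmail postfix/smtpd[2101]: AA11BB22CC: client=unknown[198.51.100.7]
Sep  1 09:02:10 newmail postfix/qmgr[1500]: AA11BB22CC: from=<someone@example.net>, size=900, nrcpt=1 (queue active)
Sep  1 09:02:11 newmail postfix/smtp[2110]: AA11BB22CC: to=<victim@other-domain.example>, relay=mx.other-domain.example[192.0.2.25]:25, delay=1, status=sent (250 2.0.0 OK)
Sep  1 09:15:00 newmail postfix/smtpd[2201]: DD33EE44FF: client=unknown[203.0.113.50], sasl_method=PLAIN, sasl_username=alice@example.co.uk
Sep  1 09:15:00 newmail postfix/qmgr[1500]: DD33EE44FF: from=<alice@example.co.uk>, size=700, nrcpt=1 (queue active)
Sep  1 09:15:01 newmail postfix/smtp[2210]: DD33EE44FF: to=<friend@other-domain.example>, relay=mx.other-domain.example[192.0.2.25]:25, delay=1, status=sent (250 2.0.0 OK)
"""

# Assumed trusted networks, in the space-separated form zimbraMtaMyNetworks uses.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in "127.0.0.0/8 192.168.100.0/24".split()]
LOCAL_DOMAINS = {"example.co.uk", "example.uk.com"}  # assumed local mail domains

CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]"
    r"(?:, sasl_method=\S+, sasl_username=(?P<user>\S+))?")
FROM_RE = re.compile(r": (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")
TO_RE = re.compile(
    r"postfix/(?:smtp|lmtp)\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, "
    r"relay=(?P<relay>[^,]+), .*status=(?P<status>\w+)"
    r"(?: \(.*queued as (?P<next>[0-9A-F]+)\))?")


def parse_log(text):
    """Group client, sender and delivery records by Postfix queue id."""
    msgs = defaultdict(lambda: {"client": None, "ip": None, "user": None,
                                "sender": None, "deliveries": []})
    for line in text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            msgs[m["qid"]].update(client=m["host"], ip=m["ip"], user=m["user"])
            continue
        m = FROM_RE.search(line)
        if m:
            msgs[m["qid"]]["sender"] = m["sender"]
            continue
        m = TO_RE.search(line)
        if m:
            msgs[m["qid"]]["deliveries"].append(
                {"rcpt": m["rcpt"], "relay": m["relay"], "status": m["status"], "next": m["next"]})
    return dict(msgs)


def final_deliveries(msgs, qid, seen=None):
    """Follow 'queued as' links (content-filter re-injection) to the last hop."""
    seen = seen if seen is not None else set()
    if qid in seen or qid not in msgs:
        return []
    seen.add(qid)
    out = []
    for d in msgs[qid]["deliveries"]:
        if d["next"] and d["next"] in msgs:
            out.extend(final_deliveries(msgs, d["next"], seen))
        else:
            out.append(d)
    return out


def classify(msg, rcpts, trusted_nets, local_domains):
    """Label a message by who connected and where it finally went."""
    ip = ipaddress.ip_address(msg["ip"])
    trusted = any(ip in net for net in trusted_nets)
    authenticated = msg["user"] is not None
    remote = [r for r in rcpts if r.rsplit("@", 1)[-1].lower() not in local_domains]
    if remote and not trusted and not authenticated:
        return "RELAY-SUSPECT"  # untrusted, unauthenticated client reached a non-local recipient
    if authenticated:
        return "AUTHENTICATED-SUBMISSION"
    if trusted:
        return "TRUSTED-NETWORK"
    return "INBOUND-EXTERNAL"  # ordinary inbound mail for a local recipient


def analyze(text, trusted_nets=TRUSTED_NETS, local_domains=LOCAL_DOMAINS):
    """Report each original submission with its true originating client."""
    msgs = parse_log(text)
    reinjected = {d["next"] for m in msgs.values() for d in m["deliveries"] if d["next"]}
    report = {}
    for qid, msg in msgs.items():
        if qid in reinjected or msg["ip"] is None:
            continue  # internal hop; its origin is the parent queue id
        finals = final_deliveries(msgs, qid)
        report[qid] = {"client": f'{msg["client"]}[{msg["ip"]}]', "sender": msg["sender"],
                       "user": msg["user"], "final_relays": [d["relay"] for d in finals],
                       "class": classify(msg, [d["rcpt"] for d in finals],
                                         trusted_nets, local_domains)}
    return report


if __name__ == "__main__":
    for qid, r in analyze(SAMPLE_LOG).items():
        print(qid, r["class"], r["client"], r["sender"], "->", ", ".join(r["final_relays"]))
```

Run against a real /var/log/zimbra.log by replacing SAMPLE_LOG with the file contents; any RELAY-SUSPECT line is worth a look at the MTA's recipient restrictions and trusted networks, while INBOUND-EXTERNAL entries addressed to local users, like the one in the original post, are the MTA doing its job.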