Same issue here on the latest version & I could swear it wasn't used to be like this..
I can send mail from user1@domain.com to user2@domain com via port 25, even if user1@domain.com doesn't exist (doesn't have a mailbox or anything, so any string I put instead of user1 will be able to send email to user2@domain.com).
Also if I try it from the internal network, I basicly have an open relay, as anyuser@domain.com (even if it doesn't exist) is able to send email to *@*.* over port 25.. wtf.
EDIT: Okay, the second one was my bad.. I had "zimbraMtaMyNetworks" set to the internal network(s).. But still anyone can send from anyuser1@domain.com to anyuser2@domain.com (doesn't matter where I connect from or if anyuser1 even exists or not)
How to enable SMTP Auth
Re: How to enable SMTP Auth
How about starting with this article: https://wiki.zimbra.com/wiki/Rejecting_ ... _addresses
You should also read some of the other wiki articles on Zimbra security and some of the forum threads.
You should also read some of the other wiki articles on Zimbra security and some of the forum threads.
- wentum
- Advanced member
- Posts: 53
- Joined: Fri Apr 04, 2014 10:49 am
- Location: Pforzheim (Germany)
- ZCS/ZD Version: Release 9.0.0.GA.3924 _P30
- Contact:
Re: How to enable SMTP Auth
It is generally still as Bill said here: viewtopic.php?f=15&t=59829#p292661
But let me go a bit further and add "it feels responsible for'.
Meaning, if you configured 'mydomain.com' as a domain in your zimbra, it will take emails from any sender address whatever domain for any recipient adress at 'mydomain.com' on port 25. As long as this recipient address exists and you didn't configure other restrictions...
Regards
Joerg
But let me go a bit further and add "it feels responsible for'.
Meaning, if you configured 'mydomain.com' as a domain in your zimbra, it will take emails from any sender address whatever domain for any recipient adress at 'mydomain.com' on port 25. As long as this recipient address exists and you didn't configure other restrictions...
Regards
Joerg
Re: How to enable SMTP Auth
phoenix wrote:How about starting with this article: https://wiki.zimbra.com/wiki/Rejecting_ ... _addresses
You should also read some of the other wiki articles on Zimbra security and some of the forum threads.
Thank you very much! Appreciate it.
Re: How to enable SMTP Auth
Also sorry for the stupid question, but is there a way to require users to authenticate on port 25 if and only if the mail from: address is one of the zimbra domains (user@mydomain.com)?phoenix wrote:How about starting with this article: https://wiki.zimbra.com/wiki/Rejecting_ ... _addresses
You should also read some of the other wiki articles on Zimbra security and some of the forum threads.
I understand that they can only send emails to the "outside world" if they have authenticated, but intra-domains (user1@mydomain.com -> user2@mydomain.com) it still goes through if user1 and user2 exists (thanks once again for your previous post, as now at least it doesn't go through if user1 doesn't exist:)).
I know that in an ideal world users won't connect to port 25, but in reality they're able to (Even if I filter all the LAN's, they can connect on port 25 when they're connecting from a WAN address).
Re: How to enable SMTP Auth
Hi! I fixed this problem with this https://wiki.zimbra.com/wiki/Enforcing_ ... ername_8.5