Disable Auth in port 25 (Not MUA)

ImNotET
Posts: 2
Joined: Tue Jun 27, 2017 9:21 am

Disable Auth in port 25 (Not MUA)

Post by ImNotET »

Good day,

I want to disable user authentication on port 25; we want to use only 465 or 587 for MUAs. I saw an example like:

smtp inet n - - - - smtpd
    -o smtpd_tls_security_level=none
    -o smtpd_sasl_auth_enable=no

smtps inet n - - - - smtpd
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject

but in the master.cf.in we have this with postscreen:

smtp inet n - n - 1 postscreen
tlsproxy unix - - n - 0 tlsproxy
dnsblog unix - - n - 0 dnsblog
smtpd pass - - n - - smtpd
    -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%

How can we modify this so that port 25 is used only for communication with other servers and not by MUAs?

Thank you very much!

Best Regards
DualBoot
Elite member
Posts: 1326
Joined: Mon Apr 18, 2016 8:18 pm
Location: France - Earth
ZCS/ZD Version: ZCS FLOSS - 8.8.15 Multi servers

Re: Disable Auth in port 25 (Not MUA)

Post by DualBoot »

Hello,

Add the option

-o smtpd_sasl_auth_enable=no

to the following line:

smtpd     pass  -       -       n       -       -       smtpd
    -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%

Regards,
juan_urtiaga
Posts: 9
Joined: Mon Jan 23, 2017 7:44 pm

Re: Disable Auth in port 25 (Not MUA)

Post by juan_urtiaga »

Hello,

I have Zimbra 8.8.12_GA_3794.RHEL6_64_20190329045002 and, like @ImNotET, want to use port 25 only for incoming and outgoing mail.
And ports 465/587 for the smtps and submission services, to allow clients to authenticate and forward mail.

I tried the configuration suggested by @DualBoot, but the smtpd service is still allowing clients to authenticate and send mail over port 25.

@ImNotET, could you confirm that this configuration worked for you?

Regards,
Juan


===================================== maillog after changing configuration

Aug 14 19:45:17 proxymail postfix/postscreen[3441]: CONNECT from [192.168.1.66]:55909 to [192.168.90.107]:25
Aug 14 19:45:17 proxymail postfix/postscreen[3441]: PASS OLD [192.168.1.66]:55909
Aug 14 19:45:27 proxymail postfix/smtpd[3442]: connect from unknown[192.168.1.66]
Aug 14 19:45:27 proxymail postfix/smtpd[3442]: Anonymous TLS connection established from unknown[192.168.1.66]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Aug 14 19:45:27 proxymail postfix/smtpd[3442]: warning: restriction `reject_authenticated_sender_login_mismatch' ignored: no SASL support
Aug 14 19:45:27 proxymail postfix/smtpd[3442]: NOQUEUE: filter: RCPT from unknown[192.168.1.66]: <juan@domain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<ju rtiaga@tilsor.com.uy> to=<vicky@domain.com> proto=ESMTP helo=<[192.168.1.66]>
Aug 14 19:45:27 proxymail postfix/smtpd[3442]: warning: restriction `reject_authenticated_sender_login_mismatch' ignored: no SASL support
Aug 14 19:45:27 proxymail postfix/smtpd[3442]: warning: restriction `reject_unauthenticated_sender_login_mismatch' ignored: no SASL support
Aug 14 19:45:27 proxymail postfix/smtpd[3442]: NOQUEUE: filter: RCPT from unknown[192.168.1.66]: <juan@domain.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<ju rtiaga@tilsor.com.uy> to=<vicky@domain.com> proto=ESMTP helo=<[192.168.1.66]>
Aug 14 19:45:27 proxymail postfix/smtpd[3442]: EAB8A80D2A: client=unknown[192.168.1.66]
Aug 14 19:45:27 proxymail postfix/cleanup[3450]: EAB8A80D2A: message-id=<47e12b39-2a30-d619-562f-a48692b50140@tilsor.com.uy>
Aug 14 19:45:27 proxymail postfix/qmgr[907]: EAB8A80D2A: from=<juan@domain.com>, size=673, nrcpt=1 (queue active)
Aug 14 19:45:28 proxymail postfix/smtpd[3442]: disconnect from unknown[192.168.1.66] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Aug 14 19:45:28 proxymail postfix/amavisd/smtpd[3454]: connect from localhost[127.0.0.1]
Aug 14 19:45:28 proxymail postfix/amavisd/smtpd[3454]: 2116D80D47: client=localhost[127.0.0.1]
Aug 14 19:45:28 proxymail postfix/cleanup[3450]: 2116D80D47: message-id=<47e12b39-2a30-d619-562f-a48692b50140@tilsor.com.uy>
Aug 14 19:45:28 proxymail postfix/qmgr[907]: 2116D80D47: from=<juan@domain.com>, size=1281, nrcpt=1 (queue active)
Aug 14 19:45:28 proxymail postfix/smtp[3452]: EAB8A80D2A: to=<vicky@domain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.31, delays=0.12/0.01/0.01/0.17, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 2116D80D47)
Aug 14 19:45:28 proxymail postfix/qmgr[907]: EAB8A80D2A: removed
Aug 14 19:45:28 proxymail postfix/lmtp[3455]: 2116D80D47: to=<vicky@domain.com>, relay=mail.tilsor.com.uy[192.168.90.108]:7025, delay=0.4, delays=0.03/0.03/0.1/0.25, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
Aug 14 19:45:28 proxymail postfix/qmgr[907]: 2116D80D47: removed

================================= /opt/zimbra/common/conf/master.cf.in file:
#
# Postfix master process configuration file. For details on the format
# of the file, see the Postfix master(5) manual page.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       n       -       1       postscreen
tlsproxy  unix  -       -       n       -       0       tlsproxy
dnsblog   unix  -       -       n       -       0       dnsblog
smtpd     pass  -       -       n       -       -       smtpd
    -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%
    -o smtpd_sasl_auth_enable=no
%%uncomment SERVICE:opendkim%% -o content_filter=scan:[%%zimbraLocalBindAddress%%]:10030
%%uncomment LOCAL:postjournal_enabled%% -o smtpd_proxy_filter=[%%zimbraLocalBindAddress%%]:10027
%%uncomment LOCAL:postjournal_enabled%% -o smtpd_proxy_options=speed_adjust
465       inet  n       -       n       -       -       smtpd
%%uncomment SERVICE:opendkim%% -o content_filter=scan:[%%zimbraLocalBindAddress%%]:10030
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_wrappermode=yes
%%uncomment LOCAL:postfix_submission_smtpd_tls_key_file%% -o smtpd_tls_key_file=@@postfix_submission_smtpd_tls_key_file@@
%%uncomment LOCAL:postfix_submission_smtpd_tls_cert_file%% -o smtpd_tls_cert_file=@@postfix_submission_smtpd_tls_cert_file@@
    -o smtpd_client_restrictions=
    -o smtpd_data_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_recipient_restrictions=
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    -o syslog_name=postfix/smtps
    -o milter_macro_daemon_name=ORIGINATING
%%uncomment LOCAL:postjournal_enabled%% -o smtpd_proxy_filter=[%%zimbraLocalBindAddress%%]:10027
%%uncomment LOCAL:postjournal_enabled%% -o smtpd_proxy_options=speed_adjust
submission inet n       -       n       -       -       smtpd
%%uncomment SERVICE:opendkim%% -o content_filter=scan:[%%zimbraLocalBindAddress%%]:10030
    -o smtpd_etrn_restrictions=reject
    -o smtpd_sasl_auth_enable=%%zimbraMtaSaslAuthEnable%%
    -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%
%%uncomment LOCAL:postfix_submission_smtpd_tls_key_file%% -o smtpd_tls_key_file=@@postfix_submission_smtpd_tls_key_file@@
%%uncomment LOCAL:postfix_submission_smtpd_tls_cert_file%% -o smtpd_tls_cert_file=@@postfix_submission_smtpd_tls_cert_file@@
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_data_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_recipient_restrictions=
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    -o syslog_name=postfix/submission
    -o milter_macro_daemon_name=ORIGINATING
%%uncomment LOCAL:postjournal_enabled%% -o smtpd_proxy_filter=[%%zimbraLocalBindAddress%%]:10027
%%uncomment LOCAL:postjournal_enabled%% -o smtpd_proxy_options=speed_adjust
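Whether DualBoot's override on the smtpd pass service actually took effect is something to measure rather than assume. The script below is an added example written for this page (not code from the thread, Zimbra or Postfix): it parses a master.cf in the layout pasted above and reports, for every service whose command is smtpd, the value of smtpd_sasl_auth_enable that service will really use, i.e. its own -o override or, failing that, the main.cf value. It assumes the standard eight-field service line followed by indented -o continuation lines; because the forum stripped the indentation from the paste, a line starting with -o or with a Zimbra %%uncomment ...%% template marker is also accepted as a continuation. The embedded sample is a constructed subset of the master.cf.in above, and the main.cf fallback is a parameter (Postfix's built-in default is no; on a Zimbra host pass whatever postconf smtpd_sasl_auth_enable prints).

```python
"""Report the effective smtpd_sasl_auth_enable value per smtpd service in master.cf.

Added example (not from the thread, Zimbra or Postfix). Assumes the standard
master.cf layout: a service line with eight fields, then continuation lines
carrying "-o name=value" overrides. Forum pastes lose their indentation, so a
line that starts with "-o" or with a Zimbra "%%uncomment ...%%" template
marker is also accepted as a continuation.
"""
import re

# Constructed sample: a subset of the posted master.cf.in, with DualBoot's
# "-o smtpd_sasl_auth_enable=no" added to the smtpd pass service.
SAMPLE_MASTER_CF = """\
# service type private unpriv chroot wakeup maxproc command + args
smtp      inet  n       -       n       -       1       postscreen
tlsproxy  unix  -       -       n       -       0       tlsproxy
dnsblog   unix  -       -       n       -       0       dnsblog
smtpd     pass  -       -       n       -       -       smtpd
  -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%
  -o smtpd_sasl_auth_enable=no
%%uncomment SERVICE:opendkim%% -o content_filter=scan:[%%zimbraLocalBindAddress%%]:10030
465       inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_wrappermode=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
submission inet n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=%%zimbraMtaSaslAuthEnable%%
  -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

TEMPLATE_MARKER = re.compile(r"^%%uncomment [^%]+%%\s*")
OVERRIDE = re.compile(r"-o\s+([A-Za-z0-9_]+)=(\S*)")


def parse_master_cf(text):
    """Return {"name/type": {"command": str, "options": {param: value}}}."""
    services = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        templated = line.startswith("%%uncomment")
        line = TEMPLATE_MARKER.sub("", line)
        if raw[:1].isspace() or templated or line.startswith("-o"):
            if current is not None:  # continuation: collect the -o overrides
                for param, value in OVERRIDE.findall(line):
                    current["options"][param] = value
            continue
        fields = line.split()
        if len(fields) < 8:
            continue  # not a well-formed service line; ignore it
        current = {"command": fields[7], "options": {}}
        services[f"{fields[0]}/{fields[1]}"] = current
    return services


def sasl_auth_by_service(services, main_cf_value="no"):
    """For each service whose command is smtpd, the value it will actually use:
    its own -o override if present, otherwise the main.cf setting (Postfix's
    built-in default is "no"; on Zimbra pass what `postconf` prints)."""
    result = {}
    for name, svc in services.items():
        if svc["command"] != "smtpd":
            continue  # postscreen, tlsproxy and dnsblog never speak AUTH
        result[name] = svc["options"].get("smtpd_sasl_auth_enable", main_cf_value)
    return result


if __name__ == "__main__":
    for service, value in sasl_auth_by_service(parse_master_cf(SAMPLE_MASTER_CF)).items():
        note = "" if value == "no" else "   <- offers AUTH (or a template value: check postconf)"
        print(f"{service:18} smtpd_sasl_auth_enable={value}{note}")
```

On the server itself, postconf -M lists the services and postconf -P the per-service overrides, which gives the merged result without parsing the file; re-running either after a Zimbra update shows whether the override survived, which is the loss reported later in this thread.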
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: Disable Auth in port 25 (Not MUA)

Post by L. Mark Stone »

Juan,

Zimbra by default on Port 25 does no authentication, and will accept email only for domains Zimbra is hosting. Otherwise, Zimbra would be an open relay.

Zimbra by default on Ports 465/587 requires authentication, and if authentication is successful will accept email for any destination, whether hosted within Zimbra or elsewhere.

Help me to understand what you need to change and why?

All the best,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
juan_urtiaga
Posts: 9
Joined: Mon Jan 23, 2017 7:44 pm

Re: Disable Auth in port 25 (Not MUA)

Post by juan_urtiaga »

Hi Mark!

Thank you for your answer.

OK, the basic problem is that we have malicious authentication attempts on port 25.
It seems like bots are trying to send mail from our real accounts; after a couple of attempts the accounts get locked in my LDAP server (outside of Zimbra).

So under these circumstances, considering that the malicious attempts come through port 25, one easy solution may be to disable authentication (I guess SASL) on port 25.
Clients should use only ports 587 and 465 to send mail; actually, I think 99% already do.

Thinking about your comments: as far as I remember, since I installed Zimbra 8.0 we were able to send authenticated mail using port 25 from any network. Now we have 8.8.12 with the same behaviour.

Regards,
Juan
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Disable Auth in port 25 (Not MUA)

Post by phoenix »

Search the forums (and the internet) for fail2ban and read up on how to use that.

Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: Disable Auth in port 25 (Not MUA)

Post by L. Mark Stone »

Bill is spot on that fail2ban can do the job just fine on a single server; it's more complex in a multi-server environment, which is why I like the IP address banning capability in Zimbra's DoSFilter.

The trick to keep legitimate users happy is to have DoSFilter (or fail2ban) block IP addresses before the bad guy locks the mailbox. I wrote a blog post on this:

https://www.missioncriticalemail.com/20 ... -together/

Either way, it's generally safer to use fail2ban or DoSFilter than to go customizing Zimbra's default MTA configs. Many such customizations won't survive Zimbra upgrades nor some patches.

All the best,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
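Mark's point that the source IP has to be dropped before the attacker trips the directory's lockout can be made concrete. The following is an added example written for this page (not code from the thread, fail2ban, DoSFilter or Postfix) that replays Postfix SASL failure warnings and applies two rules: ban a source IP after N failures inside a time window, with N deliberately set below the LDAP lockout threshold, and separately flag an account that is one failure away from lockout even though no single IP has tripped the ban, which is the distributed pattern Sumi describes later in the thread and which a purely per-IP tool cannot see. It assumes the usual "SASL <mechanism> authentication failed" warning and the sasl_username= field that newer Postfix versions append to it (without that field only the per-IP rule can fire). The log lines embedded in it are constructed, and the window, thresholds and addresses are placeholders to be set from your own lockout policy.

```python
"""Spot SMTP AUTH brute forcing in Postfix logs, per source IP and per account.

Added example, not from the thread, fail2ban, DoSFilter or Postfix. It assumes
the usual "SASL <mech> authentication failed" warning and, for the per-account
view, the "sasl_username=" field newer Postfix versions append to it; without
that field only the per-IP rule can fire. Syslog timestamps carry no year, so
only the differences between them are used.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample (not real traffic): two addresses take turns at one
# account so neither reaches a per-IP ban, plus one unrelated mistyped password.
SAMPLE_LOG = """\
Aug 14 19:50:01 proxymail postfix/smtpd[3461]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure, sasl_username=juan@domain.com
Aug 14 19:50:03 proxymail postfix/smtpd[3461]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure, sasl_username=juan@domain.com
Aug 14 19:50:06 proxymail postfix/smtpd[3462]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed: authentication failure, sasl_username=juan@domain.com
Aug 14 19:50:09 proxymail postfix/smtpd[3462]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed: authentication failure, sasl_username=juan@domain.com
Aug 14 19:50:15 proxymail postfix/submission/smtpd[3470]: warning: unknown[192.0.2.77]: SASL LOGIN authentication failed: authentication failure, sasl_username=vicky@domain.com
Aug 14 19:50:20 proxymail postfix/smtpd[3461]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure, sasl_username=juan@domain.com
"""

# Matches both "postfix/smtpd" and the renamed listeners ("postfix/submission/smtpd").
FAILED_AUTH = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix(?:/\w+)?/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[0-9A-Fa-f:.]+)\]: SASL \w+ authentication failed"
    r"(?:.*?, sasl_username=(?P<user>\S+))?"
)


@dataclass
class Report:
    banned: dict = field(default_factory=dict)   # ip -> time the ban would start
    at_risk: dict = field(default_factory=dict)  # account -> {"failures", "ips"}


def parse_failure(line):
    """Return (timestamp, ip, account or None) for a failed-AUTH line, else None."""
    m = FAILED_AUTH.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("ip"), m.group("user")


def analyse(lines, window=timedelta(minutes=10), ban_after=3, lock_after=5):
    """Replay the log. ban_after must sit below the directory's lock_after so the
    IP is dropped before the account locks; an account is flagged when it is one
    failure away from lock_after regardless of how many IPs contributed."""
    ip_hits = defaultdict(deque)     # ip -> timestamps inside the window
    acct_hits = defaultdict(deque)   # account -> (timestamp, ip) inside the window
    report = Report()
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip, account = parsed
        if ip in report.banned:
            continue  # a firewall drop would already have stopped this client
        hits = ip_hits[ip]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()
        if len(hits) >= ban_after:
            report.banned[ip] = ts
        if account is None:
            continue  # older Postfix: no sasl_username, per-IP rule only
        ahits = acct_hits[account]
        ahits.append((ts, ip))
        while ts - ahits[0][0] > window:
            ahits.popleft()
        if len(ahits) >= lock_after - 1:
            report.at_risk[account] = {
                "failures": len(ahits),
                "ips": sorted({seen_ip for _, seen_ip in ahits}),
            }
    return report


if __name__ == "__main__":
    rep = analyse(SAMPLE_LOG.splitlines())
    for ip, when in rep.banned.items():
        print(f"ban {ip} from {when:%H:%M:%S}")
    for account, info in rep.at_risk.items():
        print(f"{account}: {info['failures']} failures from {len(info['ips'])} IPs, about to lock")
```

With the sample, the first address is banned on its third failure, the second never reaches three, and the account still collects five failures across the two addresses, so the per-IP rule alone would not have saved it. Lowering ban_after to 2 bans both addresses but that only narrows the gap; the per-account flag is what turns a distributed run into an alert you can act on (for example by pausing the lockout counter or forcing the account to submission-only) before the directory locks the user out.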
juan_urtiaga
Posts: 9
Joined: Mon Jan 23, 2017 7:44 pm

Re: Disable Auth in port 25 (Not MUA)

Post by juan_urtiaga »

Mark, Phoenix:

Thanks again for your time.

I've already deployed fail2ban on the MTA host, but not all the attacks are filtered.
And yes, modifying the Postfix files is not good practice; actually, I lost the configuration in the last update.

Finally, I will try to tune fail2ban to reduce the account blocks.

Regards
Juan
Sumi
Posts: 8
Joined: Mon Aug 26, 2019 9:37 am

Re: Disable Auth in port 25 (Not MUA)

Post by Sumi »

Hello!

Were you able to solve this? That is, disable auth on port 25 after STARTTLS?

We're getting a ton of attacks like this, users are getting locked out, and there is no way to stop it, as the attack is distributed over multiple source IPs, so it bypasses fail2ban easily.

Yes, plain SMTP on port 25 doesn't offer the "AUTH LOGIN" command, but if you switch to STARTTLS on port 25, then the AUTH LOGIN command becomes available. The question is, is there a way to disable this without disabling TLS itself on port 25?
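The "only after STARTTLS" behaviour is worth measuring rather than guessing at. Below is an added example written for this page (not code from the thread, Zimbra or Postfix): parse_ehlo() reads a captured EHLO response, the text openssl s_client -starttls smtp or a packet capture shows, and reports which AUTH mechanisms a listener advertises in the clear versus only inside TLS; probe() repeats the check live with Python's smtplib against a server you administer. The sample responses are constructed and modelled on a Postfix server with smtpd_tls_auth_only = yes in main.cf, the Postfix setting that produces exactly the symptom described here (AUTH absent from the cleartext EHLO, advertised after STARTTLS). Whether AUTH is offered at all on a given listener is decided by smtpd_sasl_auth_enable for that service, so after applying the override suggested earlier in the thread the expected result on port 25 is no AUTH either before or after STARTTLS, while 465 and 587 should still advertise it.

```python
"""Show which AUTH mechanisms an SMTP listener advertises before and after STARTTLS.

Added example, not from the thread, Zimbra or Postfix. parse_ehlo() works on a
captured EHLO response (what `openssl s_client -starttls smtp` or a packet
capture shows); probe() repeats the check live with smtplib against a server
you administer. Host names and the sample responses are constructed.
"""
import smtplib
import ssl

# Constructed responses modelled on a Postfix server with smtpd_tls_auth_only=yes:
# nothing in the clear, AUTH advertised once TLS is up.
EHLO_PLAINTEXT = """\
250-mail.example.test
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 8BITMIME
"""
EHLO_AFTER_STARTTLS = """\
250-mail.example.test
250-PIPELINING
250-SIZE 10240000
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250 8BITMIME
"""


def parse_ehlo(text):
    """Return {keyword: argument} for a multi-line 250 reply, in the same shape
    smtplib stores in SMTP.esmtp_features (lowercase keys, AUTH lines merged)."""
    features = {}
    lines = [ln for ln in text.splitlines() if ln.startswith("250")]
    for line in lines[1:]:                       # lines[0] is the server's own name
        body = line[4:].strip()                  # drop "250-" or "250 "
        keyword, _, arg = body.replace("=", " ", 1).partition(" ")  # "AUTH=..." legacy form
        key = keyword.lower()
        features[key] = (features.get(key, "") + " " + arg).strip()
    return features


def auth_mechanisms(features):
    """AUTH mechanisms offered, deduplicated, in the order advertised."""
    mechs = []
    for m in features.get("auth", "").split():
        if m not in mechs:
            mechs.append(m)
    return mechs


def classify(plain, tls):
    """Exposure summary from the EHLO features before and after STARTTLS."""
    clear = auth_mechanisms(plain)
    return {
        "clear": clear,
        "tls_only": [m for m in auth_mechanisms(tls) if m not in clear],
        "offers_auth": bool(clear or auth_mechanisms(tls)),
    }


def probe(host, port=25, timeout=10):
    """Live check of a server you run: EHLO, then STARTTLS and EHLO again."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        plain = dict(s.esmtp_features)
        tls = {}
        if s.has_extn("starttls"):
            ctx = ssl.create_default_context()
            ctx.check_hostname = False     # inspecting AUTH exposure, not the certificate
            ctx.verify_mode = ssl.CERT_NONE
            s.starttls(context=ctx)
            s.ehlo()
            tls = dict(s.esmtp_features)
    return classify(plain, tls)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 25))
    else:
        print(classify(parse_ehlo(EHLO_PLAINTEXT), parse_ehlo(EHLO_AFTER_STARTTLS)))
```

Run it as python3 check_auth.py mta.example 25 and again with 587: a port-25 result of offers_auth False alongside a 587 result listing PLAIN and LOGIN under tls_only is the configuration this thread is after. A port-25 result that lists mechanisms under tls_only but nothing under clear means the override has not taken effect and smtpd_tls_auth_only is merely hiding AUTH from cleartext sessions.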