I have a customer whose Zimbra needs to allow non-TLS connections for LAN legacy applications only, without compromising external communications (client SMTP logins and mail, aka submissions).
So I thought I would not force TLS by unchecking the "TLS authentication only" option, and the legacy applications worked. But there is a lack of documentation on what this action does for port 587.
So I spent some time figuring this out. Testing showed that both ports allow insecure login now.
(Thanks to https://wiki.zimbra.com/wiki/Simple_Tro ... nd_Openssl )
So this setting affects ports 25 and 587 the same way. If it is checked, it ENFORCES encryption, i.e. it disables LOGIN if there is no TLS (secure connection).
If this setting is unchecked, it sets the TLS security option in Postfix to "may". This means it tries TLS but also accepts LOGIN on insecure (no TLS) connections.
As I'm fine with port 25 (LAN only allowed, incoming blocked by the router's firewall, outgoing not containing passwords),
I'm not fine with relaxing the port 587 communication, which must be allowed through the router's firewall (and contains user passwords).
# So here's the hotfix for this issue: open the file master.cf.in
nano /opt/zimbra/common/conf/master.cf.in
submission inet n       -       n       -       -       smtpd
%%uncomment SERVICE:opendkim%%  -o content_filter=scan:[%%zimbraLocalBindAddress%%]:10030
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=%%zimbraMtaSaslAuthEnable%%
  -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%
# Note that the "submission" service is port 587 and the "smtp" service (also run by smtpd) is port 25 if you use the default ports. The indented "-o" lines are options belonging to the service line above them, so keep the leading whitespace and do not put a space after "=".
# "%%zimbraMtaTlsSecurityLevel%%" is the value from the Zimbra admin interface: if the option is unchecked it is "may", if checked it is "encrypt".
# Suit yourself: put a fixed value (e.g. "encrypt") on the service that must stay protected, and keep "%%zimbraMtaTlsSecurityLevel%%" on the other connection.
# With the zimbra user:
postfix reload
## Notice the AUTH LOGIN lines on port 25 and none on port 587 with plain telnet (no TLS)
telnet servername 25
220 servername ESMTP Postfix
helo myworkstation
250 servername
ehlo myworkstation
250-servername
250-PIPELINING
250-SIZE 104857600
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
## No more insecure logins possible, legacy SMTP sending works in the LAN, everybody happy and secure.
telnet servername 587
220 servername ESMTP Postfix
helo myworkstation
250 servername
ehlo myworkstation
250-servername
250-PIPELINING
250-SIZE 104857600
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
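The same hotfix and the same telnet check, as an added POSIX shell example (this is not code from the post or from Zimbra): one function pins smtpd_tls_security_level=encrypt on exactly one master.cf service block (here "submission") while leaving every other service on the admin-UI macro, and another function inspects a captured EHLO reply for an AUTH offer on a plaintext connection. The master.cf.in excerpt and the two EHLO captures are constructed inline, modelled on what is shown above; the extra "-o smtpd_tls_security_level" line under the "smtp" service is an assumption added only to show that the rewrite is scoped to a single service (in the real template port 25 takes its value from main.cf). Two caveats a practitioner would want: a Zimbra upgrade replaces master.cf.in, so the edit has to be re-applied afterwards, and telnet can only show what is offered before STARTTLS; to confirm that AUTH is still offered inside TLS on 587, use standard OpenSSL (`openssl s_client -starttls smtp -connect servername:587`), which the post itself does not show.

```shell
#!/bin/sh
# Added example, not from the original post or from Zimbra.
# Pins one Postfix master.cf service to smtpd_tls_security_level=encrypt and
# checks EHLO captures for plaintext AUTH offers. Runs offline on the
# constructed samples below.

# Constructed sample of a master.cf.in excerpt (assumption: the "-o" line under
# "smtp" exists only to show that the rewrite touches one service).
SAMPLE_MASTER_CF_IN='smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%
submission inet n       -       n       -       -       smtpd
%%uncomment SERVICE:opendkim%%  -o content_filter=scan:[%%zimbraLocalBindAddress%%]:10030
  -o smtpd_etrn_restrictions=reject
  -o smtpd_sasl_auth_enable=%%zimbraMtaSaslAuthEnable%%
  -o smtpd_tls_security_level= %%zimbraMtaTlsSecurityLevel%%'

# Constructed EHLO replies, modelled on the telnet sessions in the post.
PORT25_EHLO='250-servername
250-PIPELINING
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 DSN'
PORT587_EHLO='250-servername
250-PIPELINING
250-STARTTLS
250 DSN'

# set_service_tls_level <service> <level>  (master.cf text on stdin, rewritten text on stdout)
# A service line starts in column 1 and names the service in its first field;
# indented "-o" lines below it belong to that service (Postfix continuation
# rule). Lines starting with the Zimbra "%%uncomment ...%%" macro are skipped
# when tracking the current service. The sub() also removes a stray space
# after "=", which would otherwise break the option.
set_service_tls_level() {
  awk -v svc="$1" -v level="$2" '
    /^[^ \t#%]/ { cur = $1 }
    cur == svc && /^[ \t]+-o[ \t]+smtpd_tls_security_level=/ {
      sub(/smtpd_tls_security_level=.*/, "smtpd_tls_security_level=" level)
    }
    { print }
  '
}

# tls_level_of <service>  (master.cf text on stdin, prints the level of the
# first smtpd_tls_security_level override found under that service, if any)
tls_level_of() {
  awk -v svc="$1" '
    /^[^ \t#%]/ { cur = $1 }
    cur == svc && /^[ \t]+-o[ \t]+smtpd_tls_security_level=/ {
      sub(/.*smtpd_tls_security_level=[ \t]*/, ""); print; exit
    }
  '
}

# ehlo_offers_auth  (EHLO reply on stdin; exit 0 if any AUTH capability line is
# present, i.e. a client could log in without STARTTLS)
ehlo_offers_auth() {
  grep -Eq '^250[- ]AUTH[ =]'
}

# Demonstration: harden submission, then report both services and both captures.
hardened=$(printf '%s\n' "$SAMPLE_MASTER_CF_IN" | set_service_tls_level submission encrypt)
echo "submission level: $(printf '%s\n' "$hardened" | tls_level_of submission)"
echo "smtp level:       $(printf '%s\n' "$hardened" | tls_level_of smtp)"
for port in 25 587; do
  eval "capture=\$PORT${port}_EHLO"
  if printf '%s\n' "$capture" | ehlo_offers_auth; then
    echo "port $port: plaintext AUTH offered"
  else
    echo "port $port: no plaintext AUTH"
  fi
done
```

On a real server, run it against a copy of /opt/zimbra/common/conf/master.cf.in, diff the result before putting it in place, then regenerate and reload Postfix as the zimbra user (the post uses `postfix reload`) and repeat the telnet checks.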