Allowing specific internal sender addresses through the MTA without a mailbox

MightyGorilla
Posts: 32
Joined: Fri Sep 12, 2014 11:48 pm

Allowing specific internal sender addresses through the MTA without a mailbox

Post by MightyGorilla »

I'll admit this feels like a really dumb question- and there may be a simple term for this concept, but I'm not aware of it, so my searches were fruitless. :(

We have a pretty common scenario of hardware devices that may periodically send internal notifications to a few administrative email addresses.
I'm not sure what might have been changed in our system (we haven't done an upgrade in a while; ZCS 8.6.0), but this was allowed previously, and now Zimbra rejects the unknown sender unless we add an account for it.

Is there a suggested way to handle these types of senders?

Thanks,
Travis-
MightyGorilla
Posts: 32
Joined: Fri Sep 12, 2014 11:48 pm

Re: Allowing specific internal sender addresses through the MTA without a mailbox

Post by MightyGorilla »

I see that I can disable zimbraMtaSmtpdRejectUnlistedSender, but it would be nice to only allow certain senders...
DavidMerrill
Advanced member
Posts: 126
Joined: Thu Jul 30, 2015 2:44 pm
Location: Portland, ME
ZCS/ZD Version: 8.8.15 P19

Re: Allowing specific internal sender addresses through the MTA without a mailbox

Post by DavidMerrill »

Do these devices have static IPs?

Check out: https://wiki.zimbra.com/wiki/ZimbraMtaMyNetworks
___________________________________
David Merrill - Zimbra Practice Lead
OTELCO Zimbra Hosting, Licensing and Professional Services
Zeta Alliance
MightyGorilla
Posts: 32
Joined: Fri Sep 12, 2014 11:48 pm

Re: Allowing specific internal sender addresses through the MTA without a mailbox

Post by MightyGorilla »

Thanks David-

Yeah, that's how we've had them set up in Zimbra for many years.
Now, the MTA seems to still allow the devices to submit messages, but rejects the messages afterward for having a sender address that doesn't exist on the Zimbra server.

I certainly don't want to create a bunch of mailboxes for "server-A@mydomain.net" just so that the MTA will allow messages through.
I think I did do an apt-get upgrade recently, but I didn't expect anything to affect our Zimbra install since it's not installed that way...
MightyGorilla
Posts: 32
Joined: Fri Sep 12, 2014 11:48 pm

Re: Allowing specific internal sender addresses through the MTA without a mailbox

Post by MightyGorilla »

For now, disabling zimbraMtaSmtpdRejectUnlistedSender resolved the problem, but that setting certainly isn't what started the problem, as I'm the only one here that could have changed it, and I didn't.
If anyone has a preferred method for handling these types of senders, I'd love to hear it.
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: Allowing specific internal sender addresses through the MTA without a mailbox

Post by L. Mark Stone »

MightyGorilla wrote:
> For now, disabling zimbraMtaSmtpdRejectUnlistedSender resolved the problem, but that setting certainly isn't what started the problem, as I'm the only one here that could have changed it, and I didn't.
> If anyone has a preferred method for handling these types of senders, I'd love to hear it.

Still on 8.6?

It's also possible you might be seeing the effects from the Mailsploit phishing/spoofing remediation work (I haven't touched an 8.6 system since early January except to migrate them to 8.8.8...). See https://bugzilla.zimbra.com/show_bug.cgi?id=108709. Barry de Graaff has a nice zimlet for this too: https://github.com/Zimbra-Community/spo ... ert-zimlet

You can check if zimbraPrefShortEmailAddress is set to FALSE (no Mailsploit):

    zmprov gc <name-of-ClassofService> zimbraPrefShortEmailAddress

For hardware devices on the LAN that are too old or otherwise can't do encrypted SMTP-Auth on Port 587, I'll assign them a static IP address and then add that IP address to zimbraMailTrustedIP.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
MightyGorilla
Posts: 32
Joined: Fri Sep 12, 2014 11:48 pm

Re: Allowing specific internal sender addresses through the MTA without a mailbox

Post by MightyGorilla »

Thanks Mark,
I didn't see your post until waaay later. We are still on 8.6 but will upgrade as soon as I get a good chance.

I haven't used zimbraMailTrustedIP before, and I'm not sure how it's different from zimbraMtaMyNetworks.
To add a single machine to zimbraMtaMyNetworks, I have just used its IP with a /32.
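An added example, not code from any poster in this thread: a small audit of a Postfix-style mynetworks value of the kind stored in zimbraMtaMyNetworks, showing which notification devices are trusted by IP, which are not, and which entries trust far more than the single /32 host discussed above. The network string, device names and IP addresses are constructed sample values, and the parser assumes the value holds only literal addresses and CIDR blocks (no table lookups).

```python
import ipaddress

# Constructed sample values; in practice paste the server's zimbraMtaMyNetworks.
MYNETWORKS = "127.0.0.0/8 [::1]/128 192.168.10.0/24 192.168.20.15/32"
DEVICES = {  # hypothetical notification senders and their static IPs
    "server-A": "192.168.20.15",
    "ups-1": "192.168.10.40",
    "printer-2": "192.168.30.7",
}


def parse_mynetworks(value):
    """Turn a Postfix-style mynetworks string into ip_network objects."""
    nets = []
    for token in value.replace(",", " ").split():
        if token.startswith("["):
            # Postfix writes IPv6 entries as [addr]/len; drop the brackets.
            addr, _, rest = token[1:].partition("]")
            token = addr + rest
        # A bare address becomes a /32 (or /128) single-host network.
        nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def audit(mynetworks, devices):
    """Report which devices are trusted by IP and which entries are wide."""
    nets = parse_mynetworks(mynetworks)
    report = {"covered": {}, "uncovered": [], "broad": []}
    for name, ip in devices.items():
        addr = ipaddress.ip_address(ip)
        hits = [n for n in nets if n.version == addr.version and addr in n]
        if hits:
            # Record the narrowest entry that trusts this device.
            report["covered"][name] = str(max(hits, key=lambda n: n.prefixlen))
        else:
            report["uncovered"].append(name)
    for net in nets:
        # Anything beyond loopback that trusts more than one address.
        if not net.is_loopback and net.num_addresses > 1:
            report["broad"].append(str(net))
    return report


if __name__ == "__main__":
    for key, value in audit(MYNETWORKS, DEVICES).items():
        print(key, value)
```

Entries listed under "broad" are candidates for narrowing to per-device /32 entries, since every address inside them is trusted the same way the listed device is.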