Force auth for internal users

pup_seba
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain

Force auth for internal users

Post by pup_seba »

Hi,

We need to make sure that for our local domain, users need to:
1. exist
2. authenticate

As of right now, we can connect from an outside network and via telnet send messages to our own domain, with:
1. non-existent users in our own domain (mail from: nonexistant@domain.com, rcpt to: existentuser1@domain.com)
2. existent users in our own domain (mail from: existentuser1@domain.com, rcpt to: existentuser2@domain.com)

We followed this guide: https://wiki.zimbra.com/wiki/Rejecting_ ... _and_above

And thus, executed these commands in our mta/proxy server:
zmprov mcf zimbraMtaSmtpdRejectUnlistedRecipient yes
zmprov mcf zimbraMtaSmtpdRejectUnlistedSender yes
zmmtactl restart
zmconfigdctl restart

The behaviour did not change. At this point, we don't need to match the sender from address to the authenticated user, we just need for users to authenticate (we'll see about forcing that match later...maybe).

The infrastructure consists of 2 (1 ldap+store / 1 proxy+mta) RHEL 6 servers with Zimbra Network 8.8.8 deployed on them.

Any ideas?
DualBoot
Elite member
Posts: 1326
Joined: Mon Apr 18, 2016 8:18 pm
Location: France - Earth
ZCS/ZD Version: ZCS FLOSS - 8.8.15 Mutli servers

Re: Force auth for internal users

Post by DualBoot »

Hello,

zmconfigdctl should be restarted first, because it will rewrite all configuration files, and after that you can restart the MTA.

Regards,
pup_seba
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain

Re: Force auth for internal users

Post by pup_seba »

During the restart of mta, a reload of the configuration is automatically done, as per the displayed output after executing the command.

In any case, we also restarted the whole server afterwards, and as this is a configuration saved in the ldap, that should also load it upon service start.

I don't think the order has anything to do with this not working. Have you been able to make it work? I'm testing it now in a lab environment with a different (8.8.9) version and it fails there too :/
pup_seba
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain

Re: Force auth for internal users

Post by pup_seba »

Looking around, I think this statement is wrong: "For Zimbra Collaboration 8.5 and above, please use the next commands to increase the security and reject the logins for users that doesn't exist in the LDAP" in regards to the zimbraMtaSmtpdRejectUnlistedRecipient and zimbraMtaSmtpdRejectUnlistedSender.

I was not able to find Zimbra documentation explaining what those are used for, except for the previous quotation found here https://wiki.zimbra.com/wiki/Rejecting_ ... _and_above
But again, I think that's wrong for 2 reasons:
1. I've tried those in 3 different versions of Zimbra over 8.5; I was always able to send without logging in or authenticating.
2. If those configurations match this http://www.postfix.org/ADDRESS_VERIFICATION_README.html then their purpose is other.

After seeing and testing point 2, I can confirm that I can no longer send e-mails with made-up addresses within my own domain. And now, if I send an email to a non-existent address, I get rejected at a postfix level. Which I think is the only purpose of these configurations.

So I guess that I'm stuck with https://wiki.zimbra.com/wiki/Enforcing_ ... ername_8.5 which I would rather not implement. I just need users that are sending e-mails from my own domain to authenticate before being able to send that email, but without affecting their option to send mails on behalf of other users when a proper delegation is done.
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: Force auth for internal users

Post by L. Mark Stone »

Please run:


zmprov gs `zmhostname` zimbraMtaMyNetworks
and check that the IP address of the device from which you are running your telnet tests is or is not listed in the networks above.

By definition, Zimbra is an open relay for any device listed in zimbraMtaMyNetworks. This is working as designed (it's a Postfix thing...).

Ideally, the only networks that should be listed in zimbraMtaMyNetworks are the localhost network (127.0.0.0/8) and the /32 for each of your Zimbra servers. If you have an older device, like a scan-to-email machine that doesn't do SMTP-Auth, you can give it a static IP and add that to zimbraMtaMyNetworks as a /32 as well.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
pup_seba
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain

Re: Force auth for internal users

Post by pup_seba »

Thanks for the idea, but that is not the case. My networks was one of the first things I made sure was not in the way. Also, for my lab testing and for this issue, all my "telnet" tries are done from a different network (my home) against the public IP of the lab (in my office).

I'm starting to think that those configurations don't do what I thought they do. It looks like they just check for the existence of the account on the Zimbra server (probing for existent accounts on remote servers as detailed in this link http://www.postfix.org/ADDRESS_VERIFICATION_README.html doesn't seem to be in place). Some part of their description on the wikis misled me to think they were to enforce sasl auth...but now I think I just misunderstood.

Could it be that zimbraMtaSmtpdRejectUnlistedRecipient and zimbraMtaSmtpdRejectUnlistedSender only check if the sender or receiver exist in our server during the postfix session? They don't seem to have anything to do with authentication...

Then, there is this other configuration for "enforcing match between...". But that seems an "overkill" for what I intend at this point, which is to make sure that if someone from outside my_networks is trying to send an e-mail to my organization, and that person (mail from:) claims to be an existent user of my organization, that should be avoided/prohibited. But only that...once authenticated and at this point, I'm not pursuing to force a match between the "mail from" in the header and in the data of the mail.

From your experience and knowledge, what do you think?
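The two observations in this thread (Mark's point that zimbraMtaMyNetworks hosts are permitted unconditionally, and pup_seba's finding that reject_unlisted_sender/recipient are only existence checks) can be reproduced by walking a Postfix-style smtpd restriction list in order. The following Python is an added illustration, not code from the thread or from Zimbra; the CIDRs, mailboxes and the check_sender_access map entry are constructed, and how such a list is wired into Zimbra's MTA attributes is outside what it shows.

```python
import ipaddress

# Constructed sample data (not from the thread): local domain, provisioned mailboxes,
# a zimbraMtaMyNetworks-style CIDR list and a check_sender_access-style map.
LOCAL_DOMAIN = "domain.com"
KNOWN_USERS = {"existentuser1@domain.com", "existentuser2@domain.com"}
MY_NETWORKS = ["127.0.0.0/8", "192.0.2.10/32"]          # placeholder CIDRs
SENDER_ACCESS = {LOCAL_DOMAIN: "REJECT"}                  # "domain.com REJECT" map entry

def in_my_networks(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in MY_NETWORKS)

def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def evaluate(restrictions, session):
    """Walk a Postfix-style smtpd restriction list in order; the first entry
    that yields permit or reject decides, as smtpd(8) does."""
    sender, rcpt = session["sender"], session["recipient"]
    for r in restrictions:
        if r == "permit_mynetworks" and in_my_networks(session["client_ip"]):
            return "permit"                       # why mynetworks hosts relay freely
        if r == "permit_sasl_authenticated" and session["sasl_user"]:
            return "permit"                       # delegated senders still pass here
        if r == "reject_unlisted_sender":         # existence check only, no auth check
            if sender_domain(sender) == LOCAL_DOMAIN and sender not in KNOWN_USERS:
                return "reject"
        if r == "reject_unlisted_recipient":
            if sender_domain(rcpt) == LOCAL_DOMAIN and rcpt not in KNOWN_USERS:
                return "reject"
        if r == "check_sender_access":            # reject local-domain senders not permitted above
            if SENDER_ACCESS.get(sender_domain(sender)) == "REJECT":
                return "reject"
    return "permit"                               # Postfix permits when the list is exhausted

# The two telnet tests from the thread, as an unauthenticated client outside mynetworks
FORGED_EXTERNAL = {"client_ip": "203.0.113.5", "sasl_user": None,
                   "sender": "nonexistant@domain.com", "recipient": "existentuser1@domain.com"}
SPOOFED_EXTERNAL = {"client_ip": "203.0.113.5", "sasl_user": None,
                    "sender": "existentuser1@domain.com", "recipient": "existentuser2@domain.com"}
AUTHENTICATED = dict(SPOOFED_EXTERNAL, sasl_user="existentuser1")
SCANNER = dict(SPOOFED_EXTERNAL, client_ip="192.0.2.10")   # scan-to-email box in mynetworks

# What the wiki's two attributes amount to: the spoofed-but-existing sender still passes
UNLISTED_ONLY = ["permit_mynetworks", "permit_sasl_authenticated",
                 "reject_unlisted_sender", "reject_unlisted_recipient"]
# A sender-access rule placed after the permit_* entries closes that gap
WITH_SENDER_ACCESS = UNLISTED_ONLY[:2] + ["check_sender_access"] + UNLISTED_ONLY[2:]
```

Because the sender-access rule rejects every unauthenticated local-domain sender, it also rejects legitimate mail for your domain that arrives unauthenticated via third-party relays, which the thread does not discuss.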