Disallow external authentication via port 25

Post by zanthius » Thu Oct 31, 2019 11:11 pm

Hi all,

I've got a server hosting 700+ accounts here; a majority of the users are clerical-type people.

It seems that a few have had their usernames and passwords compromised (probably by using the same details on another site), and spammers have been using the accounts to, well, spam.

Now the users don't have IMAP or POP access enabled in their features, but Zimbra is still allowing external connections to authenticate and send mail. The users will ONLY use the Zimbra webmail to send e-mails.

Does anyone know how to stop this behaviour (apart from educating users, as we all know how that goes with a large user base)?

Thanks.

Zimbra version - Release 8.6.0_GA_1153.SLES11_64_20141215151129 SLES11_64 FOSS edition, Patch 8.6.0_P14.


Post by phoenix » Fri Nov 01, 2019 1:50 am

Change the passwords and enforce strong passwords in the admin UI for your users.
Regards

Bill

Rspamd: A high performance spamassassin replacement

If you'd like to see this implemented in a future version of ZCS then please vote on Bugzilla entries 97706 & 108168
Post by maxxer » Mon Nov 04, 2019 7:29 am

Same situation (and actually very similar background :D) solved by adding -o smtpd_sasl_auth_enable=no to the smtpd line in /opt/zimbra/common/conf/master.cf.in. Resulting modified block should look like this:

smtpd     pass  -       -       n       -       -       smtpd
        -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%
        -o smtpd_sasl_auth_enable=no


This will disallow auth on port 25, so you can force your users to auth on port 465 or 587. As most spammers will use port 25 you will mitigate (not solve!) your issue.
In our situation we also geofenced smtps/imaps/pop3s, in order to even lower exposure.

Solution from here
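
A check for the master.cf edit described in the reply above, added here as an example and not part of the thread or of Zimbra's own tooling: it reads master.cf-style text and reports the effective smtpd_sasl_auth_enable for each smtpd service, so you can confirm AUTH is off on the port 25 service while the authenticated ports keep it. The sample text, its "submission" entry, and the function names are assumptions.

```python
# Added example: audit master.cf-style text for SASL AUTH per smtpd service.
# Constructed sample. The first entry is the block from the post; the
# "submission" entry is an assumed stand-in for an authenticated port.
SAMPLE_MASTER_CF = """\
# constructed sample, not a real Zimbra file
smtpd     pass  -       -       n       -       -       smtpd
        -o smtpd_tls_security_level=%%zimbraMtaTlsSecurityLevel%%
        -o smtpd_sasl_auth_enable=no

submission inet n       -       n       -       -       smtpd
        -o smtpd_tls_security_level=encrypt
        -o smtpd_sasl_auth_enable=yes
"""


def logical_lines(text):
    """Join continuation lines (leading whitespace); skip blanks and comments."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def sasl_auth_by_service(text, main_cf_value="yes"):
    """Return {"name/type": effective smtpd_sasl_auth_enable} for smtpd services.

    main_cf_value is the global setting (an assumption here; pass in what
    `postconf smtpd_sasl_auth_enable` reports). Only the plain
    "-o name=value" override form is handled.
    """
    result = {}
    for line in logical_lines(text):
        fields = line.split()
        if len(fields) < 8 or fields[7] != "smtpd":
            continue  # not a service entry, or not an smtpd listener
        value = main_cf_value
        args = fields[8:]
        for flag, setting in zip(args, args[1:]):
            if flag == "-o" and setting.startswith("smtpd_sasl_auth_enable="):
                value = setting.split("=", 1)[1]  # keep the last one seen
        result[f"{fields[0]}/{fields[1]}"] = value
    return result


if __name__ == "__main__":
    for service, value in sasl_auth_by_service(SAMPLE_MASTER_CF).items():
        print(f"{service}: smtpd_sasl_auth_enable={value}")
```

A service that reports the inherited global value instead of an explicit "no" is one where the override is missing or was dropped when the file was regenerated.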
