Zimbra not enforcing MTA whitelist/ SPF check ?

Post by rokoyato »

Hi,

I have a Zimbra server that is allowing anyone to send a mail to a local user with a fake From address, as long as a correct email is provided in RCPT.

here's the test

telnet IP 25
Trying IP...
Connected to IP.
Escape character is '^]'.
220 hostname.domain ESMTP Postfix
HELO x
250 hostname.domain
MAIL FROM: fakemail@microsoft.com
250 2.1.0 Ok
RCPT TO:test@domain.org
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: This is a fake
Still fake
.
250 2.0.0 Ok: queued as 159478A1B3E
And the mail ends up in the user's mailbox...

I've checked the MTA whitelist; all seems good on this side. I don't know which part of Zimbra is supposed to block this type of mail (there should be an SPF check that blocks these, I think?).

If anyone has an idea :)
Re: Zimbra not enforcing MTA whitelist/ SPF check ?

Post by L. Mark Stone »

I would check two things:

zmprov gs `zmhostname` zimbraMtaMyNetworks
Any IPs in the networks listed by the above command can use Zimbra as an open relay.


You may also want to restrict users from sending "From:" anyone as a general rule:

zmprov mcf +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch
Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
Re: Zimbra not enforcing MTA whitelist/ SPF check ?

Post by rokoyato »

Hi Mark,

The server is not an open relay, as I cannot send an email to someone outside of Zimbra.

I can send emails to any user inside the server with a fake From, and Zimbra lets the mail go to the recipient's mailbox.

That means Zimbra does not apply any checking of incoming mails from port 25, even from a random IP (a simple SPF check on microsoft.com in my example would suffice to block the mail).

Regards
Re: Zimbra not enforcing MTA whitelist/ SPF check ?

Post by L. Mark Stone »

Sorry, I misunderstood that the flow is inbound, not outbound.

To be clear, are you expecting Zimbra to be able to discern whether a foreign email address in the From: header is valid or not? And do you also expect that the From: address will always be identical to the envelope sender, or do you want to check for differences there as well (and verify the envelope sender too, perhaps)?

Or are you just wanting Zimbra to be doing SPF checks of inbound email?
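Mark's questions above turn on the difference between the envelope sender, which SPF evaluates together with the connecting IP (and, separately, the HELO name as postmaster@helo), and the From: header, which SPF never reads. The following is an added example, not Zimbra, Postfix or SpamAssassin code: a minimal RFC 7208 evaluator for the ip4, ip6, include and all mechanisms, with DNS replaced by a constructed dictionary so it runs offline. The domains sender.example, _spf.mailer.example and loop.example and their records are assumptions made up for the example.

```python
"""Minimal SPF (RFC 7208) check over a constructed DNS table.

Added example, not Zimbra, Postfix or SpamAssassin code. DNS is replaced by a
dictionary so the check runs offline; the domains and records are made up.
"""
import ipaddress

# Constructed TXT records (assumption: none of these domains is real).
DNS_TXT = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on DNS-querying terms


def check_spf(client_ip, mail_from):
    """SPF result for a connection from client_ip with this envelope sender.

    Inputs are the connecting IP and the MAIL FROM address only. The RFC 5322
    From: header is deliberately absent: SPF never evaluates it, so a forged
    From: header on an honest envelope is invisible to this check.
    """
    domain = mail_from.rsplit("@", 1)[-1]
    ip = ipaddress.ip_address(client_ip)
    return _check_host(ip, domain, {"lookups": 0})


def _check_host(ip, domain, counter):
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            counter["lookups"] += 1
            if counter["lookups"] > MAX_DNS_LOOKUPS:
                return "permerror"
            inner = _check_host(ip, arg, counter)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"  # RFC 7208 section 5.2
            # fail/softfail/neutral inside an include: try the next term
        else:
            # a, mx, ptr, exists and modifiers are not modelled; treat them as
            # an error rather than silently skipping them (simplification).
            return "permerror"
    return "neutral"  # record exhausted without a match and without 'all'


def explain(client_ip, helo, mail_from, header_from):
    """Show which inputs of an SMTP session SPF does and does not consider."""
    return {
        "spf_mailfrom": check_spf(client_ip, mail_from),
        "spf_helo": check_spf(client_ip, "postmaster@" + helo),  # RFC 7208 2.3
        "ignored": {"header_from": header_from},
    }


if __name__ == "__main__":
    # Same shape as the telnet test in the first post, with made-up names.
    print(explain("203.0.113.7", "x", "fake@sender.example", "ceo@sender.example"))
```

A session like the telnet test in the first post, evaluated against a domain that publishes -all, fails when the connecting IP is outside the record; the same session with a legitimate envelope sender and a forged From: header passes, which is the gap Mark is asking about. Mechanisms not modelled (a, mx, ptr, exists) and modifiers are reported as permerror rather than skipped, which is the conservative choice for a test tool; the checkers in Postfix policy daemons and SpamAssassin implement the full set.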
Re: Zimbra not enforcing MTA whitelist/ SPF check ?

Post by rokoyato »

Well, for now I will go only for the SPF check, but if you have links to resources for all the other checking methods you've mentioned, I'm interested!
Re: Zimbra not enforcing MTA whitelist/ SPF check ?

Post by L. Mark Stone »

Zimbra ships with Amavis and Spamassassin, and Spamassassin already does SPF checks on incoming mail.

Sounds like you may just need to bump up the fail score for the existing SPF check?

To do so, as the Zimbra user, create a file called /opt/zimbra/data/spamassassin/localrules/zzsauser.cf and add a line to set the desired score for the test. If your spam threshold is, say, 5, and you absolutely want emails that fail the SPF test to be marked as spam, then to allow for the email getting some negative scores as well, you would add a line to zzsauser.cf like:

score SPF_FAIL 7.5
If you want to see in /var/log/zimbra.log the individual Spamassassin test results of each email (useful for confirming operation and debugging false positives), then change the Amavis logging level:

zmprov mcf zimbraAmavisLogLevel 2
BTW, the zzsauser.cf will survive most Zimbra patches, but not a version upgrade, so it's a good idea to keep a backup of it someplace.

Hope that helps,
Mark
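The two steps above (raise the SPF_FAIL score in zzsauser.cf; read per-test results at Amavis log level 2) can be checked against zimbra.log before the score is changed. What follows is an added example, not Amavis, SpamAssassin or Zimbra code: it parses the Amavis "Passed ..." lines and the "spam-tag" lines that log level 2 adds, reports for each message whether SpamAssassin produced a score at all (a "Hits: -" with no spam-tag line), whether any SPF_* rule fired, and what the total would become under a zzsauser.cf override such as "score SPF_FAIL 7.5". The sample lines are constructed in the shape of real amavisd-new output; every task ID, address, score and the required=6.6 level in them is made up.

```python
"""Parse Amavis lines from zimbra.log and report what they say about SPF.

Added example, not Amavis, SpamAssassin or Zimbra code. The log lines below
are constructed in the shape of real amavisd-new output; every ID, address
and score in them is made up.
"""
import re

SAMPLE_LOG = """\
Dec  1 18:07:25 zimbra-server amavis[94692]: (94692-12) Passed CLEAN {RelayedInbound}, [203.0.113.7]:1845 [203.0.113.7] <test@microsoft.com> -> <client@domain.orgg>, Queue-ID: 437138A6A57, Message-ID: <20221201170657.437138A6A57@zimbra-server.mycompany>, mail_id: cA8oZMTsd07F, Hits: -, size: 358, queued_as: E0D548A6C1A, 71 ms
Dec  1 18:09:01 zimbra-server amavis[94693]: (94693-03) spam-tag, <test@microsoft.com> -> <client@domain.orgg>, No, score=2.42 tagged_above=-999 required=6.6 tests=[SPF_FAIL=0.919,SPF_HELO_NONE=0.001,MISSING_MID=0.14,MISSING_DATE=1.36]
Dec  1 18:09:01 zimbra-server amavis[94693]: (94693-03) Passed CLEAN {RelayedInbound}, [203.0.113.7]:1911 [203.0.113.7] <test@microsoft.com> -> <client@domain.orgg>, Queue-ID: 5A1C08A6C3F, Message-ID: <x@y>, mail_id: kPz1s9Qw2Lm4, Hits: 2.42, size: 402, queued_as: 9F0E38A6C50, 210 ms
Dec  1 18:12:40 zimbra-server amavis[94694]: (94694-07) spam-tag, <news@mailer.example> -> <client@domain.orgg>, No, score=-0.1 tagged_above=-999 required=6.6 tests=[SPF_PASS=-0.001,DKIM_VALID=-0.1,HTML_MESSAGE=0.001]
Dec  1 18:12:40 zimbra-server amavis[94694]: (94694-07) Passed CLEAN {RelayedInbound}, [198.51.100.10]:40112 [198.51.100.10] <news@mailer.example> -> <client@domain.orgg>, Queue-ID: 7C2D18A6C61, Message-ID: <abc@mailer.example>, mail_id: mN3vQ7xR1aZ0, Hits: -0.1, size: 5120, queued_as: B9D448A6C72, 330 ms
"""

# Per-message summary line; 'Hits: -' means no spam score was produced.
PASSED_RE = re.compile(
    r"\((?P<task>\d+-\d+)\) Passed (?P<verdict>\w+) .*?"
    r"mail_id: (?P<mail_id>\S+), Hits: (?P<hits>-?\d+(?:\.\d+)?|-),"
)
# Per-test detail line, only logged at Amavis log level 2 or higher.
SPAMTAG_RE = re.compile(
    r"\((?P<task>\d+-\d+)\) spam-tag, <(?P<env_from>[^>]*)> -> <(?P<to>[^>]*)>, "
    r"(?P<is_spam>Yes|No), score=(?P<score>-?\d+(?:\.\d+)?) "
    r"tagged_above=(?P<tag>-?\d+(?:\.\d+)?) required=(?P<req>-?\d+(?:\.\d+)?) "
    r"tests=\[(?P<tests>[^\]]*)\]"
)


def parse_amavis(log_text):
    """Group the spam-tag and Passed lines of each Amavis task ID."""
    messages = {}
    for line in log_text.splitlines():
        m = SPAMTAG_RE.search(line)
        if m:
            tests = {}
            for item in filter(None, m["tests"].split(",")):
                name, _, value = item.partition("=")
                tests[name] = float(value) if value else 0.0
            messages.setdefault(m["task"], {}).update(
                envelope_from=m["env_from"], score=float(m["score"]),
                required=float(m["req"]), tests=tests)
            continue
        m = PASSED_RE.search(line)
        if m:
            messages.setdefault(m["task"], {}).update(
                mail_id=m["mail_id"], verdict=m["verdict"],
                hits=None if m["hits"] == "-" else float(m["hits"]))
    return messages


def spf_status(msg):
    """What the log proves about SPF for one message."""
    if "tests" not in msg:
        # 'Hits: -' with no spam-tag line: SpamAssassin produced no score.
        return "not_scanned" if msg.get("hits") is None else "no_test_detail"
    fired = [t for t in msg["tests"] if t.startswith("SPF_")]
    if not fired:
        return "no_spf_rule_fired"
    if any(t in ("SPF_FAIL", "SPF_SOFTFAIL") for t in fired):
        return "spf_fail"
    return "spf_ok"


def score_with_override(msg, overrides):
    """Total SA score if zzsauser.cf replaced the given rule scores."""
    return round(sum(overrides.get(rule, score)
                     for rule, score in msg["tests"].items()), 3)


def would_be_spam(msg, overrides):
    """Would the message reach the required= level with these overrides?"""
    return score_with_override(msg, overrides) >= msg["required"]


def report(log_text, overrides=None):
    """One row per message: SPF status and the effect of the overrides."""
    overrides = overrides or {}
    rows = []
    for task, msg in sorted(parse_amavis(log_text).items()):
        row = {"task": task, "mail_id": msg.get("mail_id"), "spf": spf_status(msg)}
        if "tests" in msg:
            row["score"] = msg["score"]
            row["score_with_override"] = score_with_override(msg, overrides)
            row["spam_with_override"] = would_be_spam(msg, overrides)
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_LOG, {"SPF_FAIL": 7.5}):
        print(row)
```

Against a real log, call report(open('/var/log/zimbra.log').read(), {'SPF_FAIL': 7.5}). A message whose status comes out as not_scanned is unaffected by any score change, so that case points at the Amavis/Postfix path rather than at SpamAssassin rules; spf_fail with a score still below required is the case the zzsauser.cf override is meant to fix.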
Re: Zimbra not enforcing MTA whitelist/ SPF check ?

Post by rokoyato »

Hi,

Here are the logs for a test I've just done, with more Amavis logging; it seems like no SPF checks are done:

Dec  1 18:06:56 zimbra-server postfix/smtpd[28780]: NOQUEUE: filter: RCPT from ext-adm.mycompany[companyIP]: <test@microsoft.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<test@microsoft.com> to=<client@domain.orgg> proto=SMTP helo=<x>
Dec  1 18:06:57 zimbra-server postfix/smtpd[28780]: NOQUEUE: filter: RCPT from ext-adm.mycompany[companyIP]: <test@microsoft.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<test@microsoft.com> to=<client@domain.orgg> proto=SMTP helo=<x>
Dec  1 18:06:57 zimbra-server postfix/smtpd[28780]: 437138A6A57: client=ext-adm.mycompany[companyIP]
Dec  1 18:07:25 zimbra-server postfix/cleanup[40451]: 437138A6A57: message-id=<20221201170657.437138A6A57@zimbra-server.mycompany>
Dec  1 18:07:25 zimbra-server postfix/qmgr[81090]: 437138A6A57: from=<test@microsoft.com>, size=358, nrcpt=1 (queue active)
Dec  1 18:07:25 zimbra-server amavis[94692]: (94692-12) ESMTP [127.0.0.1]:10024 /opt/zimbra/data/amavisd/tmp/amavis-20221201T171016-94692-BTYJtz2H: <test@microsoft.com> -> <client@domain.orgg> SIZE=358 Received: from zimbra-server.mycompany ([127.0.0.1]) by localhost (zimbra-server.mycompany [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <client@domain.orgg>; Thu,  1 Dec 2022 18:07:25 +0100 (CET)
Dec  1 18:07:25 zimbra-server amavis[94692]: (94692-12) Checking: cA8oZMTsd07F [companyIP] <test@microsoft.com> -> <client@domain.orgg>
Dec  1 18:07:25 zimbra-server amavis[94692]: (94692-12) p001 1 Content-Type: text/plain, size: 11 B, name:
Dec  1 18:07:25 zimbra-server postfix/amavisd/smtpd[40456]: connect from localhost[127.0.0.1]
Dec  1 18:07:25 zimbra-server postfix/amavisd/smtpd[40456]: E0D548A6C1A: client=localhost[127.0.0.1]
Dec  1 18:07:25 zimbra-server postfix/cleanup[40802]: E0D548A6C1A: message-id=<20221201170657.437138A6A57@zimbra-server.mycompany>
Dec  1 18:07:25 zimbra-server postfix/amavisd/smtpd[40456]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Dec  1 18:07:25 zimbra-server amavis[94692]: (94692-12) cA8oZMTsd07F FWD from <test@microsoft.com> -> <client@domain.orgg>, BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as E0D548A6C1A
Dec  1 18:07:25 zimbra-server postfix/qmgr[81090]: E0D548A6C1A: from=<test@microsoft.com>, size=777, nrcpt=1 (queue active)
Dec  1 18:07:25 zimbra-server amavis[94692]: (94692-12) Passed CLEAN {RelayedInbound}, [companyIP]:1845 [companyIP] <test@microsoft.com> -> <client@domain.orgg>, Queue-ID: 437138A6A57, Message-ID: <20221201170657.437138A6A57@zimbra-server.mycompany>, mail_id: cA8oZMTsd07F, Hits: -, size: 358, queued_as: E0D548A6C1A, 71 ms
Dec  1 18:07:25 zimbra-server postfix/smtp[40452]: 437138A6A57: to=<client@domain.orgg>, relay=127.0.0.1[127.0.0.1]:10024, delay=40, delays=40/0/0/0.07, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as E0D548A6C1A)
Dec  1 18:07:25 zimbra-server postfix/qmgr[81090]: 437138A6A57: removed
Dec  1 18:07:25 zimbra-server amavis[94692]: (94692-12) size: 358, TIMING [total 75 ms, cpu 24 ms] - SMTP greeting: 1.4 (2%)2, SMTP EHLO: 0.3 (0%)2, SMTP pre-MAIL: 0.3 (0%)3, lookup_ldap: 3.3 (4%)7, SMTP pre-DATA-flush: 0.7 (1%)8, SMTP DATA: 37 (50%)58, check_init: 0.2 (0%)58, digest_hdr: 0.3 (0%)58, digest_body_dkim: 0.1 (0%)58, collect_info: 0.9 (1%)60, mime_decode: 7 (9%)69, get-file-type1: 4.2 (6%)74, parts_decode: 0.1 (0%)74, check_header: 0.2 (0%)75, decide_mail_destiny: 0.4 (1%)75, notif-quar: 0.2 (0%)75, fwd-connect: 2.4 (3%)79, fwd-mail-pip: 6 (8%)87, fwd-rcpt-pip: 0.1 (0%)87, fwd-data-chkpnt: 0.0 (0%)87, write-header: 0.2 (0%)87, fwd-data-contents: 0.0 (0%)87, fwd-end-chkpnt: 2.3 (3%)90, prepare-dsn: 0.4 (1%)91, report: 0.7 (1%)92, main_log_entry: 2.3 (3%)95, update_snmp: 0.2 (0%)95, SMTP pre-response: 0.1 (0%)95, SMTP response: 0.1 (0%)95, unlink-1-files: 2.9 (4%)99, rundown: 0.5 (1%)100
Dec  1 18:07:25 zimbra-server amavis[94692]: (94692-12) size: 358, RUSAGE minflt=2+0, majflt=0+0, nswap=0+0, inblock=0+0, oublock=24+0, msgsnd=0+0, msgrcv=0+0, nsignals=0+0, nvcsw=22+0, nivcsw=0+0, maxrss=82936+0, ixrss=0+0, idrss=0+0, isrss=0+0, utime=0.023+0.000, stime=0.001+0.000
Dec  1 18:07:26 zimbra-server postfix/lmtp[40457]: E0D548A6C1A: to=<client@domain.orgg>, relay=zimbra-server.mycompany[192.168.75.2]:7025, delay=0.14, delays=0.01/0/0.05/0.09, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
Dec  1 18:07:26 zimbra-server postfix/qmgr[81090]: E0D548A6C1A: removed
So I think I'm missing some knowledge here :(
Re: Zimbra not enforcing MTA whitelist/ SPF check ?

Post by L. Mark Stone »

The only SpamAssassin tests that make it into the logs are the ones that are triggered.

You did restart amavis after making those changes yes?
Re: Zimbra not enforcing MTA whitelist/ SPF check ?

Post by rokoyato »

I did not change the SPF_FAIL score, as I wanted to see what the default score was, but it seems that there's no SPF check by default?

This problem seems to appear several times already on the forum :

viewtopic.php?t=59010
viewtopic.php?t=13870
viewtopic.php?t=66822
viewtopic.php?t=65090

Following the last link I tried to enable reject_unknown_sender_domain but with no luck.

Regards
Re: Zimbra not enforcing MTA whitelist/ SPF check ?

Post by raghuramn89@gmail.com »

Share the "Show Original" of any message so we can check whether the SPF check was done or not.