My Zimbra 8.0 is an Open Relay

Andre81
Posts: 9
Joined: Sat Sep 13, 2014 2:59 am

Post by Andre81 »

Hi there,
this is my first post in this community. I'm new to the Zimbra Collaboration Suite, and I have some questions about my particular configuration.
My network is quite complicated, and I have two NATs, one behind the other.

This means that Zimbra will always see all incoming connections as local, as if they were generated locally (192.168.xx), even when they are generated by an external IP.

In this scenario we understand very well that restricting authorization by trusted network does not make sense.
My idea is simple:
In order to send outside the Zimbra domain (users@mydomain.com -> users@outside_the_world), users MUST be authenticated through username and password regardless of where the connection originates.
In order to receive mail, senders outside my domain are permitted to send only to users in my domain.
I've read a bit about how to restrict this here: http://www.zimbra.com/forums/administra ... post235929 but I have some problems.
1) This way, all types of mail are relayed only if the sender is authenticated

2) My Zimbra 8.0 rewrites all the changes I've made in the configuration files, so after a restart I lose the configuration


Any help will be appreciated.
Thanks
Andrea
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Post by phoenix »

Zimbra, by default, is not an open relay unless you've modified something to make it one.
[quote user="Andre81"]My network is quite complicated, and I have two NATs, one behind the other.[/quote]
That makes no sense and doesn't provide any benefit.
[quote user="Andre81"]This means that Zimbra will always see all incoming connections as local, as if they were generated locally (192.168.xx), even when they are generated by an external IP.

In this scenario we understand very well that restricting authorization by trusted network does not make sense.[/quote]
[quote user="Andre81"]My idea is simple:
In order to send outside the Zimbra domain (users@mydomain.com -> users@outside_the_world), users MUST be authenticated through username and password regardless of where the connection originates.[/quote]
Your users should use Port 587 as the correct submission port, that requires authentication.
[quote user="Andre81"]In order to receive mail, senders outside my domain are permitted to send only to users in my domain.[/quote]
They can't send mail to anyone else unless you're an open relay (see my first comment).
[quote user="Andre81"]I've read a bit about how to restrict this here: http://www.zimbra.com/forums/administra ... post235929 but I have some problems.
1) This way, all types of mail are relayed only if the sender is authenticated

2) My Zimbra 8.0 rewrites all the changes I've made in the configuration files, so after a restart I lose the configuration[/quote]
Then you need to make the changes correctly in ZCS 8, search the forums for details.
FWIW, I have my server behind a NAT router and I also have my LAN subnet in the Trusted Networks and nobody can relay through my server. I'd suggest you search the internet for sites that will test your server to see if it's an open relay.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
Andre81
Posts: 9
Joined: Sat Sep 13, 2014 2:59 am

Post by Andre81 »

[quote user="phoenix"]Zimbra, by default, is not an open relay unless you've modified something to make it one.
That makes no sense and doesn't provide any benefit.[/quote]
This is correct, I think exactly like you, but this configuration is provided by my ISP and I can't change it.

Don't forget, this is Italy, for better or for worse ;)

(we have not thought patterns and we range into the strangest default configuration :D)


[quote user="phoenix"]Your users should use Port 587 as the correct submission port, that requires authentication.[/quote]
Must port 587 be configured in the initial setup?
[quote user="phoenix"]They can't send mail to anyone else unless you're an open relay (see my first comment).[/quote]

That's right, but in my particular case Zimbra is an Open Relay (I've tested it) due to this particular scenario.

I think that permitting sending based only on IP address isn't secure enough; in fact, if my network has many servers and one of them is compromised, the Trusted Network isn't enough.
[quote user="phoenix"]Then you need to make the changes correctly in ZCS 8, search the forums for details.[/quote]
I've searched, but there is a bit of confusion: one user talks about one method, another talks about another method, and so on...
[quote user="phoenix"]FWIW, I have my server behind a NAT router and I also have my LAN subnet in the Trusted Networks and nobody can relay through my server. I'd suggest you search the internet for sites that will test your server to see if it's an open relay.[/quote]
If I have only one NAT, my Zimbra works like a charm... even if the problem of access to the local network even to other servers remains.


Thanks for your attention.
Andrea
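
Added example, not part of the original thread and not Zimbra's own code: a small model of the per-recipient relay decision in Postfix's order (permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination), showing why trusting the LAN subnet behind a source-rewriting NAT relays for every outside client, and what a loopback-only trust list changes. The LAN range, NAT address, external client address and example.net recipient are constructed; source rewriting by the inner NAT is the assumption taken from the thread.

```python
import ipaddress

MY_DOMAINS = {"mydomain.com"}                 # domain named in the post
LAN = ipaddress.ip_network("192.168.1.0/24")  # constructed LAN behind the inner NAT
INNER_NAT_IP = "192.168.1.1"                  # constructed LAN address of the inner NAT
EXTERNAL_CLIENT = "203.0.113.7"               # constructed address (documentation range)

def seen_by_mta(real_client_ip):
    """Assumption from the thread: the inner NAT rewrites the source, so the
    MTA sees the NAT's LAN address for every connection from outside."""
    if ipaddress.ip_address(real_client_ip) in LAN:
        return real_client_ip
    return INNER_NAT_IP

def relay_decision(real_client_ip, rcpt, sasl_authenticated, mynetworks):
    """One RCPT TO evaluated in the order permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination."""
    ip = ipaddress.ip_address(seen_by_mta(real_client_ip))
    if any(ip in ipaddress.ip_network(net) for net in mynetworks):
        return "permit: mynetworks"
    if sasl_authenticated:
        return "permit: sasl"
    if rcpt.rsplit("@", 1)[-1].lower() in MY_DOMAINS:
        return "permit: local destination"
    return "reject: relay access denied"

def compare(mynetworks):
    """Run the three cases from the thread against one trust list."""
    return {
        "anon_outbound": relay_decision(EXTERNAL_CLIENT, "someone@example.net", False, mynetworks),
        "auth_outbound": relay_decision(EXTERNAL_CLIENT, "someone@example.net", True, mynetworks),
        "anon_inbound": relay_decision(EXTERNAL_CLIENT, "users@mydomain.com", False, mynetworks),
    }

LAN_TRUSTED = ["127.0.0.0/8", "192.168.1.0/24"]  # LAN subnet in the trust list
LOOPBACK_ONLY = ["127.0.0.0/8"]                  # trust by LAN address removed

if __name__ == "__main__":
    for name, nets in (("LAN trusted", LAN_TRUSTED), ("loopback only", LOOPBACK_ONLY)):
        print(name, compare(nets))
```

In ZCS the MTA trust list is the `zimbraMtaMyNetworks` server attribute, changed with `zmprov` rather than by editing the Postfix files directly.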