open relay??
Bill Brock
Outstanding Member
Posts: 618
Joined: Fri Sep 12, 2014 10:35 pm

Post by Bill Brock »

Server settings. "MTA", "IMAP", and "POP"
JMoreno
Posts: 14
Joined: Sat Sep 13, 2014 2:54 am

Post by JMoreno »

Hi guys,
After suffering 20-30 spam mails a minute (!!), I have found this topic. I believe I am suffering an Open Relay problem with my ZCS 8 mail server.
After running a test in Open Relay Test I got the following results:
[QUOTE][Method 0]
<<
>>> HELO mailradar.com
<<
>>> MAIL FROM:
<<
>>> RCPT TO:
<<
>>> QUIT
<<
[TEST NOT PASSED]

[Method 1]
<<
>>> HELO mailradar.com
<<
>>> MAIL FROM:
<<
>>> RCPT TO: relaytest@mailradar.com
<<
>>> QUIT
<<
[TEST NOT PASSED]

[Method 2]
<<
>>> HELO mailradar.com
<<
>>> MAIL FROM:
<<
>>> RCPT TO:
<<
>>> QUIT
<<
[TEST NOT PASSED]

[Method 3]
<<
>>> HELO mailradar.com
<<
>>> MAIL FROM: <>
<<
>>> RCPT TO:
<<
>>> QUIT
<<
[TEST NOT PASSED]

[Method 4]
<<
>>> HELO mailradar.com
<<
>>> MAIL FROM: <>]>
<<
>>> RCPT TO:
<<
>>> QUIT
<<
[TEST NOT PASSED]

[Method 5]
<<
>>> HELO mailradar.com
<<
>>> MAIL FROM: <>]>
<<
>>> RCPT TO: <>]>
<<
>>> QUIT
<<
[TEST NOT PASSED]

[Method 6]
<<
>>> HELO mailradar.com
<<
>>> MAIL FROM: <>]>
<<
>>> RCPT TO: <>.staticIP.rima-tde.net]>
<<
>>> QUIT
<<
[TEST PASSED]

[Method 7]
<<
>>> HELO mailradar.com
<<
>>> MAIL FROM: <>]>
<<
>>> RCPT TO:
<<
>>> QUIT
<<
[TEST NOT PASSED]

[Method 8]
<<
>>> HELO mailradar.com
<<
>>> MAIL FROM: <>]>
<<
>>> RCPT TO:
<<: Recipient address rejected: need fully-qualified address
>>> QUIT
<<

[Method 9]
<<
>>> HELO mailradar.com
<<
>>> MAIL FROM: <>]>
<<
>>> RCPT TO: <>]>
<<
>>> QUIT
<<
[TEST NOT PASSED]

[Method 10]
<<
>>> HELO mailradar.com
<<
>>> MAIL FROM: <>]>
<<
>>> RCPT TO: <>]>
<<
>>> QUIT
<<
[TEST NOT PASSED]

[Method 11]
<<
>>> HELO mailradar.com
<<
>>> MAIL FROM: <>]>
<<
>>> RCPT TO: <>.staticIP.rima-tde.net>
<<
>>> QUIT
<<
[TEST NOT PASSED]

[Method 12]
<<
>>> HELO mailradar.com
<<
>>> MAIL FROM: <>]>
<<
>>> RCPT TO: <>]:relaytest@mailradar.com>
<<
>>> QUIT
<<
[TEST NOT PASSED]

[Method 13]
<<
>>> HELO mailradar.com
<<
>>> MAIL FROM: <>]>
<<
>>> RCPT TO: <>.staticIP.rima-tde.net]:relaytest@mailradar.com>
<<
>>> QUIT
<<
[TEST NOT PASSED]

[Method 14]
<<
>>> HELO mailradar.com
<<
>>> MAIL FROM: <>]>
<<
>>> RCPT TO:
<<: Recipient address rejected: need fully-qualified address
>>> QUIT
<<

[Method 15]
<<
>>> HELO mailradar.com
<<
>>> MAIL FROM: <>]>
<<
>>> RCPT TO: <>]>
<<
>>> QUIT
<<
[TEST NOT PASSED]

[Method 16]
<<
>>> HELO mailradar.com
<<
>>> MAIL FROM: <>]>
<<
>>> RCPT TO: <>.staticIP.rima-tde.net]>
<<
>>> QUIT
<<
[TEST PASSED]

[Method 17]
<<
>>> HELO mailradar.com
<<
>>> MAIL FROM: <>]>
<<
>>> RCPT TO:
<<: Recipient address rejected: need fully-qualified address
>>> QUIT
<<

[Method 18]
<<
>>> HELO mailradar.com
<<
>>> MAIL FROM: <>]>
<<
>>> RCPT TO:
<<: Recipient address rejected: need fully-qualified address
>>> QUIT
<<[/QUOTE]
I have replaced:
- my domain by "mydomain.com"
- my public IP address by "<>"

It seems clear I am affected by the Open Relay issue. Following the instructions in this forum, I have provided:
- General Settings + MTA + trusted networks: 127.0.0.0/8 172.16.0.41/32 ---> I want authentication from all users before sending mail, even from the LAN.
- Server + MTA + trusted networks: empty ---> I guess it takes the settings from the General Settings (above)

where 172.16.0.41 is my Zimbra server's private IP address (example).
I must say that every single time I fully reboot my server, I lose the trusted networks (empty field). Is that normal?
Can anybody help me fix it?

Many thanks in advance.

PS: my mail server connects to the Internet via a firewall.
JMoreno
Posts: 14
Joined: Sat Sep 13, 2014 2:54 am

Post by JMoreno »

I believe there is a minor bug in ZCS 8.
If I provide the "Trusted networks" (127.0.0.0/8 172.16.0.41/32) at the "General Settings + MTA" level, it disappears after booting the server. But if I set it at the server level, it remains and it starts behaving as expected (stopping the Open Relay issue).
After a while, I realized that this is also happening for other settings.
Please correct me if I am wrong: settings fixed at the "General settings" level should be propagated to the servers, to the extent that we do not override them in the server configuration. Am I wrong? Did I miss anything?
Thanks for your comments and replies.

Best regards.
rizzpatel
Posts: 28
Joined: Sat Sep 13, 2014 3:13 am

Post by rizzpatel »

[quote user="bdial"]just to verify, you're not trying to send to someone on your zimbra server right? that will always work[/QUOTE]
Uh, is this still not an issue?
What happens if some guy uses our SMTP server without authentication, spoofs the email address of the CEO of our company and sends out a mass "You are FIRED!" email to everyone on the internal domain?
Is there really no way to prevent anonymous SMTP for the Zimbra domain?
bdial
Elite member
Posts: 1633
Joined: Fri Sep 12, 2014 10:39 pm

Post by bdial »

well, for one, there would be no way for me to look up all accounts just using your SMTP server.
but in the spirit of the question, what's to stop me from faking your CEO's address using my mail server? this kind of thing has been happening forever. SPF and DKIM were invented to solve this kind of problem.
I know it seems weird, but there is very little difference between somebody submitting an e-mail to your server directly from their client using your SMTP server and them relaying it through their own server first. It's just another hop when you use your own SMTP server.
rizzpatel
Posts: 28
Joined: Sat Sep 13, 2014 3:13 am

Post by rizzpatel »

[quote user="bdial"]well, for one, there would be no way for me to look up all accounts just using your SMTP server.
but in the spirit of the question, what's to stop me from faking your CEO's address using my mail server? this kind of thing has been happening forever. SPF and DKIM were invented to solve this kind of problem.
I know it seems weird, but there is very little difference between somebody submitting an e-mail to your server directly from their client using your SMTP server and them relaying it through their own server first. It's just another hop when you use your own SMTP server.[/QUOTE]
Alright, I just retested with a non-existent email account on our domain, and it fails. Nice. I am just trying to see if there's a way to completely force authentication on our SMTP server... As in you MUST provide valid credentials to use it. Is there still no way to accomplish this? Thanks bdial
bdial
Elite member
Posts: 1633
Joined: Fri Sep 12, 2014 10:39 pm

Post by bdial »

If you did that, nobody would be able to send you e-mail. What happens when someone at gmail wants to e-mail you? Gmail's server doesn't have a username/password on your system. To your server, gmail is just another client connecting to port 25 trying to send some e-mail to your users.
rizzpatel
Posts: 28
Joined: Sat Sep 13, 2014 3:13 am

Post by rizzpatel »

[quote]If you did that, nobody would be able to send you e-mail. What happens when someone at gmail wants to e-mail you? Gmail's server doesn't have a username/password on your system. To your server, gmail is just another client connecting to port 25 trying to send some e-mail to your users.[/QUOTE]
If this is the case, why is it not possible for me to anonymously log in to Gmail's SMTP server and send to my Gmail account? Google's SMTP server absolutely requires authentication.
I understand what you are saying, but this is contradicting it..
How is Gmail accomplishing this task? It's basically exactly what we want..

Also, I tried using smtp.gmail.com (which is valid) and it also fails.
[Attachment: zimbraauth.jpg]
bdial
Elite member
Posts: 1633
Joined: Fri Sep 12, 2014 10:39 pm

Post by bdial »

because Google uses different servers to send and receive mail. Do an MX lookup on google.com; you'll get a bunch of responses. Try one, I used alt1.gmail-smtp-in.l.google.com. No secure connection, no authentication, I did e-mail from: bdial@mydomain.com and to my gmail account and it succeeded.
smtp.googlemail.com isn't meant to receive mail, only send it, so in that case yeah, you can force all clients to authenticate.
Does this clear it up?
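The role split bdial describes (port 25 must accept unauthenticated mail for your own domains from any MTA but must never relay elsewhere; only the submission port, which your own users connect to, can demand credentials) is exactly how Postfix, the MTA underneath Zimbra, is configured. The fragment below is an added example in plain Postfix syntax, not Zimbra's generated configuration and not anything posted in the thread; on ZCS these values are managed from LDAP through the admin console or zmprov (the "Trusted networks" setting discussed above corresponds to mynetworks), and 172.16.0.41 is the example address JMoreno used.

```ini
# Added illustration in plain Postfix syntax; not Zimbra's generated
# main.cf/master.cf, which Zimbra rewrites from LDAP (set these values via
# the admin console or zmprov on ZCS). 172.16.0.41 is the thread's example.

# --- main.cf ---------------------------------------------------------------
# "Trusted networks" in the admin console corresponds to mynetworks. Keeping
# it to loopback plus the server itself means LAN clients get no free pass:
# they must authenticate like everyone else.
mynetworks = 127.0.0.0/8 172.16.0.41/32

# Port 25 is the MX port: remote MTAs (Gmail's outbound servers included)
# deliver here without credentials, so authentication cannot be required.
# What is enforced instead is "deliver TO our domains, never THROUGH us".
# reject_unauth_destination rejects any recipient whose domain is not in
# mydestination, the virtual_*_domains or relay_domains; only the two
# permit_* rules ahead of it let a trusted network or an authenticated user
# relay to other domains. Leaving it out is what makes a server an open relay.
smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
# reject_non_fqdn_recipient produces the "Recipient address rejected: need
# fully-qualified address" reply that appears in several methods of the
# relay-test log earlier in the thread.

# --- master.cf -------------------------------------------------------------
# Port 587 (submission) is where mandatory authentication belongs: only your
# own mail clients connect there, never other sites' MTAs, so it is safe to
# require TLS and SASL and reject everything else.
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

Running `postconf mynetworks smtpd_recipient_restrictions` as the Postfix/Zimbra user prints the values the running MTA actually has, which is a quick way to confirm after a restart that the trusted-networks setting survived, the symptom JMoreno reports above.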
rizzpatel
Posts: 28
Joined: Sat Sep 13, 2014 3:13 am

Post by rizzpatel »

[quote user="bdial"]because Google uses different servers to send and receive mail. Do an MX lookup on google.com; you'll get a bunch of responses. Try one, I used alt1.gmail-smtp-in.l.google.com. No secure connection, no authentication, I did e-mail from: bdial@mydomain.com and to my gmail account and it succeeded.
smtp.googlemail.com isn't meant to receive mail, only send it, so in that case yeah, you can force all clients to authenticate.
Does this clear it up?[/QUOTE]
Mind = Blown
You definitely cleared it up. Thanks for your patience bdial