Sending emails from non registered hosts

rodrigoferra
Posts: 18
Joined: Thu Jul 11, 2019 11:11 am

Sending emails from non registered hosts

Post by rodrigoferra »

Hello,

First of all, thanks for the help.

Currently, I installed a relay system to get better management from my sent emails. One thing I notice is that my zimbra is sending from hosts that are not registered, is there any solution to avoid it?

For example, Host test.com is sending email but is not registered as a domain on my panel.

Best regards,
Rodrigo.
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Sending emails from non registered hosts

Post by phoenix »

I don't really understand what you're describing, it sounds like you're allowing another server to relay through your server - is that correct? If it is then it sounds like you have an open relay, you can check that via one of the (many) sites on the internet that provide this service - I'd suggest you do that first.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
rodrigoferra
Posts: 18
Joined: Thu Jul 11, 2019 11:11 am

Re: Sending emails from non registered hosts

Post by rodrigoferra »

phoenix wrote:I don't really understand what you're describing, it sounds like you're allowing another server to relay through your server - is that correct? If it is then it sounds like you have an open relay, you can check that via one of the (many) sites on the internet that provide this service - I'd suggest you do that first.
Sorry for the lack of information.

I checked against open relay and it's disabled, currently, I hired the mailjet.net service to relay my emails, it's working nicely, but I notice a lot of emails being sent from domains that I don't have registered at my Zimbra. I attached some pictures.

I would like to know who is sending these emails, I tried to stack trace the message but had no success.

Best regards,
Rodrigo.
Attachments: Screenshot 2019-10-09 at 14.03.44.png, Screenshot 2019-10-09 at 14.01.12.png
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Sending emails from non registered hosts

Post by phoenix »

Let's go back a step, you should always give the version of ZCS that's in use by posting the full output of the following command:

    zmcontrol -v

Regards

Bill

rodrigoferra
Posts: 18
Joined: Thu Jul 11, 2019 11:11 am

Re: Sending emails from non registered hosts

Post by rodrigoferra »

phoenix wrote: Let's go back a step, you should always give the version of ZCS that's in use by posting the full output of the following command:

    zmcontrol -v

Ok, my version is:

    Release 8.8.12.GA.3794.UBUNTU14.64 UBUNTU14_64 FOSS edition, Patch 8.8.12_P1 proxy.

I had that problem with the exploits one or two months ago.
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Sending emails from non registered hosts

Post by phoenix »

Have you had a look in the Zimbra log to see if any of these addresses appear there? Is it possible you have any compromised accounts? Does your ZimbraMtaMyNetworks contain the correct settings for your installation and nothing extraneous in there?
Regards

Bill

rodrigoferra
Posts: 18
Joined: Thu Jul 11, 2019 11:11 am

Re: Sending emails from non registered hosts

Post by rodrigoferra »

phoenix wrote:Have you had a look in the Zimbra log to see if any of these addresses appear there? Is it possible you have any compromised accounts? Does your ZimbraMtaMyNetworks contain the correct settings for your installation and nothing extraneous in there?
Hello,

In my zimbra.log I don't have anything about it, but at my mail.log I have:

    Oct  8 15:30:14 mecmail postfix/cleanup[27520]: A45A269D07: message-id=<40a4de9faedfe8aa3a043a89d367f8d1-29-info@sysfinance.es>
    Oct  8 15:30:17 mecmail postfix/cleanup[27520]: 65B7769D56: message-id=<40a4de9faedfe8aa3a043a89d367f8d1-29-info@sysfinance.es>
    Oct  8 15:30:18 mecmail postfix/cleanup[27520]: 73FB969D07: message-id=<b982e5d7eddd34ee713be354f3bde8db-29-info@sysfinance.es>
    Oct  8 15:30:19 mecmail postfix/cleanup[27520]: 5259369D56: message-id=<b982e5d7eddd34ee713be354f3bde8db-29-info@sysfinance.es>

It may be that my postfix is compromised but my Zimbra configuration is OK; is that possible?

Thanks.
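The cleanup lines above only show a Message-ID, which is set by whoever composed the message and says nothing on its own about who injected it. Postfix logs the originating client (and, for port 465/587 submissions, the SASL login) in the smtpd line and the envelope sender in the qmgr line, all tied together by the queue id in the second column. The script below is an added example, not code from this thread or from Zimbra: it correlates those three line types by queue id and reports every message whose envelope sender domain is not one the server hosts, together with the client and SASL user that submitted it. The sample log lines, the hosted-domain set and all addresses in it are constructed for the example.

```python
# Added example, not code from the thread or from Zimbra: correlate postfix
# log lines by queue id so that each message's originating client, SASL user,
# envelope sender and Message-ID can be reviewed together, then flag messages
# whose envelope sender domain is not one this server hosts.
import re
from collections import defaultdict

# Domains hosted on this Zimbra server (constructed for the example).
HOSTED_DOMAINS = {"example.com"}

# Constructed sample lines in the shape of /var/log/zimbra.log postfix entries.
# The queue id (e.g. A45A269D07) ties the smtpd, cleanup and qmgr lines together.
SAMPLE_LOG = """\
Oct  8 15:30:13 mecmail postfix/smtpd[27611]: A45A269D07: client=unknown[203.0.113.7], sasl_method=PLAIN, sasl_username=bob@example.com
Oct  8 15:30:14 mecmail postfix/cleanup[27520]: A45A269D07: message-id=<40a4de9faedfe8aa3a043a89d367f8d1-29-info@example.net>
Oct  8 15:30:14 mecmail postfix/qmgr[20919]: A45A269D07: from=<info@example.net>, size=2311, nrcpt=1 (queue active)
Oct  8 15:31:01 mecmail postfix/smtpd[27612]: 1A2B3C4D5E: client=mail.example.com[192.0.2.10]
Oct  8 15:31:02 mecmail postfix/cleanup[27520]: 1A2B3C4D5E: message-id=<20191008153102.ABC@example.com>
Oct  8 15:31:02 mecmail postfix/qmgr[20919]: 1A2B3C4D5E: from=<alice@example.com>, size=840, nrcpt=1 (queue active)
Oct  8 15:32:00 mecmail postfix/qmgr[20919]: 9F8E7D6C5B: from=<>, size=3100, nrcpt=1 (queue active)
"""

QID = r"(?P<qid>[0-9A-F]{6,})"
PATTERNS = {
    "client": re.compile(r"postfix/smtpd\[\d+\]: " + QID + r": client=(?P<val>[^,\s]+)"),
    "sasl_user": re.compile(r"postfix/smtpd\[\d+\]: " + QID + r": client=.*sasl_username=(?P<val>\S+)"),
    "msgid": re.compile(r"postfix/cleanup\[\d+\]: " + QID + r": message-id=<(?P<val>[^>]*)>"),
    "sender": re.compile(r"postfix/qmgr\[\d+\]: " + QID + r": from=<(?P<val>[^>]*)>"),
}


def domain_of(address):
    """Domain part of an address, lower-cased; None for the empty bounce sender <>."""
    if "@" not in address:
        return None
    return address.rsplit("@", 1)[1].lower()


def correlate(log_text):
    """Group the fields of interest by postfix queue id."""
    by_qid = defaultdict(dict)
    for line in log_text.splitlines():
        for field, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                by_qid[m.group("qid")][field] = m.group("val")
    return dict(by_qid)


def find_foreign_senders(log_text, hosted_domains):
    """Messages whose envelope sender domain is not hosted here.

    Returns a list of (qid, client, sender, message_id, sasl_user) tuples.
    Bounces (from=<>) carry no sender domain and are skipped.
    """
    hits = []
    for qid, f in sorted(correlate(log_text).items()):
        sender = f.get("sender")
        if sender is None:
            continue  # never reached the queue manager (e.g. rejected at smtpd)
        dom = domain_of(sender)
        if dom is not None and dom not in hosted_domains:
            hits.append((qid, f.get("client", "?"), sender, f.get("msgid", "?"), f.get("sasl_user")))
    return hits


if __name__ == "__main__":
    for qid, client, sender, msgid, user in find_foreign_senders(SAMPLE_LOG, HOSTED_DOMAINS):
        print(f"{qid}: from={sender} client={client} sasl_user={user} message-id=<{msgid}>")
```

On a real server, feed it the contents of /var/log/zimbra.log and build HOSTED_DOMAINS from `zmprov gad`. A hit that carries a `sasl_user` is the case phoenix asks about: a mailbox on your own server authenticated and sent mail under a foreign sender domain, so that account's password is the first thing to reset. A hit with a client address and no SASL user means the client was trusted without a login, which points at the mynetworks setting rather than at a mailbox.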
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Sending emails from non registered hosts

Post by phoenix »

rodrigoferra wrote: In my zimbra.log I don't have anything about it, but at my mail.log I have:

    Oct  8 15:30:14 mecmail postfix/cleanup[27520]: A45A269D07: message-id=<40a4de9faedfe8aa3a043a89d367f8d1-29-info@sysfinance.es>
    Oct  8 15:30:17 mecmail postfix/cleanup[27520]: 65B7769D56: message-id=<40a4de9faedfe8aa3a043a89d367f8d1-29-info@sysfinance.es>
    Oct  8 15:30:18 mecmail postfix/cleanup[27520]: 73FB969D07: message-id=<b982e5d7eddd34ee713be354f3bde8db-29-info@sysfinance.es>
    Oct  8 15:30:19 mecmail postfix/cleanup[27520]: 5259369D56: message-id=<b982e5d7eddd34ee713be354f3bde8db-29-info@sysfinance.es>

It may be that my postfix is compromised but my Zimbra configuration is OK; is that possible?

Thanks.

The log file "mail.log" that you've mentioned does not exist in a ZCS install, do you mean /var/log/zimbra.log? That would have all the details of mail going through your server.

If you look for postfix that's running you should see something like this:

    ps aux | grep postfix

    postfix    4737  0.0  0.0  49892  4856 ?        S    15:43   0:00 pickup -l -t unix -u
    postfix    4738  0.0  0.0  50072  5048 ?        S    15:43   0:00 qmgr -l -t unix -u
    postfix    6382  0.0  0.0  49900  5200 ?        S    15:43   0:00 tlsmgr -l -t unix -u
    postfix    6433  0.0  0.0  49896  5080 ?        S    15:43   0:00 showq -t unix -u
    root      20651  0.0  0.0 112728  2380 pts/0    S+   16:04   0:00 grep --color=auto postfix

Is that how your server looks? Are there any unknown (to you) processes running your server?
Regards

Bill

rodrigoferra
Posts: 18
Joined: Thu Jul 11, 2019 11:11 am

Re: Sending emails from non registered hosts

Post by rodrigoferra »

Oops, so I think I have a huge problem:

    root@mecmail:/var/log# ps aux | grep postfix
    postfix   9115  0.0  0.0 142636  8432 ?        S    15:27   0:00 smtpd -t pass -u -o stress= -o smtpd_tls_security_level=may -o content_filter=scan:[127.0.0.1]:10030
    postfix  11422  0.0  0.0 142516  8468 ?        S    15:34   0:00 smtpd -t pass -u -o stress= -o smtpd_tls_security_level=may -o content_filter=scan:[127.0.0.1]:10030
    postfix  12760  0.0  0.0 142512  8244 ?        S    15:38   0:00 smtpd -n 465 -t inet -u -o stress= -o content_filter=scan:[127.0.0.1]:10030 -o smtpd_sasl_auth_enable=yes -o smtpd_tls_wrappermode=yes -o smtpd_client_restrictions= -o smtpd_data_restrictions= -o smtpd_helo_restrictions= -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o syslog_name=postfix/smtps -o milter_macro_daemon_name=ORIGINATING
    postfix  12761  0.0  0.0 142512  8316 ?        S    15:38   0:00 smtpd -n 465 -t inet -u -o stress= -o content_filter=scan:[127.0.0.1]:10030 -o smtpd_sasl_auth_enable=yes -o smtpd_tls_wrappermode=yes -o smtpd_client_restrictions= -o smtpd_data_restrictions= -o smtpd_helo_restrictions= -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o syslog_name=postfix/smtps -o milter_macro_daemon_name=ORIGINATING
    postfix  12762  0.0  0.0 142512  8228 ?        S    15:38   0:00 smtpd -n 465 -t inet -u -o stress= -o content_filter=scan:[127.0.0.1]:10030 -o smtpd_sasl_auth_enable=yes -o smtpd_tls_wrappermode=yes -o smtpd_client_restrictions= -o smtpd_data_restrictions= -o smtpd_helo_restrictions= -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o syslog_name=postfix/smtps -o milter_macro_daemon_name=ORIGINATING
    postfix  14248  0.0  0.0 142512  8240 ?        S    15:43   0:00 smtpd -n 465 -t inet -u -o stress= -o content_filter=scan:[127.0.0.1]:10030 -o smtpd_sasl_auth_enable=yes -o smtpd_tls_wrappermode=yes -o smtpd_client_restrictions= -o smtpd_data_restrictions= -o smtpd_helo_restrictions= -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o syslog_name=postfix/smtps -o milter_macro_daemon_name=ORIGINATING
    postfix  17071  0.0  0.0 142512  8348 ?        S    15:51   0:00 smtpd -n 465 -t inet -u -o stress= -o content_filter=scan:[127.0.0.1]:10030 -o smtpd_sasl_auth_enable=yes -o smtpd_tls_wrappermode=yes -o smtpd_client_restrictions= -o smtpd_data_restrictions= -o smtpd_helo_restrictions= -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o syslog_name=postfix/smtps -o milter_macro_daemon_name=ORIGINATING
    postfix  17072  0.0  0.0 142512  8332 ?        S    15:51   0:00 smtpd -n 465 -t inet -u -o stress= -o content_filter=scan:[127.0.0.1]:10030 -o smtpd_sasl_auth_enable=yes -o smtpd_tls_wrappermode=yes -o smtpd_client_restrictions= -o smtpd_data_restrictions= -o smtpd_helo_restrictions= -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o syslog_name=postfix/smtps -o milter_macro_daemon_name=ORIGINATING
    postfix  17079  0.0  0.0 142512  8336 ?        S    15:51   0:00 smtpd -n 465 -t inet -u -o stress= -o content_filter=scan:[127.0.0.1]:10030 -o smtpd_sasl_auth_enable=yes -o smtpd_tls_wrappermode=yes -o smtpd_client_restrictions= -o smtpd_data_restrictions= -o smtpd_helo_restrictions= -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o syslog_name=postfix/smtps -o milter_macro_daemon_name=ORIGINATING
    postfix  17081  0.0  0.0 142512  8260 ?        S    15:51   0:00 smtpd -n 465 -t inet -u -o stress= -o content_filter=scan:[127.0.0.1]:10030 -o smtpd_sasl_auth_enable=yes -o smtpd_tls_wrappermode=yes -o smtpd_client_restrictions= -o smtpd_data_restrictions= -o smtpd_helo_restrictions= -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o syslog_name=postfix/smtps -o milter_macro_daemon_name=ORIGINATING
    postfix  20919  0.0  0.0  46716  4364 ?        S    09:43   0:00 qmgr -l -t unix -u
    postfix  20969  0.0  0.0  46664  4720 ?        S    09:43   0:01 tlsmgr -l -t unix -u
    postfix  20970  0.0  0.0  46656  4396 ?        S    09:43   0:02 anvil -l -t unix -u
    postfix  21420  0.0  0.0  90688  6240 ?        S    16:03   0:00 proxymap -t unix -u
    postfix  21429  0.0  0.0  46536  4320 ?        S    16:03   0:00 trivial-rewrite -n rewrite -t unix -u
    postfix  21819  0.0  0.0  46668  4388 ?        S    16:05   0:00 showq -t unix -u
    postfix  24592  0.0  0.0  47052  6628 ?        S    16:13   0:00 lmtp -t unix -u
    postfix  26193  0.0  0.0  46880  5964 ?        S    16:18   0:00 lmtp -t unix -u
    postfix  26620  0.0  0.0 142384  7940 ?        S    16:19   0:00 smtpd -t pass -u -o stress= -o smtpd_tls_security_level=may -o content_filter=scan:[127.0.0.1]:10030
    postfix  26621  0.5  0.0 142384  8032 ?        S    16:19   0:00 smtpd -t pass -u -o stress= -o smtpd_tls_security_level=may -o content_filter=scan:[127.0.0.1]:10030
    root     26641  0.0  0.0  10484  2152 pts/2    S+   16:19   0:00 grep --color=auto postfix
    postfix  26742  0.0  0.0  46536  4292 ?        S    14:43   0:00 pickup -l -t unix -u
    postfix  32266  0.0  0.0  66036  4536 ?        Ss   11:47   0:01 postscreen -l -n smtp -t inet -u

Many connections and other stuff; my MTA is configured like this:

    127.0.0.0/8 [::1]/128 [fe80::]/64 10.142.0.0/20 XX.XXX.X.XX/32

I think this MTA is doing something really bad too.

Thanks again.
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: Sending emails from non registered hosts

Post by phoenix »

It's quite possible you don't have a problem. My apologies for that info I posted about postfix, I can't really understand where I got it - it must be my advancing years; your output is what the command should show.

Can you explain in a bit more detail what the mynetworks entry is showing, are they all your IP addresses?
Regards

Bill

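phoenix's question about the mynetworks entry is the one that decides whether unauthenticated relaying is possible: every client inside a mynetworks range passes permit_mynetworks without a SASL login, so a range wider than the admin's own hosts lets anyone on that network send as any domain. The script below is an added example, not code from this thread or from Zimbra: it parses a zimbraMtaMyNetworks / postfix mynetworks value in the bracketed form Zimbra writes it, and reports a /0, any public range that is not one of the server's own addresses, and any range that admits more hosts than a threshold. The sample value mirrors the one posted above, with the redacted XX.XXX.X.XX/32 replaced by a documentation address; the threshold of 256 hosts is the example's own choice, and the set of "internal" ranges is RFC 1918 plus IPv6 unique-local.

```python
# Added example, not code from the thread or from Zimbra: review a postfix
# mynetworks / zimbraMtaMyNetworks value the way phoenix asks, by parsing each
# entry and flagging ranges that let more than the admin's own hosts relay
# without authentication.
import ipaddress

# Constructed sample in the shape of the value posted in the thread; the
# redacted XX.XXX.X.XX/32 is replaced by a documentation address here.
SAMPLE_MYNETWORKS = "127.0.0.0/8 [::1]/128 [fe80::]/64 10.142.0.0/20 198.51.100.25/32"

# Ranges considered "internal" here: RFC 1918 and IPv6 unique-local.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def parse_mynetworks(value):
    """Turn a postfix mynetworks string into ip_network objects.

    Postfix writes IPv6 entries as [addr]/prefix; the brackets are removed.
    """
    nets = []
    for tok in value.replace(",", " ").split():
        if tok.startswith("["):
            addr, _, plen = tok.partition("]")   # "[fe80::]/64" -> "[fe80::", "/64"
            tok = addr[1:] + plen
        nets.append(ipaddress.ip_network(tok, strict=False))
    return nets


def is_internal(net):
    """True when the whole range lies inside an RFC 1918 / unique-local block."""
    return any(net.version == p.version and net.subnet_of(p) for p in INTERNAL)


def review_mynetworks(value, own_public_ips=frozenset(), max_hosts=256):
    """Return (entry, reason) pairs worth a second look.

    own_public_ips: the server's own public addresses, as strings; a /32 or
    /128 for one of them is expected and not reported.
    max_hosts: any larger range is reported, since every host in it may relay
    through permit_mynetworks with no SASL login.
    """
    findings = []
    for net in parse_mynetworks(value):
        entry = str(net)
        if net.prefixlen == 0:
            findings.append((entry, "prefix /0 matches every client: this is an open relay"))
            continue
        if net.is_loopback or net.is_link_local:
            continue  # loopback and link-local are part of the stock Zimbra value
        if not is_internal(net):
            single_host = net.prefixlen == net.max_prefixlen
            if not (single_host and str(net.network_address) in own_public_ips):
                findings.append((entry, "public range that is not one of the server's own addresses"))
        if net.num_addresses > max_hosts:
            findings.append((entry, f"broad range: {net.num_addresses} hosts may relay unauthenticated"))
    return findings


if __name__ == "__main__":
    for entry, reason in review_mynetworks(SAMPLE_MYNETWORKS, own_public_ips={"198.51.100.25"}):
        print(f"{entry}: {reason}")
```

On a Zimbra server the value to feed in comes from `zmprov gs $(zmhostname) zimbraMtaMyNetworks`, and own_public_ips should list the addresses the server actually holds. For the value in the thread, the entry this reports is 10.142.0.0/20: a /20 is 4096 addresses, so if that is a cloud VPC rather than a subnet the admin controls end to end, every instance in it can hand mail to the relay without credentials, which would produce exactly the unknown-sender-domain traffic described in the first post.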