Zimbra :: Forums > Zimbra Collaboration Suite > Administrators
SMTP authenticated ONLY access ?

#1  12-27-2007, 01:21 AM  Special Member

We currently have a split domain setup, with Zimbra as a secondary server. We also currently do a high level antispam/virus at the edge, so there's no outside access at port 25.

Internally, we allow users to have access to SMTP and they can relay outside the domain if authed. Of course, since it's a split domain setup, Zimbra accepts emails for ANY email address at the domain without the need to authenticate.

What we would like to do is to allow them SMTP access from the outside world but only if authenticated, while preventing spam/spoofs.

This should be easier to do with SSL, forcing that connection to perform auth regardless, while leaving port 25 as is (and firewalling it). Otherwise, if port 25 is forced to do authentication (TLS) then the edge MTAs would have to do this as well, right?

TIA and let me know if it's confusing and I'll try to clarify this...

#2  12-27-2007, 01:37 AM  Zimbra Consultant & Moderator

You have a couple of choices: you can open port 25 to the outside world and add the edge MTAs' IP addresses to your 'mynetworks' (a trusted network, no authentication needed), or you could leave port 25 closed and get the external clients to use the correct submission port 587 for sending mail and 443 or 993 for retrieving their mail.
__________________
Regards


Bill

Last edited by phoenix; 12-27-2007 at 01:39 AM.

#3  12-27-2007, 01:52 AM  Special Member

Opening port 25 as-is is not an option, as in a split domain Zimbra would still accept port 25 spam attacks...

So option A would be to force TLS authentication on port 25 if outside mynetworks (edge MTAs would be on mynetworks).

Option B would be to allow port 25 to accept in TLS auth mode ONLY regardless of mynetworks (and I set up the edge MTAs to TLS auth).

Or option C would be to maintain port 25 blocked via firewall, but open up 465 (SMTP over SSL) provided that it's set up to force authentication regardless of mynetworks.

587 (sendmail submission) is not enabled by default on Zimbra (at least I don't see anything listening on that port).

No problems with incoming mail (http/imap/pop3).

TIA...

#4  12-27-2007, 02:06 AM  Zimbra Consultant & Moderator

The wiki article describes SMTP over SSL and it is (IIRC) enabled by default in Zimbra 5; the submission port 587 is not enabled by default. You should have a look in /opt/zimbra/postfix/conf/master.cf for the following lines:

Code:
#submission inet n      -       n       -       -       smtpd
#        -o smtpd_etrn_restrictions=reject
#        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
and uncomment them; the white space in front of the second and third lines is important and must be there.

Modify your Zimbra server to require authentication and restart it, and you should be set. The port 587 change will not survive an upgrade and you'll need to make it again after you do any Zimbra upgrade; there's an RFE in bugzilla to make that change permanent if you want to vote on it.
__________________
Regards


Bill

#5  12-27-2007, 02:15 AM  Special Member

Thanks - currently testing 4.5.10 and 465 is enabled there using:

Code:
465    inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
And I would guess that here or in the default one would be where I would add any options to force the authentication, right? And what options would those be?

TIA

#6  12-27-2007, 04:14 AM  Zimbra Consultant & Moderator

The correct port to use for submission would be 587, as that's the one defined in the RFC; it's also required to use authentication on that port. You can enable authentication on the server by going to the Admin UI MTA tab in either the Global or Server settings and checking the following:

Code:
Enable authentication
TLS authentication only
__________________
Regards


Bill
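As an added example that is not from this thread and not Zimbra's own code, the following Python script parses a Postfix master.cf fragment of the kind quoted in posts #4 and #5 and reports, for each inet smtpd service, whether it is set up so that only TLS-protected, SASL-authenticated clients can send, with no mynetworks exemption (the "regardless of mynetworks" requirement from post #3). The master.cf text inside it is constructed for illustration: the 465 entry is modelled on post #5 as the weak case, and the hardened case uncomments the 587 entry from post #4 and adds the same client restriction to 465. The -o names are real Postfix smtpd parameters; that smtpd_tls_auth_only=yes is what the "TLS authentication only" checkbox in post #6 sets is an assumption about the Zimbra UI mapping. The script only inspects each service's own -o overrides and does not read main.cf, so a restriction inherited from main.cf would not be seen.

```python
"""Audit a Postfix master.cf fragment for authenticated-only submission services.

Added example, not code from the thread or from Zimbra. The master.cf text
below is constructed for illustration and modelled on the lines quoted in the
thread; the -o names are real Postfix smtpd parameters. Only each service's
own -o overrides are inspected (main.cf is not consulted).
"""

# Constructed: the 465 service as quoted in the thread, SASL enabled but with
# nothing that rejects unauthenticated senders.
WEAK_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
465       inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
"""

# Constructed: 587 uncommented with the thread's client restriction, AUTH only
# advertised after STARTTLS (assumed to be what "TLS authentication only"
# sets), and 465 given the same client restriction. No permit_mynetworks, so
# the edge MTAs get no exemption on these ports.
HARDENED_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
        -o smtpd_etrn_restrictions=reject
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_tls_auth_only=yes
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
465       inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""


def parse_master_cf(text):
    """Return {(service, type): {"command", "args", "options"}}.

    master.cf rules applied here: a line starting in column 1 opens a new
    8-field entry; a line starting with whitespace continues the previous
    entry (this is why the leading spaces on the -o lines matter); blank and
    '#' lines are ignored.
    """
    services = {}
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any service: %r" % raw)
            services[current]["args"].extend(stripped.split())
            continue
        fields = stripped.split()
        if len(fields) < 8:
            raise ValueError("expected 8 fields: %r" % raw)
        current = (fields[0], fields[1])
        services[current] = {"command": fields[7], "args": fields[8:]}
    for svc in services.values():
        svc["options"] = _overrides(svc["args"])
    return services


def _overrides(args):
    """Collect '-o name=value' pairs from an entry's trailing arguments."""
    opts = {}
    i = 0
    while i < len(args):
        if args[i] == "-o" and i + 1 < len(args):
            name, _, value = args[i + 1].partition("=")
            opts[name] = value
            i += 2
        else:
            i += 1
    return opts


def auth_only(svc):
    """True if an smtpd service takes mail only from TLS-protected,
    SASL-authenticated clients.

    Requires smtpd_sasl_auth_enable=yes; TLS either implicit (wrapper mode on
    465) or mandatory before AUTH (smtpd_tls_auth_only=yes); and a
    smtpd_client_restrictions list that is exactly permit_sasl_authenticated
    followed by reject, so a permit_mynetworks placed before the reject (an
    unauthenticated path for trusted hosts) fails the check.
    """
    o = svc["options"]
    if svc["command"] != "smtpd" or o.get("smtpd_sasl_auth_enable") != "yes":
        return False
    tls_ok = (o.get("smtpd_tls_wrappermode") == "yes"
              or o.get("smtpd_tls_auth_only") == "yes")
    restr = [p.strip() for p in o.get("smtpd_client_restrictions", "").split(",")
             if p.strip()]
    if "reject" not in restr:
        return False
    return tls_ok and restr[: restr.index("reject")] == ["permit_sasl_authenticated"]


def audit(text):
    """Map each inet smtpd service name to whether it is authenticated-only."""
    return {name: auth_only(svc)
            for (name, stype), svc in parse_master_cf(text).items()
            if stype == "inet" and svc["command"] == "smtpd"}


if __name__ == "__main__":
    for label, cf in (("weak", WEAK_MASTER_CF), ("hardened", HARDENED_MASTER_CF)):
        print(label, audit(cf))
```

Against the constructed input the weak fragment reports 465 as not authenticated-only (SASL is offered but nothing rejects an unauthenticated sender), while the hardened fragment reports both submission and 465 as authenticated-only. On a real server, feed it the contents of /opt/zimbra/postfix/conf/master.cf; since post #4 notes the 587 entry does not survive an upgrade, running the audit after each upgrade is a cheap way to catch the entry reverting.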