MTA Trusted Networks

[ray.perea]

I have a box with Zimbra V5.0.1.

My problem is this: When trying to set the MTA Trusted Networks in the Zimbra Admin Utility to only trust the local box, (not the entire local network) it won't let me do it.

So to explain in a bit more detail:
When I log into the admin control panel and click on "Servers" -> "zimbra.domain.com" and then I click on the "MTA" Tab,

there is a field called "MTA Trusted Networks:".
This field is set to: 127.0.0.0/8 192.168.0.64/26

(the actual ip of the box is different and is a public address, I just used 192.168.0. for privacy reasons)

This means that for any box within the ip address range of 192.168.0.65 to 192.168.0.125 basically has a free pass to send email to anywhere unchecked. In other words, it is an open relay for any box within the ip address range. (I have checked it. It allows any box within that ip range send messages from whomever to whomever)

I tried to change the field from 127.0.0.0/8 192.168.0.64/26
to 127.0.0.0/8 192.168.0.124/32

and I get the following error:

Code:

Message: Error! Value for MTA Trusted Networks must contain local subnets: 192.168.0.64/26.
Additional information about MTA Trusted Networks configuration can be found at Zi - Zimbra :: Wiki

The "localnet" trusted network rule may be fine for most installations, but, for my case, there are untrusted boxes on the local network that have already exploited my box and started sending thousands of spam.

The only way that I found to stop this is to simply block those IP addresses in the iptables firewall.

That may be stop exploitations BUT: now I can't get legitimate email from those untrusted ip addresses.

IS THERE A WAY AROUND THIS????

[ray.perea]

OK, I found a way around this. All I did was:
At the command prompt, login as root and execute the following commands

Code:

su zimbra
zmprov modifyServer zimbra.domain.com zimbraMtaMyNetworks '127.0.0.0/8 192.168.0.124/32'
postfix reload

Make sure to substitute zimbra.domain.com with the actual name of your server as it shows in the admin panel and make sure to substitute 192.168.0.124 with the actual ip address of your server.

Now, I have another problem. Anytime I want to make changes in the admin panel to the server, I get the same error as in the last post. So, to modify anything for the server within the admin panel, I have to set the field back to "127.0.0.0/8 192.168.0.64/26" and then save my changes and then go back to the command prompt and execute my commands again.

WOW having to remember that every time can get tedious

[kevlatimer]

I've just been caught out by that too, and it's a long list on my box with 4 NIC's, two of which is part of a SAN subnet, which I don't want in the MTA config!

All I wanted to do was turn on A&D on the boxes, but I can't without turning off relaying and reactivating at the command line.

Is this an oversight or by design?

[DanCody]

Can anyone from Zimbra address this? It's a pretty serious bug when you can't modify ANY server settings through the admin UI because of this.

OK, I found a way around this. All I did was:
At the command prompt, login as root and execute the following commands

Code:

su zimbra
zmprov modifyServer zimbra.domain.com zimbraMtaMyNetworks '127.0.0.0/8 192.168.0.124/32'
postfix reload

Make sure to substitute zimbra.domain.com with the actual name of your server as it shows in the admin panel and make sure to substitute 192.168.0.124 with the actual ip address of your server.

Now, I have another problem. Anytime I want to make changes in the admin panel to the server, I get the same error as in the last post. So, to modify anything for the server within the admin panel, I have to set the field back to "127.0.0.0/8 192.168.0.64/26" and then save my changes and then go back to the command prompt and execute my commands again.

WOW having to remember that every time can get tedious

[mmorse]

File away > bugzilla -be sure to post a #/link back here so we know where it's at

[tim_ba]

Hello

I'm not clear about this "MTA Trusted Networks". What should be there? Now, I have this:
postconf mynetworks
mynetworks = 127.0.0.0/8 X.X.X.X/27
X is a public network where Zimbra is. Probably it should be behind a firewall, but it's a test.

I can send mail from an internal network 10.0.0.0/8, from a client without user authetication and also from a telnet session without any authetication.
How can I force clients to authenticate?

zmprov getServer SERVER | grep Auth
zimbraMtaAuthEnabled: TRUE
zimbraMtaAuthHost: SERVER
zimbraMtaAuthTarget: TRUE
zimbraMtaAuthURL: https://SERVER:443/service/soap/
zimbraMtaTlsAuthOnly: TRUE

[phoenix]

Details of the mynetworks setting here: ZimbraMtaMyNetworks. If you have the ip subnet in your mynetworks setting then a user will be able to send without authentication unless you force them to use it. The correct port for email Submission in Port 587 and that's authenticated, you need to make a change to a Zimbra config if you wish to use that port - search the forums for 'port 587' for the details.

[tim_ba]

Thank you for a quick reply. Now, it's like this:
$ postconf mynetworks
mynetworks = 127.0.0.0/8 X.X.X.Y/32
X.X.X.Y is a public address of Zimbra server.
If I use Thunderbird with SMTP SSL on 465 and Authentication, it works. Without the authentication, it's not possible to send an email.
I didn't quite understand about this port 587, but I hope I don't need it anyway.

There still remains another issue, slightly related to this one, TLS is not working:
TLS not working?
Now, with this, I have the following:
- IMAP and POP3 work with TLS or SSL only (which is logical),
- SMTP works with SSL only (TLS doesn't work, which doesn't make sense for me, and SMTP without security receives "Relay access denied" message in Thunderbird).

[phoenix]

Thank you for a quick reply. Now, it's like this:
$ postconf mynetworks
mynetworks = 127.0.0.0/8 X.X.X.Y/32
X.X.X.Y is a public address of Zimbra server.
If I use Thunderbird with SMTP SSL on 465 and Authentication, it works. Without the authentication, it's not possible to send an email.
I didn't quite understand about this port 587, but I hope I don't need it anyway.

Port 587 is actually the correct port for submitting email from a client and not 25 or 465.

There still remains another issue, slightly related to this one, TLS is not working:
TLS not working?
Now, with this, I have the following:
- IMAP and POP3 work with TLS or SSL only (which is logical),
- SMTP works with SSL only (TLS doesn't work, which doesn't make sense for me, and SMTP without security receives "Relay access denied" message in Thunderbird).

I'd have to disagree with you on this, TLS works correctly. You don't say whether the clients you're talking about are on your LAN, whether you want them to authenticate when they send mail or what? You mention above that you have a LAN with a subnet of 10.0.0.x, is this where your user are located? Is this subnet in your mynetworks configuration?

Have you enabled the setting 'Enable authentication' in the admin UI? What about the TLS setting?

From the Admin Help Desk:

Enables SMTP client authentication, so users can authenticate. Only authenticated users or users from trusted networks are allowed to relay mail.

[tim_ba]

You don't say whether the clients you're talking about are on your LAN, whether you want them to authenticate when they send mail or what? You mention above that you have a LAN with a subnet of 10.0.0.x, is this where your user are located? Is this subnet in your mynetworks configuration?
Have you enabled the setting 'Enable authentication' in the admin UI? What about the TLS setting?

Clients are on LAN 10.0.0.x, this is where test are performed from, while Zimbra is outside, on a public address. I set authentication to avoid spam, and I wanted all clients to use it. Otherwise, I (and any spammer) would be able to use some other's account to send an email outside. When I had:
$ postconf mynetworks
mynetworks = 127.0.0.0/8 X.X.X.Y/32 10.0.0.0/8
authentication was not requested for clients from 10.0.0.0/8, even if 'Enable authentication' was on with 'TLS authentication only'.
This is shown here, that hasn't been changed:
zmprov getServer SERVER | grep Auth
zimbraMtaAuthEnabled: TRUE
zimbraMtaAuthHost: SERVER
zimbraMtaAuthTarget: TRUE
zimbraMtaAuthURL: https://SERVER:443/service/soap/
zimbraMtaTlsAuthOnly: TRUE

I tried TLS with Thunderbird only, OE doesn't offer it.
I found this:
Adding additional SMTP listener ports - Zimbra :: Wiki
but didin't understand what this means:
"As of ZCS v4.0.x, the default Zimbra postfix config does not have TLS enabled on separate port."