
Thread: SMTP authentication for zimbra postfix

  1. #1
    Vivek k c

    Hi wazup?

    Hope things are going great here .. :-)

    I'm a zimbra zcs-4.0.4_GA_457.FC4 admin.
    Let me jump into my problem now - it is SPAM

    I have applied many settings to zimbra postfix reading the forum here..and could block a huge chunk of spams.. thanks guys..

    Now the set up is like this - we have internal mail groups and only mydomain.com users are allowed to mail to those groups. All other domains are blocked using -
    permitted_senders_list = check_sender_access hash:/opt/zimbra/postfix/conf/permitted_senders, reject
    smtpd_restriction_classes = permitted_senders_list.

    Ok, things were fine, now the spammer generates some junk ids (not real) in mydomain.com (eg: xhys42@mydomain.com) and sends mails. Please help me block him now, need to enable SMTP authentication? My requirement is like this - only a valid user with a valid password should be able to send mails from mydomain.com. Possible right? I was searching here in forums but too many lists & unable to find. I know with postfix it's possible (but don't know how/didn't try yet) but confused with LDAP authentication in zimbra.

    Please give me some hints. Is this issue already addressed? then somebody can direct me to the proper place? :-)

    Thanks
    -ViveK
    Last edited by Vivek k c; 02-27-2008 at 10:30 AM.

  2. #2
    Bill Brock

    Have you checked your main.cf in postfix to make sure Zimbra didn't overwrite your changes? Specifically the reject sender parameter.

  3. #3
    Bill Brock

    I guess it would be your permitted_sender parameter.

    I had it do this to me and had to change one of their conf files. I don't remember which one off the top of my head.

  4. #4
    phoenix

    In the file /opt/zimbra/conf/zmmta.cf change the smtpd_reject_unlisted_recipients to 'yes' and restart postfix. That will reject any email addresses not existing on your server. You will need to make that modification after each Zimbra upgrade.

    There's also some tips for improving the anti-spam system on this page: Improving Anti-spam system - Zimbra :: Wiki - I've never needed most of those changes but YMMV. You also might investigate updating the rules in /opt/zimbra/conf/spamassassin with sa-update, there's a recent post in the forums about this.
    Regards


    Bill



  5. #5
    Vivek k c

    Those are taken care of and things are fine, works accordingly.

    Now I want to allow SMTP authentication with Zimbra postfix. Only a valid user should be able to send mails from mydomain.com (not a junk spammer mail id which is generated by the spammer). Basically, for any SMTP request, postfix should check if the user is valid in zimbra ldap. If it's not found, should reject the connection for the unknown user (deny him from sending mails with mydomain.com). Hope I'm not confusing.. :-)

  6. #6
    Vivek k c

    I have already that parameter set (long back) -

    [root@star conf]# pwd
    /opt/zimbra/conf
    [root@star conf]# grep smtpd_reject_unlist zmmta.cf
    POSTCONF smtpd_reject_unlisted_recipient yes
    [root@star conf]#
    [root@star conf]# grep smtpd_reject_unlisted /opt/zimbra/postfix/conf/main.cf
    smtpd_reject_unlisted_recipient = yes
    [root@star conf]#

    --
    But still the spammer is able to send mails :-( ,
    What do you think, where am I going wrong!!!

    I will check and enforce the spam settings after reading the links, thanks :-)
    Before that I should be able to fix SMTP auth..





    Quote: Originally posted by phoenix
    In the file /opt/zimbra/conf/zmmta.cf change the smtpd_reject_unlisted_recipients to 'yes' and restart postfix. That will reject any email addresses not existing on your server. You will need to make that modification after each Zimbra upgrade.

    There's also some tips for improving the anti-spam system on this page: Improving Anti-spam system - Zimbra :: Wiki - I've never needed most of those changes but YMMV. You also might investigate updating the rules in /opt/zimbra/conf/spamassassin with sa-update, there's a recent post in the forums about this.
    Last edited by Vivek k c; 02-27-2008 at 11:04 AM.

  7. #7
    phoenix

    Quote: Originally posted by Vivek k c
    Now I want to allow SMTP authentication with Zimbra postfix. Only a valid user should be able to send mails from mydomain.com (not a junk spammer mail id which is generated by the spammer). Basically, for any SMTP request, postfix should check if the user is valid in zimbra ldap. If it's not found, should reject the connection for the unknown user (deny him from sending mails with mydomain.com). Hope I'm not confusing.. :-)

    Spammers can't, by default, relay through your Zimbra server unless you've made changes that allow that. If the Admin UI/Global Settings/MTA tab has the Authentication setting checked then a user will require authentication to send mail through your server. Those settings are overridden by the individual server settings.

    If you are having any problems and you think people are relaying through your server (is that what you're saying?) then check the wiki for the 'mynetworks' setting and verify it's OK.
    Regards


    Bill



  8. #8
    Vivek k c

    Quote: Originally posted by phoenix
    Spammers can't, by default, relay through your Zimbra server unless you've made changes that allow that. If the Admin UI/Global Settings/MTA tab has the Authentication setting checked then a user will require authentication to send mail through your server. Those settings are overridden by the individual server settings.

    If you are having any problems and you think people are relaying through your server (is that what you're saying?) then check the wiki for the 'mynetworks' setting and verify it's OK.

    It's not like that - Let me brief:
    All domains are denied sending mails to our distribution groups except mydomain.com. This is a domain based restriction & can't be IP based as many of our staff work from home/remote/client side etc (can be any IP). Now all the SPAMS are getting rejected from other domains. But some smart spammers generate junk mail ids in mydomain.com itself which are not present in Zimbra (eg: test1x@mydomain.com). Since mydomain.com is allowed to send, zimbra simply sends those spams (since it's not checking if the user is valid) to my internal distribution groups

    Got me? Please help.. :-)

  9. #9
    Vivek k c

    Quote: Originally posted by phoenix
    In the file /opt/zimbra/conf/zmmta.cf change the smtpd_reject_unlisted_recipients to 'yes' and restart postfix. That will reject any email addresses not existing on your server. You will need to make that modification after each Zimbra upgrade.

    There's also some tips for improving the anti-spam system on this page: Improving Anti-spam system - Zimbra :: Wiki - I've never needed most of those changes but YMMV. You also might investigate updating the rules in /opt/zimbra/conf/spamassassin with sa-update, there's a recent post in the forums about this.

    smtpd_reject_unlisted_recipients tag is for checking if the recipient is valid? That's working fine.

    I want to check if the sender is valid, something like

    smtpd_reject_unlisted_sending_user
    smtpd_reject_unauthorized_user

    Possible? ;-)
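
Added example (not part of the original thread): a simplified Python model of the lookup behind the `check_sender_access` class from post #1, showing why a forged `xhys42@mydomain.com` sender passes a domain-wide entry and how an additional known-sender check, the kind Postfix's `reject_unlisted_sender` performs, rejects it. The table contents, account names and function names are constructed for illustration.

```python
# Simplified model of Postfix access(5) lookups for check_sender_access.
# Table contents and account names are constructed for illustration.

PERMITTED_SENDERS = {"mydomain.com": "OK"}  # domain-wide allow, as in the thread
KNOWN_ACCOUNTS = {"vivek@mydomain.com", "staff-list@mydomain.com"}  # constructed


def access_lookup(table, sender):
    """Return the table action for an envelope sender, or None (no match).

    Keys are tried in the order user@domain, domain, user@. This is a
    simplification: address extensions and subdomain matching are omitted.
    """
    sender = sender.lower()
    local, _, domain = sender.rpartition("@")
    for key in (sender, domain, local + "@"):
        if key in table:
            return table[key]
    return None


def permitted_senders_list(sender):
    """Model of: check_sender_access hash:permitted_senders, reject"""
    return "OK" if access_lookup(PERMITTED_SENDERS, sender) == "OK" else "REJECT"


def with_unlisted_sender_check(sender):
    """Same class, but first require a local sender to be a known address.

    A forged address that does exist still passes this check; only SMTP
    authentication ties the sender to a password.
    """
    s = sender.lower()
    if s.endswith("@mydomain.com") and s not in KNOWN_ACCOUNTS:
        return "REJECT"
    return permitted_senders_list(sender)


def evaluate(senders):
    """Map each sender to (domain-only result, result with known-sender check)."""
    return {s: (permitted_senders_list(s), with_unlisted_sender_check(s))
            for s in senders}


if __name__ == "__main__":
    samples = ["vivek@mydomain.com", "xhys42@mydomain.com", "someone@example.net"]
    for sender, result in evaluate(samples).items():
        print(sender, result)
```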

  10. #10
    phoenix

    Perhaps I'm being a bit dumb this morning but your post has confused me.

    Quote: Originally posted by Vivek k c
    Now all the SPAMS are getting rejected from other domains. But some smart spammers generate junk mail ids in mydomain.com itself which are not present in Zimbra (eg: test1x@mydomain.com). Since mydomain.com is allowed to send, zimbra simply sends those spams (since it's not checking if the user is valid) to my internal distribution groups

    If I understand this correctly you are saying that the only domain on your server is mydomain.com and spammers are generating mail for test1x@mydomain.com (and here's part of my confusion), this user doesn't exist but the mail gets delivered via a distribution list. Am I still missing the point?

    The fact that you have set /opt/zimbra/conf/zmmta.cf to 'yes' will reject any mail sent to your server for an email address that doesn't exist on the server. Isn't that what you're describing above?

    There are also several settings in the Admin UI that can further restrict who can connect to your server, check the following settings:

    Code:
    Protocol checks:
    
    	Hostname in greeting violates RFC (reject_invalid_hostname)
    	Client must greet with a fully qualified hostname (reject_non_fqdn_hostname)
    	Sender address must be fully qualified (reject_non_fqdn_sender)
    
    DNS checks:
    
    	Client's IP address (reject_unknown_client)
    	Hostname in greeting (reject_unknown_hostname)
    	Sender's domain (reject_unknown_sender_domain)

    Have you actually made any changes on who can send to distribution lists as described in this article?

    RestrictPostfixRecipients - Zimbra :: Wiki
    Regards


    Bill


