Thread: Security issues, block relay to local addresses

  1. #1
    alpa (New Member)

    Hi all,

    After using Zimbra for about a month I'm quite satisfied with it. I found some issues, though.

    Everything went well until we realised that any user knowing our smtp host could send any kind of mail to our domains hosted in Zimbra using a simple telnet without any authentication.

    I mean, I can enter our smtp (telnet smtp.ourmail.com 25), do a HELO, MAIL FROM, RCPT TO and send the mail. But this (RCPT TO) can only be done with the domains we host on that server (i.e. dA.com, dB.com). When trying to send to another domain (i.e. gmail.com) it returns "Relay access denied" which is the answer we want for our accounts. How can I do this?

    We cannot firewall port 25 or limit to certain IPs as most of us use a mail client and we are quite scattered around the world. Maybe the best option is to force a user/pass auth when sending mail; in fact that's the way I thought Zimbra works by default.

    Any ideas?

    Many thanks in advance.

  2. #2
    phoenix (Zimbra Consultant & Moderator)

    Originally posted by alpa:
    Everything went well until we realised that any user knowing our smtp host could send any kind of mail to our domains hosted in Zimbra using a simple telnet without any authentication.

    That's how email works, a user on the trusted mynetworks can send mail (local and outbound) and an external user can send email to your users via telnet just the same as sending an email to you via another mail server - I don't see the problem with that.
    Regards


    Bill



  3. #3
    alpa (New Member)

    Originally posted by phoenix:
    That's how email works, a user on the trusted mynetworks can send mail (local and outbound) and an external user can send email to your users via telnet just the same as sending an email to you via another mail server - I don't see the problem with that.

    The problem I find is that anybody can send a mail with our smtp from outside mynetworks using as from "user@mynetwork.com" to anybody "@mynetwork.com" without performing any authentication, and we are having problems with this. I'd like to prevent sending that mail without authentication and limit the from field to our created accounts. Is it possible?

    Thanks.

  4. #4
    phoenix (Zimbra Consultant & Moderator)

    Originally posted by alpa:
    The problem I find is that anybody can send a mail with our smtp from outside mynetworks using as from "user@mynetwork.com" to anybody "@mynetwork.com" without performing any authentication, and we are having problems with this.

    That is how email works, any user can send an email to you and it gets delivered to a valid user (or not, as the case may be). The external user can send mail via another mail service or via telnet - that is the normal function of email.

    Originally posted by alpa:
    I'd like to prevent sending that mail without authentication and limit the from field to our created accounts. Is it possible?

    What you're asking doesn't make sense, you would be requiring all email servers that connect to you to connect using authentication - that's not possible as nobody would be able to send you mail.
    Regards


    Bill



  5. #5
    alpa (New Member)

    That is how email works, any user can send an email to you and it gets delivered to a valid user (or not, as the case may be).
    But if this mail is sent through my smtp, I can require a user/pass authentication, can't I?

    What you are saying is that any mail sent to me will go through my smtp, so I can't set authentication on it. If so, we cannot stop the spamming we get using a mail address of one of our workers. Am I right?

    I'm still not convinced. Sorry, because I think I am explaining the problem poorly.

    Trying an smtp from Google I get the behaviour I want for my server, so I'm sure there is a way.

    This is the behaviour I'd like:

    Code:
    test@machine:~$ telnet smtp.google.com 25
    Trying 209.85.237.25...
    Connected to smtp1.google.com.
    Escape character is '^]'.
    220 smtp.google.com ESMTP
    HELO gmail.com
    250 smtp.google.com Hello [xxx.yyy.zzz.49], pleased to meet you
    MAIL FROM: testaccount@gmail.com
    250 2.1.0 testaccount@gmail.com... Sender ok
    RCPT TO: anotheraccount@gmail.com
    550 5.7.1 anotheraccount@gmail.com... Relaying denied. IP name lookup failed [xxx.yyy.zzz.49]
    RCPT TO: test@mynetwork.com
    550 5.7.1 test@mynetwork.com... Relaying denied. IP name lookup failed [xxx.yyy.zzz.49]

    This is the one I have:

    Code:
    test@machine:~$ telnet mysmtp.mycompany.com 25
    Trying xxx.yyy.zzz.nnn...
    Connected to mysmtp.mycompany.com.
    Escape character is '^]'.
    220 mysmtp.mycompany.com ESMTP Postfix
    HELO testserver.com
    250 mysmtp.mycompany.com
    MAIL FROM: testmail@testcompany.com
    250 2.1.0 Ok
    RCPT TO: somemail@anothercompany.com
    554 5.7.1 <somemail@anothercompany.com>: Relay access denied
    RCPT TO: existingmail@mycompany.com
    250 2.1.5 Ok

    Many thanks for your patience

  6. #6
    phoenix (Zimbra Consultant & Moderator)

    Originally posted by alpa:
    But if this mail is sent through my smtp, I can require a user/pass authentication, can't I?

    Mail can't be sent through your server, all you are demonstrating by using telnet is that your server will accept mail for your domain - that's what it should do. By default Zimbra will not allow anyone to relay mail through your server to another domain.
    Regards


    Bill
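
The RCPT TO behaviour in the second transcript, and the spoofed-sender case alpa describes, modelled in Python as an added example that is not part of the original thread and is not Zimbra or Postfix code. The hosted domain, the network ranges and all function names are assumptions chosen for illustration.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from a real deployment).
HOSTED_DOMAINS = {"mycompany.com"}
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("10.0.0.0/8")]


def domain_of(address):
    """Return the lower-cased domain part of an envelope address."""
    return address.strip("<> ").rpartition("@")[2].lower()


def is_trusted(client_ip, authenticated):
    """Trusted means an authenticated session or a client inside mynetworks."""
    ip = ipaddress.ip_address(client_ip)
    return authenticated or any(ip in net for net in MYNETWORKS)


def rcpt_decision(client_ip, authenticated, mail_from, rcpt_to):
    """Model the RCPT TO outcome; returns (smtp_code, reason, spoof_suspect)."""
    trusted = is_trusted(client_ip, authenticated)
    local_rcpt = domain_of(rcpt_to) in HOSTED_DOMAINS
    # An outside, unauthenticated client that claims one of our own domains
    # as envelope sender is the case the original poster wants to catch.
    spoof_suspect = (not trusted) and domain_of(mail_from) in HOSTED_DOMAINS

    if local_rcpt:
        # Inbound delivery: any server on the Internet may hand over mail
        # for a hosted domain, so authentication cannot be demanded here.
        return 250, "local delivery", spoof_suspect
    if trusted:
        # Outbound relay is reserved for mynetworks and authenticated users.
        return 250, "relay permitted", spoof_suspect
    return 554, "Relay access denied", spoof_suspect
```

The `spoof_suspect` flag only marks a session for closer inspection; whether such mail is rejected or filtered is a policy decision this example leaves open.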

