Security issues, block relay to local addresses

[alpa]

Hi all,

After using zimbra for about a month I'm quite satisfied with it. I found some issues, though.

Everything went well until we realised that any user knowing our smtp host could sent any kind of mail to our domains hosted in zimbra using a simple telnet without any authentication.

I mean, I can enter our smtp (telnet smtp.ourmail.com 25) do a HELO, MAIL FROM, RCPT TO and send the mail. But this (RCPT TO) can only be done with the domains we host on that server (i.e. dA.com, dB.com). When trying to send to another domain (i.e. gmail.com) it returns "Relay access denied" which is the answer we want for our accounts. How can I do this?

We cannot firewall port 25 or limit to certain IPs as most of us use a mail client and we are quite scattered around the world. Maybe the best option is force a user/pass auth when sending mail, in fact that's the way i thought zimbra works by default.

Any ideas?

Many thanks in advance.

[phoenix]

Everything went well until we realised that any user knowing our smtp host could sent any kind of mail to our domains hosted in zimbra using a simple telnet without any authentication.

That's how email works, a user on the trusted mynetworks can send mail (local and outbound) and external user can send email to your users via telnet just the same as sending an email to you via another mail server - I don't see the problem with that.

[alpa]

That's how email works, a user on the trusted mynetworks can send mail (local and outbound) and external user can send email to your users via telnet just the same as sending an email to you via another mail server - I don't see the problem with that.

the problem I find is that anybody can send a mail with our smtp from outside mynetworks using as from "user@mynetwork.com" to anybody "@mynetwork.com" without performing any authentication and we are having problems with this. I'd like to prevent sending that mail without authentication and limit the from field to out created accounts. Is it possible?

Thanks.

[phoenix]

the problem I find is that anybody can send a mail with our smtp from outside mynetworks using as from "user@mynetwork.com" to anybody "@mynetwork.com" without performing any authentication and we are having problems with this.

That is how email works, any user can send an email to you and it gets delivered to a valid user (or not, as the case may be). The external user can send mail via another mail service or via telnet - that is the normal function of email.

I'd like to prevent sending that mail without authentication and limit the from field to out created accounts. Is it possible

What you're asking deosn't make sense, you would be requiring all email server that connect to you to connect using authentication - that's not possible as nobody would be able to send you mail.

[alpa]

That is how email works, any user can send an email to you and it gets delivered to a valid user (or not, as the case may be).

But if this mail is sent through my smtp, I can require a user/pass autentication, can't I?

What you are saying is that any mail sent to me will go through my smtp, so I can't set authentication on it. If so, we cannot stop the spamming we get using a mail address of one of our workers. Am I right?

I'm still not convinced. Sorry because I think I am explaining the problem poorly

Trying a smtp from google i get the behaviour i want for my server, so I'm sure there is a way.

this is the behaviour i'd like

Code:

test@machine:~$ telnet smtp.google.com 25
Trying 209.85.237.25...
Connected to smtp1.google.com.
Escape character is '^]'.
220 smtp.google.com ESMTP
HELO gmail.com
250 smtp.google.com Hello [xxx.yyy.zzz.49], pleased to meet you
MAIL FROM: testaccount@gmail.com
250 2.1.0 testaccount@gmail.com... Sender ok
RCPT TO: anotheraccount@gmail.com
550 5.7.1 anotheraccount@gmail.com... Relaying denied. IP name lookup failed [xxx.yyy.zzz.49]
RCPT TO: test@mynetwork.com
550 5.7.1 test@mynetwork.com... Relaying denied. IP name lookup failed [xxx.yyy.zzz.49]

this is the one i have

Code:

test@machine:~$ telnet mysmtp.mycompany.com 25
Trying xxx.yyy.zzz.nnn...
Connected to mysmtp.mycompany.com.
Escape character is '^]'.
220 mysmtp.mycompany.com ESMTP Postfix
HELO testserver.com
250 mysmtp.mycompany.com
MAIL FROM: testmail@testcompany.com
250 2.1.0 Ok
RCPT TO: somemail@anothercompany.com
554 5.7.1 <somemail@anothercompany.com>: Relay access denied
RCPT TO: existingmail@mycompany.com
250 2.1.5 Ok

Many thanks for your patience

[phoenix]

But if this mail is sent through my smtp, I can require a user/pass autentication, can't I?

Mail can't be sent thorugh your server, all you are demonstrating by using telnet is that your server will accept mail for your domain - that's what it should do. By default Zimbra will not allow anyone to relay mail through your server to another domain.