Is there a way to block email sends from domains that aren't native to the host?

[omegainstitute]

I'm trying to combat a spammer that seems to have the ability to send smap through my machine. I'd like to setup Zimbra so that the only emails it's allowed to send, are from our domain (domainx.org) instead of (domainy.com). I have authenication turned on, as well as TLS in the MTA settings for my domain.

I'm seeing a large increase in small emails going out, where their "From" emails are not from our domain. Is there a way to increase the amount of info being logged to show the username being provided to the SMTP server in zimbra.log?

Thank you for taking the time to read this, and thank you for any responses...

Rob

[mtorres]

Hi, I believe zimbra by default only trusts hosts on your own subnet and anything else can't relay through it unless they are authenticated. There are many websites to test for open relay, Network Tools: DNS,IP,Email is one I believe. Could it be an infected machine on your network perhaps?

[omegainstitute]

I haven't ruled that out. Very well could be an internal machine sending the spam. If I am able to determin the IP of the internal machine I'd go over and throw the machine out the window in a heartbeat..

I found some spamassasin and postifx changes that I could make to block the machine sending emails from an address that doesn't reside on the machine (SMTP authentication for zimbra postfix).

Now comes the tracking down part. Is there a way to increase the amount of info logged?

[mtorres]

I don't believe so, If you have the sending address you could search /var/log/zimbra.log for it and it should list the IP somewhere in there. cat /var/log/zimbra.log | grep sendingaddress@domain.com.

[ArcaneMagus]

Under the default configuration the Zimbra server will accept SMTP connections sending mail to a domain on the server from any computer on the same network, but will deny sending to any domain not on the server. For example:
Zimbra Server: 10.0.0.2/24 domain company.com
Client machine 1: 10.0.0.3/24
Client 1 makes a SMTP connection to the Zimbra server trying to send an email to admin@company.com from user@company.com. The Zimbra server will accept this and queue the message.
However anything not addressed to a domain on the Zimbra server will give a "554 5.7.1 <asdf@gmail.com>: Relay access denied" message.

What is likely going on is you have a machine on your network that is infected and just connecting directly to the external email servers. The way to solve this problem is to block all SMTP outbound traffic from any machine that is not your email server.

Where are you seeing these messages going out? Are you finding them in the Zimbra logs, or from bounce back messages you are getting?