  #1 (permalink)  
Old 09-14-2009, 08:21 PM
Member
 
Posts: 12
Default [SOLVED] Open Relay --> Zimbra OSE vs MS Exchange

I am in the middle of evaluating Zimbra OSE to replace the existing MS Exchange Server.

I found out that the open relay protection behavior is different between Zimbra and MS Exchange.

Testing was done using simple telnet to port 25 of the server (e.g. "telnet mailserver.mydomain.com 25").

I have set Zimbra's MTA to only allow itself to relay email (x.x.x.0/32).

My domain is "mydomain.com"

Using telnet (on the zimbra server terminal screen), I did the following simulation:

Scenario 1:
- mail from: friend@yahoo.com
- rcpt to: me@mydomain.com
result: Zimbra accepts the scenario (this is normal behavior for all mail servers)

Scenario 2:
- mail from: friend@yahoo.com
- rcpt to: someone@gmail.com
result: Zimbra accepts the scenario; this is not accepted by MS Exchange because Exchange said that the rcpt to is not a valid domain (cannot be relayed) --> this is open relay.

Scenario 3:
- mail from: me@mydomain.com
- rcpt to: friend@yahoo.com
result: Zimbra accepts the scenario; this is not accepted by MS Exchange because Exchange said that the rcpt to is not a valid domain (cannot be relayed) --> this is open relay.

I am questioning scenarios 2 and 3: why does Zimbra allow that?

I want the open relay protection behavior in Zimbra to be the same as MS Exchange's behavior. How do I configure Zimbra to not allow scenarios 2 and 3?

Could someone explain this? I need to replace my old MS Exchange with Zimbra, but if I cannot solve this open relay problem then I cannot move to Zimbra as well.

Thanks in advance.

Regards,
Benny.
  #2 (permalink)  
Old 09-14-2009, 08:40 PM
Elite Member
 
Posts: 296
Default

Set the Postfix parameter smtpd_reject_unlisted_recipient to YES and see if it helps.

/opt/zimbra/conf/zmmta.cf
/opt/zimbra/postfix/conf/main.cf
/opt/zimbra/postfix/conf/main.cf.default

Change smtpd_reject_unlisted_recipient to YES in these files and restart the ZCS service.

(someone may have a better idea how to set the Postfix parameter with the postconf command)

Last edited by tiger2000; 09-14-2009 at 08:48 PM..
  #3 (permalink)  
Old 09-14-2009, 08:47 PM
Trained Alumni
 
Posts: 74
Default

Not sure if I understand, but you set zimbra to only allow relay from itself.
Quote:
Originally Posted by benny_0924 View Post
Using telnet (on the zimbra server terminal screen), I did the following simulation:
Does this mean you are on the Zimbra server telnetting to itself on port 25 and issuing these commands? If so, try doing it from another machine. By default, Zimbra allows only machines on its subnet to relay.
  #4 (permalink)  
Old 09-14-2009, 09:00 PM
Member
 
Posts: 12
Default

Quote:
Originally Posted by mtorres View Post
Not sure if I understand, but you set zimbra to only allow relay from itself.


Does this mean you are on the Zimbra server telnetting to itself on port 25 and issuing these commands? If so, try doing it from another machine. By default, Zimbra allows only machines on its subnet to relay.
Yes, I am telnetting on Zimbra to itself. If this is allowed then it is too dangerous for the Zimbra server if the server is compromised by a spamvirus. MS Exchange won't allow you even if you are telnetting on itself.


@tiger2000:
I have set the smtpd_reject_unlisted_recipient parameter to Yes in all 3 files and restarted the server, but still no luck; I still get the same open relay behavior. Where else should I look?

Thanks.

Last edited by benny_0924; 09-14-2009 at 09:58 PM..
  #5 (permalink)  
Old 09-14-2009, 11:39 PM
Moderator
 
Posts: 7,928
Default

Quote:
Originally Posted by benny_0924 View Post
Yes, I am telnetting on Zimbra to itself. If this is allowed then it is too dangerous for the Zimbra server if the server is compromised by a spamvirus.
Email would be the least of your worries if the server is compromised!
  #6 (permalink)  
Old 09-15-2009, 12:37 AM
Outstanding Member
 
Posts: 594
Default

Do this to see if your server is really an open relay:
telnet relay-test.mail-abuse.org 25
After the test it will tell you if it is an open relay or not.
  #7 (permalink)  
Old 09-15-2009, 11:55 AM
Moderator
 
Posts: 1,432
Default

Quote:
Originally Posted by benny_0924 View Post
Yes, I am telnetting on Zimbra to itself. If this is allowed then it is too dangerous for the Zimbra server if the server is compromised by a spamvirus. MS Exchange won't allow you even if you are telnetting on itself.
As uxbod sort of implied, this may be a concern for Exchange admins, but it sounds like an overly-stringent requirement for the rest of us. In my experience (with other servers and now Zimbra), best practice is to allow relaying through the server as long as the source is on the local subnet, a defined "trusted" subnet, or is authenticated.

I'm not certain but you may be able to remove the local subnet from the list of "trusted" subnets in Zimbra. If so then you would have slightly better protection against spam coming from a compromised internal machine, but all clients would have to authenticate to send mail.

I would also question how the server could be "compromised by a spamvirus" as no regular users should have access to the server to use it as a workstation that would accept mail...let alone have the privileges necessary for allowing a piece of malware to be installed.
__________________
Elliot Wilen
Berkeley, CA

Don't forget to enter your Zimbra version in your forum profile.
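
The relay policy discussed in this thread (trusted networks and authenticated clients may relay anywhere, everyone else may only reach local domains), replayed over the three telnet scenarios as an added example that is not part of the original posts or of Zimbra's code. It is a simplified model of a common Postfix ordering (permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination); the addresses, network ranges and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample configuration (assumptions, not values from the thread).
MYNETWORKS = ["127.0.0.0/8", "192.0.2.10/32"]  # loopback + the server's own address
LOCAL_DOMAINS = {"mydomain.com"}                # domains this server delivers for
EXTERNAL_IP = "198.51.100.7"                    # constructed untrusted client

# The three scenarios from the first post: (MAIL FROM, RCPT TO).
SCENARIOS = [
    ("friend@yahoo.com", "me@mydomain.com"),
    ("friend@yahoo.com", "someone@gmail.com"),
    ("me@mydomain.com", "friend@yahoo.com"),
]


def relay_decision(client_ip, rcpt_to, authenticated=False,
                   mynetworks=MYNETWORKS, local_domains=LOCAL_DOMAINS):
    """Return (accepted, reason) for one RCPT TO; MAIL FROM plays no part."""
    addr = ipaddress.ip_address(client_ip)
    domain = rcpt_to.rsplit("@", 1)[-1].lower()
    # permit_mynetworks: a trusted client address may send to any destination.
    if any(addr in ipaddress.ip_network(net) for net in mynetworks):
        return True, "permit_mynetworks"
    # permit_sasl_authenticated: so may a client that has logged in.
    if authenticated:
        return True, "permit_sasl_authenticated"
    # reject_unauth_destination: everyone else only reaches local domains.
    if domain in local_domains:
        return True, "local destination"
    return False, "554 5.7.1 Relay access denied"


def run_scenarios(client_ip, authenticated=False, mynetworks=MYNETWORKS):
    """Replay the three scenarios from one client address."""
    return [relay_decision(client_ip, rcpt, authenticated, mynetworks)[0]
            for _sender, rcpt in SCENARIOS]


def is_open_relay(mynetworks=MYNETWORKS):
    """True if an untrusted, unauthenticated client can reach a non-local domain."""
    return any(relay_decision(EXTERNAL_IP, rcpt, mynetworks=mynetworks)[0]
               for _sender, rcpt in SCENARIOS
               if rcpt.rsplit("@", 1)[-1] not in LOCAL_DOMAINS)


if __name__ == "__main__":
    for ip in ("127.0.0.1", EXTERNAL_IP):
        print(ip, run_scenarios(ip))
    print("open relay:", is_open_relay())
```

A test run from the server itself matches the trusted-network rule before the destination is ever checked, so all three scenarios pass there; only the result from an address outside the trusted networks says whether the server is an open relay.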
  #8 (permalink)  
Old 09-15-2009, 07:01 PM
Member
 
Posts: 12
Default

Quote:
Originally Posted by ewilen View Post
As uxbod sort of implied, this may be a concern for Exchange admins, but it sounds like an overly-stringent requirement for the rest of us. In my experience (with other servers and now Zimbra), best practice is to allow relaying through the server as long as the source is on the local subnet, a defined "trusted" subnet, or is authenticated.

I'm not certain but you may be able to remove the local subnet from the list of "trusted" subnets in Zimbra. If so then you would have slightly better protection against spam coming from a compromised internal machine, but all clients would have to authenticate to send mail.

I would also question how the server could be "compromised by a spamvirus" as no regular users should have access to the server to use it as a workstation that would accept mail...let alone have the privileges necessary for allowing a piece of malware to be installed.
Elliot, I totally agree with you. Actually all email servers (SMTP servers) must be able to relay from themselves; it's their job, right? And MS Exchange actually does the same, only the way MS Exchange does it does not really follow the SMTP rules; it uses its own rules.

And for the spamvirus, I would not assume that the server will be safe although I am the only administrator who controls and has access to the server. I could also do something wrong one day. So it is better to play it safe (for me) and always be cautious.

OK, I think I can move to Zimbra now and throw away the Exchange.

Thanks.
  #9 (permalink)  
Old 09-15-2009, 08:45 PM
Trained Alumni
 
Posts: 74
Default

Hi Benny_0924, not sure if this will help, but I have spoken on the phone with a few people who are migrating from Exchange to Zimbra, and I have heard some good reasons why they don't want to move off of Exchange and read arguments in the forums, but security has never been one that I have encountered. Another good thing is that Zimbra runs on Linux/Mac, which is probably less susceptible to being compromised by a virus. Not that it is impossible, but less likely.