
Thread: [SOLVED] Zimbra - acting as open relay

  1. #11 ArcaneMagus (Moderator)

    Quote Originally Posted by milind.v.patil:
        When I put 127.0.0.0/8 <zimbra server ip address>/32 in the MTA Trusted networks tab, we do not receive any incoming emails from any domain.

    Something is very wrong if this is the way it is working; your relay problem will not go away as long as the firewall is in the block of trusted network addresses.

    How is your firewall setup to forward port 25 to the mail server? Do you only have one public IP address? Your firewall should be forwarding the connections like this:
    Code:
    external server ip:port -> your public IP address:25 -> internal zimbra IP address:25
    If this is working properly these external connections should appear to come from the external server's IP address, not the firewall's address.

  2. #12 milind.v.patil

    Yes. My firewall is in the trusted network addresses.

    My firewall has been configured in NAT mode and it forwards port 25 as public IP address:25 -> internal zimbra IP address:25

    When you say "external server ip:port", which server are you referring to? I am a bit confused here.

    Thanks,

    Milind Patil
    Last edited by milind.v.patil; 11-12-2009 at 09:23 PM.

  3. #13 ArcaneMagus (Moderator)

    Quote Originally Posted by milind.v.patil:
    Nov 11 04:02:58 01 postfix/cleanup[4599]: 5411D205263C: message-id=<652556464076.7ssvlggnrhkk@yam.com>
    Nov 11 04:02:58 01 postfix/qmgr[11314]: 5411D205263C: from=<tvekgpr@gmail.com>, size=3508, nrcpt=1 (queue active)
    Nov 11 04:02:58 01 amavis[13688]: (13688-08) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20091111T032124-13688: <tvekgpr@gmail.com> -> <carou_bz@yahoo.com.tw> SIZE=3508 Received: from <Zimbra server host name> ([127.0.0.1]) by localhost (<Zimbra server host name> [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <carou_bz@yahoo.com.tw>; Wed, 11 Nov 2009 04:02:58 +0530 (IST)
    Nov 11 04:02:58 01 amavis[13688]: (13688-08) Checking: Q3yrGgJe9Bbu [<FIREWALL IP ADDRESS>] <tvekgpr@gmail.com> -> <carou_bz@yahoo.com.tw>
    Nov 11 04:02:58 01 postfix/smtpd[4578]: A0D36205266F: client=unknown[<FIREWALL IP ADDRESS>]
    Nov 11 04:02:59 01 postfix/smtpd[4593]: 4B5B820526CB: client=unknown[<FIREWALL IP ADDRESS>]
    Nov 11 04:02:59 01 postfix/cleanup[4569]: A0D36205266F: message-id=<opze258oy1i>
    Nov 11 04:02:59 01 postfix/qmgr[11314]: A0D36205266F: from=<sjzyyijj@yahoo.com>, size=3120, nrcpt=1 (queue active)
    Nov 11 04:02:59 01 amavis[2287]: (02287-12) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20091111T022930-02287: <sjzyyijj@yahoo.com> -> <carrey258456@yahoo.com.tw> SIZE=3120 Received: from <Zimbra server host name> ([127.0.0.1]) by localhost (<Zimbra server host name> [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <carrey258456@yahoo.com.tw>; Wed, 11 Nov 2009 04:02:59 +0530 (IST)
    Nov 11 04:02:59 01 amavis[2287]: (02287-12) Checking: xNJ0i1ZD0S9Q [<FIREWALL IP ADDRESS>] <sjzyyijj@yahoo.com> -> <carrey258456@yahoo.com.tw>
    Nov 11 04:02:59 01 postfix/smtpd[15292]: connect from unknown[<FIREWALL IP ADDRESS>]
    Nov 11 04:03:00 01 sendmail[12605]: nAAMWOIC012605: from=root, size=394, class=0, nrcpts=1, msgid=<200911102232.nAAMWOIC012605@<Zimbra server host name>>, relay=root@localhost
    Nov 11 04:03:00 01 postfix/smtpd[25250]: connect from localhost.localdomain[127.0.0.1]
    Nov 11 04:03:00 01 postfix/smtpd[4593]: lost connection after DATA (3455 bytes) from unknown[<FIREWALL IP ADDRESS>]
    There are two possible ways that I can think of that mail would be showing up on your server like this:
    • Your firewall has been hacked and is sending the mail itself.
    • Your firewall is forwarding incoming connections improperly so they show up as coming from your firewall machine.

    In either case the proper way to stop the spam messages from going through your server is to have only the Zimbra server's IP address and localhost in the trusted MTA networks. Since you have said that when you do that ALL incoming mail fails to be delivered, my guess is that your firewall isn't properly forwarding the connections and they are showing up to the Zimbra server as all coming from the firewall machine.

    When you do have your MTA trusted networks set up properly, what log entries show for incoming (valid) mail? Does it show up as coming from your firewall machine?

    Here is an example of what it should look like:
    Code:
    Nov 13 09:46:27 email postfix/smtpd[17625]: connect from mail-pw0-f55.google.com[209.85.160.55]
    Nov 13 09:46:29 email postfix/smtpd[17625]: C40CB904001: client=mail-pw0-f55.google.com[209.85.160.55]
    Nov 13 09:46:30 email postfix/cleanup[17631]: C40CB904001: message-id=<4AFD9B65.8060600@gmail.com>
    Nov 13 09:46:30 email postfix/qmgr[20731]: C40CB904001: from=<user1@gmail.com>, size=2038, nrcpt=1 (queue active)
    Nov 13 09:46:30 email amavis[32519]: (32519-11) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20091112T130754-32519: <user1@gmail.com> -> <user2@domain.com> SIZE=2038 Received: from email.domain.com ([127.0.0.1]) by localhost (email.domain.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <user2@domain.com>; Fri, 13 Nov 2009 09:46:30 -0800 (PST)
    Nov 13 09:46:30 email amavis[32519]: (32519-11) Checking: KNNPub8cT7bp [209.85.160.55] <user1@gmail.com> -> <user2@domain.com>
    Nov 13 09:46:34 email postfix/smtpd[17827]: connect from localhost.localdomain[127.0.0.1]
    Nov 13 09:46:34 email postfix/smtpd[17827]: 9ED03904004: client=localhost.localdomain[127.0.0.1]
    Nov 13 09:46:34 email postfix/cleanup[17631]: 9ED03904004: message-id=<4AFD9B65.8060600@gmail.com>
    Nov 13 09:46:34 email postfix/smtpd[17827]: disconnect from localhost.localdomain[127.0.0.1]
    Nov 13 09:46:34 email postfix/qmgr[20731]: 9ED03904004: from=<user1@gmail.com>, size=2900, nrcpt=1 (queue active)
    Nov 13 09:46:34 email amavis[32519]: (32519-11) FWD via SMTP: <user1@gmail.com> -> <user2@domain.com>,BODY=7BIT 250 2.0.0 Ok, id=32519-11, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9ED03904004
    Nov 13 09:46:34 email amavis[32519]: (32519-11) Passed CLEAN, [209.85.160.55] [72.11.126.18] <user1@gmail.com> -> <user2@domain.com>, Message-ID: <4AFD9B65.8060600@gmail.com>, mail_id: KNNPub8cT7bp, Hits: -1.49, size: 2038, queued_as: 9ED03904004, dkim_id=@gmail.com,user1@gmail.com, 4545 ms
    Nov 13 09:46:34 email postfix/smtp[17637]: C40CB904001: to=<user2@domain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=6.9, delays=2.4/0/0/4.5, dsn=2.0.0, status=sent (250 2.0.0 Ok, id=32519-11, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 9ED03904004)
    Nov 13 09:46:34 email postfix/qmgr[20731]: C40CB904001: removed
    Nov 13 09:46:34 email postfix/lmtp[17830]: 9ED03904004: to=<user2@domain.com>, relay=email.domain.com[192.168.1.6]:7025, delay=0.09, delays=0.01/0.01/0/0.07, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
    Nov 13 09:46:34 email postfix/qmgr[20731]: 9ED03904004: removed
    Notice how the connection shows as coming from 209.85.160.55 even though this machine is behind the firewall?
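The two symptoms the post above describes (every inbound connection carrying the firewall's address, and mail from a trusted client bound for a foreign domain) can be checked mechanically from the amavis "Checking:" lines. The script below is an added example, not code from the thread or from Zimbra; the addresses, domains and trusted-network list are constructed placeholders (192.168.1.1 stands in for the redacted firewall IP, 192.168.1.6 for the Zimbra host, example.com for the local domain).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample modelled on the thread's logs; 192.168.1.1 stands in for the
# firewall address that the original post redacted as <FIREWALL IP ADDRESS>.
BROKEN_LOG = """\
Nov 11 04:02:58 01 amavis[13688]: (13688-08) Checking: Q3yrGgJe9Bbu [192.168.1.1] <tvekgpr@gmail.com> -> <carou_bz@yahoo.com.tw>
Nov 11 04:02:59 01 amavis[2287]: (02287-12) Checking: xNJ0i1ZD0S9Q [192.168.1.1] <sjzyyijj@yahoo.com> -> <carrey258456@yahoo.com.tw>
Nov 11 04:03:05 01 amavis[2287]: (02287-13) Checking: LocalMail0001 [192.168.1.1] <friend@gmail.com> -> <staff@example.com>
"""
# Constructed healthy line: the client IP is the real sending server, not the firewall.
HEALTHY_LOG = "Nov 13 09:46:30 email amavis[32519]: (32519-11) Checking: KNNPub8cT7bp [209.85.160.55] <user1@gmail.com> -> <user2@example.com>\n"

# Trusted networks as the thread describes the broken setup: loopback, the Zimbra
# host and (wrongly) the firewall's internal address. Placeholder values.
TRUSTED = ["127.0.0.0/8", "192.168.1.6/32", "192.168.1.1/32"]
LOCAL_DOMAINS = ["example.com"]

CHECKING_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) Checking: (?P<mail_id>\S+) \[(?P<ip>[0-9a-fA-F.:]+)\] "
    r"<(?P<sender>[^>]*)> -> <(?P<rcpt>[^>]*)>")

def parse_checking_lines(log_text):
    """Extract mail_id, client IP, sender and recipient from amavis 'Checking:' lines."""
    return [m.groupdict() for m in map(CHECKING_RE.search, log_text.splitlines()) if m]

def audit_relay(log_text, trusted_networks, local_domains):
    """Flag mail that a trusted client handed us for a non-local recipient (a relay),
    and report the single trusted, non-loopback IP every inbound connection came from,
    if there is one (the NAT masquerading symptom from the thread)."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    local = {d.lower() for d in local_domains}
    relayed, sources = [], Counter()
    for rec in parse_checking_lines(log_text):
        ip = ipaddress.ip_address(rec["ip"])
        if ip.is_loopback:
            continue  # amavis re-injecting on the content filter loop, not an inbound client
        sources[rec["ip"]] += 1
        rcpt_domain = rec["rcpt"].rsplit("@", 1)[-1].lower()
        if rcpt_domain not in local and any(ip in n for n in trusted):
            relayed.append(rec["mail_id"])
    single = next(iter(sources)) if len(sources) == 1 else None
    if single is not None and not any(ipaddress.ip_address(single) in n for n in trusted):
        single = None  # one real sender in a short sample is not the masquerade symptom
    return {"relayed": relayed, "single_trusted_source": single}

if __name__ == "__main__":
    print(audit_relay(BROKEN_LOG, TRUSTED, LOCAL_DOMAINS))
    print(audit_relay(HEALTHY_LOG, TRUSTED, LOCAL_DOMAINS))
```

A non-empty "relayed" list together with a "single_trusted_source" equal to the firewall address is exactly the pattern in the quoted log; removing the firewall from the trusted networks, or fixing the NAT so the client IP is preserved, makes both disappear.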

  4. #14 milind.v.patil

    Zimbra - Acting as open relay

    Hi all,

    Thanks for your support.

    I have managed to resolve the issue here. I have kept my Zimbra server under observation and will get back with the results and further details.

    Have a nice day!

    Thanks,

    Milind Patil

  5. #15 milind.v.patil

    Hi,

    Here are the details -

    My LAN network is behind a Fortigate firewall which is operating in NAT mode.

    IP address for internal interface of this firewall falls within the IP address range of my internal LAN network.

    Spam emails were relayed from my Zimbra email server.

    For every email received, I observed that my firewall IP address was replacing the original sender domain/email server IP address in the Zimbra log file.

    I removed the NATting on my Fortigate firewall (the public IP address was NATted to the private IP address of my Zimbra email server) and this worked.

    All the relaying stopped with immediate effect. All the open relay tests on the internet showed "Relay access denied".

    Thanks to everyone here.
