Page 1 of 2 (results 1 to 10 of 15)

Thread: [SOLVED] Zimbra - acting as open relay

  #1
    [SOLVED] Zimbra - acting as open relay

    Hi,

    This is my first thread. I have Zimbra configured as primary email server with valid DNS & MX records. I have not configured it as an Open Relay. But still I can see a lot of emails from/to domain "yahoo.com.tw" being relayed from my Zimbra server. I have no idea about this and need to stop this relaying immediately. I have not allowed anyone to relay. Please go through the information given below and suggest.

    System config -

    Software -
    Zimbra 6.0.2 community edition
    Red Hat Enterprise Linux 5

    Hardware -
    CPU - 4
    Ram - 4 GB
    HDD - 500 GB

    Network -
    NIC Cards - 1
    IP address - 192.168.xx.yyy/20
    DNS - 192.168.xx.yyy/20 (same machine)

    My firewall's internal NIC address is a part of the same subnet as that of the Zimbra server. I am using my firewall in NAT mode and have mapped a public IP address to the internal private IP address of the Zimbra server.

    Troubleshooting done so far -

    I had tried a few suggestions found in existing threads, like:

    MTA trusted networks - 127.0.0.0/8 192.168.xx.0/20

    was modified as

    MTA trusted networks - 127.0.0.0/8 192.168.xx.yyy/32

    After that the OPEN RELAY action was stopped, but as a side effect all incoming email traffic was stopped. This forced me to revert the changes.

    CURRENT STATUS -

    I have now managed to reduce the number of these relayed spam emails by using my hardware firewall policies. But (1) I need to eliminate them completely. (2) Open relay action has to be stopped asap.

    PLEASE SUGGEST.

    Thanks in advance

    Have a nice day !

    Milind Patil

    Team Leader - Technical

  #2
    phoenix (Zimbra Consultant & Moderator)

    Quote Originally Posted by milind.v.patil:
        This is my first thread. I have Zimbra configured as primary email server with valid DNS & MX records. I have not configured it as an Open Relay. But still I can see a lot of emails from/to domain "yahoo.com.tw" being relayed from my Zimbra server. I have no idea about this and need to stop this relaying immediately. I have not allowed anyone to relay.
    A default install of Zimbra does not act as an open relay unless you've modified it to do that; as you say you haven't, it won't be acting as an open relay.

    Have you tried any of the open relay test services on the internet? I'd suggest you try one (or as many as you like) then review their output.
    Regards

    Bill

    Acompli: A new adventure for Co-Founder KevinH.

  #3

    Hi Phoenix,

    I have done an open relay test on the internet and the results are as given below:

    Testing <domain name>...

    Connecting to <domain name> ...
    <<< 220 <server host name> ESMTP Postfix
    >>> HELO godfather.mob.net
    <<< 250 <server host name>
    >>> MAIL FROM:
    <<< 250 2.1.0 Ok
    >>> RCPT TO:
    <<< 250 2.1.5 Ok
    >>> DATA
    <<< 354 End data with <CR><LF>.<CR><LF>
    >>> (message body)
    <<< 250 2.0.0 Ok: queued as CC3212050414
    >>> QUIT
    <<< 221 2.0.0 Bye

    These results show that the server is acting as an Open Relay.

    Please suggest.

    Note - One of the probable reasons for the open relay action could be that my firewall's internal IP address is a part of my local subnet. This is what I think.

    Thanks,

    Milind Patil

  #4
    phoenix (Zimbra Consultant & Moderator)

    Run the following command on your mail server and post the full output here:

    Code:
    telnet rt.njabl.org 2500
    Regards

    Bill

    Acompli: A new adventure for Co-Founder KevinH.

  #5

    Hi Bill,

    The output is as given below:

    [root@01 ~]# telnet rt.njabl.org 2500
    Trying 69.28.95.130...
    Connected to rt.njabl.org (69.28.95.130).
    Escape character is '^]'.

    If you are excluded from testing, connect again on port 2501 to force the test.

    re-testing <Zimbra server public IP address>
    Net::SMTP>>> Net::SMTP(2.29)
    Net::SMTP>>> Net::Cmd(2.26)
    Net::SMTP>>> Exporter(5.58)
    Net::SMTP>>> IO::Socket::INET(1.27)
    Net::SMTP>>> IO::Socket(1.28)
    Net::SMTP>>> IO::Handle(1.24)
    <<< 220 <Zimbra server host name> ESMTP Postfix
    >>> EHLO rt.njabl.org
    <<< 250-<Zimbra server host name>
    <<< 250-PIPELINING
    <<< 250-SIZE 10240000
    <<< 250-VRFY
    <<< 250-ETRN
    <<< 250-STARTTLS
    <<< 250-ENHANCEDSTATUSCODES
    <<< 250-8BITMIME
    <<< 250 DSN
    >>> MAIL FROM:<relaytestsend@rt.njabl.org>
    <<< 250 2.1.0 Ok
    >>> RCPT TO:<relaytest@rr.njabl.org>
    <<< 250 2.1.5 Ok
    >>> DATA
    <<< 354 End data with <CR><LF>.<CR><LF>
    >>> X-RT-Subject: relaytest: <Zimbra server public IP address>
    >>> X-RT-From: relaytestsend@rt.njabl.org
    >>> X-RT-To: relaytest@rr.njabl.org
    >>> From: relaytestsend@rt.njabl.org
    >>> To: relaytest@rr.njabl.org
    >>> Message-id: <1258016031.1128.0@rt.njabl.org>
    >>> Subject: relaytest: <Zimbra server public IP address>
    >>> This is an automated test message for the purpose of finding and
    >>> adding open relays to our dnsbl. If you have any questions, see
    >>> njabl.org
    >>> -----BEGIN PGP MESSAGE-----
    >>> -----END PGP MESSAGE-----
    >>> .
    <<< 250 2.0.0 Ok: queued as 7E9C037B8001
    >>> QUIT
    <<< 221 2.0.0 Bye
    Connection closed by foreign host.

    Thanks,

    Milind Patil

  #6
    ArcaneMagus (Moderator)

    Quote Originally Posted by milind.v.patil:
        MTA trusted networks - 127.0.0.0/8 192.168.xx.0/20

        was modified as

        MTA trusted networks - 127.0.0.0/8 192.168.xx.yyy/32

        After that the OPEN RELAY action was stopped, but as a side effect all incoming email traffic was stopped. This forced me to revert the changes.
    What "incoming traffic" was stopped? The ONLY addresses that should be in that field should be the email server itself and any single machines you want to be able to relay messages.

    Client machines should NOT be in that list. They should be either using the web interface, or authenticating via a secure SMTP connection to send their messages.

  #7

    Hi,

    When I put 127.0.0.0/8 <zimbra server IP address>/32 in the MTA Trusted Networks tab, we do not receive any incoming emails from any domain.

    But when we put 127.0.0.0/8 <local IP address range>/subnet there, we start receiving emails.

    All users are using email services through web interface only.

    Thanks,

    Milind Patil
    Last edited by milind.v.patil; 11-12-2009 at 04:15 AM.

  #8
    maumar (Elite Member)

    Disable SMTP auth altogether, if your clients are using the Zimbra web interface to send emails.
    Further, post some excerpt of zimbra.log where we can see which IPs are abusing your server.

  #9

    1. As suggested, I have disabled SMTP auth altogether for now and restarted the server.

    2. Here is some sample data from the Zimbra log file:

    Nov 11 04:02:58 01 postfix/cleanup[4599]: 5411D205263C: message-id=<652556464076.7ssvlggnrhkk@yam.com>
    Nov 11 04:02:58 01 postfix/qmgr[11314]: 5411D205263C: from=<tvekgpr@gmail.com>, size=3508, nrcpt=1 (queue active)
    Nov 11 04:02:58 01 amavis[13688]: (13688-08) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20091111T032124-13688: <tvekgpr@gmail.com> -> <carou_bz@yahoo.com.tw> SIZE=3508 Received: from <Zimbra server host name> ([127.0.0.1]) by localhost (<Zimbra server host name> [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <carou_bz@yahoo.com.tw>; Wed, 11 Nov 2009 04:02:58 +0530 (IST)
    Nov 11 04:02:58 01 amavis[13688]: (13688-08) Checking: Q3yrGgJe9Bbu [<FIREWALL IP ADDRESS>] <tvekgpr@gmail.com> -> <carou_bz@yahoo.com.tw>
    Nov 11 04:02:58 01 postfix/smtpd[4578]: A0D36205266F: client=unknown[<FIREWALL IP ADDRESS>]
    Nov 11 04:02:59 01 postfix/smtpd[4593]: 4B5B820526CB: client=unknown[<FIREWALL IP ADDRESS>]
    Nov 11 04:02:59 01 postfix/cleanup[4569]: A0D36205266F: message-id=<opze258oy1i>
    Nov 11 04:02:59 01 postfix/qmgr[11314]: A0D36205266F: from=<sjzyyijj@yahoo.com>, size=3120, nrcpt=1 (queue active)
    Nov 11 04:02:59 01 amavis[2287]: (02287-12) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20091111T022930-02287: <sjzyyijj@yahoo.com> -> <carrey258456@yahoo.com.tw> SIZE=3120 Received: from <Zimbra server host name> ([127.0.0.1]) by localhost (<Zimbra server host name> [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <carrey258456@yahoo.com.tw>; Wed, 11 Nov 2009 04:02:59 +0530 (IST)
    Nov 11 04:02:59 01 amavis[2287]: (02287-12) Checking: xNJ0i1ZD0S9Q [<FIREWALL IP ADDRESS>] <sjzyyijj@yahoo.com> -> <carrey258456@yahoo.com.tw>
    Nov 11 04:02:59 01 postfix/smtpd[15292]: connect from unknown[<FIREWALL IP ADDRESS>]
    Nov 11 04:03:00 01 sendmail[12605]: nAAMWOIC012605: from=root, size=394, class=0, nrcpts=1, msgid=<200911102232.nAAMWOIC012605@<Zimbra server host name>>, relay=root@localhost
    Nov 11 04:03:00 01 postfix/smtpd[25250]: connect from localhost.localdomain[127.0.0.1]
    Nov 11 04:03:00 01 postfix/smtpd[4593]: lost connection after DATA (3455 bytes) from unknown[<FIREWALL IP ADDRESS>]

    Still the problem persists.
    Last edited by milind.v.patil; 11-12-2009 at 05:55 AM.
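    Added example, not code from the thread: a Python script that does what maumar asked for in #8 and applies ArcaneMagus's point from #6, scanning amavis "Checking:" lines in the format posted above for messages where neither sender nor recipient is a local domain, grouping them by client IP and reporting whether that client sits inside the MTA trusted networks. The sample log lines, the local domain example.com and the 192.168.48.0/20 trusted range are constructed, and 192.168.59.20 stands in for the redacted firewall address.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample lines in the amavis "Checking:" format from post #9.
# 192.168.59.20 stands in for the redacted <FIREWALL IP ADDRESS> (post #10
# asks about it); senders, recipients and queue ids are made up.
SAMPLE_LOG = """\
Nov 11 04:02:58 01 amavis[13688]: (13688-08) Checking: Q3yrGgJe9Bbu [192.168.59.20] <tvekgpr@gmail.com> -> <carou_bz@yahoo.com.tw>
Nov 11 04:02:59 01 amavis[2287]: (02287-12) Checking: xNJ0i1ZD0S9Q [192.168.59.20] <sjzyyijj@yahoo.com> -> <carrey258456@yahoo.com.tw>
Nov 11 04:03:00 01 amavis[2287]: (02287-13) Checking: aBcDeFgHiJkL [192.168.59.20] <partner@example.org> -> <user@example.com>
Nov 11 04:03:01 01 amavis[2287]: (02287-14) Checking: mNoPqRsTuVwX [127.0.0.1] <user@example.com> -> <friend@gmail.com>
"""
# Assumed site values: the local domain, and the MTA trusted networks as the
# poster first had them (post #1): a /20 that also contains the firewall.
LOCAL_DOMAINS = {"example.com"}
TRUSTED_NETWORKS = ["127.0.0.0/8", "192.168.48.0/20"]

CHECKING_RE = re.compile(
    r"amavis\[\d+\]: \(\S+\) Checking: \S+ \[([\d.]+)\] <([^>]*)> -> <([^>]*)>")

def parse_checking(line):
    """(client_ip, sender, recipient) from an amavis Checking: line, else None."""
    m = CHECKING_RE.search(line)
    return m.groups() if m else None

def domain_of(address):
    """Lower-cased domain part of an address ('' if it has none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def is_trusted(ip, networks=TRUSTED_NETWORKS):
    """True if the client address lies inside any MTA trusted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)

def find_relays(log_text, local_domains=LOCAL_DOMAINS, networks=TRUSTED_NETWORKS):
    """Per client IP, count messages where neither sender nor recipient is local:
    external-to-external is a relay, and a trusted client doing it is the bug."""
    relays = Counter()
    for line in log_text.splitlines():
        parsed = parse_checking(line)
        if parsed is None:
            continue
        client, sender, rcpt = parsed
        if domain_of(sender) in local_domains or domain_of(rcpt) in local_domains:
            continue
        relays[client] += 1
    return {ip: {"count": n, "trusted": is_trusted(ip, networks)}
            for ip, n in relays.items()}
```

    Run find_relays over your own zimbra.log text with your real domains and trusted-network list; a client that is both trusted and relaying external-to-external mail, as the firewall address is in the sample, is the entry that does not belong in the trusted networks.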

  #10
    maumar (Elite Member)

    Is 192.168.59.20 your firewall or a client on your LAN?
