Zimbra offers Open Source email server software and shared calendar for Linux and the Mac
#1  11-11-2009, 11:16 PM  Member (Posts: 9)
[SOLVED] Zimbra - acting as open relay

Hi,

This is my first thread. I have Zimbra configured as primary email server with valid DNS & MX records. I have not configured it as an Open Relay. But still I can see a lot of emails from/to domain "yahoo.com.tw" being relayed from my Zimbra server. I have no idea for this and need to stop this relaying immediately. I have not allowed anyone to relay. Please go through the information given below and suggest.

System config -

Software -
Zimbra 6.0.2 community edition
Red Hat Enterprise Linux 5

Hardware -
CPU - 4
Ram - 4 GB
HDD - 500 GB

Network -
NIC Cards - 1
IP address - 192.168.xx.yyy/20
DNS - 192.168.xx.yyy/20 (same machine)

My firewall's internal NIC address is a part of the same subnet as that of the Zimbra server. I am using my firewall in NAT mode and have mapped a public ip address to internal private ip address of Zimbra server.

Troubleshooting done so far -

I had tried few suggestions found in existing threads like -

MTA trusted networks - 127.0.0.0/8 192.168.xx.0/20

was modified as

MTA trusted networks - 127.0.0.0/8 192.168.xx.yyy/32

After that OPEN RELAY action was stopped, but as a side effect all incoming email traffic was stopped. This forced me to revert back the changes.

CURRENT STATUS -

I have now managed to reduce the number of these relayed spam emails by using my hardware firewall policies. But (1) I need to eliminate them completely. (2) Open relay action has to be stopped asap.

PLEASE SUGGEST.

Thanks in advance

Have a nice day !

Milind Patil

Team Leader - Technical
#2  11-11-2009, 11:23 PM  Zimbra Consultant & Moderator (Posts: 20,312)

Quote: Originally Posted by milind.v.patil
This is my first thread. I have Zimbra configured as primary email server with valid DNS & MX records. I have not configured it as an Open Relay. But still i can see a lot of emails from/to domain "yahoo.com.tw" being relayed from my zimbra server. I have no idea for this and need to stop this relaying immediately. I have not allowed anyone to relay.
A default install of Zimbra does not act as an open relay unless you've modified it to do that; as you say you haven't, it won't be acting as an open relay.

Have you tried any of the open relay test services on the internet? I'd suggest you try one (or as many as you like) then review their output.
Regards
Bill

#3  11-11-2009, 11:57 PM  Member (Posts: 9)

Hi Phoenix,

I have done an open relay test on internet and the results are as given below-

Testing <domain name>...

Connecting to <domain name> ...
<<< 220 <server host name> ESMTP Postfix
>>> HELO godfather.mob.net
<<< 250 <server host name>
>>> MAIL FROM:
<<< 250 2.1.0 Ok
>>> RCPT TO:
<<< 250 2.1.5 Ok
>>> DATA
<<< 354 End data with .
>>> (message body)
<<< 250 2.0.0 Ok: queued as CC3212050414
>>> QUIT
<<< 221 2.0.0 Bye

These results show that the server is acting as an Open Relay.

Please suggest.

Note - One of the probable reasons for the open relay action could be - my firewall internal IP address is a part of my local subnet. This is what I think.

Thanks,

Milind Patil
#4  11-12-2009, 12:50 AM  Zimbra Consultant & Moderator (Posts: 20,312)

Run the following command on your mail server and post the full output here:

Code:
telnet rt.njabl.org 2500
Regards
Bill

#5  11-12-2009, 12:55 AM  Member (Posts: 9)

Hi Bill,

The output is as given below -

[root@01 ~]# telnet rt.njabl.org 2500
Trying 69.28.95.130...
Connected to rt.njabl.org (69.28.95.130).
Escape character is '^]'.

If you are excluded from testing, connect again on port 2501 to force the test.

re-testing <Zimbra server public IP address>
Net::SMTP>>> Net::SMTP(2.29)
Net::SMTP>>> Net::Cmd(2.26)
Net::SMTP>>> Exporter(5.58)
Net::SMTP>>> IO::Socket::INET(1.27)
Net::SMTP>>> IO::Socket(1.28)
Net::SMTP>>> IO::Handle(1.24)
<<< 220 <Zimbra server host name> ESMTP Postfix
>>> EHLO rt.njabl.org
<<< 250-<Zimbra server host name>
<<< 250-PIPELINING
<<< 250-SIZE 10240000
<<< 250-VRFY
<<< 250-ETRN
<<< 250-STARTTLS
<<< 250-ENHANCEDSTATUSCODES
<<< 250-8BITMIME
<<< 250 DSN
>>> MAIL FROM:<relaytestsend@rt.njabl.org>
<<< 250 2.1.0 Ok
>>> RCPT TO:<relaytest@rr.njabl.org>
<<< 250 2.1.5 Ok
>>> DATA
<<< 354 End data with <CR><LF>.<CR><LF>
>>> X-RT-Subject: relaytest: <Zimbra server public IP address>
>>> X-RT-From: relaytestsend@rt.njabl.org
>>> X-RT-To: relaytest@rr.njabl.org
>>> From: relaytestsend@rt.njabl.org
>>> To: relaytest@rr.njabl.org
>>> Message-id: <1258016031.1128.0@rt.njabl.org>
>>> Subject: relaytest: <Zimbra server public IP address>
>>> This is an automated test message for the purpose of finding and
>>> adding open relays to our dnsbl. If you have any questions, see
>>> njabl.org
>>> -----BEGIN PGP MESSAGE-----

>>> hQEOA6y+u+WccJSVEAP9Ew7bqRfjkiA9jk17yuFUIexxFQzBRX PoJwyvvhYFQxKE
>>> Bk913qjhLpAc/G94+Ao2uqJXUGpulWaKORQ0DQuEToDycazuOWAM3c0fjKalS61 Q
>>> YnOMr8cz+LEhP6Wb0cIO0dPkF8qvXbSXYwzUha3kX+QJWjoyUu WpDXeQxZTgkNAD
>>> /0f6oMFJ3Zbn2tztc266Yg1WaXL6rqZibMjL9wpsMRidoZ8PZuK r6970HtAZWTDy
>>> OYbW5i4VcmdI7r/U+ZMu0SDROmwAieZlW/z9431/wuNVHXhE6/09CDNTi4UZTdVP
>>> QBxVB+88mMF14OQhukEPu4y05SAOsLibzHEf/tD6UMjK0qkBu3Z3vo5fGX+jR6f6
>>> bXh5Pt1HwYFXBAG/QbWjFzVmSRWsS2S/WckR13XXa0m79wYN9Hyl+ldwGh/+ZVXK
>>> y78A4TSaaD7lY1UQtk7FL3HXSC5ZfmDFBjA9XfTvsF9nQi2d6C eX70FWNkL+BnVH
>>> DB6Uma4kI2/w3v/fID/WCoz8ok5u7ifor2mNabsKq5RmsNoECCnlpXU8sr7ZyQMP
>>> p+UVX6nd1JHZr5QK
>>> =sp0o
>>> -----END PGP MESSAGE-----
>>> .
<<< 250 2.0.0 Ok: queued as 7E9C037B8001
>>> QUIT
<<< 221 2.0.0 Bye
Connection closed by foreign host.

Thanks,

Milind Patil
#6  11-12-2009, 01:32 AM  Moderator (Posts: 1,147)

Quote: Originally Posted by milind.v.patil
MTA trusted networks - 127.0.0.0/8 192.168.xx.0/20

was modified as

MTA trusted networks - 127.0.0.0/8 192.168.xx.yyy/32

After that OPEN RELAY action was stopped, but as a side effect all incoming email traffic was stopped. this forced me to revert back the changes.
What "incoming traffic" was stopped? The ONLY addresses that should be in that field should be the email server itself and any single machines you want to be able to relay messages.

Client machines should NOT be in that list. They should be either using the web interface, or authenticating via a secure SMTP connection to send their messages.
#7  11-12-2009, 02:42 AM  Member (Posts: 9)

Hi,

When I put 127.0.0.0/8 <zimbra server ip address>/32 in the MTA Trusted networks tab, we do not receive any incoming emails from any domain.

But when we put 127.0.0.0/8 <local ip address range>/subnet there, we start receiving emails.

All users are using email services through web interface only.

Thanks,

Milind Patil

Last edited by milind.v.patil; 11-12-2009 at 03:15 AM..
#8  11-12-2009, 03:16 AM  Elite Member (Posts: 296)

Disable SMTP auth at all, if your clients are using the Zimbra web interface to send emails.
Further, post some excerpt of zimbra.log where we can see which IPs are abusing your server.
#9  11-12-2009, 04:48 AM  Member (Posts: 9)

1. As suggested, I have disabled SMTP auth at all for now and restarted the server.

2. Here is some sample data from Zimbra log file -

Nov 11 04:02:58 01 postfix/cleanup[4599]: 5411D205263C: message-id=<652556464076.7ssvlggnrhkk@yam.com>
Nov 11 04:02:58 01 postfix/qmgr[11314]: 5411D205263C: from=<tvekgpr@gmail.com>, size=3508, nrcpt=1 (queue active)
Nov 11 04:02:58 01 amavis[13688]: (13688-08) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20091111T032124-13688: <tvekgpr@gmail.com> -> <carou_bz@yahoo.com.tw> SIZE=3508 Received: from <Zimbra server host name> ([127.0.0.1]) by localhost (<Zimbra server host name> [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <carou_bz@yahoo.com.tw>; Wed, 11 Nov 2009 04:02:58 +0530 (IST)
Nov 11 04:02:58 01 amavis[13688]: (13688-08) Checking: Q3yrGgJe9Bbu [<FIREWALL IP ADDRESS>] <tvekgpr@gmail.com> -> <carou_bz@yahoo.com.tw>
Nov 11 04:02:58 01 postfix/smtpd[4578]: A0D36205266F: client=unknown[<FIREWALL IP ADDRESS>]
Nov 11 04:02:59 01 postfix/smtpd[4593]: 4B5B820526CB: client=unknown[<FIREWALL IP ADDRESS>]
Nov 11 04:02:59 01 postfix/cleanup[4569]: A0D36205266F: message-id=<opze258oy1i>
Nov 11 04:02:59 01 postfix/qmgr[11314]: A0D36205266F: from=<sjzyyijj@yahoo.com>, size=3120, nrcpt=1 (queue active)
Nov 11 04:02:59 01 amavis[2287]: (02287-12) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20091111T022930-02287: <sjzyyijj@yahoo.com> -> <carrey258456@yahoo.com.tw> SIZE=3120 Received: from <Zimbra server host name> ([127.0.0.1]) by localhost (<Zimbra server host name> [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <carrey258456@yahoo.com.tw>; Wed, 11 Nov 2009 04:02:59 +0530 (IST)
Nov 11 04:02:59 01 amavis[2287]: (02287-12) Checking: xNJ0i1ZD0S9Q [<FIREWALL IP ADDRESS>] <sjzyyijj@yahoo.com> -> <carrey258456@yahoo.com.tw>
Nov 11 04:02:59 01 postfix/smtpd[15292]: connect from unknown[<FIREWALL IP ADDRESS>]
Nov 11 04:03:00 01 sendmail[12605]: nAAMWOIC012605: from=root, size=394, class=0, nrcpts=1, msgid=<200911102232.nAAMWOIC012605@<Zimbra server host name>>, relay=root@localhost
Nov 11 04:03:00 01 postfix/smtpd[25250]: connect from localhost.localdomain[127.0.0.1]
Nov 11 04:03:00 01 postfix/smtpd[4593]: lost connection after DATA (3455 bytes) from unknown[<FIREWALL IP ADDRESS>]

Still the problem persists.

Last edited by milind.v.patil; 11-12-2009 at 04:55 AM..
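The point posts #6 and #9 together make is that the relay is not a Postfix bug: the NAT firewall presents every outside connection with its own internal address, and a /20 in the MTA trusted networks list makes that address trusted, so permit_mynetworks accepts mail for any destination. The following script, an added example that is not code from this thread or from Zimbra, parses amavis "Checking:" log lines of the shape shown in post #9 and classifies each message under both trusted-network settings the original poster tried. All concrete addresses are assumptions: the thread redacts its LAN as 192.168.xx.0/20 and the firewall as <FIREWALL IP ADDRESS>, and post #10 mentions 192.168.59.20, so the sample uses 192.168.48.0/20 (which contains 192.168.59.20) for the LAN, 192.168.59.20 for the firewall, 192.168.59.10 for the Zimbra host, and example.com as the only local domain. The verdicts model only permit_mynetworks plus reject_unauth_destination; SASL-authenticated relaying (post #8) is not modelled.

```python
"""Classify amavis 'Checking:' log records by whether the connecting client
falls inside the configured trusted networks and whether the recipient
domain is local. Added example; all addresses below are constructed."""
import ipaddress
import re
from collections import Counter

# Domains this server is the final destination for (assumption).
LOCAL_DOMAINS = {"example.com"}

# The two trusted-network values from the thread with placeholders filled in
# (192.168.48.0/20 and 192.168.59.10 are assumptions, not from the thread).
MYNETWORKS_WIDE = "127.0.0.0/8 192.168.48.0/20"
MYNETWORKS_NARROW = "127.0.0.0/8 192.168.59.10/32"

# Constructed log lines modelled on post #9. 192.168.59.20 plays the firewall's
# inside address; 127.0.0.1 is mail submitted through the webmail interface.
SAMPLE_LOG = """\
Nov 11 04:02:58 01 amavis[13688]: (13688-08) Checking: Q3yrGgJe9Bbu [192.168.59.20] <tvekgpr@gmail.com> -> <carou_bz@yahoo.com.tw>
Nov 11 04:02:59 01 amavis[2287]: (02287-12) Checking: xNJ0i1ZD0S9Q [192.168.59.20] <sjzyyijj@yahoo.com> -> <carrey258456@yahoo.com.tw>
Nov 11 04:03:10 01 amavis[2287]: (02287-13) Checking: aB3dEf9GhIjK [192.168.59.20] <partner@gmail.com> -> <alice@example.com>
Nov 11 04:03:12 01 amavis[2287]: (02287-14) Checking: zZ1yY2xX3wW4 [127.0.0.1] <alice@example.com> -> <bob@yahoo.com.tw>
"""

# amavis logs the connecting client in brackets, then <sender> -> <recipient>.
CHECKING_RE = re.compile(
    r"Checking: \S+ \[([0-9a-fA-F.:]+)\] <([^>]*)> -> <([^>]*)>"
)


def parse_networks(value):
    """Turn the space-separated trusted-networks string into network objects."""
    return [ipaddress.ip_network(n, strict=False) for n in value.split()]


def is_trusted(ip, networks):
    """True when the client address is covered by any trusted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def is_local_recipient(rcpt):
    """True when the recipient's domain is one we accept final delivery for."""
    return rcpt.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS


def classify(line, networks):
    """Return a record with a verdict, or None for lines that are not
    'Checking:' records.  Verdicts: inbound (local recipient, always accepted),
    relay-accepted (foreign recipient but trusted client), relay-rejected
    (foreign recipient from an untrusted client: reject_unauth_destination)."""
    m = CHECKING_RE.search(line)
    if not m:
        return None
    client, sender, rcpt = m.groups()
    if is_local_recipient(rcpt):
        verdict = "inbound"
    elif is_trusted(client, networks):
        verdict = "relay-accepted"
    else:
        verdict = "relay-rejected"
    return {"client": client, "sender": sender, "rcpt": rcpt, "verdict": verdict}


def summarize(log, mynetworks):
    """Count verdicts over a log excerpt for one trusted-networks setting."""
    nets = parse_networks(mynetworks)
    counts = Counter()
    for line in log.splitlines():
        rec = classify(line, nets)
        if rec:
            counts[rec["verdict"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for label, value in (("wide", MYNETWORKS_WIDE), ("narrow", MYNETWORKS_NARROW)):
        print(f"{label:6} {value:32} {summarize(SAMPLE_LOG, value)}")
```

Run against a real /var/log/zimbra.log excerpt, the interesting rows are those where the client is the firewall's inside address and the verdict flips from relay-accepted to relay-rejected when the /20 is narrowed to the server's own /32: those are exactly the messages the original poster saw going to yahoo.com.tw. The webmail row (127.0.0.1) stays relay-accepted under both settings, which is the expected behaviour for mail submitted through the web interface.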
#10  11-12-2009, 06:16 AM  Elite Member (Posts: 296)

192.168.59.20 is your firewall or a client on your lan?