  #11 (permalink)  
Old 01-29-2010, 12:24 PM
Intermediate Member
 
Posts: 21
Default Tested from Outside and still doing HELO-SPAM

#] telnet smtp.mydomain.com.br

220 smtp.mydomain.com.br ESMTP Postfix
helo none.net
250 smtp.mydomain.com.br
mail from:user@none.net
250 2.1.0 Ok
rcpt to:victim@hotmail.com
250 2.1.5 Ok
Data
354 End data with <CR><LF>.<CR><LF>
Teste de SPAMMER
.
250 2.0.0 Ok: queued as C277A6C029



That really sucks, huh? =\


PS: I've done that zimbra-user restart and everything was okay.
  #12 (permalink)  
Old 01-29-2010, 12:27 PM
Intermediate Member
 
Posts: 21
Default

As you wish, sir! =)

---
smtp:/# su - zimbra
zimbra@smtp:~$
zimbra@smtp:~$ zmprov gs `zmhostname` zimbraMtaMyNetworks
# name smtp.mydomain.com.br
zimbraMtaMyNetworks: 127.0.0.0/8 192.168.0.0/24
-----


and now what? =}
zimbra@smtp:~$
  #13 (permalink)  
Old 01-29-2010, 12:34 PM
Moderator
 
Posts: 7,928
Default

Do you have any other hosts relaying through your Zimbra server? If not, then remove the 192.168.0.0 IP range.
  #14 (permalink)  
Old 01-29-2010, 12:34 PM
Advanced Member
 
Posts: 205
Default

I had the same problem when I initially set up my Zimbra server.

I did the following as the zimbra user:
Code:
#!/bin/bash
ServerName="Your.mail.server.name"
# List the current settings
zmprov gas -v | grep MyNetwork
# Make the change.
# Note that zimbra is 10.168.30.60; the other 10.168.30.nn addresses use
# the zimbra server as a "SMART HOST" from sendmail.
# This sets only limited servers as "TRUSTED".
# My firewall at the time masked the external address of all incoming
# connections as its 10.168.30.* address.

zmprov modifyserver "$ServerName" zimbraMtaMyNetworks '127.0.0.0/8 10.168.30.60/32 10.168.30.7/32 10.168.30.22/32'

As the comments indicate, some firewalls NAT the external address to the firewall's internal NIC's IP, so in your case, if you have 192.168.0.0/24, everything is part of your "TRUSTED NETWORK".

Last edited by jrefl5; 01-29-2010 at 12:38 PM.. Reason: add test
  #15 (permalink)  
Old 01-29-2010, 12:35 PM
Intermediate Member
 
Posts: 21
Default More RELAY TESTS

Testing my relay on other sites - mxtoolbox


Results:
----------------------------------------------

220 smtp.cymimasa.com.br ESMTP Postfix


[ALERT] May be an open relay.
[OK] 0 seconds - Good on Connection time
[OK] 0.671 seconds - Good on Transaction time
[OK] OK - ***.***.***.165 resolves to smtp.mydomain.com.br
[OK] OK - Reverse DNS matches SMTP Banner

Session Transcript:
HELO please-read-policy.mxtoolbox.com
250 smtp.mydomain.com.br [156 ms]
MAIL FROM: <supertool@mxtoolbox.com>
250 2.1.0 Ok [172 ms]
RCPT TO: <test@example.com>
250 2.1.5 Ok [187 ms]
QUIT
221 2.0.0 Bye [156 ms]
reverse lookup smtp diag port scan blacklist

Reported by mxtoolbox.com on Friday, January 29, 2010 at 2:30:48 PM

--------------------------


Thanks again,

Daniel Nascimento
  #16 (permalink)  
Old 01-29-2010, 12:38 PM
Intermediate Member
 
Posts: 21
Default

Quote:
Originally Posted by uxbod View Post
Do you have any other hosts relaying through your Zimbra server? If not, then remove the 192.168.0.0 IP range.

I surely cannot do that, because this range is the only IP range set on my MTA server. And, just to test it, when I try to do that, Zimbra complains and doesn't allow me to remove that range.
  #17 (permalink)  
Old 01-29-2010, 12:44 PM
Intermediate Member
 
Posts: 21
Default Re-painting the Scenery

a New map:



[ WORLD WIDE WEB ]
|
|___ {my ISP } ***.***.***.161 = router IP

|
| ***.***.***.165
[ FIREWALL ]
|192.168.0.1/24
|
[ and now- cry -> SERVERS AND USER'S LAN! ] 192.168.0.0/24
[ including my MTA - 192.168.0.4 ]



And that's why I THINK I'm getting through with OPEN RELAY - because the old sysadmins didn't care much about creating a DMZ and figured that putting everything on the same LAN IP address was great. -.-'

DMZ - is this the most likely solution? Well, putting my SERVERS on another range so that routed IPs are not allowed into the trusted network? Like 172.16? And make only a trusted net inside that?

Thanks a lot!!!!!!!

=D
  #18 (permalink)  
Old 01-29-2010, 12:46 PM
Advanced Member
 
Posts: 205
Default

Nascimento,
if you use the command in the code above and change it to read:
zmprov modifyserver "$ServerName" zimbraMtaMyNetworks '127.0.0.0/8 192.168.0.IP/32'
where IP is the address of your Zimbra server, it should help, and will work.
  #19 (permalink)  
Old 01-29-2010, 12:59 PM
Intermediate Member
 
Posts: 21
Default

Quote:
Originally Posted by jrefl5 View Post
Nascimento,
if you use the command in the code above and change it to read:
zmprov modifyserver "$ServerName" zimbraMtaMyNetworks '127.0.0.0/8 192.168.0.IP/32'
where IP is the address of your Zimbra server, it should help, and will work.

THANK YOU SOOO MUCH - by the time you were replying with that, I had solved it per your request.


220 smtp.mydomain.com.br ESMTP Postfix
helo spammer.org
250 smtp.mydomain.com.br
mail from:spammer@spammer.org
250 2.1.0 Ok
rcpt to:crynow@hotmail.com
554 5.7.1 <crynow@hotmail.com>: Relay access denied

Thank you very much!
Many thanks!

Daniel Nascimento
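
An added example, not part of any post in this thread: a small audit of zimbraMtaMyNetworks that shows why the /24 made the server relay for outside clients once the firewall rewrote their source address, and why the /32 fix closed it. It assumes the firewall presents inbound connections from its LAN address 192.168.0.1 (taken from the map in post #17); the function names are hypothetical and the `zmprov` output strings are constructed from the values quoted above.

```python
import ipaddress

def parse_mynetworks(zmprov_output):
    """Pull the CIDR list out of `zmprov gs <host> zimbraMtaMyNetworks` output."""
    for line in zmprov_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "zimbraMtaMyNetworks":
            # Postfix writes IPv6 entries as [addr]/len; drop the brackets.
            return [ipaddress.ip_network(t.replace("[", "").replace("]", ""),
                                         strict=False)
                    for t in value.split()]
    raise ValueError("zimbraMtaMyNetworks not found")

def is_trusted(source_ip, networks):
    """True if a connection seen from source_ip matches a trusted network."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in net for net in networks)

def audit(networks, nat_source_ip):
    """Flag entries that extend relay trust beyond loopback and single hosts."""
    nat_ip = ipaddress.ip_address(nat_source_ip)
    findings = []
    for net in networks:
        if net.is_loopback:
            continue
        if nat_ip in net:
            # Every Internet client arrives with this address, so all may relay.
            findings.append((str(net), "HIGH",
                             "covers the firewall's NAT address"))
        elif net.num_addresses > 1:
            findings.append((str(net), "REVIEW",
                             "whole range may relay; list real clients only"))
    return findings

# Constructed sample input based on the values posted in the thread.
FIREWALL_LAN_IP = "192.168.0.1"   # assumption: source address seen by the MTA
BEFORE = ("# name smtp.mydomain.com.br\n"
          "zimbraMtaMyNetworks: 127.0.0.0/8 192.168.0.0/24\n")
AFTER = ("# name smtp.mydomain.com.br\n"
         "zimbraMtaMyNetworks: 127.0.0.0/8 192.168.0.4/32\n")

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        nets = parse_mynetworks(text)
        print(label, "NAT address trusted:", is_trusted(FIREWALL_LAN_IP, nets))
        for finding in audit(nets, FIREWALL_LAN_IP):
            print("  ", finding)
```

Run the same check against any other host that is later added as a smart-host client: a single /32 per client keeps the trusted set from ever including the firewall's own address.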