  #1 (permalink)  
Old 01-29-2010, 11:10 AM
Intermediate Member
 
Posts: 21
[SOLVED] Zimbra Behind Firewall Acting as an OPEN RELAY

Hya!
I'm getting strange behavior from Zimbra when I look into this network structure of my client; Zimbra is behind a NAT, everything is forwarded as expected and works just fine - but strangely, Zimbra is starting to act as an Open Relay (?).

Everything that came to Zimbra, came from firewall with internal ip; Example:

200.68.123.1 <---external [] firewall internal IP. ----> 192.168.0.1 ---> 192.168.0.2 [Zimbra server]

As it is FORWARDING, I dunno if it has to do with the "trusted networking" being configured wrong or if it is the DMZ (that they DO NOT have - everything is on the LAN network, in the example: 192.168.0.0/24 - including NAT-FORWARD SERVERS).

Does anybody have any tips about making my client's Zimbra stop acting as an open relay?
Reply With Quote
  #2 (permalink)  
Old 01-29-2010, 11:15 AM
Zimbra Consultant & Moderator
 
Posts: 19,617

Have you actually tested it to see if it's an open relay? Why do you think it's an open relay? You'll need to post some evidence to substantiate what you're saying (such as headers from some email). What's happening to this email (is it in the queues or is it being sent out)? Have you checked to see if any of the accounts have been compromised? Have you searched the forums for some further information? This subject has been covered recently.
__________________
Regards


Bill
Reply With Quote
  #3 (permalink)  
Old 01-29-2010, 11:38 AM
Intermediate Member
 
Posts: 21
Yeap, I've done that...

I've checked if it is really an open relay - and I'm already listed on najsbl.org because of that wrong behavior.

I was not the one that built Zimbra on that client, but I'm the one that must solve that problem - lol


-- RELAY TEST --
Mail relay testing
Connecting to ***.***.***.*** for relay test...
<<< 220 smtp.mydomain.com.br ESMTP Postfix
>>> HELO antispam-ufrj.pads.ufrj.br
<<< 250 smtp.mydomain.com.br
Relay test 1
>>> RSET
<<< 250 2.0.0 Ok
>>> MAIL FROM:<spamtest@antispam-ufrj.pads.ufrj.br>
<<< 250 2.1.0 Ok
>>> RCPT TO:<relaytest@antispam-ufrj.pads.ufrj.br>
<<< 250 2.1.5 Ok

>>> QUIT
<<< 221 2.0.0 Bye
Relay test result
Ops!!! Host appeared to accept a message relay!

-- EOF --


I know that Zimbra doesn't behave itself as an open relay - all I'm saying is that something must be making Zimbra act as one. Maybe a misconfiguration - or, as I'm in doubt: every e-mail that comes from the World Wide Web is hitting my MTA with the internal IP from the firewall. I think it was supposed to sustain the valid IP, as it is being forwarded - right?

Sooo - if everything comes from the firewall hitting my MTA on SMTP port 25 - it is on my trusted network, right?

How to solve that without changing my client's entire hack by putting in a freaking DMZ (where it had to be in the first place - I know.. don't shoot me.)

I'm already listed in some blacklists as an open relay.

----------------------------
Note: The other freak sys admin installed Gentoo Linux, then put Zimbra into a chroot dir with Debian 4.
Plz - Don't ask me why.
-----------------------------


I'm just trying to fix that to WORK, just in time for my new blade server to come in, and then EVERYTHING will be normally (re)installed as it's recommended by all the nice people at ZIMBRA. lol again.

- I look to the network design again, and I've stopped a moment just to cry alone in the bathroom.. ow my... -
Reply With Quote
  #4 (permalink)  
Old 01-29-2010, 11:43 AM
Moderator
 
Posts: 7,911

Code:
su - zimbra
zmprov gs `zmhostname` zimbraMtaMyNetworks
and check what it has been set to. I am guessing that it is wide open, hence allowing others to relay through it.
__________________
Reply With Quote
  #5 (permalink)  
Old 01-29-2010, 11:44 AM
Zimbra Consultant & Moderator
 
Posts: 19,617

If the firewall external IP is in the Trusted Networks then that's most likely your problem. Look at the ZimbraMtaMyNetworks settings and ensure that only the loopback IP (that must stay) and the LAN subnet (that shouldn't cause you any problem) are in there; if there's anything else then remove it - tell us what's in there.
__________________
Regards


Bill
Reply With Quote
  #6 (permalink)  
Old 01-29-2010, 11:51 AM
Intermediate Member
 
Posts: 21
That was it, Bill!

Thnkx for the support!

They had set my external IP in the mynetworks setup.

Well - very nice of you guys to answer it very fast and SOOO sorry about my really bad English. I've learned that by myself... lol a lot.



See yah!
Reply With Quote
  #7 (permalink)  
Old 01-29-2010, 01:03 PM
Intermediate Member
 
Posts: 21

Ooooops!

Sorry to bother again with that topic - but my MTA is still accepting any HELO command and queueing any mail.

Example:.
smtp.mydomain.com.br = my client smtp
damm.spammer.net = that ****les -.-

#] telnet smtp.mydomain.com.br 25

220 smtp.mydomain.com.br ESMTP Postfix
helo damm.spammer.net
250 smtp.mydomain.com
mail from: virus@damm.spammer.net
250 2.1.0 OK
rcpt to: crynow@hotmail.com
250 2.1.0 OK
Data
354 End data with <CR><LF>.<CR><LF>
Smile, you have been spammed!
try finding the ANY KEY now to stop it!
.
250 2.0.0 Ok: queued as 0D0426E4D4




Curse you, Old-Sys-Admin! .
..
Could u guys help me out? Maybe it is something else TOO - besides the valid IP address in the trusted networks. -.-'

------------------
Thnkx!
Daniel Nascimento


PS: Yeap - I'm really thinking about rebuilding a brand new Zimbra MTA. =\
Reply With Quote
  #8 (permalink)  
Old 01-29-2010, 01:11 PM
Moderator
 
Posts: 7,911

Did they restart ZCS once the change was made?
Code:
su - zimbra
zmmtactl stop ; zmmtactl start
__________________
Reply With Quote
  #9 (permalink)  
Old 01-29-2010, 01:13 PM
Intermediate Member
 
Posts: 21

I've used the binary located in /etc/init.d/ called zimbra.

#] /etc/init.d/zimbra restart

I will try that one... thnkx!


Later!!!
Reply With Quote
  #10 (permalink)  
Old 01-29-2010, 01:20 PM
Moderator
 
Posts: 7,911

That should be okay then as that completely restarts Zimbra. Please post the following so we can help further
Code:
su - zimbra
zmprov gs `zmhostname` zimbraMtaMyNetworks
__________________
Reply With Quote
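
An added example, not part of the thread and not Zimbra's own tooling: a Python check over the zimbraMtaMyNetworks line that the zmprov command above returns. It flags entries outside loopback and the LAN subnet, and reports whether a given client address, as the MTA sees it, would be treated as trusted. The attribute values, the LAN subnet argument and the 203.0.113.7 client are constructed samples.

```python
import ipaddress

ATTR = "zimbraMtaMyNetworks:"

# Constructed samples of the attribute line; the real values are not shown in
# the thread. 200.68.123.1 is the firewall's external address from post #1.
BEFORE = "zimbraMtaMyNetworks: 127.0.0.0/8 192.168.0.0/24 200.68.123.1/32"
AFTER = "zimbraMtaMyNetworks: 127.0.0.0/8 192.168.0.0/24"


def parse_mynetworks(text):
    """Return the networks on the zimbraMtaMyNetworks line of zmprov output."""
    nets = []
    for line in text.splitlines():
        if line.startswith(ATTR):
            for tok in line[len(ATTR):].replace(",", " ").split():
                # Postfix writes IPv6 entries as [::1]/128; drop the brackets.
                tok = tok.replace("[", "").replace("]", "")
                nets.append(ipaddress.ip_network(tok, strict=False))
    return nets


def audit(text, lan):
    """List entries that are neither loopback nor inside the LAN subnet."""
    lan_net = ipaddress.ip_network(lan)
    flagged = []
    for net in parse_mynetworks(text):
        inside_lan = net.version == lan_net.version and net.subnet_of(lan_net)
        if not (net.is_loopback or inside_lan):
            flagged.append(str(net))
    return flagged


def trusted(text, client_ip):
    """True if the address the MTA sees matches an entry (permit_mynetworks)."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in parse_mynetworks(text))


if __name__ == "__main__":
    print("extra entries before fix:", audit(BEFORE, "192.168.0.0/24"))
    print("extra entries after fix: ", audit(AFTER, "192.168.0.0/24"))
    # 203.0.113.7 is a constructed Internet client (documentation range).
    print("real source IP preserved:", trusted(AFTER, "203.0.113.7"))
    # If the firewall rewrites the source address, the MTA sees 192.168.0.1.
    print("source rewritten by NAT: ", trusted(AFTER, "192.168.0.1"))
```

The last case is the one raised in post #3: if the firewall replaces the source address, every forwarded client matches the LAN entry, so the address to test is the one recorded in the MTA's own logs.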