  #11 (permalink)  
Old 08-15-2009, 05:51 AM
Outstanding Member
 
Posts: 684
Default mail delivery

Quote:
Originally Posted by sgatto View Post
. Seems like zimbra accepts rcpt to without asking for authentication.
Leonardo
As Phoenix said, this is what mail servers do. The issue then becomes where is the e-mail to be delivered. It will only deliver locally from an unauthenticated connection. That is how someone else sends mail to one of your users. It will not, if configured properly, send mail to someone external, or in other words, relay.
Reply With Quote
  #12 (permalink)  
Old 08-15-2009, 10:23 AM
New Member
 
Posts: 4
Default

Quote:
Originally Posted by phoenix View Post
Of course it accepts the connection without authentication, that's what mail servers do on port 25 - they accept connections from other mail servers and do not need authentication for that.

Nothing is wrong with that, the output from that test should also show the 'Relay access is denied'. Zimbra is not, by default, an open relay unless you've made it one.
Sorry, I'm relatively new to email transport systems. Please take this post as a help request, not something against zimbra (which I'm evaluating for my company).

I made a handmade test. From a remote host I telnet my zimbra on 25 and after this sequence:

helo ....
mail from...
rcpt to...
data
.

zimbra accepted my email. From the admin console I can see this email (I paused it) and here is the screenshot (it's in italian). Obviously my domain is not super.com or poor.com but it is ciavatta.hopto.org (a no-ip.com test domain, created for this zimbra evaluation).

Now, I'm running ubuntu (ubuntu-8.04.3-server-i386.iso) and zimbra CS (zcs-5.0.18_GA_3011.UBUNTU8.20090708092550.tgz). I don't think I have changed something in zimbra configuration. But, as I'm human and not perfect, maybe this is my mistake. Can you guys please help me locating my conf mistake? I'll post here all of my configuration files, just say what.

Thanks in advance,
Leonardo.
Reply With Quote
  #13 (permalink)  
Old 08-18-2009, 02:49 AM
Moderator
 
Posts: 927
Default

I think postfix is configured to trust the local network, so it won't matter what domain you say you are if you have physical access.
Reply With Quote
  #14 (permalink)  
Old 08-18-2009, 03:09 AM
Zimbra Consultant & Moderator
 
Posts: 19,633
Default

Quote:
Originally Posted by sgatto View Post
Sorry, I'm relatively new to email transport systems. Please take this post as a help request, not something against zimbra (which I'm evaluating for my company).
I didn't think it was anything against Zimbra.

When you did the open relay test did it say that relaying was denied or not? When you did your test above, what errors for that message did you see in the log files? When you did your 'handmade' test did you send an email to an external domain, was the test done from an IP address on your LAN? Without details of your domain name and server IP it's impossible for us to verify what you're saying (or trying to do) is correct.

As mentioned earlier, by default Zimbra will not act as an open relay. By default, for any user on the LAN IP (Trusted Networks) Zimbra will relay mail to anywhere (that's normal). Without details it's impossible to tell if you have a problem or if you are misunderstanding what's happening.

Go to this page: Open Relay Test enter the IP address of your mail server and look at the results. They should almost all say "Relay access denied" and the others should tell you what restrictions there are on your server. Let us know what happens with that test.
__________________
Regards


Bill
Reply With Quote
  #15 (permalink)  
Old 06-16-2010, 01:55 PM
New Member
 
Posts: 4
Default

I too almost jumped out of my skin when I noticed this email sending behavior!! It was then that I recalled seeing the "trusted networks" configuration in the web interface and thought "oh... maybe it's that" then I went to another box on an outside IP address and used telnet to attempt to send email through my Zimbra box. It failed. *WHEW!*

Now, for those who are worried, I would recommend removing the trusted network or at least limiting that network to having a network of /32 (hostmask 255.255.255.255). In this way you would eliminate all but localhost and your local host's IP address. I haven't tested this though...

Presently, I am trying to work through SMTP AUTH issues. What I would like is for all SMTP to come through encrypted and that SMTP AUTH be encrypted. I'm sure it can be done and I'm sure the information is in here or out there somewhere.
Reply With Quote
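How to read the result of a hand-made relay test, given the behaviour described in posts #11, #14 and #15 (local delivery accepted from anyone, relaying only for trusted networks). This is an added example, not code from the thread or from Zimbra/Postfix; the function names, addresses and domains are constructed for illustration.

```python
import ipaddress

def expected_decision(client_ip, rcpt, local_domains, trusted_networks):
    """Model of the policy described in the thread (not Postfix's own code)."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in {d.lower() for d in local_domains}:
        return "deliver-local"      # anyone may send mail to a local user
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(n, strict=False) for n in trusted_networks):
        return "relay-trusted"      # trusted networks may relay anywhere
    return "reject"                 # server should answer "Relay access denied"

def assess(rcpt_code, client_ip, rcpt, local_domains, trusted_networks):
    """Compare the reply code seen after RCPT TO with what the policy predicts."""
    expected = expected_decision(client_ip, rcpt, local_domains, trusted_networks)
    accepted = 200 <= rcpt_code < 300
    if accepted and expected == "reject":
        return "open-relay"         # outsider was allowed to relay
    if not accepted and expected != "reject":
        return "unexpected-reject"  # legitimate mail is being refused
    return "ok:" + expected

# Constructed sample values (documentation address ranges, not from the thread).
LOCAL = ["example.test"]
TRUSTED = ["127.0.0.0/8", "192.0.2.0/24"]      # loopback plus the whole LAN
NARROWED = ["127.0.0.0/8", "192.0.2.10/32"]    # loopback plus the server itself

if __name__ == "__main__":
    cases = [
        (250, "203.0.113.5", "user@example.test", TRUSTED),    # outsider to local user
        (554, "203.0.113.5", "a@elsewhere.example", TRUSTED),  # outsider, relay denied
        (250, "192.0.2.44", "a@elsewhere.example", TRUSTED),   # LAN host relays
        (250, "203.0.113.5", "a@elsewhere.example", TRUSTED),  # outsider relays
        (554, "192.0.2.44", "a@elsewhere.example", NARROWED),  # LAN host after /32
    ]
    for code, ip, rcpt, nets in cases:
        print(code, ip, rcpt, "->", assess(code, ip, rcpt, LOCAL, nets))
```

Only the fourth case is a finding; an accepted RCPT TO for a local recipient, or from an address inside the trusted networks, is the normal behaviour the moderators describe.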
  #16 (permalink)  
Old 06-16-2010, 05:35 PM
Outstanding Member
 
Posts: 684
Default Encrypted SMTP

My take on this is the client and server make an SSL connection at which point all communication is encrypted, including the authentication. However, if the authentication takes place before an SSL connection is made then the login would be unencrypted. I believe the former is the case and that is why when you specify no plain text authentication it works when the SSL connection only is specified.

If my take on this is wrong then I would appreciate someone correcting me.

If you specify using encrypted authentication in, say, Outlook Express, the login fails because OE chokes at the AUTH command. IMHO.
Reply With Quote
  #17 (permalink)  
Old 06-16-2010, 05:41 PM
New Member
 
Posts: 4
Default

Quote:
Originally Posted by Bill Brock View Post
My take on this is the client and server make an SSL connection at which point all communication is encrypted, including the authentication. However, if the authentication takes place before an SSL connection is made then the login would be unencrypted. I believe the former is the case and that is why when you specify no plain text authentication it works when the SSL connection only is specified.

If my take on this is wrong then I would appreciate someone correcting me.

If you specify using encrypted authentication in, say, Outlook Express, the login fails because OE chokes at the AUTH command. IMHO.
Well here's the problem. While it is encrypted already if the user connects using an SSL connection, there is nothing to enforce that. They could just as easily be connecting over port 25. But if there was a non-clear-text authentication method going on, then it would be better... or at the very least, SMTP AUTH refusing to work over a non SSL link.
Reply With Quote
  #18 (permalink)  
Old 06-16-2010, 05:54 PM
Outstanding Member
 
Posts: 684
Default The mail server is set to not accept....

plain text authentication. So if the SSL connection is not made, the auth appears as plain text and is not accepted. This is how the SSL connection is enforced. Plus the port is not the issue. An SSL connection can be made using port 25 as long as the server and client support it. It is the hand shake between the two computers that determines whether the connection is SSL.

So by setting Zimbra to not accept plain text authentication, the encryption must take place before the credentials are sent across the wire.
Reply With Quote
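A way to verify the enforcement described in post #18 from the outside: compare the EHLO reply captured before STARTTLS with the one captured after it, and confirm AUTH appears only in the second. This is an added example, not code from the thread or from Zimbra; the function names and the sample replies are constructed, and the replies are assumed to be pasted as raw `250-` lines from a manual session.

```python
import re

def parse_ehlo(reply):
    """Map EHLO keywords to their parameters from a raw multi-line 250 reply."""
    features = {}
    for line in reply.splitlines()[1:]:          # first line is the greeting
        text = line[4:].strip()                  # drop "250-" or "250 "
        if not text:
            continue
        # Some servers also announce the legacy form "AUTH=LOGIN PLAIN".
        parts = re.split(r"[ =]", text, maxsplit=1)
        params = parts[1].split() if len(parts) > 1 else []
        features.setdefault(parts[0].upper(), []).extend(params)
    return features

def auth_exposure(ehlo_plain, ehlo_tls=None):
    """Classify where the server is willing to accept credentials."""
    plain = parse_ehlo(ehlo_plain)
    if "AUTH" in plain:
        return "auth-offered-in-cleartext"       # credentials could cross the wire unencrypted
    if "STARTTLS" not in plain:
        return "no-starttls"                     # nothing to upgrade to
    if ehlo_tls is not None and "AUTH" in parse_ehlo(ehlo_tls):
        return "auth-only-after-tls"             # the behaviour post #18 describes
    return "auth-not-seen"

# Constructed sample replies (not captured from any real server).
PLAIN_OK = "250-mail.example.test\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME"
TLS_OK = "250-mail.example.test\r\n250-PIPELINING\r\n250-AUTH LOGIN PLAIN\r\n250 8BITMIME"
PLAIN_BAD = ("250-mail.example.test\r\n250-STARTTLS\r\n"
             "250-AUTH LOGIN PLAIN\r\n250-AUTH=LOGIN PLAIN\r\n250 8BITMIME")

if __name__ == "__main__":
    print(auth_exposure(PLAIN_OK, TLS_OK))       # hardened server
    print(auth_exposure(PLAIN_BAD))              # AUTH announced before TLS
```

In Postfix, the `smtpd_tls_auth_only` parameter produces the hardened pattern: AUTH is not announced or accepted until the TLS handshake has completed.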
  #19 (permalink)  
Old 06-17-2010, 03:44 AM
New Member
 
Posts: 4
Default

Quote:
Originally Posted by Bill Brock View Post
plain text authentication. So if the SSL connection is not made, the auth appears as plain text and is not accepted. This is how the SSL connection is enforced. Plus the port is not the issue. An SSL connection can be made using port 25 as long as the server and client support it. It is the hand shake between the two computers that determines whether the connection is SSL.

So by setting Zimbra to not accept plain text authentication, the encryption must take place before the credentials are sent across the wire.
Nice. Where do I set that?
Reply With Quote
  #20 (permalink)  
Old 06-17-2010, 03:50 AM
Zimbra Consultant & Moderator
 
Posts: 19,633
Default

In the Admin UI.
__________________
Regards


Bill
Reply With Quote