
Thread: open relay??

  1. #21
    Bill Brock

    It is under the...

    Server settings. "MTA", "IMAP", and "POP"

  2. #22
    JMoreno

    Hi guys,

    After suffering 20-30 spam mails a minute (!!), I have found this topic. I believe I am suffering an Open Relay problem with my ZCS 8 mail server.

    After running a test in Open Relay Test I got the following results:

    [Method 0]
    <<< 220 zimbra.mydomain.com ESMTP Postfix
    >>> HELO mailradar.com
    <<< 250 zimbra.mydomain.com
    >>> MAIL FROM: <antispam@mailradar.com>
    <<< 250 2.1.0 Ok
    >>> RCPT TO: <relaytest@mailradar.com>
    <<< 250 2.1.5 Ok
    >>> QUIT
    <<< 221 2.0.0 Bye
    [TEST NOT PASSED]
    [Method 1]
    <<< 220 zimbra.mydomain.com ESMTP Postfix
    >>> HELO mailradar.com
    <<< 250 zimbra.mydomain.com
    >>> MAIL FROM: <antispam@mailradar.com>
    <<< 250 2.1.0 Ok
    >>> RCPT TO: relaytest@mailradar.com
    <<< 250 2.1.5 Ok
    >>> QUIT
    <<< 221 2.0.0 Bye
    [TEST NOT PASSED]
    [Method 2]
    <<< 220 zimbra.mydomain.com ESMTP Postfix
    >>> HELO mailradar.com
    <<< 250 zimbra.mydomain.com
    >>> MAIL FROM: <antispam>
    <<< 250 2.1.0 Ok
    >>> RCPT TO: <relaytest@mailradar.com>
    <<< 250 2.1.5 Ok
    >>> QUIT
    <<< 221 2.0.0 Bye
    [TEST NOT PASSED]
    [Method 3]
    <<< 220 zimbra.mydomain.com ESMTP Postfix
    >>> HELO mailradar.com
    <<< 250 zimbra.mydomain.com
    >>> MAIL FROM: <>
    <<< 250 2.1.0 Ok
    >>> RCPT TO: <relaytest@mailradar.com>
    <<< 250 2.1.5 Ok
    >>> QUIT
    <<< 221 2.0.0 Bye
    [TEST NOT PASSED]
    [Method 4]
    <<< 220 zimbra.mydomain.com ESMTP Postfix
    >>> HELO mailradar.com
    <<< 250 zimbra.mydomain.com
    >>> MAIL FROM: <antispam@[<<my-public-IP>>]>
    <<< 250 2.1.0 Ok
    >>> RCPT TO: <relaytest@mailradar.com>
    <<< 250 2.1.5 Ok
    >>> QUIT
    <<< 221 2.0.0 Bye
    [TEST NOT PASSED]
    [Method 5]
    <<< 220 zimbra.mydomain.com ESMTP Postfix
    >>> HELO mailradar.com
    <<< 250 zimbra.mydomain.com
    >>> MAIL FROM: <antispam@[<<my-public-IP>>]>
    <<< 250 2.1.0 Ok
    >>> RCPT TO: <relaytest%mailradar.com@[<<my-public-IP>>]>
    <<< 250 2.1.5 Ok
    >>> QUIT
    <<< 221 2.0.0 Bye
    [TEST NOT PASSED]
    [Method 6]
    <<< 220 zimbra.mydomain.com ESMTP Postfix
    >>> HELO mailradar.com
    <<< 250 zimbra.mydomain.com
    >>> MAIL FROM: <antispam@[<<my-public-IP>>]>
    <<< 250 2.1.0 Ok
    >>> RCPT TO: <relaytest%mailradar.com.com@[<<my-public-IP>>.staticIP.rima-tde.net]>
    <<< 501 5.1.3 Bad recipient address syntax
    >>> QUIT
    <<< 221 2.0.0 Bye
    [TEST PASSED]
    [Method 7]
    <<< 220 zimbra.mydomain.com ESMTP Postfix
    >>> HELO mailradar.com
    <<< 250 zimbra.mydomain.com
    >>> MAIL FROM: <antispam@[<<my-public-IP>>]>
    <<< 250 2.1.0 Ok
    >>> RCPT TO: <"relaytest@mailradar.com">
    <<< 250 2.1.5 Ok
    >>> QUIT
    <<< 221 2.0.0 Bye
    [TEST NOT PASSED]
    [Method 8]
    <<< 220 zimbra.mydomain.com ESMTP Postfix
    >>> HELO mailradar.com
    <<< 250 zimbra.mydomain.com
    >>> MAIL FROM: <antispam@[<<my-public-IP>>]>
    <<< 250 2.1.0 Ok
    >>> RCPT TO: <"relaytest%mailradar.com">
    <<< 504 5.5.2 <relaytest%mailradar.com>: Recipient address rejected: need fully-qualified address
    >>> QUIT
    <<< 221 2.0.0 Bye
    [Method 9]
    <<< 220 zimbra.mydomain.com ESMTP Postfix
    >>> HELO mailradar.com
    <<< 250 zimbra.mydomain.com
    >>> MAIL FROM: <antispam@[<<my-public-IP>>]>
    <<< 250 2.1.0 Ok
    >>> RCPT TO: <relaytest@mailradar.com@[<<my-public-IP>>]>
    <<< 250 2.1.5 Ok
    >>> QUIT
    <<< 221 2.0.0 Bye
    [TEST NOT PASSED]
    [Method 10]
    <<< 220 zimbra.mydomain.com ESMTP Postfix
    >>> HELO mailradar.com
    <<< 250 zimbra.mydomain.com
    >>> MAIL FROM: <antispam@[<<my-public-IP>>]>
    <<< 250 2.1.0 Ok
    >>> RCPT TO: <"relaytest@mailradar.com"@[<<my-public-IP>>]>
    <<< 250 2.1.5 Ok
    >>> QUIT
    <<< 221 2.0.0 Bye
    [TEST NOT PASSED]
    [Method 11]
    <<< 220 zimbra.mydomain.com ESMTP Postfix
    >>> HELO mailradar.com
    <<< 250 zimbra.mydomain.com
    >>> MAIL FROM: <antispam@[<<my-public-IP>>]>
    <<< 250 2.1.0 Ok
    >>> RCPT TO: <relaytest@mailradar.com@<<my-public-IP>>.staticIP.rima-tde.net>
    <<< 250 2.1.5 Ok
    >>> QUIT
    <<< 221 2.0.0 Bye
    [TEST NOT PASSED]
    [Method 12]
    <<< 220 zimbra.mydomain.com ESMTP Postfix
    >>> HELO mailradar.com
    <<< 250 zimbra.mydomain.com
    >>> MAIL FROM: <antispam@[<<my-public-IP>>]>
    <<< 250 2.1.0 Ok
    >>> RCPT TO: <@[<<my-public-IP>>]:relaytest@mailradar.com>
    <<< 250 2.1.5 Ok
    >>> QUIT
    <<< 221 2.0.0 Bye
    [TEST NOT PASSED]
    [Method 13]
    <<< 220 zimbra.mydomain.com ESMTP Postfix
    >>> HELO mailradar.com
    <<< 250 zimbra.mydomain.com
    >>> MAIL FROM: <antispam@[<<my-public-IP>>]>
    <<< 250 2.1.0 Ok
    >>> RCPT TO: <@[<<my-public-IP>>.staticIP.rima-tde.net]:relaytest@mailradar.com>
    <<< 250 2.1.5 Ok
    >>> QUIT
    <<< 221 2.0.0 Bye
    [TEST NOT PASSED]
    [Method 14]
    <<< 220 zimbra.mydomain.com ESMTP Postfix
    >>> HELO mailradar.com
    <<< 250 zimbra.mydomain.com
    >>> MAIL FROM: <antispam@[<<my-public-IP>>]>
    <<< 250 2.1.0 Ok
    >>> RCPT TO: <mailradar.com!relaytest>
    <<< 504 5.5.2 <mailradar.com!relaytest>: Recipient address rejected: need fully-qualified address
    >>> QUIT
    <<< 221 2.0.0 Bye
    [Method 15]
    <<< 220 zimbra.mydomain.com ESMTP Postfix
    >>> HELO mailradar.com
    <<< 250 zimbra.mydomain.com
    >>> MAIL FROM: <antispam@[<<my-public-IP>>]>
    <<< 250 2.1.0 Ok
    >>> RCPT TO: <mailradar.com!relaytest@[<<my-public-IP>>]>
    <<< 250 2.1.5 Ok
    >>> QUIT
    <<< 221 2.0.0 Bye
    [TEST NOT PASSED]
    [Method 16]
    <<< 220 zimbra.mydomain.com ESMTP Postfix
    >>> HELO mailradar.com
    <<< 250 zimbra.mydomain.com
    >>> MAIL FROM: <antispam@[<<my-public-IP>>]>
    <<< 250 2.1.0 Ok
    >>> RCPT TO: <mailradar.com!relaytest@[<<my-public-IP>>.staticIP.rima-tde.net]>
    <<< 501 5.1.3 Bad recipient address syntax
    >>> QUIT
    <<< 221 2.0.0 Bye
    [TEST PASSED]
    [Method 17]
    <<< 220 zimbra.mydomain.com ESMTP Postfix
    >>> HELO mailradar.com
    <<< 250 zimbra.mydomain.com
    >>> MAIL FROM: <antispam@[<<my-public-IP>>]>
    <<< 250 2.1.0 Ok
    >>> RCPT TO: <relaytest%mailradar.com@>
    <<< 504 5.5.2 <relaytest%mailradar.com@>: Recipient address rejected: need fully-qualified address
    >>> QUIT
    <<< 221 2.0.0 Bye
    [Method 18]
    <<< 220 zimbra.mydomain.com ESMTP Postfix
    >>> HELO mailradar.com
    <<< 250 zimbra.mydomain.com
    >>> MAIL FROM: <antispam@[<<my-public-IP>>]>
    <<< 250 2.1.0 Ok
    >>> RCPT TO: <relaytest@mailradar.com@>
    <<< 504 5.5.2 <relaytest@mailradar.com@>: Recipient address rejected: need fully-qualified address
    >>> QUIT
    <<< 221 2.0.0 Bye

    I have replaced:
    - my domain by "mydomain.com"
    - my public IP address by "<<my-public-IP>>"

    It seems clear I am affected by the Open Relay issue. Following instructions in this forum, I have provided:

    - General Settings + MTA + trusted networks: 127.0.0.0/8 172.16.0.41/32 ---> I want authentication from all users before sending mails, even from the LAN.
    - Server + MTA + trusted networks : empty ---> I guess takes settings from the General Settings (above)

    Where 172.16.0.41 is my Zimbra Server Private IP address (example).

    I must say that every single time I full reboot my server, I missed the trusted networks (empty field). Is that normal?

    May anybody help me to fix it?


    Many thanks in advance.
    PS: my mail server connects to Internet via a firewall.
    Last edited by JMoreno; 11-01-2012 at 06:38 AM. Reason: Added trusted network settings I forgot to add.
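
An added example, not part of the original post: the relay test output above lacks a verdict line for some methods, so this sketch derives the result from the server's reply to RCPT TO instead. The sample transcript, hostnames and function names are constructed for illustration.

```python
import re

# Constructed sample in the "<<<" / ">>>" layout of the test output above;
# hostnames and addresses are placeholders, not values from the post.
SAMPLE = """\
[Method 0]
<<< 220 mail.example.test ESMTP Postfix
>>> MAIL FROM: <probe@tester.example.net>
<<< 250 2.1.0 Ok
>>> RCPT TO: <sink@tester.example.net>
<<< 250 2.1.5 Ok
[TEST NOT PASSED]
[Method 1]
<<< 220 mail.example.test ESMTP Postfix
>>> MAIL FROM: <probe@tester.example.net>
<<< 250 2.1.0 Ok
>>> RCPT TO: <sink%tester.example.net@>
<<< 504 5.5.2 <sink%tester.example.net@>: Recipient address rejected
[Method 2]
<<< 220 mail.example.test ESMTP Postfix
>>> MAIL FROM: <probe@tester.example.net>
<<< 421 4.3.2 Service not available
"""

METHOD = re.compile(r"^\[Method (\d+)\]$")
REPLY = re.compile(r"^<<< (\d{3})[ -]")

def classify(transcript):
    """Map method number -> 'relay-accepted', 'refused' or 'no-rcpt'."""
    results, current, awaiting_rcpt = {}, None, False
    for line in (l.strip() for l in transcript.splitlines()):
        m = METHOD.match(line)
        if m:
            current, awaiting_rcpt = int(m.group(1)), False
            results[current] = "no-rcpt"      # until a RCPT reply is seen
        elif current is None:
            continue
        elif line.upper().startswith(">>> RCPT TO:"):
            awaiting_rcpt = True
        elif awaiting_rcpt and (r := REPLY.match(line)):
            # The tester's recipient is outside the server's domains, so a 2xx
            # reply here means the server agreed to relay for a stranger.
            results[current] = "relay-accepted" if r.group(1)[0] == "2" else "refused"
            awaiting_rcpt = False
    return results

def open_relay_methods(transcript):
    return sorted(n for n, v in classify(transcript).items() if v == "relay-accepted")

if __name__ == "__main__":
    print(classify(SAMPLE), open_relay_methods(SAMPLE))
```
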

  3. #23
    JMoreno

    I believe there is a minor bug in ZCS 8.

    If I provide the "Trusted networks" (127.0.0.0/8 172.16.0.41/32) at the "General Settings + MTA" level, it disappears after booting the server. But, if I set it at the server level, it remains and it starts behaving as expected (stopping the Open Relay issue).

    After a while, I realized that this is also happening for other settings.

    Please correct me if I am wrong: settings fixed at the "General settings" level should be propagated to the servers, to the extent that we do not override them in the servers' configuration. Am I wrong? Did I miss anything?

    Thanks for your comments and replies.
    Best regards.

  4. #24
    rizzpatel

    Quote (originally posted by bdial):
        just to verify, you're not trying to send to someone on your zimbra server right? that will always work

    Uh, is this still not an issue?

    What happens if some guy uses our SMTP server without authentication, spoofs the email address of the CEO of our company, and sends out a mass "You are FIRED!" email to everyone on the internal domain?

    Is there really no way to prevent anonymous SMTP for the Zimbra domain?

  5. #25
    bdial (Moderator)

    well for one there would be no way for me to lookup all accounts just using your smtp server

    but in the spirit of the question, what's to stop me from faking your ceo's address using my mail server? this kind of thing has been happening forever. SPF and DKIM were invented to solve this kind of problem.

    I know it seems weird, but there is very little difference to somebody submitting an e-mail to your server directly from their client using your smtp server versus if they relay it through their own server first. It's just another hop when you use your own smtp server

  6. #26
    rizzpatel

    Quote (originally posted by bdial):
        well for one there would be no way for me to lookup all accounts just using your smtp server

        but in the spirit of the question, what's to stop me from faking your ceo's address using my mail server? this kind of thing has been happening forever. SPF and DKIM were invented to solve this kind of problem.

        I know it seems weird, but there is very little difference to somebody submitting an e-mail to your server directly from their client using your smtp server versus if they relay it through their own server first. It's just another hop when you use your own smtp server

    Alright, I just retested with a non-existing email account with our domain, it fails. Nice. I am just trying to see if there's a way to completely force authentication on our SMTP server.. As in you MUST provide valid credentials to use it. Is there still no way to accomplish this? Thanks bdial

  7. #27
    bdial (Moderator)

    If you did that, nobody would be able to send you e-mail. What happens when someone at gmail wants to e-mail you? Gmail's server doesn't have a username/password on your system. To your server, gmail is just another client connecting to port 25 trying to send some e-mail to your users.

  8. #28
    rizzpatel

    Quote (originally posted by bdial):
        If you did that, nobody would be able to send you e-mail. What happens when someone at gmail wants to e-mail you? Gmail's server doesn't have a username/password on your system. To your server, gmail is just another client connecting to port 25 trying to send some e-mail to your users.

    If this is the case, why is it not possible for me to anonymously login to Gmail's SMTP server and send to my gmail account? Google's SMTP server absolutely requires authentication.

    I understand what you are saying, but this is contradicting it..

    How is Gmail accomplishing this task? It's basically exactly what we want..

    zimbraauth.jpg

    Also, I tried using smtp.gmail.com (which is valid) and it also fails.

  9. #29
    bdial (Moderator)

    because google uses different servers to send and receive mail. do a mx lookup on google.com, you'll get a bunch of responses. Try one, I used alt1.gmail-smtp-in.l.google.com . No secure connection, no authentication, I did e-mail from: bdial@mydomain.com and to my gmail account and it succeeded.

    the smtp.googlemail.com isn't meant to receive mail, only send it so in that case yeah you can force all clients to authenticate

    does this clear it up?

  10. #30
    rizzpatel

    Quote (originally posted by bdial):
        because google uses different servers to send and receive mail. do a mx lookup on google.com, you'll get a bunch of responses. Try one, I used alt1.gmail-smtp-in.l.google.com . No secure connection, no authentication, I did e-mail from: bdial@mydomain.com and to my gmail account and it succeeded.

        the smtp.googlemail.com isn't meant to receive mail, only send it so in that case yeah you can force all clients to authenticate

        does this clear it up?

    Mind = Blown

    You definitely cleared it up. Thanks for your patience Bdial
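
An added example, not part of the thread: a simplified model of the accept/relay decision the posts above discuss, showing why unauthenticated inbound mail for a local domain is accepted while relaying to other domains requires a trusted network or credentials. The rule names are borrowed from Postfix's permit_mynetworks, permit_sasl_authenticated and reject_unauth_destination restrictions; the ordering, the `decide` function, the `local_recipient` label and all client addresses are assumptions for illustration, not Zimbra's shipped configuration.

```python
import ipaddress

LOCAL_DOMAINS = {"mydomain.com"}                  # placeholder domain used in the thread
TRUSTED = ["127.0.0.0/8", "172.16.0.41/32"]       # trusted networks quoted in post #22
TOO_BROAD = ["127.0.0.0/8", "172.16.0.0/16"]      # hypothetical over-wide setting

def decide(client_ip, authenticated, rcpt_domain, trusted_networks):
    """Return (action, rule) for one RCPT TO; rules are checked in order."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in trusted_networks):
        return ("accept", "permit_mynetworks")
    if authenticated:
        return ("accept", "permit_sasl_authenticated")
    if rcpt_domain.lower() not in LOCAL_DOMAINS:
        return ("reject", "reject_unauth_destination")
    # Unauthenticated mail for a local domain: ordinary inbound delivery.
    return ("accept", "local_recipient")

# Constructed cases: 203.0.113.10 is a documentation address standing in for
# any Internet host; 172.16.0.50 and 172.16.0.1 are assumed LAN/gateway addresses.
CASES = {
    "inbound mail from another provider": ("203.0.113.10", False, "mydomain.com", TRUSTED),
    "stranger relaying to a third party": ("203.0.113.10", False, "mailradar.com", TRUSTED),
    "LAN client without credentials":     ("172.16.0.50", False, "mailradar.com", TRUSTED),
    "LAN client with credentials":        ("172.16.0.50", True, "mailradar.com", TRUSTED),
    "client seen as a trusted address":   ("172.16.0.1", False, "mailradar.com", TOO_BROAD),
}

def run_cases():
    return {name: decide(*args) for name, args in CASES.items()}

if __name__ == "__main__":
    for name, (action, rule) in run_cases().items():
        print(f"{name:38s} {action:6s} {rule}")
```

The last case shows the condition to check for when a relay test fails: any connection whose source address falls inside the trusted networks is relayed without credentials.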
