open relay??

[rmvg]

Not to alarm anyone but is zimbra functioning as an open relay??

I have checked authentication enabled and TLS authentication only everywhere i can see inside zimbra admin.

However in outlook express i can send mail without setting any username or password for outbound smtp server and also did NOT have to check the this server requires authentication not to mention not enabling the ssl only settings for port 25

am I overlooking something or is zimbra really functioning as an open relay?

[schemers]

Hi. I believe postfix will trust hosts on the same network/subnet as itself. auth is only required if the requesting IP is outside of that network.

See /opt/zimbra/postfix/conf/main.cf, and look for "trust", as it describes the behavior that you are seeing.

roland

[sgatto]

Hi. I believe postfix will trust hosts on the same network/subnet as itself. auth is only required if the requesting IP is outside of that network.

See /opt/zimbra/postfix/conf/main.cf, and look for "trust", as it describes the behavior that you are seeing.

roland

I've just installed Zimbra CS on a vm for testing purpose. ZCS is on a private lan, natted to Internet with port 25 forwarded from the firewall to zimbra private ip.

I've tested smtp authentication with Email Server Test - Online SMTP diagnostics tool. Seems like zimbra accepts rcpt to without asking for authentication.

What's wrong with this ? Is a nat problem ? Or is that service not reliable ?

Thanks for your help.

Leonardo

[jrefl5]

Check the values for MTA trusted network.

I goofed and included the DMZ address of my firewall and it acted as a relay for about a day till I stumbled on that.

[sgatto]

Check the values for MTA trusted network.

I goofed and included the DMZ address of my firewall and it acted as a relay for about a day till I stumbled on that.

thanks for your reply, I'll check for this.

In my understanding, when a packet passes through the firewall with a port forward, the packet retains its src address. Am I wrong ? This "open relay" problem is causing me some headaches...

Is it possibile to completely disable open relaying, leaving this feature only for localhost (webmail) ?

Thanks !

Leonardo

[bdial]

just to verify, you're not trying to send to soemone on your zimbra server right? that will always work

If your server is setup to accept mail for woopty.com, and I set your server up as my smtp server, i'll always be able to send e-mail to someone@woopty.com. This is because really i'm not doing anything more than another mail server would be doing.

However, if I"m using your server as my smtp, i should not be able to send email to any other domain, thats where it should error with relay denied.

[sgatto]

just to verify, you're not trying to send to soemone on your zimbra server right?

At the moment, I'm able to send email *from* zimbra (webmail) to another external account (gmail). But I'm not able to *receive* email because of a DNS misconfiguration (zimbra is on a private LAN, it receives email from other MTA but delivery fails with "host nof found" error. But this is another story ;-) ).

This "open relay" problem raised when I used the service i linked in my first post: that service of course did not use my domain email. Please try that service yourself and tell me if you think is wrong or bad implemented.

Thanks for your replies guys, I appreciate it.

Leonardo.

[Bill Brock]

I must logon to send mail unless I am in the trusted network setup in my Zimbra GUI. If I try to send without logging on from Outlook I get an error that the recipient could not be reached and there was no transport provider.

Zimbra is definitely not an open relay server if it is configured properly.

[Bill Brock]

At the moment, I'm able to send email *from* zimbra (webmail) to another external account (gmail). But I'm not able to *receive* email because of a DNS misconfiguration (zimbra is on a private LAN, it receives email from other MTA but delivery fails with "host nof found" error. But this is another story ;-) ).

This "open relay" problem raised when I used the service i linked in my first post: that service of course did not use my domain email. Please try that service yourself and tell me if you think is wrong or bad implemented.

Thanks for your replies guys, I appreciate it.

Leonardo.

It tells me that relaying was denied! If you are relaying your configuration is not setup to prevent. A properly configured Zimbra server will not relay.

[phoenix]

I've tested smtp authentication with Email Server Test - Online SMTP diagnostics tool. Seems like zimbra accepts rcpt to without asking for authentication.

Of course it accepts the connection without authentication, that's what mail servers do on port 25 - they accept connections from other mail servers and do not need authentication for that.

What's wrong with this ? Is a nat problem ? Or is that service not reliable ?

Nothing is wrong with that, the output from that test should also show the 'Relay access is denied'. Zimbra is not, by default, an open relay unless you've made it one.