Thread: [SOLVED] Help with SMTP over TLS authentication

  #1 tcauduro (Junior Member)

    Currently running Zimbra 6.0.4 FOSS server.

    We're in a situation where inbound email goes through an antispam server before reaching zimbra. However we have port 465 open and directly forwarded to zimbra so that external users can send out email when out of the office. TLS auth is turned on so they would have to authenticate to send.

    Confirmed from "zmprov getServer server.domain.com | grep Auth"
    zimbraMtaAuthEnabled: TRUE
    zimbraMtaAuthHost: server.domain.com
    zimbraMtaAuthTarget: TRUE
    zimbraMtaAuthURL: https://server.domain.com:443/service/soap/
    zimbraMtaSaslAuthEnable: TRUE
    zimbraMtaTlsAuthOnly: TRUE

    My problem is that we are now having spammers send mail through this port and they are logging in through TLS as an Anonymous user and getting access to send.

    Maillog shows entries like this:
    May 11 20:39:01 webmail postfix/smtpd[25302]: connect from unknown[186.120.141.91]
    May 11 20:39:01 webmail postfix/smtpd[25302]: setting up TLS connection from unknown[186.120.141.91]
    May 11 20:39:02 webmail postfix/smtpd[25302]: Anonymous TLS connection established from unknown[186.120.141.91]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

    I've tried turning off anonymous access in LDAP and that hasn't helped.
    ("./libexec/zmldapanon -d")

    Here's some more info from postfix main.cf:
    "grep sasl main.cf"

    broken_sasl_auth_clients = yes
    smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_sender, reject_unknown_client, reject_unknown_sender_domain, permit
    smtpd_sasl_authenticated_header = no
    local_header_rewrite_clients = permit_mynetworks,permit_sasl_authenticated
    smtpd_sasl_auth_enable = yes

    Any ideas how to turn off this Anonymous TLS?

    Thanks in advance

  #2 tcauduro (Junior Member)

    Oh forgot to mention my /cyrus-sasl/etc/saslauthd.conf file

    zimbra_url: https://server.domain.com:7071/service/admin/soap/
    zimbra_cert_file: /opt/zimbra/conf/smtpd.crt
    zimbra_cert_check: off

    I noticed other posts say to use something like "https://server.domain.com/service/soap/" so I've changed both the saslauthd.conf and saslauthd.conf.in files and restarted the service.
    [File now reads]
    zimbra_url: https://server.domain.com/service/soap/
    zimbra_cert_file: /opt/zimbra/conf/smtpd.crt
    zimbra_cert_check: off

    I'll have to see if this stops the spam. Running testsaslauthd with a few user accounts seems to authenticate. Not sure how I would test the anonymous account, as it requires the -p parameter to provide a password when running.

  #3 LMStone (Moderator)

    Your profile shows you running ZCS 4.5.6; is that still the case?

    All the best,
    Mark

  #4 phoenix (Zimbra Consultant & Moderator)

    Quote Originally Posted by tcauduro:
        Currently running Zimbra 6.0.4 FOSS server.
    Please update your forum profile to reflect the correct Zimbra version in use.

    Quote Originally Posted by tcauduro:
        We're in a situation where inbound email goes through an antispam server before reaching zimbra. However we have port 465 open and directly forwarded to zimbra so that external users can send out email when out of the office. TLS auth is turned on so they would have to authenticate to send.
    You should switch to the correct Submission port, which is 587; that will do what you need. The RFC for the Submission port never ratified the use of port 456 and that has been deprecated in favour of 587.
    Regards
    Bill

  #5 tcauduro (Junior Member)

    Thanks for the suggestion. Switching to port 587 worked after a minor tweak was made.

    I originally had my smtpd_recipient_restrictions configured as below:
    reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_sender, reject_unknown_client, reject_unknown_sender_domain,permit

    This mail server is behind a spam filter and therefore does not receive email from outside directly, aside from external authenticated users sending mail. With the last argument as 'permit', junk was still getting through; a switch to 'reject' solved the issue.

    So smtpd_recipient_restrictions looks like this now:
    reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_sender, reject_unknown_client, reject_unknown_sender_domain, reject

    Thanks again.
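The "Anonymous TLS connection established" line in the maillog describes a TLS session in which the client presented no certificate, not a login as an anonymous user, so what matters is how the restriction list treats a client that never ran SASL AUTH; the model below walks a Postfix restriction list entry by entry and compares the two lists from post #5. This is an added example, not code from the thread or from Zimbra, and it simplifies each reject_* check to a flag on the session. The addresses, domains and sessions are constructed.

```python
from dataclasses import dataclass

@dataclass
class Session:
    sasl_authenticated: bool      # client completed SASL AUTH
    in_mynetworks: bool           # client IP is listed in $mynetworks
    client_has_rdns: bool         # client IP has reverse DNS (Postfix logs "unknown[...]" otherwise)
    helo_valid: bool              # HELO/EHLO hostname is syntactically valid
    sender_domain_resolves: bool  # MAIL FROM domain has an MX or A record
    sender: str
    recipient: str
    local_domains: tuple          # domains this server accepts mail for
    known_recipients: tuple       # mailboxes that exist in those domains

def check(name, s):
    """Verdict of one restriction: PERMIT, REJECT, or DUNNO (no opinion, keep going)."""
    fixed = {"permit": "PERMIT", "reject": "REJECT",
             "permit_sasl_authenticated": "PERMIT" if s.sasl_authenticated else "DUNNO",
             "permit_mynetworks": "PERMIT" if s.in_mynetworks else "DUNNO"}
    if name in fixed:
        return fixed[name]
    rdom, sdom = s.recipient.rsplit("@", 1)[-1], s.sender.rsplit("@", 1)[-1]
    rejects = {  # simplified: each reject_* check reduced to one session attribute
        "reject_non_fqdn_recipient": "." not in rdom,
        "reject_non_fqdn_sender": "." not in sdom,
        "reject_unauth_destination": rdom not in s.local_domains,
        "reject_unlisted_recipient": rdom in s.local_domains and s.recipient not in s.known_recipients,
        "reject_invalid_hostname": not s.helo_valid,
        "reject_unknown_client": not s.client_has_rdns,
        "reject_unknown_sender_domain": not s.sender_domain_resolves,
    }
    return "REJECT" if rejects[name] else "DUNNO"

def evaluate(restriction_list, s):
    """First PERMIT or REJECT wins; if every entry is DUNNO, Postfix permits by default."""
    for name in (r.strip() for r in restriction_list.split(",")):
        verdict = check(name, s)
        if verdict != "DUNNO":
            return verdict, name
    return "PERMIT", "(end of list)"

# The two lists quoted in post #5: identical except for the final entry.
BEFORE = ("reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, "
          "reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_sender, reject_unknown_client, "
          "reject_unknown_sender_domain, permit")
AFTER = BEFORE[:-len("permit")] + "reject"

def session(sasl, recipient):  # constructed sample: a client with clean DNS that passes every reject_* check
    return Session(sasl_authenticated=sasl, in_mynetworks=False, client_has_rdns=True, helo_valid=True,
                   sender_domain_resolves=True, sender="bulk@example.net", recipient=recipient,
                   local_domains=("example.com",), known_recipients=("alice@example.com",))
```

With the trailing permit, an unauthenticated client whose DNS is in order reaches the end of the list and is accepted for local recipients; with the trailing reject, only SASL-authenticated clients (or $mynetworks) get through, while relaying to foreign domains is stopped by reject_unauth_destination in both cases.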

  #6 Tolma4 (Starter Member)

    Would you please explain how you did that? I also have the problem of spam being sent using my server because of anonymous TLS. But if I change "permit" to "reject" and restart Zimbra, it somehow changes to "permit" again.

  #7 tcauduro (Junior Member)

    Go to Global Settings under the Administration Console and pick the 'MTA' tab. There's a check box under 'Protocol Checks' that does this for you.

    I would assume Zimbra re-writes the file according to these settings every time it starts up.

  #8 Tolma4 (Starter Member)

    Thanks. I will try.
