Zimbra :: Forums > Zimbra Collaboration Suite > Administrators
#1, 05-12-2010, 04:39 AM, Junior Member
[SOLVED] Help with SMTP over TLS authentication

Currently running Zimbra 6.0.4 FOSS server.

We're in a situation where inbound email goes through an antispam server before reaching Zimbra. However, we have port 465 open and directly forwarded to Zimbra so that external users can send out email when out of the office. TLS auth is turned on so they would have to authenticate to send.

Confirmed from "zmprov getServer server.domain.com | grep Auth"
zimbraMtaAuthEnabled: TRUE
zimbraMtaAuthHost: server.domain.com
zimbraMtaAuthTarget: TRUE
zimbraMtaAuthURL: https://server.domain.com:443/service/soap/
zimbraMtaSaslAuthEnable: TRUE
zimbraMtaTlsAuthOnly: TRUE

My problem is that we are now having spammers send mail through this port and they are logging in through TLS as an Anonymous user and getting access to send.

Maillog shows entries like this:
May 11 20:39:01 webmail postfix/smtpd[25302]: connect from unknown[186.120.141.91]
May 11 20:39:01 webmail postfix/smtpd[25302]: setting up TLS connection from unknown[186.120.141.91]
May 11 20:39:02 webmail postfix/smtpd[25302]: Anonymous TLS connection established from unknown[186.120.141.91]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

I've tried turning off anonymous access in LDAP and that hasn't helped.
("./libexec/zmldapanon -d")

Here's some more info from postfix main.cf:
"grep sasl main.cf"

broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_sender, reject_unknown_client, reject_unknown_sender_domain, permit
smtpd_sasl_authenticated_header = no
local_header_rewrite_clients = permit_mynetworks,permit_sasl_authenticated
smtpd_sasl_auth_enable = yes

Any ideas how to turn off this Anonymous TLS?

Thanks in advance.

#2, 05-12-2010, 05:06 AM, Junior Member

Oh, forgot to mention my /cyrus-sasl/etc/saslauthd.conf file:

zimbra_url: https://server.domain.com:7071/service/admin/soap/
zimbra_cert_file: /opt/zimbra/conf/smtpd.crt
zimbra_cert_check: off

I noticed other posts say to use something like "https://server.domain.com/service/soap/" so I've changed both the saslauthd.conf and saslauthd.conf.in files and restarted the service.
[File now reads]
zimbra_url: https://server.domain.com/service/soap/
zimbra_cert_file: /opt/zimbra/conf/smtpd.crt
zimbra_cert_check: off

I'll have to see if this stops the spam. Running testsaslauthd with a few user accounts seems to authenticate. Not sure how I would test the anonymous account, as it requires the -p parameter to provide a password when running.

#3, 05-12-2010, 06:22 AM, Moderator

Your profile shows you running ZCS 4.5.6; is that still the case?

All the best,
Mark
L. Mark Stone, CIO

#4, 05-12-2010, 06:24 AM, Zimbra Consultant & Moderator

Quote, originally posted by tcauduro:
> Currently running Zimbra 6.0.4 FOSS server.
Please update your forum profile to reflect the correct Zimbra version in use.

Quote, originally posted by tcauduro:
> We're in a situation where inbound email goes through an antispam server before reaching Zimbra. However, we have port 465 open and directly forwarded to Zimbra so that external users can send out email when out of the office. TLS auth is turned on so they would have to authenticate to send.
You should switch to the correct Submission port, which is 587; that will do what you need. The RFC for the Submission port never ratified the use of port 465, and that has been deprecated in favour of 587.
Regards
Bill

#5, 05-17-2010, 07:16 AM, Junior Member

Thanks for the suggestion. Switching to port 587 worked after a minor tweak was made.

I originally had my smtpd_recipient_restrictions configured as below:
reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_sender, reject_unknown_client, reject_unknown_sender_domain,permit

This mail server is behind a spam filter and therefore does not receive email from outside directly, aside from external authenticated users sending mail. With the last argument as 'permit', junk was still getting through; a switch to 'reject' solved the issue.

So smtpd_recipient_restrictions looks like this now:
reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_sender, reject_unknown_client, reject_unknown_sender_domain, reject

Thanks again.
#6, 03-05-2012, 12:18 AM, Starter Member
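An added example (not from the thread) that simulates how Postfix walks the smtpd_recipient_restrictions lists quoted in posts #1 and #5, to show why the trailing permit let an unauthenticated client deliver to local mailboxes while reject_unauth_destination only blocked relaying, and why a trailing reject closes that path on a submission-only server. The local domain, $mynetworks and the sessions are assumed values.

```python
from dataclasses import dataclass
from typing import Optional

LOCAL_DOMAINS = {"domain.com"}           # domains Zimbra delivers locally (assumed)
MY_NETWORKS = {"127.0.0.1", "10.0.0.5"}  # assumed $mynetworks

@dataclass
class Session:
    client_ip: str
    client_name: str            # "unknown" when the client has no valid rDNS
    sender: str
    recipient: str
    sasl_user: Optional[str] = None   # set only after a successful SASL login

def evaluate(restrictions: str, s: Session) -> str:
    """Walk the list left to right like smtpd; each rule either permits,
    rejects, or says nothing (DUNNO) and passes control to the next rule."""
    rcpt_dom = s.recipient.rsplit("@", 1)[-1]
    sender_dom = s.sender.rsplit("@", 1)[-1] if "@" in s.sender else ""
    for rule in (r.strip() for r in restrictions.split(",")):
        if rule == "permit":
            return "permit"
        if rule == "reject":
            return "reject:reject"
        if rule == "permit_sasl_authenticated" and s.sasl_user:
            return "permit"
        if rule == "permit_mynetworks" and s.client_ip in MY_NETWORKS:
            return "permit"
        if rule == "reject_unauth_destination" and rcpt_dom not in LOCAL_DOMAINS:
            return "reject:" + rule        # stops open relaying, not local spam
        if rule == "reject_non_fqdn_recipient" and "." not in rcpt_dom:
            return "reject:" + rule
        if rule == "reject_non_fqdn_sender" and "." not in sender_dom:
            return "reject:" + rule
        if rule == "reject_unknown_client" and s.client_name == "unknown":
            return "reject:" + rule
        # reject_unlisted_recipient, reject_invalid_hostname and
        # reject_unknown_sender_domain need live lookups; treated as DUNNO here
    return "permit"   # Postfix's implicit default once the list is exhausted

# The two lists quoted in the thread: trailing "permit" (before) and "reject" (after)
BEFORE = ("reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, "
          "reject_unauth_destination, reject_unlisted_recipient, reject_invalid_hostname, "
          "reject_non_fqdn_sender, reject_unknown_client, reject_unknown_sender_domain, permit")
AFTER = BEFORE[: -len("permit")] + "reject"

def compare(s: Session) -> tuple:
    """Decision for one session under the original and the fixed list."""
    return evaluate(BEFORE, s), evaluate(AFTER, s)
```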

Would you please explain how you did that? I also have the problem with spam being sent through my server because of anonymous TLS. But if I change "permit" to "reject" and restart Zimbra, it somehow changes to "permit" again.

#7, 03-05-2012, 05:25 AM, Junior Member

Go to Global Settings under the Administration Console and pick the 'MTA' tab. There's a check box under 'Protocol Checks' that does this for you.

I would assume Zimbra re-writes the file according to these settings every time it starts up.
#8, 03-05-2012, 05:30 AM, Starter Member

Thanks. I will try.