HELP - Open Relay Exploit
I need some thoughts and a solution. After 3 years using ZIMBRA, and 10 yrs before that doing OPWV, I got my first breach: my Zimbra server got turned into an OPEN RELAY.
Here is the config: I have 2 mail systems - one for ABC.com, and one ZIMBRA server for dealer1.ABC.com, dealer2.ABC.com, dealer3.ABC.com. There is an MX for ABC.com going to another mail server, and an MX for dealer1-X.ABC.com going to my ZIMBRA server.
Zimbra is set up with users in the sub-domains, i.e. user@dealer1-X.ABC.com as the primary account and an alias for user@ABC.com. Each user also has an external account for ABC.com to POP mail from the other mail server via ZIMBRA.
ABC.com is a domain in the domains list for the user aliases, i.e. myuser@ABC.com. That way any local mail sent to joe@ABC.com, who IS one of our users, gets delivered locally; else it is relayed to ABC.com - this used to be referred to as a non-authoritative domain.
ALL account Reply-To's are set to user@ABC.com and ANY external incoming mail should go to the ABC.COM email server via the MX record (at least that was the way it should have/did work). Internal mail is delivered locally.
The issue is that the black hats figured out that if they connect to MY server (dealer1.ABC.com) directly AND send a mail msg to nouser@ABC.com (in with a batch of hundreds of other email addresses),
ZIMBRA sees the DST domain in my list of domains but does not see the user in my LDAP, and SpamAssassin complains that there is no local delivery and this may be a SPAM message. BUT then... I assume it does an MX lookup on nouser@ABC.com, sees that the message goes to the other server and then forwards the msg via SMTP to ABC.com, and since the message is now from SpamAssassin and the 127.0.0.1 trusted network (ME), Postfix goes to deliver the msg to all the rest of the recipients - OPEN RELAY!
YES - ALL protocol, DNS and MTA checks are turned on and I have 5 RTBLs in the MTA settings. I do not have TLS-only authentication on because I believe the issue to be: Zimbra accepts the original SPAM messages because the ABC.com domain IS a domain on the domains list.
Right now I have turned off port 25 on the firewall so that we take no outside SMTP traffic - but this has issues; roaming clients can't relay is just one issue. But this is better than 10k msg/hr being spewed like the oil in the Gulf.
There must be a way to say: IF there is NO local recipient, KILL the message. Relay ONLY with authentication I can do, but that will not stop what they are doing.
Clearly the black hats are getting VERY clever.... the condition list to make this happen is very small, but this config has worked for over 2 years at this site, and it has uses for DR.
As always, any thoughts and suggestions are welcome.
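The check the post asks for (refuse the message when the recipient is in a locally listed domain but has no local account, and relay everything else only for authenticated or trusted clients), written up as an added example that is not from the original post or from Zimbra: a minimal Postfix SMTPD access-policy responder in Python. The domain list, user set and trusted network are constructed stand-ins for the LDAP and mynetworks data assumed by the post.

```python
import ipaddress

# Constructed stand-ins (assumed values, not the poster's real data):
# ABC.com is hosted elsewhere but listed locally so that the aliases resolve;
# the dealer sub-domains are the real local domains on the Zimbra box.
LOCAL_DOMAINS = {"abc.com", "dealer1.abc.com", "dealer2.abc.com", "dealer3.abc.com"}
# Every address that actually exists in the directory, @abc.com aliases included.
LOCAL_USERS = {"joe@dealer1.abc.com", "joe@abc.com", "sue@dealer2.abc.com", "sue@abc.com"}
# Networks allowed to relay without SASL (Postfix mynetworks equivalent).
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]


def parse_policy_request(raw: str) -> dict:
    """Parse one Postfix SMTPD policy request: name=value lines ended by a blank line."""
    attrs = {}
    for line in raw.split("\n"):
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def policy_action(attrs: dict) -> str:
    """Decide one RCPT TO. An unknown user in a locally listed domain is refused at
    RCPT time instead of being accepted and relayed later; an external recipient is
    allowed only when the client authenticated or sits on a trusted network."""
    recipient = attrs.get("recipient", "").lower()
    domain = recipient.rpartition("@")[2]
    client = ipaddress.ip_address(attrs.get("client_address", "0.0.0.0"))
    trusted = bool(attrs.get("sasl_username")) or any(client in net for net in MYNETWORKS)
    if domain in LOCAL_DOMAINS:
        if recipient in LOCAL_USERS:
            return "action=DUNNO"  # known user: let the remaining restrictions decide
        return "action=REJECT 5.1.1 <%s>: Recipient address rejected: User unknown" % recipient
    if trusted:
        return "action=DUNNO"  # authenticated or trusted client may relay outbound
    return "action=REJECT 5.7.1 <%s>: Relay access denied" % recipient


def handle(raw: str) -> str:
    """Full request-to-reply cycle in the wire shape Postfix expects (reply + blank line)."""
    return policy_action(parse_policy_request(raw)) + "\n\n"


if __name__ == "__main__":
    # Constructed request resembling the scenario in the post: unauthenticated
    # outside client sending to a non-existent user in the locally listed domain.
    req = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
           "client_address=203.0.113.9\nsender=spammer@example.net\n"
           "recipient=nouser@ABC.com\nsasl_username=\n\n")
    print(handle(req), end="")
```

With stock Postfix the same outcome is normally reached by listing only real addresses for the shared domain in the alias/recipient maps so that unknown users are rejected at RCPT TO; the script only makes that decision explicit and testable.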