What is the recommended way of setting up the zimbra mta so that it only allows zimbra local users to send email out to the Internet and not allowing it to be used as an open relay?
It should be configured like that by default. If you're not seeing this in your tests, make sure you're not in the same IP space as mynetworks, for postfix allows you to relay mail if you are local.
Thank you. I was indeed on the same IP subnet as the zimbra mta server. So I tested out the SMTP auth and noticed that zimbra handles smtp auth against its internal ldap just fine but will not authenticate against an external ldap server as it does for imap and pop logins. Did I set up something wrong?
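An added example, not part of the original thread: a small model of why a relay test run from inside mynetworks passes even on a correctly locked-down server. It assumes the common Postfix rule order (permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination); the mynetworks value, the addresses and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample value; read the real one with `postconf mynetworks`.
SAMPLE_MYNETWORKS = "127.0.0.0/8 192.168.10.0/24 [::1]/128"


def parse_mynetworks(value):
    """Parse address/CIDR entries from a mynetworks string.

    Handles comma or whitespace separators, bare addresses and bracketed
    IPv6. Table lookups and "!" exclusions are out of scope here and
    raise ValueError.
    """
    networks = []
    for entry in value.replace(",", " ").split():
        cleaned = entry.replace("[", "").replace("]", "")
        networks.append(ipaddress.ip_network(cleaned, strict=False))
    return networks


def relay_decision(client_ip, mynetworks, sasl_authenticated, rcpt_is_local):
    """Return (accepted, rule) for one RCPT TO under the assumed rule order."""
    client = ipaddress.ip_address(client_ip)
    # A client inside mynetworks is trusted before authentication is considered.
    if any(client in net for net in parse_mynetworks(mynetworks)):
        return True, "permit_mynetworks"
    if sasl_authenticated:
        return True, "permit_sasl_authenticated"
    # Mail for domains the server itself hosts is accepted from anyone.
    if rcpt_is_local:
        return True, "local destination"
    return False, "reject_unauth_destination"


def open_relay_test_is_valid(client_ip, mynetworks):
    """A relay probe only says something when it comes from outside mynetworks."""
    _, rule = relay_decision(client_ip, mynetworks, False, False)
    return rule != "permit_mynetworks"


if __name__ == "__main__":
    for ip in ("192.168.10.57", "203.0.113.9"):
        print(ip, relay_decision(ip, SAMPLE_MYNETWORKS, False, False),
              "valid test host:", open_relay_test_is_valid(ip, SAMPLE_MYNETWORKS))
```
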
Quote:
Originally Posted by KevinH
That may be true. I think it only has external auth for web, imap, and pop since those are hosted in our app. You might need to configure smtp auth in postfix itself. Anand should be able to jump in here and clarify.
If Anand can help here, that would be great. I just tried using /usr/sbin/testsaslauthd to test the saslauthd and I found out that it does authenticate correctly against the external ldap, but smtp auth still fails for the same username@domain and password combo. Strange.
Quote:
Originally Posted by KevinH
SMTP auth, web UI auth (and even IMAP/POP3 auth) should all be working with external auth if you have that set up. All our saslauthd modification does is make an AuthRequest SOAP call. The implementation of that SOAP knows if external auth is configured.
Is this related to the missing -r problem (manifests itself if you are authenticating against the non-default domain), discussed here:
http://www.zimbra.com/forums/1554-post.html
PS: is /usr/sbin/testsaslauthd on the same box as the zimbra install? Were you using the right socket inside /opt/zimbra/cyrus-sasl/state?
/usr/sbin/testsaslauthd is on the same box as the zimbra install.
I believe I am using the right socket: /opt/zimbra/cyrus-sasl/state/mux
I did add the -r according to the post you mentioned but it did not help. As I have mentioned, the strange thing is that saslauthdtest does authenticate successfully, but smtp auth fails for the same user/pass combo. :(
Quote:
Originally Posted by anand
Out of the box, we have postfix configured to require starttls before auth. Does your SMTP client have an SSL or encrypt check box? And is it turned on?
I disabled the "require tls" option on the zimbra box. And smtp auth works fine for accounts that are configured to authenticate internally but fails for accounts that authenticate against an external server.
Quote:
Originally Posted by anand
Are the accounts with external auth not in the default domain?