
Thread: Securing Zimbra MTA

  1. #1
    tron (Senior Member)

    What is the recommended way of setting up the Zimbra MTA so that it only allows Zimbra local users to send email out to the Internet and cannot be used as an open relay?

  2. #2
    KevinH (Expert Member)

    It should be configured like that by default. If you're not seeing this in your tests, make sure you're not in the same IP space as mynetworks, since postfix allows you to relay mail if you are local.
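An added example, not part of the original thread: a check of whether the host you run a relay test from is covered by Postfix's `mynetworks`, which is why a test from the server's own subnet looks like an open relay. The `MYNETWORKS` value and all addresses are constructed samples; file and table lookups in `mynetworks` are deliberately not resolved.

```python
import ipaddress

# Constructed sample value, not taken from the thread.
MYNETWORKS = "127.0.0.0/8, 10.0.5.0/24 !10.0.6.7 10.0.6.0/24 [::1]/128"

def parse_mynetworks(value):
    """Turn a mynetworks string into ordered (negated, network) rules."""
    rules = []
    for token in value.replace(",", " ").split():
        negated = token.startswith("!")
        pattern = token[1:] if negated else token
        if pattern.startswith("["):
            # IPv6 must be bracketed in mynetworks: [::1]/128 -> ::1/128
            pattern = pattern.replace("[", "").replace("]", "")
        elif pattern.startswith("/") or ":" in pattern:
            # /file/name and type:table entries need the server to resolve
            raise ValueError("lookup entry not supported here: " + token)
        rules.append((negated, ipaddress.ip_network(pattern, strict=False)))
    return rules

def is_trusted(client_ip, rules):
    """Match left to right, first match wins; no match means not trusted."""
    addr = ipaddress.ip_address(client_ip)
    for negated, net in rules:
        if addr.version == net.version and addr in net:
            return not negated
    return False

def vantage_report(client_ip, value=MYNETWORKS):
    """Say whether a relay test run from client_ip is meaningful."""
    if is_trusted(client_ip, parse_mynetworks(value)):
        return "trusted: relay is permitted by design, test from elsewhere"
    return "untrusted: a relay to a foreign domain should be rejected"

if __name__ == "__main__":
    for ip in ("10.0.5.23", "10.0.6.7", "203.0.113.9", "::1"):
        print(ip, "->", vantage_report(ip))
```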

  3. #3
    tron (Senior Member)

    Thank you. I was indeed on the same IP subnet as the Zimbra MTA server. So I tested out the SMTP auth and noticed that Zimbra handles SMTP auth against its internal LDAP just fine but will not authenticate against an external LDAP server as it does for IMAP and POP logins. Did I set up something wrong?

    Quote Originally Posted by KevinH
    It should be configured like that by default. If you're not seeing this in your tests, make sure you're not in the same IP space as mynetworks, since postfix allows you to relay mail if you are local.

  4. #4
    KevinH (Expert Member)

    That may be true. I think it only has external auth for web, IMAP, and POP since those are hosted in our app. You might need to configure SMTP auth in postfix itself. Anand should be able to jump in here and clarify.

  5. #5
    tron (Senior Member)

    If Anand can help here, that would be great. I just tried using /usr/sbin/testsaslauthd to test the saslauthd and I found out that it does authenticate correctly against the external ldap, but smtp auth still fails for the same username@domain and password combo. Strange.


    Quote Originally Posted by KevinH
    That may be true. I think it only has external auth for web, IMAP, and POP since those are hosted in our app. You might need to configure SMTP auth in postfix itself. Anand should be able to jump in here and clarify.

  6. #6
    anand (Zimbra Employee)

    hmm

    SMTP auth, web UI auth (and even IMAP/POP3 auth) should all be working with external auth if you have that set up. All our saslauthd modification does is make an AuthRequest SOAP call. The implementation of that SOAP knows if external auth is configured.

    Is this related to the missing -r problem (manifests itself if you are authenticating against the non-default domain), discussed here:
    SMTP SASL authentication failure

    PS: is /usr/bin/testsaslauthd in the same box as the zimbra install? Were you using the right socket inside /opt/zimbra/cyrus-sasl/state?

  7. #7
    tron (Senior Member)

    /usr/sbin/testsaslauthd is on the same box as the zimbra install.

    I believe I am using the right socket: /opt/zimbra/cyrus-sasl/state/mux

    I did add the -r according to the post you mentioned but it did not help. As I have mentioned, the strange thing is that testsaslauthd does authenticate successfully, but SMTP auth fails for the same user/pass combo.

    Quote Originally Posted by anand
    SMTP auth, web UI auth (and even IMAP/POP3 auth) should all be working with external auth if you have that set up. All our saslauthd modification does is make an AuthRequest SOAP call. The implementation of that SOAP knows if external auth is configured.

    Is this related to the missing -r problem (manifests itself if you are authenticating against the non-default domain), discussed here:
    SMTP SASL authentication failure

    PS: is /usr/bin/testsaslauthd in the same box as the zimbra install? Were you using the right socket inside /opt/zimbra/cyrus-sasl/state?

  8. #8
    anand (Zimbra Employee)

    is TLS on?

    Out of the box, we have postfix configured to require STARTTLS before auth. Does your SMTP client have an SSL or encrypt check box? And is it turned on?
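An added example, not part of the original thread: a parser for the server's EHLO replies that shows whether AUTH is advertised only after STARTTLS, which is the behaviour described in the post above and the reason a client without TLS enabled never gets to authenticate. Both replies and the hostname are constructed samples.

```python
# Constructed EHLO replies (placeholder hostname), before and after STARTTLS.
PRE_TLS = """250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 8BITMIME"""

POST_TLS = """250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME"""

def parse_ehlo(reply):
    """Return {KEYWORD: set(params)} from a multi-line 250 EHLO reply."""
    caps = {}
    for line in reply.strip().splitlines()[1:]:  # first line is the greeting
        if line[:3] != "250" or line[3:4] not in ("-", " "):
            continue
        body = line[4:].strip()
        # Legacy "AUTH=PLAIN LOGIN" means the same as "AUTH PLAIN LOGIN"
        if body.upper().startswith("AUTH="):
            body = "AUTH " + body[5:]
        keyword, _, params = body.partition(" ")
        caps.setdefault(keyword.upper(), set()).update(params.upper().split())
    return caps

def auth_policy(pre_tls, post_tls):
    """Classify when the server offers AUTH, with the mechanisms seen."""
    pre, post = parse_ehlo(pre_tls), parse_ehlo(post_tls)
    if "AUTH" in pre:
        # Credentials can be sent before the session is encrypted
        return "cleartext-auth-offered", sorted(pre["AUTH"])
    if "AUTH" in post:
        # Clients must negotiate STARTTLS before they even see AUTH
        return "tls-required", sorted(post["AUTH"])
    return "no-auth", []

if __name__ == "__main__":
    print(auth_policy(PRE_TLS, POST_TLS))
```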

  9. #9
    tron (Senior Member)

    I disabled the "require tls" option on the zimbra box. And SMTP auth works fine for accounts that are configured to authenticate internally but fails for accounts that authenticate against an external server.

    Quote Originally Posted by anand
    Out of the box, we have postfix configured to require STARTTLS before auth. Does your SMTP client have an SSL or encrypt check box? And is it turned on?

  10. #10
    anand (Zimbra Employee)

    Are the accounts with external auth not in the default domain?
