  #1 (permalink)  
Old 10-05-2006, 06:57 AM
Senior Member
 
Posts: 56
Default smtp interface to accept valid email accounts

Hello,

We are using zimbra 4.01. We need to configure the smtp interface to accept incoming mail sent to valid email users on our zimbra domains (eg foo.com & bar.com).

The reason is that we have a large antispam server in the DMZ doing all the hard (cpu) work, and needs to check valid email users with zimbra (using a smtp callout method), otherwise our support team gets 100s of "undeliverable" mails a day eg to hotchick@foo.com etc...

I think that postfix can do this but maybe there's an easier zmprov solution.

Any help would be appreciated !

Sebastian
Reply With Quote
  #2 (permalink)  
Old 10-08-2006, 11:33 PM
Senior Member
 
Posts: 56
Default

Does somebody have an idea ? maybe more explanations ?

Sebastian
Reply With Quote
  #3 (permalink)  
Old 10-15-2006, 02:37 AM
Senior Member
 
Posts: 56
Default

any help ?

thanks in advance,

Sebastian
Reply With Quote
  #4 (permalink)  
Old 10-15-2006, 07:12 AM
Former Zimbran
 
Posts: 5,606
Default

Quote:
Originally Posted by sperkins
Hello,

We are using zimbra 4.01. We need to configure the smtp interface to accept incoming mail sent to valid email users on our zimbra domains (eg foo.com & bar.com).

Hi Sebastian-
I think our problem is that I don't fully understand the problem.
If mail comes in to your smtp interface, and the user exists, it should be delivered.

Are you saying that currently, you already have a server that accepts mail, and you would like to somehow forward the messages on from your dmz server onto your zimbra server?

Honestly, I'm lost.

john
Reply With Quote
  #5 (permalink)  
Old 10-15-2006, 09:08 AM
Moderator
 
Posts: 2,207
Default

John, here's what I understand: he has an antispam server in the DMZ. This server currently accepts all incoming mail because it does not know if a user exists or not.

So Sperkins is looking for a way to do "smtp callout" to check, from this server, that an account is valid (in his Zimbra server). Zimbra is able to do the check on its own (when mail arrives in the Zimbra server) but he'd like to do it from the antispam server too...

The smtp callout method depends on the smtp daemon (and additional tools) but I think it's possible to do an LDAP callout to the Zimbra server...

Sperkins, is your antispam server a homebrew or commercial solution?
Which MTA is it running ?
Reply With Quote
  #6 (permalink)  
Old 10-15-2006, 10:57 AM
Senior Member
 
Posts: 73
Default

I have exactly the same problem!

We are using Zimbra 4.02 and have a Barracuda SpamFirewall Server which is the mx server for our domain. The Barracuda server accepts all our incoming mails and then sends them to the Zimbra server.

Before upgrading from Zimbra 3.1 to 4.02, we had no problem.

After upgrading to 4.02, the Barracuda Spam Firewall server is not able to verify with Zimbra server if the recipient email account exists on the Zimbra server.

1) When Barracuda receives an incoming mail addressed to, e.g., tom@abc.com (where abc.com is our domain), it tries to check with the Zimbra server using smtp to see if tom@abc.com exists on the Zimbra server.
Since upgrading to Zimbra 4.02, the Barracuda is not able to do this anymore, and so it sends the email to tom@abc.com at the Zimbra server.

2) If this is the first time the Barracuda receives an email for tom@abc.com, it will create a Barracuda user account for tom@abc.com after checking with the Zimbra server that tom@abc.com exists on the Zimbra server. But since upgrading Zimbra to 4, Barracuda is unable to check with Zimbra server. And so Barracuda creates a Barracuda user account for tom@abc.com even if tom@abc.com doesn't exist on the Zimbra server.


3) After that, it sends an email notification to tom@abc.com informing him of his Barracuda user account. But since tom@abc.com does not exist on Zimbra, Zimbra Postfix sends back an Undelivered Mail message to the Barracuda admin cmgui@abc.com.


Thank you

gui


this is an example of the Undelivered Mail Returned to Sender message
-------- Original Message --------
Received: by mail.abc.com (Postfix) id 3CC9118900B3; Sun, 15 Oct 2006 00:32:45 -0700 (PDT)
Date: Sun, 15 Oct 2006 00:32:45 -0700 (PDT)
From: MAILER-DAEMON@mail.abc.com (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: cmgui@abc.com
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="2D25018900B1.1160897565/mail.abc.com"
Message-Id: <20061015073245.3CC9118900B3@mail.abc.com>



This is the Postfix program at host mail.abc.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The Postfix program

<ywojgio@abc.com>: abc.com



Reporting-MTA: dns; mail.abc.com
X-Postfix-Queue-ID: 2D25018900B1
X-Postfix-Sender: rfc822; cmgui@abc.com
Arrival-Date: Sun, 15 Oct 2006 00:32:45 -0700 (PDT)

Final-Recipient: rfc822; ywojgio@abc.com
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; abc.com



Subject: User Quarantine Account Information
From: "Barracuda Spam Firewall" <cmgui@abc.com>
Date: Sun, 15 Oct 2006 00:30:34 -0700 (PDT)
To: <ywojgio@abc.com>
Received: from mgate.abc.com (mgate.abc.com [206.180.225.66]) by mail.abc.com (Postfix) with ESMTP id 2D25018900B1 for <ywojgio@abc.com>; Sun, 15 Oct 2006 00:32:45 -0700 (PDT)
Content-Type: multipart/related; boundary="Barracuda.21060542201948"
MIME-Version: 1.0
Message-ID: <20061015073034.1D2081C0C375@mgate.abc.com>

Welcome to the Barracuda Spam Firewall. This message contains the information you will need to access your Spam Quarantine and Preferences.

Your account has been set to the following username and password:
Username: ywojgio@abc.com
Password: yddadsfw32

Access your Spam Quarantine directly using the following link: http://mgate.abc.com:10000/cgi-bin/i...&et=1161329434




Quote:
Originally Posted by sperkins
Hello,

We are using zimbra 4.01.

The reason is that we have a large antispam server in the DMZ doing all the hard (cpu) work, and needs to check valid email users with zimbra (using a smtp callout method), otherwise our support team gets 100s of "undeliverable" mails a day eg to hotchick@foo.com etc...

Sebastian

Last edited by zzzzsg; 10-15-2006 at 07:03 PM..
Reply With Quote
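
The SMTP callout described in posts #5 and #6, as an added example that is not part of the thread or of any product named in it: the gateway issues RCPT TO for the address and reads the reply code without ever sending DATA. It goes one step beyond the posts by probing a random local part first, so a backend that answers 250 for every recipient is reported as unverifiable instead of being trusted. `FakeMTA`, `start_fake_mta`, `rcpt_code` and `verify_recipient` are hypothetical names, and the in-process server is a constructed stand-in for the backend.

```python
import secrets, smtplib, socketserver, threading

class FakeMTA(socketserver.StreamRequestHandler):
    """Constructed stand-in for the backend mail server (not Zimbra itself)."""
    def handle(self):
        self.wfile.write(b"220 backend.example ESMTP\r\n")
        for raw in self.rfile:
            cmd = raw.decode().strip()
            reply = "250 Ok"
            if cmd.upper().startswith("RCPT TO:"):
                addr = cmd[8:].strip("<> ").lower()
                known = self.server.accept_all or addr in self.server.users
                reply = "250 2.1.5 Ok" if known else "550 5.1.1 User unknown"
            elif cmd.upper().startswith("QUIT"):
                reply = "221 Bye"
            self.wfile.write(reply.encode() + b"\r\n")

def start_fake_mta(users, accept_all=False):
    """Start the stand-in backend on a free loopback port and return the port."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeMTA)
    srv.daemon_threads = True
    srv.users, srv.accept_all = {u.lower() for u in users}, accept_all
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]

def rcpt_code(host, port, rcpt):
    """One callout: HELO, MAIL FROM:<>, RCPT TO, then QUIT without sending DATA."""
    with smtplib.SMTP(host, port, local_hostname="gateway.example", timeout=5) as s:
        s.helo()
        s.mail("")                      # null sender, as a bounce would use
        return s.rcpt(rcpt)[0]

def verify_recipient(host, port, rcpt):
    """Return 'accept', 'reject', 'defer' or 'unverifiable' for the gateway."""
    domain = rcpt.rsplit("@", 1)[1]
    probe = f"callout-{secrets.token_hex(8)}@{domain}"   # should not exist
    try:
        if 200 <= rcpt_code(host, port, probe) < 300:
            return "unverifiable"       # backend accepts any RCPT, so 250 proves nothing
        code = rcpt_code(host, port, rcpt)
    except (OSError, smtplib.SMTPException):
        return "defer"                  # backend unreachable: tempfail, never accept blindly
    if 200 <= code < 300:
        return "accept"
    return "reject" if code >= 500 else "defer"
```

An "unverifiable" result matches the symptom in post #6: the backend takes the message at SMTP time and only bounces it afterwards, so the gateway cannot learn anything from the RCPT reply.
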
  #7 (permalink)  
Old 10-15-2006, 01:49 PM
Moderator
 
Posts: 927
Default

I'm sure there is a real good reason why you guys don't just direct the raw smtp at the zimbra server. I don't know what it is though, care to tell me?

You see, unless I'm way off, zimbra will bounce mail sent to invalid addresses (unless you set a catchall) and this seems to be what your frontline server is doing, so why not just have zimbra do it anyway?
Reply With Quote
  #8 (permalink)  
Old 10-15-2006, 06:49 PM
Senior Member
 
Posts: 73
Default

Many companies buy commercial SpamFirewall servers like Barracuda to accept mails and filter spams and then send non-spam mails to their mail servers. I also don't know why but that's the way it is.

Zimbra 3 has no problem working with our Barracuda SpamFirewall server.

Zimbra 4 does not allow our Barracuda SpamFirewall server to check if a recipient email account exists on Zimbra.


Quote:
Originally Posted by Dirk
I'm sure there is a real good reason why you guys don't just direct the raw smtp at the zimbra server. I don't know what it is though, care to tell me?

You see, unless I'm way off, zimbra will bounce mail sent to invalid addresses (unless you set a catchall) and this seems to be what your frontline server is doing, so why not just have zimbra do it anyway?
Reply With Quote
  #9 (permalink)  
Old 10-16-2006, 12:39 AM
Senior Member
 
Posts: 56
Default

Hello,

Klug's definition of our problem is spot on, and it works exactly like zzzzsg's spamfirewall server.

We're using mailcleaner - a commercial antivirus/antispam system - in the DMZ (it uses Exim as MTA).

Why throw in a second SMTP system? Although zimbra has these options, it's still preferable to have another system in the DMZ (when you have one!):
- it's in a DMZ... if it gets hacked, only that server gets compromised.
- it takes all the internet bashing... on a separate CPU.

In our worst case scenario (relay is totally hacked and useless), the mailboxes are INTACT and we only have to rebuild a quickie smtp relay system or better use zimbra's antispam/virus functions while we rebuild the DMZ server

Do I understand that zimbra 3 worked with SMTP callouts but not zimbra 4 ? There is also a LDAP callout method, but I would prefer to stick with SMTP.

Hope this helps !

Sebastian
Reply With Quote
  #10 (permalink)  
Old 10-16-2006, 01:03 AM
Moderator
 
Posts: 2,207
Default

Dirk is right on one point : if you don't have a Barracuda or Mailcleaner appliance, you can setup Zimbra's own MTA/AS/AV in the DMZ.

But it won't handle quarantine (as an example of what is not handled)...

I'll check the SMTP callout out on mailcleaner later (today or tomorrow) as this is our "soon to be online" setup (not only for Zimbra but all our customers).
Reply With Quote