  #1 (permalink)  
Old 03-20-2011, 03:48 AM
Intermediate Member
 
Posts: 15
main.cf overwritten: trying to restrict relay access?

I am trying to lock down postfix so the zimbra server doesn't behave as an open relay.

I tried modifying main.cf with the;

smtpd_sender_restrictions = check_sender_access hash:/opt/zimbra/nice_guys

and adding to;

smtpd_client_restrictions = reject_unauth_pipelining, check_client_access hash:/opt/zimbra/nice_guys

But as soon as I save and issue a postfix reload, the main.cf appears to get overwritten.

What have I missed pls?
  #2 (permalink)  
Old 03-20-2011, 06:06 AM
Zimbra Consultant & Moderator
 
Posts: 20,313

Quote:
Originally Posted by KDoc
I am trying to lock down postfix so the zimbra server doesn't behave as an open relay.

Zimbra, by default, does not act as an open relay unless you've made changes to it that make that happen. If you've installed a standard copy of Zimbra and made no changes to it then you will not be able to relay through that server unless you are authenticated or on the Trusted Networks IP range.
__________________
Regards


Bill
  #3 (permalink)  
Old 03-20-2011, 12:55 PM
Intermediate Member
 
Posts: 15

That surprises me Phoenix.

My experience is;

I installed a std copy.
Prior to wanting to modify main.cf, I had only tried, via UI and/or zmprov to set up a relay host to my ISP.
My ISP only accepts secure connections over SSL on 465, which of course, Postfix no longer supports/implements. This took a bit of reading to discover.
In the meantime however, ALL mails were attempting to send via SSL to the relay host. And of course, were being simply 'deferred' with the error; "status=deferred (lost connection with <ISP_Host>[IP.add.ress.x] while receiving the initial server greeting)".
And so, I would see in the 'deferred' queue, all mails sitting there.
This included zimbra attempting to send what were very obviously spam mails with spurious addresses which were apparently attempting to traverse my ZCS.

There's only 1 MS host in my network with well updated AV. The rest are linux or OSX, so I'm confident there're no bots inside.
  #4 (permalink)  
Old 03-20-2011, 01:43 PM
Zimbra Consultant & Moderator
 
Posts: 20,313

Quote:
Originally Posted by KDoc
That surprises me Phoenix.

Really? Take my word for it, what I've posted above is correct - if you don't believe me then search the forums for further information. You could also run an external test to see if you're an open relay, there are plenty available if you do a web search.

Here's the instructions for relaying through your ISP: Outgoing SMTP Authentication - Zimbra :: Wiki
__________________
Regards


Bill
  #5 (permalink)  
Old 03-20-2011, 03:07 PM
Intermediate Member
 
Posts: 15

That's what I followed Phoenix. But as I mentioned, my ISP only accepts secure connections over SSL on 465. They do not have TLS implemented. And the wiki just confirms what I've read about Postfix. It no longer supports SSL over 465.

In fact, I just found a post by Wietse himself stating as much; Mailing List Archive - postfix-users : Re: postfix errors when sending smtp auth via yahoo.

Last edited by KDoc; 03-20-2011 at 03:41 PM..
  #6 (permalink)  
Old 03-20-2011, 03:46 PM
Intermediate Member
 
Posts: 15

Re: Relay Access,

It does seem to pass all the tests, so I'll say it (not, I'm sure, that you need it saying, but nevertheless...), you were right.

To address the other part of my question. How do I go about ensuring a parameter change in main.cf, IF I WANTED TO, and ensuring it persists?

Do I have to issue a postconf command?

Or do I have to filter it through zmlocalconfig?

The fact the file gets re-written suggests zimbra is storing it elsewhere and reading/writing it out at start-up? How is it handling this please?
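
An added example, not part of the thread and not Zimbra's own tooling: a small Python audit of the Postfix settings behind the relay behaviour discussed above (relay only for authenticated clients or trusted networks). It assumes the relevant parameters are set explicitly in the text it is given, does not model Postfix built-in defaults or the contents of access tables, and both sample configurations are constructed.

```python
import ipaddress
import re

# Restrictions that end relaying to destinations the server is not responsible for.
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination", "reject", "defer"}

def parse_main_cf(text):
    """Parse main.cf-style text into {parameter: value}, joining continuation lines."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:        # leading whitespace continues the previous parameter
            params[name] += " " + line.strip()
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            params[name] = value
    return params

def tokens(value):
    return [t for t in re.split(r"[,\s]+", value) if t]

def list_guarded(value):
    """True if a relay guard is reached before an unconditional 'permit'."""
    for tok in tokens(value):
        if tok == "permit":
            return False
        if tok in RELAY_GUARDS:
            return True
    return False

def audit_relay(params):
    """Return findings; an empty list means relaying is limited to permitted clients."""
    findings = []
    lists = ("smtpd_relay_restrictions", "smtpd_recipient_restrictions")
    if not any(list_guarded(params.get(name, "")) for name in lists):
        findings.append("no relay guard before an unconditional permit")
    for entry in tokens(params.get("mynetworks", "")):
        try:
            net = ipaddress.ip_network(entry.replace("[", "").replace("]", ""), strict=False)
        except ValueError:
            continue                          # table lookups and file paths are not evaluated
        if net.prefixlen == 0:
            findings.append(f"mynetworks trusts every address: {entry}")
    return findings

# Constructed samples, not taken from the thread.
SAMPLE_OK = ("mynetworks = 127.0.0.0/8 192.168.1.0/24\n"
             "smtpd_recipient_restrictions = reject_non_fqdn_recipient,\n"
             "    permit_sasl_authenticated, permit_mynetworks,\n"
             "    reject_unauth_destination, permit\n")
SAMPLE_OPEN = "mynetworks = 127.0.0.0/8 0.0.0.0/0\nsmtpd_recipient_restrictions = permit\n"
```

Calling `audit_relay(parse_main_cf(text))` on the first sample returns no findings; on the second it reports both the missing relay guard and the catch-all trusted network.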