  #1 (permalink)  
Old 10-06-2006, 10:18 AM
Intermediate Member
 
Posts: 21
Understanding the Daily Mail Report - Open Relay?

I need some help understanding the Daily Mail Report, specifically "Most active senders" and "Most active recipients".

We're running Zimbra OSS 4.0.2 on CentOS 4.4, behind a Cable/DSL router with no open ports. Zimbra communicates with the outside Internet via "Relay MTA for external delivery" set to our ISP's mail server for outbound mail, and Fetchmail set up for inbound.

I am seeing addresses with foreign domains in both Most active senders and Most active recipients.

I assume "Senders" would be Zimbra accounts sending mail and "Recipients" would be Zimbra accounts receiving mail. Am I misunderstanding these terms, or do I have an open relay situation?

Please enlighten me.

Regards,

-Glen
  #2 (permalink)  
Old 10-07-2006, 05:15 PM
Project Contributor
 
Posts: 58

Glen,
Stats work as you described...
But if you did a clean Zimbra install (with no manual changes to the Postfix config files) you are not an open relay.
Postfix itself defaults to relaying for localhost only unless you change your config...

But if a user of yours is sending messages through your Zimbra SMTP as an authenticated Zimbra user with another sending address, this is what you get in the report of most active senders.

This does not justify the recipient stats, so you have probably opened your network too much without authentication.
Check your logs under /var/log/zimbra and /opt/zimbra/log. If they are too big, you can check your logger database (where your stats came from...).

PS:
Sorry, I did not realize your "fetchmail setup"... it may be that you are importing someone else's emails, check the logs.

Bye
Claudio

Last edited by claros : 10-07-2006 at 06:24 PM.
  #3 (permalink)  
Old 10-07-2006, 07:28 PM
Intermediate Member
 
Posts: 21

Hi Claudio,

Thank you for the reply!

My system is built from the "bare metal" for this Zimbra installation. The only software installed beyond CentOS and Zimbra is Webmin version 1.300-minimal (with no mail or postfix related modules installed).

I don't think I have opened any undesired access to Postfix, but, of course I could be mistaken, that's what I'm concerned about.

The only changes to Postfix config are as directed in the Zimbra Wiki for "Outgoing SMTP Authentication" details here.

Code:
First check what auth mechanism postfix is configured to use - by default,
you will see:

 $ postconf smtp_sasl_security_options
 smtp_sasl_security_options = noplaintext, noanonymous

Since noplaintext is present, postfix will refuse to use a mechanism that sends
passwords in the clear. If your upstream relay host only supports PLAIN or 
LOGIN mechanisms (both of which send password in the clear), you have to 
remove noplaintext from smtp_sasl_security_options:

 $ postconf -e smtp_sasl_security_options=noanonymous
 $ postfix reload

These changes only affect outgoing SMTP authentication, as near as I can tell...

As for fetchmail setup, fetchmail is configured to retrieve mail for individual pop accounts with user and password for each (no multi-drop). All users I am retrieving for are on my domain, hosted by my ISP. fetchmail config is strictly under my control, so I'm pretty sure I'm not retrieving unexpected mail.

==============================

Your comments have given me the idea that "Senders" and "Recipients" are not the _real_ or absolute sender or recipient, but the stated or _listed_ sender and recipient.

To clarify, my understanding of your reply is that if a user on my domain joe@mydomain.com sends a message from my private LAN via my Zimbra server and configures his mail client so as to report his sending address as his home email account joe123@yahoo.com, I would then see joe123@yahoo.com listed in my senders report.

If that is correct, would it also be true that if my user sue@mydomain.com receives a message addressed to listserver@yahoo.com bcc: sue@mydomain.com, that I would see listserver@yahoo.com in my recipients list?

If the above examples are reasonable, then I presume I can safely disregard the detail in these reports, and look only for large changes in volume as indicators of problems.


Please correct my assumptions if needed, and thanks again for your reply, it was helpful.


Regards,

-Glen
  #4 (permalink)  
Old 10-09-2006, 05:07 PM
Project Contributor
 
Posts: 58

Quote:
Originally Posted by gihrig

Your comments have given me the idea that "Senders" and "Recipients" are not the _real_ or absolute sender or recipient, but the stated or _listed_ sender and recipient.

To clarify, my understanding of your reply is that if a user on my domain joe@mydomain.com sends a message from my private LAN via my Zimbra server and configures his mail client so as to report his sending address as his home email account joe123@yahoo.com, I would then see joe123@yahoo.com listed in my senders report.

Absolutely correct. And in /opt/zimbra/log/zimbra.log you can check his authentication username and punish him...


Quote:
Originally Posted by gihrig
If that is correct, would it also be true that if my user sue@mydomain.com receives a message addressed to listserver@yahoo.com bcc: sue@mydomain.com, that I would see listserver@yahoo.com in my recipients list?

If the above examples are reasonable, then I presume I can safely disregard the detail in these reports, and look only for large changes in volume as indicators of problems.


-Glen

Correct too.
There is a cron script, zmlogprocess, that takes syslog logs into MySQL to be processed. If a message has more than one recipient, or it is addressed to a list, only the first destination address is inserted into MySQL. And that address is what you see in your Zimbra daily report.
Again, a check of /var/log/zimbra.log will tell you the recipient list of that message.
You can connect to the logger database using a command (mylogger I think, but not sure now) as the zimbra user.


Ciao,
Claudio
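
The log check described in this thread, as an added example that is not part of the original posts or of Zimbra's tooling: it groups Postfix log lines by queue ID so each message shows its authenticated user, envelope sender and every recipient, then flags a sender that differs from the authenticated user and mail relayed to a foreign domain by an unauthenticated client outside the trusted networks. The sample log lines, `LOCAL_DOMAINS`, `TRUSTED_NETS` and the function names are constructed for illustration.

```python
import ipaddress
import re

LOCAL_DOMAINS = {"mydomain.com"}  # assumption: domains hosted on this server
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.0/24")]  # assumed LAN
ENTRY = re.compile(r"postfix/\w+\[\d+\]: ([0-9A-F]+): (.*)")  # short hex queue ID, then the event

# Constructed sample lines in Postfix syslog format (not taken from a real server).
SAMPLE_LOG = """\
Oct  9 10:01:02 mail postfix/smtpd[1234]: 4F2A1C0012: client=pc20[192.168.1.20], sasl_method=PLAIN, sasl_username=joe@mydomain.com
Oct  9 10:01:02 mail postfix/qmgr[900]: 4F2A1C0012: from=<joe123@yahoo.com>, size=1834, nrcpt=1 (queue active)
Oct  9 10:01:03 mail postfix/smtp[1250]: 4F2A1C0012: to=<friend@example.org>, relay=smtp.isp.example[203.0.113.5]:25, delay=1, status=sent (250 OK)
Oct  9 10:05:10 mail postfix/smtpd[1301]: 7B3D2C0044: client=localhost[127.0.0.1]
Oct  9 10:05:10 mail postfix/qmgr[900]: 7B3D2C0044: from=<news@example.net>, size=5120, nrcpt=2 (queue active)
Oct  9 10:05:11 mail postfix/lmtp[1310]: 7B3D2C0044: to=<sue@mydomain.com>, relay=mail.mydomain.com[192.168.1.5], delay=1, status=sent (250 OK)
Oct  9 10:05:11 mail postfix/lmtp[1310]: 7B3D2C0044: to=<bob@mydomain.com>, relay=mail.mydomain.com[192.168.1.5], delay=1, status=sent (250 OK)
Oct  9 10:09:30 mail postfix/smtpd[1400]: 9C4E3C0077: client=unknown[198.51.100.7]
Oct  9 10:09:30 mail postfix/qmgr[900]: 9C4E3C0077: from=<x@example.net>, size=900, nrcpt=1 (queue active)
Oct  9 10:09:31 mail postfix/smtp[1251]: 9C4E3C0077: to=<y@example.org>, relay=smtp.isp.example[203.0.113.5]:25, delay=1, status=sent (250 OK)
"""

def correlate(log_text):
    msgs = {}  # queue ID -> one record per message
    for m in ENTRY.finditer(log_text):
        rec = msgs.setdefault(m.group(1), {"client_ip": None, "sasl_user": None, "sender": None, "rcpts": []})
        rest = m.group(2)
        if c := re.match(r"client=\S*\[([^\]]+)\]", rest):
            rec["client_ip"] = c.group(1)
            u = re.search(r"sasl_username=([^,\s]+)", rest)
            rec["sasl_user"] = u.group(1) if u else None
        elif f := re.match(r"from=<([^>]*)>", rest):
            rec["sender"] = f.group(1)
        elif (t := re.match(r"to=<([^>]*)>", rest)) and t.group(1) not in rec["rcpts"]:
            rec["rcpts"].append(t.group(1))  # every recipient, deduplicated across delivery retries
    return msgs

def findings(msgs):
    out = []
    for qid, r in msgs.items():
        if r["sasl_user"] and r["sender"] and r["sender"].lower() != r["sasl_user"].lower():
            out.append((qid, "sender-differs-from-auth-user"))
        ip = r["client_ip"]
        trusted = bool(ip) and any(ipaddress.ip_address(ip) in n for n in TRUSTED_NETS)
        foreign = [a for a in r["rcpts"] if a.rsplit("@", 1)[-1].lower() not in LOCAL_DOMAINS]
        if ip and not trusted and not r["sasl_user"] and foreign:
            out.append((qid, "unauthenticated-external-relay"))
    return out
```

To check a real server, pass the contents of the zimbra.log file mentioned above to `correlate()` and adjust the two assumed constants to the local domains and networks.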
  #5 (permalink)  
Old 10-16-2006, 09:53 AM
Intermediate Member
 
Posts: 21

Claudio,

Thank you very much for the help. These and similar reports on other systems have been of great concern to me in the past.

You have helped me take one more solid step on my sysadmin journey.

Thank you!

-Glen