Zimbra with Barracuda spam appliance goofiness

[ricardoc]

We have a zimbra server that works fine in house.

The problem we are having is with user authentication in conjunction with a barracuda spam appliance.

The spam appliance is where our MX record points, so all mail goes there first, gets scanned, and if is legit, comes to the zimbra server.

The barracuda is supposed to check with the zimbra server to see if the incoming mail matches a real user on the zimbra server...user verification?

It appears to not work. The barracuda is having troubles talking with zimbra.

I hope I'm explaining this right.. Has anyone had any issues like this?

It looks like the spam appliance isnt verifying with the zimbra server correctly.

We've switched the spambox from RCPT to VRFY and that still doesn't work.

Any advice?

[John Siu]

VRFY will not work. It will always reply with:

Code:

450 4.7.1 <email address>: Recipient address rejected: Access denied

I believe it is an anti-spam configuration. But RCPT has to work or else your email server will not accept any email at all.

Anyway for you to get more details/log from your spam appliance?

[ricardoc]

The spam appliance is at an ISP, so I'll have to get them to check their logs.

The spam appliance is supposed to do address verification against zimbra's users and then block emails at the spam appliance level.

It's just not working. My zimbra server is rejecting emails to bad addresses, when it shouldn't have to.

I started looking at LDAP as a mechanism to verify between the two, but man it's complicated.

Do you know how to find the BASEDN AND BINDDN of your zimbra server?

[odeleon]

Do you know how to find the BASEDN AND BINDDN of your zimbra server?

The Base DN is a string of DC's based on your mail domain (as in dc=example,dc=com). You get the bind dn running zmlocalconfig zimbra_ldap_userdn , by default it's uid=zimbra,cn=admins,cn=zimbra .

You should be aware that you would be giving your ISP total, complete and full access to your Zimbra LDAP if you do this. I would advice against it.

... as for your other problems, I think you might want to add the barracuda appliance as the incoming MX for your domain if you haven't already. OR, you could add your ISP's network as a Trusted Network in you ZCS MTA (but that opens a whole other can of worms in terms of security so think it over carefully).

[ricardoc]

The Base DN is a string of DC's based on your mail domain (as in dc=example,dc=com). You get the bind dn running zmlocalconfig zimbra_ldap_userdn , by default it's uid=zimbra,cn=admins,cn=zimbra .

You should be aware that you would be giving your ISP total, complete and full access to your Zimbra LDAP if you do this. I would advice against it.

... as for your other problems, I think you might want to add the barracuda appliance as the incoming MX for your domain if you haven't already. OR, you could add your ISP's network as a Trusted Network in you ZCS MTA (but that opens a whole other can of worms in terms of security so think it over carefully).

Thanks, our MX record is pointing to the barracuda, and that part works great.

I've also added the barracudas ip as a trusted network. Just for some reason the user verification fails, so our server is the one bouncing bad addresses (we get hit hard, and have been targets for lots of joejobs).

The last thing we are trying is LDAP to user verification.

I trust the guys at the ISP, we've been customers of theirs for a long time.

I will try that command you gave, thanks.

[ricardoc]

I'm trying to use Softerras LDAP browser to see if the ldap settings Im using work, and I get invalid credential errors, which means I have the wrong user/pass.

Can anyone help, this is what I have so far as my basedn and binddn. I don't ever remember setting up a password for user "zimbra". Do I need to use a different user to authenticate to the directory so I can browse it?

basedn:
dc=bigballs,dc=com

binddn:
uid=zimbra,cn=admins,cn=zimbra

[John Siu]

Try ldap_root_password in /opt/zimbra/conf/localconfig.xml

[ricardoc]

Appreciate it, that works great, thanks for everything. 1 for your karma bank

Now to lock down the appropiate filter that the fortimail likes...yipee!