#1
07-25-2011, 07:52 AM
Starter Member
Posts: 1
Restricting Local Relay

I've searched the forums, but I apologize if I have missed something obvious. I've seen threads, like "Local relay", which seek to restrict local relay to authenticated users, but not exactly in my situation.

I understand a mail server normally needs to allow unauthenticated users to send mail to local mailboxes to facilitate the normal operation of E-mail, but I still wish to restrict local relay to authenticated users, or local network hosts only.

We have a spam firewall device at the edge of our network that we use to receive E-mail from the internet at large, and it does a fantastic job of filtering spam, which in turn reduced the load on the Zimbra server. Everyone is happy.

The only problem is, Zimbra allows any spammer clever enough to waltz right in and bypass the spam filter, if they connect to the Zimbra SMTP server directly. Of course they can't relay to the general internet, but they can spam all of our local mailboxes with impunity.

I know I could restrict access at the network level, and require my legitimate clients to relay through the spam filter as well, but I would prefer leaving the setup as it is, and just requiring Zimbra to enforce authentication for ALL users.

Is there ANY way in Zimbra 6 to have this restriction? I am not opposed to hacking around in the postfix configuration every time I upgrade if that's what it takes.


Thanks for reading, and doubly so for any assistance you can provide!
#2
07-25-2011, 08:11 AM
Zimbra Consultant & Moderator
Posts: 20,314

Quote:
Originally Posted by AWnet
The only problem is, Zimbra allows any spammer clever enough to waltz right in and bypass the spam filter, if they connect to the Zimbra SMTP server directly. Of course they can't relay to the general internet, but they can spam all of our local mailboxes with impunity.

How do you reckon they're bypassing the spam 'filter'? Do you mean your edge spam filter or the Zimbra anti-spam system? How can they get to port 25 on the Zimbra server when it's (should be) pointed at your edge spam filter?


Quote:
Originally Posted by AWnet
I know I could restrict access at the network level, and require my legitimate clients to relay through the spam filter as well, but I would prefer leaving the setup as it is, and just requiring Zimbra to enforce authentication for ALL users.

Your users should be using port 587 (the correct Submission port), not port 25, for mail delivery. Port 587 requires authentication.

Quote:
Originally Posted by AWnet
Is there ANY way in Zimbra 6 to have this restriction? I am not opposed to hacking around in the postfix configuration every time I upgrade if that's what it takes.

You could always remove your LAN subnet from the Trusted Networks and force every local user to authenticate; obviously you'd need to add the IP of your edge spam filter in that setting if you don't want it to authenticate.
__________________
Regards


Bill
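
A check for the Trusted Networks change suggested above, as an added example that is not part of the thread: it parses a Postfix-style `mynetworks` list (the Postfix setting behind Zimbra's MTA Trusted Networks) and reports which hosts would still be trusted without authentication, including a LAN client covered by a broader supernet. All addresses are constructed samples, and the function names are hypothetical.

```python
import ipaddress
import re


def parse_mynetworks(value):
    """Parse comma/whitespace-separated CIDR blocks, bare addresses and
    bracketed IPv6 (e.g. [::1]/128). Anything else (exclusions, file
    names, lookup tables) is rejected rather than guessed at."""
    nets = []
    for item in re.split(r"[,\s]+", value.strip()):
        if not item:
            continue
        addr = item.replace("[", "").replace("]", "")
        try:
            # strict=False: host bits in an entry are masked off.
            nets.append(ipaddress.ip_network(addr, strict=False))
        except ValueError:
            raise ValueError(f"unsupported mynetworks entry: {item!r}")
    return nets


def is_trusted(client, nets):
    ip = ipaddress.ip_address(client)
    return any(ip.version == n.version and ip in n for n in nets)


def audit(value, must_trust, must_not_trust):
    """Return a list of problems with a proposed trusted-networks value."""
    nets = parse_mynetworks(value)
    problems = []
    for ip in must_trust:
        if not is_trusted(ip, nets):
            problems.append(f"{ip} would have to authenticate")
    for ip in must_not_trust:
        hits = [str(n) for n in nets if is_trusted(ip, [n])]
        if hits:
            problems.append(f"{ip} is still trusted via {', '.join(hits)}")
    return problems


# Constructed sample values (assumptions, not taken from the thread).
EDGE_FILTER = "192.0.2.10"                   # edge spam filter
LAN_CLIENTS = ["10.1.20.15", "10.1.99.200"]  # workstations that must authenticate
BEFORE = "127.0.0.0/8 10.1.0.0/16"           # LAN subnet trusted
AFTER = "127.0.0.0/8, 192.0.2.10/32"         # LAN removed, edge filter added

if __name__ == "__main__":
    for label, value in (("before", BEFORE), ("after", AFTER)):
        result = audit(value, ["127.0.0.1", EDGE_FILTER], LAN_CLIENTS)
        print(label, result or "ok")
```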