My Zimbra 8.0 is an Open Relay

[Andre81]

Hi there,

this is my first post in this community. I'm new on Zimbra colaboration suite, and I've some question about my particular configuration.

My network is quite complicated, and I have two NAT one behind the other.
This prejudice that Zimbra will always see all incoming connections to be local, and they are generated locally (192.168.xx) although is generated by an external ip.
In this scenario we understand very well that restrict the authorization with trusted network does not make sense.

My idea is simple:

in order to send out of Zimbra domain (users@mydomain.com -> users@outside_the_world), users MUST be authenticated trough username and password regardless of where the connection is originated.

in order to receive mail, is permitted to the sender outside my domain to send only to users in my domain.

I' ve read some about how to restrict here: ZIMBRA SMTP AUTH problem but I've some problem.

1) in this way all type of mail relay only if the sender is authenticated
2) my Zimbra 8.0 rewrite all changes I've made in configuration files, so after restart I've lost the configuration


Any help will'be appreciated.

Thanks

Andrea

[phoenix]

Zimbra, by default, is not an open relay unless you've modified something to make it one.

My network is quite complicated, and I have two NAT one behind the other.

That makes no sense and doesn't provide any benefit.

This prejudice that Zimbra will always see all incoming connections to be local, and they are generated locally (192.168.xx) although is generated by an external ip.
In this scenario we understand very well that restrict the authorization with trusted network does not make sense.

My idea is simple:

in order to send out of Zimbra domain (users@mydomain.com -> users@outside_the_world), users MUST be authenticated trough username and password regardless of where the connection is originated.

Your users should use Port 587 as the correct submission port, that requires authentication.

in order to receive mail, is permitted to the sender outside my domain to send only to users in my domain.

They can't send mail to anyone else unless you're an open relay (see my first comment).

I' ve read some about how to restrict here: ZIMBRA SMTP AUTH problem but I've some problem.

1) in this way all type of mail relay only if the sender is authenticated
2) my Zimbra 8.0 rewrite all changes I've made in configuration files, so after restart I've lost the configuration

Then you need to make the changes correctly in ZCS 8, search the forums for details.

FWIW, I have my server behind a NAT router and I also have my LAN subnet in the Trusted Networks and nobody can relay through my server. I'd suggest you search the internet for sites that will test your server to see if it's an open relay.

[Andre81]

Zimbra, by default, is not an open relay unless you've modified something to make it one.

That makes no sense and doesn't provide any benefit.

This is correct, I think exactly like you, but this configuration is provided by my ISP and I can't change.
Don't remember, this is Italy for better or for worse
(we have not thought patterns and we range into the strangest default configuration )

Your users should use Port 587 as the correct submission port, that requires authentication.

The port 587 must be configured in initial setup?

They can't send mail to anyone else unless you're an open relay (see my first comment).

That's right, but in my particular case Zimbra is an Open Relay (I've done test) due to this particular scenario.
I think that permits to send based only in IP address isn't enough secure, in fact if my network has many server, and one of them is compromised, the Trusted network isn't enough.

Then you need to make the changes correctly in ZCS 8, search the forums for details.

I've searched but there are a bit of confusion, one user talks to one method, another one talks to another method, and so...

FWIW, I have my server behind a NAT router and I also have my LAN subnet in the Trusted Networks and nobody can relay through my server. I'd suggest you search the internet for sites that will test your server to see if it's an open relay.

If I've only one NAT, my Zimbra works like a charm... even if the problem of access to the local network even to other servers remains.


Thanks for your attention.

Andrea