Page 1 of 2 (results 1 to 10 of 13)

Thread: Problem with ZCS 8.0.3

  1. #1 alvaroag (Starter Member)

    Problem with ZCS 8.0.3

    Hi. I'm currently having a problem with SMTP relay on ZCS 8.0.3, since I updated from 8.0.2.

    My mail server is inside a network (172.18.2.0/24) where other servers are. One of them, the web server (172.18.2.4), runs some web apps in PHP which usually send emails through the ZCS server without authentication. This worked OK with 8.0.2, but since I updated to 8.0.3 none of my web apps are able to send mail. I wrote a test with phpmailer; in debug mode, it outputs the following:

    Code:
    SMTP -> FROM SERVER:220 MAILSERVER.DOMAIN.COM ESMTP Postfix 
    SMTP -> FROM SERVER: 250-MAILSERVER.DOMAIN.COM 250-PIPELINING 250-SIZE 10240000 250-VRFY 250-ETRN 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN 
    SMTP -> FROM SERVER:250 2.1.0 Ok 
    SMTP -> FROM SERVER:554 5.7.1 : Recipient address rejected: Access denied 
    SMTP -> ERROR: RCPT not accepted from server: 554 5.7.1 : Recipient address rejected: Access denied
    The configuration for phpmailer is:

    PHP Code:
    // Assignments below were lost in the forum extraction ("$mail->SMTPAuth false;"); restored.
    $mail = new PHPMailer(true);          // true: throw exceptions on failure
    $mail->IsSMTP();
    $mail->SMTPAuth = false;              // no SASL credentials sent
    $mail->SMTPSecure = "ssl";            // implicit TLS (smtps)
    $mail->Host = "172.18.2.6";
    $mail->Port = 465;
    $mail->SetFrom("webmaster@DOMAIN.COM", "Webmaster");
    $mail->Sender = "webmaster@DOMAIN.COM";
    $mail->AddReplyTo("webmaster@DOMAIN.COM", "Webmaster");
    $mail->AddAddress("USER@DOMAIN.COM", "USER@DOMAIN.COM");
    $mail->Subject = $subject;
    $mail->MsgHTML($body);
    $mail->SMTPDebug = 2;                 // print the SMTP dialogue
    $mail->Send();

    At the same time, in /var/log/maillog, I get the following:

    May 15 15:07:35 adriana postfix/smtps/smtpd[11298]: connect from unknown[172.18.2.4]
    May 15 15:07:35 adriana postfix/smtps/smtpd[11298]: Anonymous TLS connection established from unknown[172.18.2.4]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
    May 15 15:07:35 adriana postfix/smtps/smtpd[11298]: NOQUEUE: filter: RCPT from unknown[172.18.2.4]: <webmaster@DOMAIN.COM>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<webmaster@DOMAIN.COM> to=<USER@DOMAIN.COM> proto=ESMTP helo=<WEB.DOMAIN.COM>
    May 15 15:07:35 adriana postfix/smtps/smtpd[11298]: NOQUEUE: reject: RCPT from unknown[172.18.2.4]: 554 5.7.1 <USER@DOMAIN.COM>: Recipient address rejected: Access denied; from=<webmaster@DOMAIN.COM> to=<USER@DOMAIN.COM> proto=ESMTP helo=<WEB.DOMAIN.COM>
    May 15 15:07:35 adriana postfix/smtps/smtpd[11298]: lost connection after RCPT from unknown[172.18.2.4]
    May 15 15:07:35 adriana postfix/smtps/smtpd[11298]: disconnect from unknown[172.18.2.4]

    The address of the mail server is 172.18.2.6. In the server network, WEB.DOMAIN.COM resolves to 172.18.2.4. "zmcontrol -v" outputs "Release 8.0.3_GA_5664.RHEL6_64_20130305090204 CentOS6_64 FOSS edition."

    The value of zimbraMtaMyNetworks is "127.0.0.0/8 172.18.2.0/24" (without quotes). That value gets reflected in main.cf & in amavisd.conf

    I've tried changing configuration, rebooting, restarting postfix & amavisd, but nothing works. For external mail, the server works properly, so the problem is only for local relay.

    Hope someone can help me. Thanks in advance.
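    As an added example (not code from the thread or from Zimbra): a small Python triage script that pulls the "NOQUEUE: reject: RCPT" events out of maillog lines like the ones above and checks the rejected client against the zimbraMtaMyNetworks value quoted in the post. A client that is inside the trusted networks but was rejected by the smtps (465) or submission (587) listener is exactly the symptom described here, and the script separates it from the ordinary relay-denial noise produced by untrusted hosts. The first four sample lines are copied from the post; the last two lines and the 203.0.113.9 address are constructed for contrast, and the master.cf service names are assumptions.

```python
import ipaddress
import re

# Sample maillog lines: the first four are quoted from the post above; the last two
# (an external MTA at 203.0.113.9 trying to relay) are constructed for contrast.
SAMPLE_LOG = """\
May 15 15:07:35 adriana postfix/smtps/smtpd[11298]: connect from unknown[172.18.2.4]
May 15 15:07:35 adriana postfix/smtps/smtpd[11298]: Anonymous TLS connection established from unknown[172.18.2.4]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 15 15:07:35 adriana postfix/smtps/smtpd[11298]: NOQUEUE: reject: RCPT from unknown[172.18.2.4]: 554 5.7.1 <USER@DOMAIN.COM>: Recipient address rejected: Access denied; from=<webmaster@DOMAIN.COM> to=<USER@DOMAIN.COM> proto=ESMTP helo=<WEB.DOMAIN.COM>
May 15 15:07:35 adriana postfix/smtps/smtpd[11298]: lost connection after RCPT from unknown[172.18.2.4]
May 15 15:07:36 adriana postfix/smtpd[11300]: connect from mail.example.net[203.0.113.9]
May 15 15:07:36 adriana postfix/smtpd[11300]: NOQUEUE: reject: RCPT from mail.example.net[203.0.113.9]: 554 5.7.1 <nobody@DOMAIN.COM>: Relay access denied; from=<someone@example.org> to=<nobody@DOMAIN.COM> proto=ESMTP helo=<mail.example.net>
"""

# zimbraMtaMyNetworks as quoted in the post.
MYNETWORKS = ["127.0.0.0/8", "172.18.2.0/24"]

# Assumed master.cf service names: "smtpd" is the port 25 listener, "smtps/smtpd" is
# 465 and "submission/smtpd" is 587. Postfix logs the service name before the PID.
SUBMISSION_SERVICES = {"smtps/smtpd", "submission/smtpd"}

# Fields of a Postfix "NOQUEUE: reject: RCPT" line.
REJECT_RE = re.compile(
    r"postfix/(?P<service>[\w/]+)\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<host>[^\s\[]+)\[(?P<ip>[0-9a-fA-F.:]+)\]: "
    r"(?P<code>\d{3}) (?P<status>\d\.\d\.\d) <(?P<rcpt>[^>]*)>: "
    r"(?P<reason>[^;]*); from=<(?P<sender>[^>]*)>"
)


def parse_rejects(log_text):
    """Return one dict per reject line, with the fields Postfix logs."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def in_mynetworks(ip, mynetworks=MYNETWORKS):
    """True if the client address falls inside any of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in mynetworks)


def triage(log_text, mynetworks=MYNETWORKS):
    """Label each reject: a trusted client refused by an auth-only listener is the
    thread's symptom; a trusted client refused on port 25 needs a restrictions
    review; an untrusted client being refused is the MTA doing its job."""
    report = []
    for ev in parse_rejects(log_text):
        trusted = in_mynetworks(ev["ip"], mynetworks)
        if trusted and ev["service"] in SUBMISSION_SERVICES:
            verdict = "trusted client on auth-only listener"
        elif trusted:
            verdict = "trusted client rejected on port 25"
        else:
            verdict = "untrusted client rejected"
        report.append({**ev, "trusted": trusted, "verdict": verdict})
    return report


if __name__ == "__main__":
    for ev in triage(SAMPLE_LOG):
        print(f'{ev["ip"]:<15} {ev["service"]:<17} {ev["code"]} '
              f'{ev["reason"]!r:<45} -> {ev["verdict"]}')
```

    Run against a real maillog (`triage(open("/var/log/maillog").read())`) it reports the web server's 554 on the smtps listener as "trusted client on auth-only listener", which is the quickest way to tell "the listener wants SASL" from "the host is not in mynetworks" without re-reading main.cf.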

  2. #2 quanah (Zimbra Employee)

    To use an authenticated port, you must auth. I don't see anything in your PHP script indicating you authenticated. I.e., no username/password.
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

  3. #3 alvaroag (Starter Member)

    Quote originally posted by quanah:
        To use an authenticated port, you must auth. I don't see anything in your PHP script indicating you authenticated. I.e., no username/password.
    Hi. Thanks for your response.

    I've tried enabling SMTP auth in phpmailer, and passing a valid username and password, and it works. Now, what keeps me thinking: why did the same configuration work before updating to 8.0.3?

    Also, is there any way to send mail from inside a trusted network (such as other servers in the mail server LAN) without authenticating? Obviously, restricting by IP address.

    Thanks.

  4. #4 quanah (Zimbra Employee)

    Yes, you can always send mail from hosts in zimbraMtaMyNetworks without authenticating if you use port 25.

    What happened in ZCS8.0.3 is that a previous loophole was fixed.
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

  5. #5 arb.miz (Starter Member)

    There is no such thing as an "authenticated port"

    Quote originally posted by quanah:
        To use an authenticated port, you must auth. I don't see anything in your PHP script indicating you authenticated. I.e., no username/password.

    I'm sorry, but IMHO there is no such thing as an "authenticated port". There are ports which are defined to be used only (or at least to start) to communicate in plain text (as 25). Others are defined to be used only to perform encrypted communication (see the Wikipedia article on SMTPS to learn whether 465 is really one of those).

    But plain text or encrypted communication has nothing to do with authentication. To cite http://en.wikipedia.org/wiki/Authentication: "Authentication is the act of confirming the truth of an attribute of a datum or entity. This might involve confirming the identity of a person [...]"
    Encrypted communication is very useful to perform authentication, because it prevents fraudulent changes in the communication (like e.g. Man-in-the-middle attacks) or eavesdropping of the identification credentials.

    So, if Zimbra states that it closes a loophole by urging authentication when using encrypted communication on 465, the same must apply to the use of port 25 together with STARTTLS, but that's not the case (in 8.0.3).

    Using authentication for SMTP to protect the server from being abused as a spam entry point is a good idea. But that would mean that all entry points should be protected by authentication, not just those which are using encrypted communication.

    And if a Zimbra admin decides to allow unauthenticated SMTP delivery (because e.g. the server is only available in a controlled subnet), this should apply to plain text and encrypted communication as well.

    Please get to a consistent solution!
    Last edited by arb.miz; 06-26-2013 at 11:25 PM. Reason: typo

  6. #6 trantorvega (Junior Member)

    Bug 85869 has been opened about this change in the 8.0.3 release.

    The loophole which would have been fixed in 8.0.3 resulted in rejecting any inbound connection to port 465 not originating from authenticated clients.
    Unfortunately many servers have the rather unfortunate habit of using port 465, when available, to deliver ordinary messages.
    Therefore a configuration «fixed» to allow connections only from authenticated clients now blocks server-to-server connections which should not require authentication.

    Since it's not in my power to coerce remote servers to use 25 instead of 465, that decision, and the consequent change in behaviour, which was not made widely known, blocked an unfortunate amount of legitimate traffic which should not have been blocked; all of which merely by my updating a pre-8.0.3 to an 8.0.3+ system.

    Now I've manually commented out the overrides of the restrictions for port 465 in master.cf until a better solution is found.

  7. #7 phoenix (Zimbra Consultant &amp; Moderator)

    Quote originally posted by trantorvega:
        Unfortunately many servers have the rather unfortunate habit of using port 465, when available, to deliver ordinary messages.

    No mail server should be using port 465 to deliver mail as it's a Submission port; port 25 SMTP is for connections and you should be able to block port 465.

    Regards

    Bill

    Acompli: A new adventure for Co-Founder KevinH.

  8. #8 trantorvega (Junior Member)

    I could block port 465, and I would, if I didn't need to keep it open for clients which do not support STARTTLS but only smtps over port 465.

  9. #9 trantorvega (Junior Member)

    Checking the traffic on port 465 more thoroughly, it's mostly spam, with very few exceptions.
    So I'll go back to restoring the overrides, happy that the non-standard behaviour is limited to a few misconfigured servers.

    Regards and thanks

  10. #10 phoenix (Zimbra Consultant &amp; Moderator)

    Quote originally posted by trantorvega:
        Checking the traffic on port 465 more thoroughly, it's mostly spam, with very few exceptions.
        So I'll go back to restoring the overrides, happy that the non-standard behaviour is limited to a few misconfigured servers.

    That's a usual port for spammers to use; if there's any possibility to get users onto port 587 and use that with authentication then I'd recommend that, and then block port 465.

    Regards

    Bill

    Acompli: A new adventure for Co-Founder KevinH.
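    As an added example serving both quanah's answer in #4 (hosts in zimbraMtaMyNetworks relay without authentication on port 25) and the advice in #7 and #10 (465 and 587 are submission ports that should require authentication), here is a Python model of how Postfix evaluates a per-listener restriction list: rules are walked in order and the first one that permits or rejects decides. It is not Zimbra's or Postfix's code. The restriction lists, the local domain `domain.com` and the external address 203.0.113.9 are assumptions; the trusted networks and the 172.18.2.4 web server are the values given in the thread.

```python
import ipaddress
from dataclasses import dataclass

# zimbraMtaMyNetworks as quoted in the thread.
MYNETWORKS = ["127.0.0.0/8", "172.18.2.0/24"]
# Domains this MTA accepts mail for (assumed, lower-cased for comparison).
LOCAL_DOMAINS = {"domain.com"}

# Per-listener restriction lists, modelled on the kind of master.cf "-o" overrides the
# thread discusses. Assumed shape, not Zimbra's actual files:
#   25       : trusted networks relay freely; others may only deliver to local domains
#   465, 587 : SASL-authenticated clients only, everything else rejected
RESTRICTIONS = {
    25:  ["permit_mynetworks", "reject_unauth_destination"],
    465: ["permit_sasl_authenticated", "reject"],
    587: ["permit_sasl_authenticated", "reject"],
}


@dataclass(frozen=True)
class Session:
    """What the listener knows about a client at RCPT TO time."""
    port: int
    client_ip: str
    sasl_authenticated: bool = False


def in_mynetworks(ip, mynetworks=MYNETWORKS):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in mynetworks)


def evaluate(session, rcpt, restrictions=RESTRICTIONS, mynetworks=MYNETWORKS,
             local_domains=LOCAL_DOMAINS):
    """First-match evaluation of the listener's restriction list.
    Returns (decision, rule that decided)."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    for rule in restrictions[session.port]:
        if rule == "permit_mynetworks" and in_mynetworks(session.client_ip, mynetworks):
            return ("PERMIT", rule)
        if rule == "permit_sasl_authenticated" and session.sasl_authenticated:
            return ("PERMIT", rule)
        if rule == "reject_unauth_destination" and domain not in local_domains:
            return ("REJECT", rule)   # Postfix says "Relay access denied"
        if rule == "reject":
            return ("REJECT", rule)   # "Access denied", the thread's 554 5.7.1
    # No rule decided: Postfix permits when it falls off the end of the list.
    return ("PERMIT", "end-of-list")


def scenarios():
    """The cases discussed in the thread, keyed by a short label."""
    web = "172.18.2.4"     # the PHP web server from the first post
    ext = "203.0.113.9"    # a constructed external MTA address
    return {
        "web 465 no auth": evaluate(Session(465, web), "USER@DOMAIN.COM"),
        "web 25 no auth":  evaluate(Session(25, web), "USER@DOMAIN.COM"),
        "web 465 auth":    evaluate(Session(465, web, True), "USER@DOMAIN.COM"),
        "ext 25 inbound":  evaluate(Session(25, ext), "USER@DOMAIN.COM"),
        "ext 25 relay":    evaluate(Session(25, ext), "someone@example.org"),
        "ext 465 no auth": evaluate(Session(465, ext), "USER@DOMAIN.COM"),
    }


if __name__ == "__main__":
    for label, (decision, rule) in scenarios().items():
        print(f"{label:<17} {decision:<7} ({rule})")
```

    The first three scenarios reproduce the thread: the web server is refused on 465 without credentials, accepted on 25 because permit_mynetworks fires first, and accepted on 465 once it authenticates. The remaining three show why keeping port 25 open for inbound mail does not make the server an open relay, and why an unauthenticated external host gets nothing from the submission listeners.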
