
Thread: Relay domain allowed

#1 saresca (New Member, joined Jan 2007, 3 posts)

    I recently installed a Zimbra server on a lab server. I'm testing the security, SpamAssassin and ClamAV. The first security hole that I found was:

    SMTP SSL authenticated users are allowed to send mail from any domain.

    If there is any way to stop it, please let me know.

    postconf -d | grep smtp

    smtp_always_send_ehlo = yes
    smtp_bind_address =
    smtp_bind_address6 =
    smtp_cname_overrides_servername = yes
    smtp_connect_timeout = 30s
    smtp_connection_cache_destinations =
    smtp_connection_cache_on_demand = yes
    smtp_connection_cache_reuse_limit = 10
    smtp_connection_cache_time_limit = 2s
    smtp_data_done_timeout = 600s
    smtp_data_init_timeout = 120s
    smtp_data_xfer_timeout = 180s
    smtp_defer_if_no_mx_address_found = no
    smtp_destination_concurrency_limit = $default_destination_concurrency_limit
    smtp_destination_recipient_limit = $default_destination_recipient_limit
    smtp_discard_ehlo_keyword_address_maps =
    smtp_discard_ehlo_keywords =
    smtp_enforce_tls = no
    smtp_generic_maps =
    smtp_helo_name = $myhostname
    smtp_helo_timeout = 300s
    smtp_host_lookup = dns
    smtp_line_length_limit = 990
    smtp_mail_timeout = 300s
    smtp_mx_address_limit = 0
    smtp_mx_session_limit = 2
    smtp_never_send_ehlo = no
    smtp_pix_workaround_delay_time = 10s
    smtp_pix_workaround_threshold_time = 500s
    smtp_quit_timeout = 300s
    smtp_quote_rfc821_envelope = yes
    smtp_randomize_addresses = yes
    smtp_rcpt_timeout = 300s
    smtp_rset_timeout = 20s
    smtp_sasl_auth_enable = no
    smtp_sasl_mechanism_filter =
    smtp_sasl_password_maps =
    smtp_sasl_security_options = noplaintext, noanonymous
    smtp_sasl_tls_security_options = $var_smtp_sasl_opts
    smtp_send_xforward_command = no
    smtp_skip_5xx_greeting = yes
    smtp_skip_quit_response = yes
    smtp_starttls_timeout = 300s
    smtp_tls_CAfile =
    smtp_tls_CApath =
    smtp_tls_cert_file =
    smtp_tls_cipherlist =
    smtp_tls_dcert_file =
    smtp_tls_dkey_file = $smtp_tls_dcert_file
    smtp_tls_enforce_peername = yes
    smtp_tls_key_file = $smtp_tls_cert_file
    smtp_tls_loglevel = 0
    smtp_tls_note_starttls_offer = no
    smtp_tls_per_site =
    smtp_tls_scert_verifydepth = 5
    smtp_tls_session_cache_database =
    smtp_tls_session_cache_timeout = 3600s
    smtp_use_tls = no
    smtp_xforward_timeout = 300s
    smtpd_authorized_verp_clients = $authorized_verp_clients
    smtpd_authorized_xclient_hosts =
    smtpd_authorized_xforward_hosts =
    smtpd_banner = $myhostname ESMTP $mail_name
    smtpd_client_connection_count_limit = 50
    smtpd_client_connection_rate_limit = 0
    smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}
    smtpd_client_message_rate_limit = 0
    smtpd_client_recipient_rate_limit = 0
    smtpd_client_restrictions =
    smtpd_data_restrictions =
    smtpd_delay_reject = yes
    smtpd_discard_ehlo_keyword_address_maps =
    smtpd_discard_ehlo_keywords =
    smtpd_end_of_data_restrictions =
    smtpd_enforce_tls = no
    smtpd_error_sleep_time = 1s
    smtpd_etrn_restrictions =
    smtpd_expansion_filter =
    smtpd_forbidden_commands = CONNECT GET POST
    smtpd_hard_error_limit = 20
    smtpd_helo_required = no
    smtpd_helo_restrictions =
    smtpd_history_flush_threshold = 100
    smtpd_junk_command_limit = 100
    smtpd_noop_commands =
    smtpd_null_access_lookup_key = <>
    smtpd_policy_service_max_idle = 300s
    smtpd_policy_service_max_ttl = 1000s
    smtpd_policy_service_timeout = 100s
    smtpd_proxy_ehlo = $myhostname
    smtpd_proxy_filter =
    smtpd_proxy_timeout = 100s
    smtpd_recipient_limit = 1000
    smtpd_recipient_overshoot_limit = 1000
    smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
    smtpd_reject_unlisted_recipient = yes
    smtpd_reject_unlisted_sender = no
    smtpd_restriction_classes =
    smtpd_sasl_application_name = smtpd
    smtpd_sasl_auth_enable = no
    smtpd_sasl_exceptions_networks =
    smtpd_sasl_local_domain =
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
    smtpd_sender_login_maps =
    smtpd_sender_restrictions =
    smtpd_soft_error_limit = 10
    smtpd_starttls_timeout = 300s
    smtpd_timeout = 300s
    smtpd_tls_CAfile =
    smtpd_tls_CApath =
    smtpd_tls_ask_ccert = no
    smtpd_tls_auth_only = no
    smtpd_tls_ccert_verifydepth = 5
    smtpd_tls_cert_file =
    smtpd_tls_cipherlist =
    smtpd_tls_dcert_file =
    smtpd_tls_dh1024_param_file =
    smtpd_tls_dh512_param_file =
    smtpd_tls_dkey_file = $smtpd_tls_dcert_file
    smtpd_tls_key_file = $smtpd_tls_cert_file
    smtpd_tls_loglevel = 0
    smtpd_tls_received_header = no
    smtpd_tls_req_ccert = no
    smtpd_tls_session_cache_database =
    smtpd_tls_session_cache_timeout = 3600s
    smtpd_tls_wrappermode = no
    smtpd_use_tls = no

#2 jholder (Former Zimbran, Thatcher, AZ, joined Oct 2005, 5,606 posts)

    Hi and welcome to the Zimbra Forums!

    I've forwarded this issue on to one of the developers for review. You should hear from someone shortly.

    Thanks
    john

#3 saresca (New Member, joined Jan 2007, 3 posts)

    Thanks John.

    I found how to block unknown users, but I still didn't find how to block non-local domains.

    To block unknown users, just add reject_unlisted_sender before permit_sasl_authenticated:

    /opt/zimbra/conf/postfix_recipient_restrictions.cf

    reject_non_fqdn_recipient
    reject_unlisted_recipient
    reject_unlisted_sender
    permit_mynetworks
    permit_sasl_authenticated
    %%contains VAR:zimbraMtaRestriction reject_invalid_hostname%%
    %%contains VAR:zimbraMtaRestriction reject_non_fqdn_hostname%%
    %%contains VAR:zimbraMtaRestriction reject_non_fqdn_sender%%
    %%contains VAR:zimbraMtaRestriction reject_unknown_client%%
    %%contains VAR:zimbraMtaRestriction reject_unknown_hostname%%
    %%contains VAR:zimbraMtaRestriction reject_unknown_sender_domain%%
    %%contains VAR:zimbraMtaRestriction reject_rbl_client dnsbl.njabl.org%%
    %%contains VAR:zimbraMtaRestriction reject_rbl_client relays.ordb.org%%
    %%contains VAR:zimbraMtaRestriction reject_rbl_client cbl.abuseat.org%%
    %%contains VAR:zimbraMtaRestriction reject_rbl_client bl.spamcop.net%%
    %%contains VAR:zimbraMtaRestriction reject_rbl_client dnsbl.sorbs.net%%
    %%contains VAR:zimbraMtaRestriction reject_rbl_client sbl.spamhaus.org%%
    %%contains VAR:zimbraMtaRestriction reject_rbl_client xbl.spamhaus.org%%
    %%contains VAR:zimbraMtaRestriction reject_rbl_client sbl-xbl.spamhaus.org%%
    %%contains VAR:zimbraMtaRestriction reject_rbl_client relays.mail-abuse.org%%
    reject_unauth_destination
    permit

#4 anand (Zimbra Employee, joined Sep 2005, 274 posts)

#5 jholder (Former Zimbran, Thatcher, AZ, joined Oct 2005, 5,606 posts)

    Hi,
    As anand pointed out, there is a bugzilla bug for this as an enhancement.

    The reason we are calling this an enhancement now is because you should be able to send whatever you want, since you're authed.

    We're looking to add support for smtpd_sender_login_maps. Please go there and VOTE for it!
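Added example (not from this thread, and not Zimbra's or Postfix's own code). Two points from posts #3 and #5 are worth making concrete. First, the ordering in post #3 puts reject_unlisted_sender ahead of permit_sasl_authenticated, but reject_unlisted_sender only rejects MAIL FROM addresses that lie in a local domain and have no mailbox there; a sender in any foreign domain still passes once permit_sasl_authenticated matches, which is exactly the hole post #1 describes. Second, the Postfix feature post #5 refers to, smtpd_sender_login_maps used with reject_sender_login_mismatch, ties each sender address to the SASL logins that own it. Where that is not exposed by the product, Postfix can delegate the same decision to a small SMTPD policy server via check_policy_service, which is what the script below does: Postfix sends name=value lines ending in a blank line, and expects action=... back. The owner table, the port 10040 and the restriction wiring in the docstring are constructed assumptions, and the lookup order (exact address, then @domain) is a simplification of Postfix's own table lookups. Because Zimbra regenerates main.cf from the templates under /opt/zimbra/conf, the check_policy_service entry belongs in the restriction template (post #3 edits postfix_recipient_restrictions.cf), not in main.cf directly. Note also that the dump in post #1 comes from postconf -d, which prints Postfix's built-in defaults; postconf -n shows the values actually set on the box, which is what you want when checking whether the wiring took effect.

```python
#!/usr/bin/env python3
"""Minimal Postfix SMTPD policy daemon: MAIL FROM must be owned by the SASL login.

Hypothetical wiring (assumed port, adjust to taste), placed in the restriction
list ahead of permit_sasl_authenticated:

    check_policy_service inet:127.0.0.1:10040

The decision mirrors Postfix's reject_sender_login_mismatch: an authenticated
client may only use a sender address whose owner list contains its login, and
an authenticated client using an address with no owner entry is rejected too.
"""
from __future__ import annotations

import socketserver

# Constructed sample owner table (assumption): sender address or "@domain"
# wildcard -> SASL logins allowed to use it.  Feed this from your directory.
SENDER_LOGIN_MAPS: dict[str, set[str]] = {
    "alice@example.com": {"alice@example.com", "alice"},
    "@newsletters.example.com": {"marketing@example.com"},
}


def owners_for(sender: str) -> set[str]:
    """Return the logins that own `sender`: exact address first, then "@domain".

    This lookup order is a simplification of Postfix's own table lookups.
    """
    sender = sender.lower()
    if sender in SENDER_LOGIN_MAPS:
        return SENDER_LOGIN_MAPS[sender]
    if "@" in sender:
        return SENDER_LOGIN_MAPS.get("@" + sender.rsplit("@", 1)[1], set())
    return set()


def parse_policy_request(raw: str) -> dict[str, str]:
    """Parse one policy request: 'name=value' lines terminated by a blank line."""
    attrs: dict[str, str] = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs: dict[str, str]) -> str:
    """Return the action Postfix should take for one request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    login = attrs.get("sasl_username", "").lower()
    sender = attrs.get("sender", "").lower()  # empty string for MAIL FROM:<>
    if not login:
        # Not authenticated: leave the verdict to permit_mynetworks,
        # reject_unauth_destination and the rest of the restriction list.
        return "DUNNO"
    if login in owners_for(sender):
        return "DUNNO"
    # Either a foreign address (no owner entry) or an address owned by someone else.
    return f"REJECT Sender address <{sender}> is not owned by login {login}"


class PolicyHandler(socketserver.StreamRequestHandler):
    """One connection may carry many requests; each answer is 'action=...' plus a blank line."""

    def handle(self) -> None:
        while True:
            lines = []
            while True:
                line = self.rfile.readline()
                if not line:  # Postfix closed the connection
                    return
                line = line.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break
                lines.append(line)
            attrs = parse_policy_request("\n".join(lines))
            self.wfile.write(f"action={decide(attrs)}\n\n".encode())
            self.wfile.flush()


if __name__ == "__main__":
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler) as srv:
        srv.serve_forever()
```

With this in place, alice authenticating and sending MAIL FROM:<alice@example.com> is left to the remaining restrictions (DUNNO), while the same session trying MAIL FROM:<ceo@example.org> is rejected before permit_sasl_authenticated ever sees it. Unauthenticated clients are untouched, so inbound mail from the Internet still relies on reject_unauth_destination exactly as before.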

#6 cmargena (Active Member, Argentina, joined Mar 2009, 26 posts)

    This post is an old one, but I wanted to know if there has been any news regarding this issue; the bugzilla is in assigned status but there is no answer.

#7 phoenix (Zimbra Consultant & Moderator, Vannes, France, joined Sep 2005, 23,586 posts)

    Quote, originally posted by cmargena:
        This post is an old one, but I wanted to know if there has been any news regarding this issue; the bugzilla is in assigned status but there is no answer.
    Any specific answer would be in the bug report and, as you can see, it's still open. If you're interested in seeing it implemented then you should vote on it.
    Regards
    Bill

#8 cmargena (Active Member, Argentina, joined Mar 2009, 26 posts)

    I understand what you say, but I have been researching after posting, and please let me say that there is another thread that is related, "How to enforce sasl_username=FROM ADDRESS", and bugzilla 15808, and really, perhaps it's just me, but it is not clear if it has been solved or not.

#9 phoenix (Zimbra Consultant & Moderator, Vannes, France, joined Sep 2005, 23,586 posts)

    Quote, originally posted by cmargena:
        I understand what you say, but I have been researching after posting, and please let me say that there is another thread that is related, "How to enforce sasl_username=FROM ADDRESS", and bugzilla 15808, and really, perhaps it's just me, but it is not clear if it has been solved or not.
    They are two different RFEs: one has been 'fixed', i.e. it has been fixed in a version of Zimbra but has not been through QA, and the other is still unresolved. It should be self-explanatory in the bug report, but..... the status of the bugs is mentioned in their bug report, and the version they are targeted for is in the Product Portal when it's been set for release. If you don't know what any of the 'status' fields means, then click on them for an explanation.
    Regards
    Bill
