
Thread: My Zimbra work as open relay

  1. #11 phoenix (Zimbra Consultant & Moderator; Vannes, France; joined Sep 2005)

    Quote Originally Posted by robert1b:
    zmprov gacf | grep zimbraMtaMyNetworks
    zimbraMtaMyNetworks: 127.0.0.1/32 127.0.0.2/32 192.168.0.0/21 83.13.98.164/32 83.13.98.166/32 83.144.69.30/32
    Totally different config. Why?

    Different because you've added (or someone has) those IP addresses to your config. It's a big mistake to have external mail servers in your Trusted Networks: if any of those servers gets compromised you have just created an open relay. I'd suggest you remove them from that setting and just have your loopback address and the LAN IP of your Zimbra server.
    Regards
    Bill



  2. #12 robert1b (Intermediate Member; joined Oct 2013)

    Thanks for the advice.
    I removed those IPs. They are my routers' IPs, but it really is a mistake.
    Now it looks like:
    zimbraMtaMyNetworks: 127.0.0.0/8 192.168.0.0/22 192.168.100/0/24

    But I'm still looking for a solution to my problem. This was not the cause.
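Bill's point about external addresses in zimbraMtaMyNetworks, and the corrected value robert1b posted, can be checked mechanically before the setting is applied. The following is an added example, not code from the thread or from Zimbra: it parses a mynetworks-style list with Python's ipaddress module and reports which entries are loopback or private, which are publicly routable (every host in those ranges may relay), and which would not parse as a CIDR at all (the 192.168.100/0/24 token above is one). The function names and the two constants, which copy the values quoted in this thread, are mine.

```python
import ipaddress

# Constructed from the two zimbraMtaMyNetworks values quoted in this thread.
BEFORE = ("127.0.0.1/32 127.0.0.2/32 192.168.0.0/21 "
          "83.13.98.164/32 83.13.98.166/32 83.144.69.30/32")
AFTER = "127.0.0.0/8 192.168.0.0/22 192.168.100/0/24"


def audit_mynetworks(value):
    """Classify each whitespace-separated token of a mynetworks-style list.

    Returns a dict with three lists:
      trusted - loopback or private (RFC 1918) ranges, the only kind that
                normally belongs in zimbraMtaMyNetworks
      public  - globally routable ranges; every host in them may relay
      invalid - tokens that do not parse as an address or CIDR at all
    """
    report = {"trusted": [], "public": [], "invalid": []}
    for token in value.split():
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            # e.g. "192.168.100/0/24": two slashes, so not a CIDR
            report["invalid"].append(token)
            continue
        if net.is_loopback or net.is_private:
            report["trusted"].append(str(net))
        else:
            report["public"].append(str(net))
    return report


def is_safe(value):
    """True when the list contains only loopback/private ranges and parses cleanly."""
    report = audit_mynetworks(value)
    return not report["public"] and not report["invalid"]


if __name__ == "__main__":
    for label, value in (("before", BEFORE), ("after", AFTER)):
        report = audit_mynetworks(value)
        print(f"{label}: safe={is_safe(value)}")
        for kind in ("trusted", "public", "invalid"):
            if report[kind]:
                print(f"  {kind}: {', '.join(report[kind])}")
```

Run it against the output of `zmprov gacf zimbraMtaMyNetworks` (and the per-server `zmprov gs` value, which overrides the global one) after every change to the setting; any line under "public" is a relay path for whoever controls that host.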

  3. #13 sardula (Starter Member; Jakarta, Indonesia; joined Nov 2013)

    I used to have the same problem. Someone hacked into our mail server, sending thousands of spams, which got us banned by other mail servers for a few weeks.

    This is what we did to diagnose and protect the Zimbra mail server:

    1. Set up outgoing SMTP auth (also change submission from port 465 to 587 respectively)
    2. Enforce sender matching between FROM and the SASL username
    3. Set up CBPOLICYD with an appropriately low number
    4. Set up a COS to lock users who fail to provide legitimate credentials after several consecutive attempts
    5. On the Linux box, install Fail2Ban to detect, deter and block any illegal activity (sadly it might include users who forgot their password)

    After monitoring the system and finding the user hacked by the spammer: notify the user, reset the password and enforce a more complicated password (including a limitation on password repetition).

    Hope you can find even better solutions. Just sharing what I've done here.

  4. #14 robert1b (Intermediate Member; joined Oct 2013)

    Thanks for the reply.

    Ad. 1 Should I change zimbraSmtpPort? Now it is 25
    Ad. 2 How do I do this? Which parameter?
    The next points I changed as you suggested.

    Also I changed the spam/antivirus module on the firewall to reject spam mail, not only stamp it.
    This helped somewhat, but I still need to harden my Zimbra mail server.

  5. #15 robert1b (Intermediate Member; joined Oct 2013)

    Now it looks much better on my server.
    I still receive millions of mails not directed to my domain, but they are rejected.

    Dec 9 11:10:57 dotmail1 postfix/smtpd[18230]: connect from 118-168-42-140.dynamic.hinet.net[118.168.42.140]
    Dec 9 11:10:57 dotmail1 postfix/smtpd[20295]: NOQUEUE: filter: RCPT from 118-161-100-46.dynamic.hinet.net[118.161.100.46]: <qqgkfwqoxtjz@yahoo.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<qqgkfwqoxtjz@yahoo.com> to=<shurangamakimo@yahoo.com.tw> proto=SMTP helo=<83.13.98.164>
    Dec 9 11:10:57 dotmail1 postfix/smtpd[20295]: NOQUEUE: filter: RCPT from 118-161-100-46.dynamic.hinet.net[118.161.100.46]: <qqgkfwqoxtjz@yahoo.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<qqgkfwqoxtjz@yahoo.com> to=<shurangamakimo@yahoo.com.tw> proto=SMTP helo=<83.13.98.164>
    Dec 9 11:10:57 dotmail1 postfix/smtpd[20295]: NOQUEUE: reject: RCPT from 118-161-100-46.dynamic.hinet.net[118.161.100.46]: 554 5.7.1 <shurangamakimo@yahoo.com.tw>: Relay access denied; from=<qqgkfwqoxtjz@yahoo.com> to=<shurangamakimo@yahoo.com.tw> proto=SMTP helo=<83.13.98.164>
    Dec 9 11:10:57 dotmail1 postfix/smtpd[21910]: NOQUEUE: filter: RCPT from 118-168-42-192.dynamic.hinet.net[118.168.42.192]: <ftgiwsiufk@yahoo.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<ftgiwsiufk@yahoo.com> to=<uxfu@yahoo.com.tw> proto=SMTP helo=<83.13.98.164>
    Dec 9 11:10:57 dotmail1 postfix/smtpd[21910]: NOQUEUE: filter: RCPT from 118-168-42-192.dynamic.hinet.net[118.168.42.192]: <ftgiwsiufk@yahoo.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<ftgiwsiufk@yahoo.com> to=<uxfu@yahoo.com.tw> proto=SMTP helo=<83.13.98.164>
    Dec 9 11:10:57 dotmail1 postfix/smtpd[21910]: NOQUEUE: reject: RCPT from 118-168-42-192.dynamic.hinet.net[118.168.42.192]: 554 5.7.1 <uxfu@yahoo.com.tw>: Relay access denied; from=<ftgiwsiufk@yahoo.com> to=<uxfu@yahoo.com.tw> proto=SMTP helo=<83.13.98.164>
    Dec 9 11:10:58 dotmail1 postfix/smtpd[18036]: connect from 114-45-22-103.dynamic.hinet.net[114.45.22.103]
    Dec 9 11:10:59 dotmail1 postfix/smtpd[20295]: NOQUEUE: filter: RCPT from 118-161-100-46.dynamic.hinet.net[118.161.100.46]: <qqgkfwqoxtjz@yahoo.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<qqgkfwqoxtjz@yahoo.com> to=<t125772000@yahoo.com.tw> proto=SMTP helo=<83.13.98.164>
    Dec 9 11:10:59 dotmail1 postfix/smtpd[20295]: NOQUEUE: filter: RCPT from 118-161-100-46.dynamic.hinet.net[118.161.100.46]: <qqgkfwqoxtjz@yahoo.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<qqgkfwqoxtjz@yahoo.com> to=<t125772000@yahoo.com.tw> proto=SMTP helo=<83.13.98.164>
    Dec 9 11:10:59 dotmail1 postfix/smtpd[20295]: NOQUEUE: reject: RCPT from 118-161-100-46.dynamic.hinet.net[118.161.100.46]: 554 5.7.1 <t125772000@yahoo.com.tw>: Relay access denied; from=<qqgkfwqoxtjz@yahoo.com> to=<t125772000@yahoo.com.tw> proto=SMTP helo=<83.13.98.164>
    Dec 9 11:10:59 dotmail1 postfix/smtpd[21910]: NOQUEUE: filter: RCPT from 118-168-42-192.dynamic.hinet.net[118.168.42.192]: <ftgiwsiufk@yahoo.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<ftgiwsiufk@yahoo.com> to=<hp771@yahoo.com.tw> proto=SMTP helo=<83.13.98.164>
    Dec 9 11:10:59 dotmail1 postfix/smtpd[21910]: NOQUEUE: filter: RCPT from 118-168-42-192.dynamic.hinet.net[118.168.42.192]: <ftgiwsiufk@yahoo.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<ftgiwsiufk@yahoo.com> to=<hp771@yahoo.com.tw> proto=SMTP helo=<83.13.98.164>
    Dec 9 11:10:59 dotmail1 postfix/smtpd[21910]: NOQUEUE: reject: RCPT from 118-168-42-192.dynamic.hinet.net[118.168.42.192]: 554 5.7.1 <hp771@yahoo.com.tw>: Relay access denied; from=<ftgiwsiufk@yahoo.com> to=<hp771@yahoo.com.tw> proto=SMTP helo=<83.13.98.164>
    Dec 9 11:10:59 dotmail1 postfix/smtpd[18040]: NOQUEUE: filter: RCPT from 118-161-97-78.dynamic.hinet.net[118.161.97.78]: <apvlvtqxdgru@yahoo.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<apvlvtqxdgru@yahoo.com> to=<18s@yahoo.com.tw> proto=SMTP helo=<83.13.98.164>
    Dec 9 11:10:59 dotmail1 postfix/smtpd[18040]: NOQUEUE: filter: RCPT from 118-161-97-78.dynamic.hinet.net[118.161.97.78]: <apvlvtqxdgru@yahoo.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<apvlvtqxdgru@yahoo.com> to=<18s@yahoo.com.tw> proto=SMTP helo=<83.13.98.164>
    Dec 9 11:10:59 dotmail1 postfix/smtpd[18040]: NOQUEUE: reject: RCPT from 118-161-97-78.dynamic.hinet.net[118.161.97.78]: 554 5.7.1 <18s@yahoo.com.tw>: Relay access denied; from=<apvlvtqxdgru@yahoo.com> to=<18s@yahoo.com.tw> proto=SMTP helo=<83.13.98.164>
    Dec 9 11:10:59 dotmail1 postfix/smtpd[18036]: NOQUEUE: filter: RCPT from 114-45-22-103.dynamic.hinet.net[114.45.22.103]: <aybxniww@yahoo.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<aybxniww@yahoo.com> to=<tako99i@yahoo.com.tw> proto=SMTP helo=<83.13.98.164>
    Dec 9 11:10:59 dotmail1 postfix/smtpd[18036]: NOQUEUE: filter: RCPT from 114-45-22-103.dynamic.hinet.net[114.45.22.103]: <aybxniww@yahoo.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<aybxniww@yahoo.com> to=<tako99i@yahoo.com.tw> proto=SMTP helo=<83.13.98.164>
    Dec 9 11:10:59 dotmail1 postfix/smtpd[18036]: NOQUEUE: reject: RCPT from 114-45-22-103.dynamic.hinet.net[114.45.22.103]: 554 5.7.1 <tako99i@yahoo.com.tw>: Relay access denied; from=<aybxniww@yahoo.com> to=<tako99i@yahoo.com.tw> proto=SMTP helo=<83.13.98.164>

  6. #16 liverpoolfcfan (Outstanding Member; Dublin, Ireland; joined Oct 2009)

    I have not used fail2ban as yet but as I understand it, it will add individual IP addresses to a ban list.

    In addition you might want to prevent entire ranges of IP addresses hitting your Zimbra at all. I use a file of IP address ranges to add firewall rules to prevent access to the server using iptables.

    If I see any repeated attempts to relay through the system as above, or see any reported in the daily email report I ...

    1. Use Domain Tools "WhoIs" to look up the address - for example from your report above IP Address Whois | DomainTools.com
    The first line of the results page will give you the IP Address range associated with this address

    2. Use an IP address subnet calculator such as Online IP Subnet Calculator to enter the starting address from the range found in step 1, and then to change the "mask bits" setting repeatedly until the ending ip address in the "Host address range" window matches the ending address found in step 1 (note ignore the difference of 0 versus 1, or 254 versus 255 in the last address octet)

    3. Add the starting address followed by a "/" and the "mask bits" to the file firewallblacklist.txt. In this case 114.32.0.0/12

    4. Run the script /usr/bin/myFirewall to reprocess the firewallblacklist.txt file.

    An example /etc/firewallblacklist.txt file is attached with address ranges for 2 of the error messages you quoted. You can easily append to it.

    A copy of my script (myFirewall) is attached which you can customize for your system and use at your own risk, etc. Please ensure you read all the comments and understand the allowed/prevented connections before using it. Pay particular attention to ensuring you set the appropriate address ranges for localhost and local LAN at the top to prevent locking yourself out of your system. (Note - remove the .txt extension needed to allow upload, and chmod +x to make it executable)

    The basic building blocks of the rule set are:
    1. Clear existing table rules
    2. Allow all access from localhost and local subnets
    3. Clear DROPLIST chain
    4. Add all address ranges from firewallblacklist.txt to DROPLIST chain (LOG and DROP)
    5. Append jump to DROPLIST to INPUT chain (THIS IS AN APPEND to preserve the localhost and local subnet rules already established above)
    6. Insert DROPLIST jump into each of the OUTPUT and FORWARD chains
    7. Add rules to allow remote access for http and/or https (webmail)/smtp, and depending on what other connectivity you allow you will have to open the appropriate ports. I allow secure IMAP only, so for me it is (submission and imaps). But you might also need to consider POP3/secure POP3/IMAP (unsecured)/etc. I don't know all the ports needed.
    8. Add a rule to allow remote access through ssh if needed.
    9. Add the default policies for each chain if a connection does not match any of the above rules: INPUT and FORWARD (DROP) and OUTPUT (ACCEPT). Note: comment out these 3 lines until you are satisfied you have all other rules right.
    10. Save the iptables rule set so that it gets reloaded after a system restart
    11. Finally, list the active rules.
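The whois-to-CIDR step and the DROPLIST build described above can both be expressed as code. The following is an added example, not liverpoolfcfan's myFirewall script or firewallblacklist.txt: cidr_for_range does what step 2 does by hand with the subnet calculator (widen the mask bits until one block covers the whois range, which also absorbs the .1/.254 versus .0/.255 difference the post mentions), and render_droplist_rules reads a blacklist body in the one-CIDR-per-line format and emits the iptables commands for the chain, skipping malformed lines and any range that overlaps the trusted localhost/LAN networks, which is the lockout risk the post warns about. It prints the commands rather than executing them; the function names, the TRUSTED list and the sample blacklist text are my assumptions.

```python
import ipaddress

# Trusted networks that must never end up in DROPLIST (constructed from the
# corrected zimbraMtaMyNetworks value quoted earlier in this thread).
TRUSTED = ["127.0.0.0/8", "192.168.0.0/22"]

# Constructed sample in the firewallblacklist.txt format: one CIDR per line,
# '#' starts a comment. The /12 is the range the post derives for 114.45.22.103.
SAMPLE_BLACKLIST = """\
# range from the whois lookup in step 1
114.32.0.0/12
192.168.0.0/24   # constructed typo: would lock out the LAN, must be skipped
not-an-address   # constructed malformed line
"""


def cidr_for_range(first, last):
    """Smallest single CIDR block containing both ends of a whois range.

    Mirrors step 2: start at /32 and widen the mask until the block's host
    range reaches the end address. Off-by-one ends (x.x.x.1 / x.x.x.254)
    need no special casing because the block is normalised from its edges.
    """
    first_ip = ipaddress.ip_address(first)
    last_ip = ipaddress.ip_address(last)
    if last_ip < first_ip:
        raise ValueError("range end precedes range start")
    for bits in range(32, -1, -1):
        net = ipaddress.ip_network(f"{first_ip}/{bits}", strict=False)
        if last_ip in net:
            return str(net)
    return "0.0.0.0/0"  # unreachable: /0 contains every address


def render_droplist_rules(blacklist_text, trusted=TRUSTED, chain="DROPLIST"):
    """Turn a firewallblacklist.txt body into a list of iptables commands.

    Returns (commands, skipped). Each accepted range gets a LOG rule and a
    DROP rule in the chain; malformed lines and ranges overlapping a trusted
    network are reported in `skipped` instead of becoming rules.
    """
    trusted_nets = [ipaddress.ip_network(t, strict=False) for t in trusted]
    # -N fails harmlessly on re-runs when the chain exists; -F then empties it.
    cmds = [f"iptables -N {chain}", f"iptables -F {chain}"]
    skipped = []
    for raw in blacklist_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            skipped.append((line, "not a valid CIDR"))
            continue
        if any(net.overlaps(t) for t in trusted_nets):
            skipped.append((line, "overlaps trusted network"))
            continue
        cmds.append(f'iptables -A {chain} -s {net} -j LOG --log-prefix "{chain}: "')
        cmds.append(f"iptables -A {chain} -s {net} -j DROP")
    # Append (not insert) to INPUT so the earlier localhost/LAN allow rules
    # still win; insert into FORWARD. A -s match never hits locally generated
    # OUTPUT traffic, so the OUTPUT jump is left out here.
    cmds.append(f"iptables -A INPUT -j {chain}")
    cmds.append(f"iptables -I FORWARD -j {chain}")
    return cmds, skipped


if __name__ == "__main__":
    print("whois 114.32.0.0 - 114.47.255.255 ->", cidr_for_range("114.32.0.0", "114.47.255.255"))
    commands, skipped = render_droplist_rules(SAMPLE_BLACKLIST)
    print("\n".join(commands))
    for entry, reason in skipped:
        print(f"# skipped {entry}: {reason}")
```

Review the printed commands before pasting them into a script, and keep the default-policy lines commented out until the allow rules are confirmed, as the post advises.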

  7. #17 robert1b (Intermediate Member; joined Oct 2013)

    Thanks for the very good reply.
    Because I have the possibility to enter firewall rules on my router/firewall, I do it on the router.
    I use DomainTools and an IP calculator and create rules which block the entire networks of the hosts which try to use my Zimbra server as a relay.
    This will not increase the load on my server.
    Traffic decreased a lot after creating these rules.

    But after some time I noticed one more thing on my Zimbra.
    Another network and IP tried to use my server as a relay.
    Of course I blocked this IP on the router, but that was later.
    After cleaning up the unwanted traffic I started analysing the log. What happened?

    Dec 9 21:55:31 dotmail1 postfix/smtpd[11424]: warning: hostname customer-QRO-130-80.megared.net.mx does not resolve to address 189.194.130.80: Name or service not known
    Dec 9 21:55:31 dotmail1 postfix/smtpd[11424]: connect from unknown[189.194.130.80]
    Dec 9 21:55:32 dotmail1 postfix/smtpd[11424]: lost connection after EHLO from unknown[189.194.130.80]
    Dec 9 21:55:32 dotmail1 postfix/smtpd[11424]: disconnect from unknown[189.194.130.80]
    Dec 9 21:55:32 dotmail1 postfix/smtpd[11424]: connect from gw.dotsystems.pl[192.168.0.254]
    Dec 9 21:55:33 dotmail1 postfix/smtpd[11424]: NOQUEUE: filter: RCPT from gw.dotsystems.pl[192.168.0.254]: <diplomadoseducacincontinua@yahoo.com.mx>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<diplomadoseducacincontinua@yahoo.com.mx> to=<americas@sin1.telmex.net.mx> proto=ESMTP helo=<yahoo.com.mx>
    Dec 9 21:55:33 dotmail1 postfix/smtpd[11424]: 0312A2A2032: client=gw.dotsystems.pl[192.168.0.254]
    Dec 9 21:55:34 dotmail1 postfix/cleanup[15449]: 0312A2A2032: message-id=<20131209205533.0312A2A2032@dotmail1.dotsystems.pl>
    Dec 9 21:55:34 dotmail1 postfix/qmgr[18028]: 0312A2A2032: from=<diplomadoseducacincontinua@yahoo.com.mx>, size=2370, nrcpt=1 (queue active)
    Dec 9 21:55:34 dotmail1 postfix/qmgr[18028]: 53F952A2035: from=<diplomadoseducacincontinua@yahoo.com.mx>, size=2847, nrcpt=1 (queue active)
    Dec 9 21:55:34 dotmail1 postfix/smtp[15585]: 0312A2A2032: to=<americas@sin1.telmex.net.mx>, relay=127.0.0.1[127.0.0.1]:10026, delay=1.8, delays=1.4/0.05/0/0.32, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 53F952A2035)
    Dec 9 21:55:36 dotmail1 postfix/smtp[15593]: 53F952A2035: to=<americas@sin1.telmex.net.mx>, relay=127.0.0.1[127.0.0.1]:10032, delay=2.6, delays=0.2/0.02/0.01/2.3, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B533B2A2032)
    Dec 9 21:55:36 dotmail1 postfix/qmgr[18028]: 53F952A2035: removed
    Dec 9 21:55:36 dotmail1 postfix/qmgr[18028]: B533B2A2032: from=<diplomadoseducacincontinua@yahoo.com.mx>, size=3247, nrcpt=1 (queue active)
    Dec 9 21:58:48 dotmail1 postfix/smtp[15647]: B533B2A2032: to=<americas@sin1.telmex.net.mx>, relay=sin1.telmex.net.mx[148.235.52.50]:25, delay=192, delays=0.24/0.03/192/0, dsn=4.4.2, status=deferred (lost connection with sin1.telmex.net.mx[148.235.52.50] while receiving the initial server greeting)

    If you analyse the logs above you will see that Zimbra started relaying messages. The problem is with the connection from my gateway, whose IP is allowed to relay through the Zimbra server.
    But I have probably found the problem, which is related to my gateway spam filter and Zimbra.

    My gateway spam filter rejects mails stamped as spam, but forwards mails stamped as "Suspected Spam" with its own IP.
    The Zimbra server got the email as an allowed relay, but amavis should reject it after analysis. But it doesn't.
    The problem is that the gateway and spam filter should not change the source IP. Maybe I should disable the spam filter on the gateway?
    I don't know, but I will also send this problem to my gateway support.
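The two log excerpts in this thread (the "Relay access denied" storm in #15 and the gateway relay in #17) can be triaged with one small parser. The following is an added example, not code from the thread or from Zimbra: it pulls the client IP, sender, recipient and HELO out of postfix/smtpd NOQUEUE lines, counts relay rejections per client, flags clients that HELO with a bare IP literal (RFC 5321 requires address literals to be bracketed, so an unbracketed one is a cheap indicator), and lists messages accepted from a client inside zimbraMtaMyNetworks for a recipient outside the local domains, which is exactly the 192.168.0.254 case above. The sample log is constructed from abridged lines quoted in the thread; the function names and the mynetworks/local_domains parameters are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: abridged copies of the postfix/smtpd lines quoted in this thread.
SAMPLE_LOG = """\
Dec 9 11:10:57 dotmail1 postfix/smtpd[20295]: NOQUEUE: filter: RCPT from 118-161-100-46.dynamic.hinet.net[118.161.100.46]: <qqgkfwqoxtjz@yahoo.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<qqgkfwqoxtjz@yahoo.com> to=<shurangamakimo@yahoo.com.tw> proto=SMTP helo=<83.13.98.164>
Dec 9 11:10:57 dotmail1 postfix/smtpd[20295]: NOQUEUE: reject: RCPT from 118-161-100-46.dynamic.hinet.net[118.161.100.46]: 554 5.7.1 <shurangamakimo@yahoo.com.tw>: Relay access denied; from=<qqgkfwqoxtjz@yahoo.com> to=<shurangamakimo@yahoo.com.tw> proto=SMTP helo=<83.13.98.164>
Dec 9 11:10:59 dotmail1 postfix/smtpd[20295]: NOQUEUE: reject: RCPT from 118-161-100-46.dynamic.hinet.net[118.161.100.46]: 554 5.7.1 <t125772000@yahoo.com.tw>: Relay access denied; from=<qqgkfwqoxtjz@yahoo.com> to=<t125772000@yahoo.com.tw> proto=SMTP helo=<83.13.98.164>
Dec 9 11:10:59 dotmail1 postfix/smtpd[21910]: NOQUEUE: reject: RCPT from 118-168-42-192.dynamic.hinet.net[118.168.42.192]: 554 5.7.1 <hp771@yahoo.com.tw>: Relay access denied; from=<ftgiwsiufk@yahoo.com> to=<hp771@yahoo.com.tw> proto=SMTP helo=<83.13.98.164>
Dec 9 21:55:32 dotmail1 postfix/smtpd[11424]: connect from gw.dotsystems.pl[192.168.0.254]
Dec 9 21:55:33 dotmail1 postfix/smtpd[11424]: NOQUEUE: filter: RCPT from gw.dotsystems.pl[192.168.0.254]: <diplomadoseducacincontinua@yahoo.com.mx>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<diplomadoseducacincontinua@yahoo.com.mx> to=<americas@sin1.telmex.net.mx> proto=ESMTP helo=<yahoo.com.mx>
"""

# Matches both the "filter:" and the "reject:" forms of the RCPT stage.
RCPT_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: NOQUEUE: (?P<action>filter|reject): RCPT from "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[0-9.]+)\]: .*?from=<(?P<sender>[^>]*)> "
    r"to=<(?P<rcpt>[^>]*)> proto=\S+ helo=<(?P<helo>[^>]*)>"
)


def parse_rcpt_events(lines):
    """Return one dict (pid, action, host, ip, sender, rcpt, helo) per RCPT line."""
    return [m.groupdict() for m in map(RCPT_RE.search, lines) if m]


def _is_bare_ip(helo):
    """True for an unbracketed IP literal such as helo=<83.13.98.164>."""
    try:
        ipaddress.ip_address(helo)
        return True
    except ValueError:
        return False


def triage(lines, mynetworks, local_domains):
    """Summarise relay activity in smtpd log lines.

    relay_denied   - Counter of 'reject' RCPT events per client IP
    bare_ip_helo   - client IPs that announced themselves with a bare IP
    trusted_relays - (client, sender, recipient) accepted from a client inside
                     mynetworks for a recipient outside local_domains, i.e. mail
                     the server will relay on that client's say-so
    """
    trusted = [ipaddress.ip_network(n, strict=False) for n in mynetworks]
    local = {d.lower() for d in local_domains}
    denied, bare_ip_helo, trusted_relays, seen = Counter(), set(), [], set()
    for ev in parse_rcpt_events(lines):
        ip = ipaddress.ip_address(ev["ip"])
        if ev["action"] == "reject":
            denied[ev["ip"]] += 1
        if _is_bare_ip(ev["helo"]):
            bare_ip_helo.add(ev["ip"])
        rcpt_domain = ev["rcpt"].rsplit("@", 1)[-1].lower()
        if (ev["action"] == "filter" and any(ip in t for t in trusted)
                and rcpt_domain not in local):
            key = (ev["ip"], ev["sender"], ev["rcpt"])
            if key not in seen:  # the filter line repeats per amavis port
                seen.add(key)
                trusted_relays.append(key)
    return {"relay_denied": denied, "bare_ip_helo": bare_ip_helo,
            "trusted_relays": trusted_relays}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines(), ["127.0.0.0/8", "192.168.0.0/22"], ["dotsystems.pl"])
    for ip, n in result["relay_denied"].most_common():
        print(f"relay denied {n:4d}x from {ip}")
    print("bare-IP HELO from:", ", ".join(sorted(result["bare_ip_helo"])))
    for client, sender, rcpt in result["trusted_relays"]:
        print(f"RELAYED via trusted {client}: {sender} -> {rcpt}")
```

Feed it `grep 'postfix/smtpd' /var/log/zimbra.log` (or the file the MTA logs to on your system); a non-empty trusted_relays list names the LAN host whose traffic the server trusts unconditionally, which in this thread turned out to be the gateway's spam filter re-injecting mail from its own address.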
