
Thread: My Zimbra works as an open relay

  1. #1 robert1b (Intermediate Member)

    My Zimbra works as an open relay

    By default Zimbra is not an open relay, but under a massive attack from spammers it behaves as an open relay.
    Most of the connections are blocked, but many of them are relayed.
    How can I tune my Zimbra to stop this?
    My Zimbra version is 8.0.5 and it runs on SUSE Linux 11 SP3.

    Dec 5 11:47:02 dotmail1 postfix/smtp[11912]: CD46D2A2036: to=<meishanchen@yahoo.com.tw>, relay=mx-tw.mail.gm0.yahoodns.net[27.123.206.55]:25, delay=978, delays=976/0.06/1.6/0, dsn=4.7.0, status=deferred (host mx-tw.mail.gm0.yahoodns.net[27.123.206.55] refused to talk to me: 421 4.7.0 [TS01] Messages from 83.13.98.162 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
    Dec 5 11:47:03 dotmail1 postfix/smtp[11912]: CD46D2A2036: to=<mgp01@yahoo.com.tw>, relay=mx-tw.mail.gm0.yahoodns.net[27.123.206.55]:25, delay=978, delays=976/0.06/1.6/0, dsn=4.7.0, status=deferred (host mx-tw.mail.gm0.yahoodns.net[27.123.206.55] refused to talk to me: 421 4.7.0 [TS01] Messages from 83.13.98.162 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)

  2. #2 phoenix (Zimbra Consultant & Moderator, Vannes, France)

    Quote (robert1b):
    By default Zimbra is not an open relay, but under a massive attack from spammers it behaves as an open relay.
    Most of the connections are blocked, but many of them are relayed.

    That can't be true unless you've modified Zimbra to act as an open relay. I'd suggest you go to one of the internet web sites that check your mail server for being an open relay and see what results you get.

    Quote (robert1b):
    How can I tune my Zimbra to stop this?
    My Zimbra version is 8.0.5 and it runs on SUSE Linux 11 SP3.

    Dec 5 11:47:02 dotmail1 postfix/smtp[11912]: CD46D2A2036: to=<meishanchen@yahoo.com.tw>, relay=mx-tw.mail.gm0.yahoodns.net[27.123.206.55]:25, delay=978, delays=976/0.06/1.6/0, dsn=4.7.0, status=deferred (host mx-tw.mail.gm0.yahoodns.net[27.123.206.55] refused to talk to me: 421 4.7.0 [TS01] Messages from 83.13.98.162 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)
    Dec 5 11:47:03 dotmail1 postfix/smtp[11912]: CD46D2A2036: to=<mgp01@yahoo.com.tw>, relay=mx-tw.mail.gm0.yahoodns.net[27.123.206.55]:25, delay=978, delays=976/0.06/1.6/0, dsn=4.7.0, status=deferred (host mx-tw.mail.gm0.yahoodns.net[27.123.206.55] refused to talk to me: 421 4.7.0 [TS01] Messages from 83.13.98.162 temporarily deferred due to user complaints - 4.16.55.1; see http://postmaster.yahoo.com/421-ts01.html)

    From the limited information you've provided, that would appear to be a message being sent to (or relayed through) a Yahoo! server, not relayed through your server. You should never post out-of-context lines from the log files; there's more information in those files and you need to look at that to see who (or where) the mail is coming from. If the mail is from one of your server's accounts then you probably have a "compromised account" - search the forums for that information and the many threads on open relays (if you are one), and make sure you implement strong passwords for your users (you do that in the Admin UI).
    Regards
    Bill

  3. #3 robert1b (Intermediate Member)

    No, these emails are not from my servers. They come from the internet. Most of the connections finish with the message "relay access denied", but some of them go to amavis and are then treated as sent from the local server.
    I tried to block connections with RBL lists, but I don't know if it works. How can I check it?

  4. #4 phoenix (Zimbra Consultant & Moderator, Vannes, France)

    Quote (robert1b):
    No, these emails are not from my servers.

    The problem is you've posted out-of-context log entries; you need to give further details.

    Quote (robert1b):
    They come from the internet. Most of the connections finish with the message "relay access denied", but some of them go to amavis and are then treated as sent from the local server.

    Then provide some evidence of that.

    Quote (robert1b):
    I tried to block connections with RBL lists, but I don't know if it works.

    That's not how you solve this problem.

    Quote (robert1b):
    How can I check it?

    I've already told you: go to an internet site that provides an open relay check and see whether it says your server is an open relay. As I've already mentioned, unless you've modified something on your server (or some other misconfiguration of your network) ZCS will not act as an open relay. You need to tell us what you've done (if anything) and the configuration of your server/network/firewall/NAT router. There are threads in the forums that cover this topic; have you read any of them and the debugging tips they contain?
    Regards
    Bill

  5. #5 robert1b (Intermediate Member)

    I did it; all the check sites say that my server is not a relay. But the problem exists.
    Below is part of a screen dump from the Zimbra Console Queue. There are mails that did not originate from my network and whose destination is also not my domain.
    [attachment: Zimbra_deferred.jpg]

    I configured the RBLs as below:
    zimbra@dotmail1:~> zmprov gacf | grep zimbraMtaRestriction
    zimbraMtaRestriction: reject_invalid_hostname
    zimbraMtaRestriction: reject_non_fqdn_hostname
    zimbraMtaRestriction: reject_non_fqdn_sender
    zimbraMtaRestriction: reject_unknown_client
    zimbraMtaRestriction: reject_unknown_hostname
    zimbraMtaRestriction: reject_unknown_sender_domain
    zimbraMtaRestriction: reject_rbl_client bl.spamcop.net
    zimbraMtaRestriction: reject_rbl_client sbl-xbl.spamhaus.org
    zimbraMtaRestriction: reject_rbl_client dnsbl.sorbs.net
    zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org
    zimbraMtaRestriction: reject_rhsbl_client blackhole.securitysage.com
    zimbraMtaRestriction: reject_rhsbl_reverse_client dul.dnsbl.sorbs.net
    zimbraMtaRestriction: reject_rhsbl_sender blackhole.securitysage.com

    But I checked that the IP from which the connections are made is not listed in any of the above RBLs.
    Maybe the problem is on the firewall or gateway?

  6. #6 chauvetp (Elite Member, New Paltz, NY)

    [edited my message based on the last response]

    Look through your logs (/var/log/maillog especially) for spam messages. Follow the trail of these messages. What IP did they come from? Did that IP authenticate somehow? Were the messages sent from a compromised account on your site, etc.

    The messages may be coming from outside your network but WHY is Zimbra accepting them is what you should be looking for.
    ---
    Paul Chauvet
    State University of New York at New Paltz

  7. #7 chauvetp (Elite Member, New Paltz, NY)

    Oh - and also RBLs are irrelevant if YOUR mail server is passing the spam through. RBLs are to protect your users from receiving mail, not for blocking mail from leaving your mail server. You need to find if you have a compromised account, or if you have some other issue.

    For example, check your postfix configuration, specifically the mynetworks setting (postconf mynetworks).
    ---
    Paul Chauvet
    State University of New York at New Paltz

  8. #8 phoenix (Zimbra Consultant & Moderator, Vannes, France)

    Quote (robert1b):
    I did it; all the check sites say that my server is not a relay.

    Then it's not an open relay, is it.

    Quote (robert1b):
    But the problem exists.

    The 'problem' is something other than an open relay.

    Quote (robert1b):
    Below is part of a screen dump from the Zimbra Console Queue. There are mails that did not originate from my network and whose destination is also not my domain.

    That doesn't mean anything; you need to look in the log files.

    Quote (robert1b):
    I configured the RBLs as below:

    The two Spamhaus RBLs are unnecessary; you only need the 'zen' one, and they should be in order of most effective first.

    Quote (robert1b):
    But I checked that the IP from which the connections are made is not listed in any of the above RBLs.
    Maybe the problem is on the firewall or gateway?

    I've no idea; you've given us no information about your configuration (as I mentioned earlier).
    Regards
    Bill

  9. #9 robert1b (Intermediate Member)

    dotmail1:/var/log # postconf mynetworks
    mynetworks = 127.0.0.0/8

    But this is strange, because in the Zimbra Console I have configured more networks, also:
    192.168.0.0/20 192.168.100.0/24

    Probably the mail arrives with the source address of my gateway. That's why it is relayed.

    Here is part of main.cf:
    smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_rbl_client bl.spamcop.net, reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client dnsbl.sorbs.net, reject_rbl_client zen.spamhaus.org, reject_rhsbl_client blackhole.securitysage.com, reject_rhsbl_reverse_client dul.dnsbl.sorbs.net, reject_rhsbl_sender blackhole.securitysage.com, permit
    smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
    local_header_rewrite_clients = permit_mynetworks,permit_sasl_authenticated
    smtpd_sender_restrictions = check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re
    mynetworks = 127.0.0.0/8 192.168.0.0/20 192.168.100.0/24

    zmprov gacf | grep zimbraMtaMyNetworks
    zimbraMtaMyNetworks: 127.0.0.1/32 127.0.0.2/32 192.168.0.0/21 83.13.98.164/32 83.13.98.166/32 83.144.69.30/32

    A totally different config. Why?

  10. #10 robert1b (Intermediate Member)

    Here are more logs relevant to my problem. I followed the log to find the beginning and end of a mail's track through the server. The beginning is OK, but after the disconnect there is a connection from the gateway handled by the same smtpd process 5881, and the connection is accepted because the IP address belongs to mynetworks.

    Dec 5 17:27:36 dotmail1 postfix/smtpd[5881]: connect from vps96053382.123-vps.co.uk[212.67.215.150]
    Dec 5 17:27:36 dotmail1 postfix/smtpd[5881]: NOQUEUE: filter: RCPT from vps96053382.123-vps.co.uk[212.67.215.150]: <paypal@e.paypal.it>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<paypal@e.paypal.it> to=<aeaudio@earthlink.net> proto=ESMTP helo=<DEDICAT-C8IQ54K>
    Dec 5 17:27:36 dotmail1 postfix/smtpd[5881]: NOQUEUE: filter: RCPT from vps96053382.123-vps.co.uk[212.67.215.150]: <paypal@e.paypal.it>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<paypal@e.paypal.it> to=<aeaudio@earthlink.net> proto=ESMTP helo=<DEDICAT-C8IQ54K>
    Dec 5 17:27:36 dotmail1 postfix/smtpd[5881]: NOQUEUE: reject: RCPT from vps96053382.123-vps.co.uk[212.67.215.150]: 554 5.7.1 <aeaudio@earthlink.net>: Relay access denied; from=<paypal@e.paypal.it> to=<aeaudio@earthlink.net> proto=ESMTP helo=<DEDICAT-C8IQ54K>
    Dec 5 17:27:36 dotmail1 postfix/smtpd[5881]: lost connection after RCPT from vps96053382.123-vps.co.uk[212.67.215.150]
    Dec 5 17:27:36 dotmail1 postfix/smtpd[5881]: disconnect from vps96053382.123-vps.co.uk[212.67.215.150]
    Dec 5 17:27:40 dotmail1 postfix/smtpd[5881]: connect from gw.dotsystems.pl[192.168.0.254]
    Dec 5 17:27:41 dotmail1 postfix/smtpd[5881]: NOQUEUE: filter: RCPT from gw.dotsystems.pl[192.168.0.254]: <paypal@e.paypal.it>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<paypal@e.paypal.it> to=<cwblack45@gmail.com> proto=ESMTP helo=<DEDICAT-C8IQ54K>
    Dec 5 17:27:41 dotmail1 postfix/smtpd[5881]: 12C562A2032: client=gw.dotsystems.pl[192.168.0.254]
    Dec 5 17:27:41 dotmail1 postfix/cleanup[11199]: 12C562A2032: message-id=<20131205162741.12C562A2032@dotmail1.dotsystems.pl>
    Dec 5 17:27:41 dotmail1 postfix/qmgr[28064]: 12C562A2032: from=<paypal@e.paypal.it>, size=1015, nrcpt=1 (queue active)
    Dec 5 17:27:41 dotmail1 postfix/smtp[11200]: 12C562A2032: to=<cwblack45@gmail.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.61, delays=0.39/0.01/0/0.22, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 72C082A2033)
    Dec 5 17:27:41 dotmail1 postfix/qmgr[28064]: 12C562A2032: removed
    Dec 5 17:27:41 dotmail1 postfix/qmgr[28064]: 783E32A2034: from=<paypal@e.paypal.it>, size=1015, nrcpt=1 (queue active)
    Dec 5 17:27:42 dotmail1 postfix/qmgr[28064]: DAD8F2A2035: from=<paypal@e.paypal.it>, size=1475, nrcpt=1 (queue active)
    Dec 5 17:27:42 dotmail1 postfix/qmgr[28064]: 72C082A2033: removed
    Dec 5 17:27:42 dotmail1 postfix/qmgr[28064]: D86ED2A2032: from=<paypal@e.paypal.it>, size=1859, nrcpt=1 (queue active)
    Dec 5 17:27:42 dotmail1 postfix/qmgr[28064]: 783E32A2034: removed
    Dec 5 17:27:42 dotmail1 postfix/smtpd[5881]: NOQUEUE: filter: RCPT from gw.dotsystems.pl[192.168.0.254]: <paypal@e.paypal.it>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<paypal@e.paypal.it> to=<donhar@twol.com> proto=ESMTP helo=<DEDICAT-C8IQ54K>
    Dec 5 17:27:42 dotmail1 postfix/smtpd[5881]: 1139B2A2033: client=gw.dotsystems.pl[192.168.0.254]
    Dec 5 17:27:42 dotmail1 postfix/cleanup[11199]: 1139B2A2033: message-id=<20131205162742.1139B2A2033@dotmail1.dotsystems.pl>
    Dec 5 17:27:42 dotmail1 postfix/qmgr[28064]: 1139B2A2033: from=<paypal@e.paypal.it>, size=1003, nrcpt=1 (queue active)
    Dec 5 17:27:42 dotmail1 postfix/cleanup[11205]: 7527F2A2034: message-id=<20131205162742.1139B2A2033@dotmail1.dotsystems.pl>
    Dec 5 17:27:42 dotmail1 postfix/smtpd[5881]: NOQUEUE: filter: RCPT from gw.dotsystems.pl[192.168.0.254]: <paypal@e.paypal.it>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<paypal@e.paypal.it> to=<ed_65@hotmail.com> proto=ESMTP helo=<DEDICAT-C8IQ54K>
    Dec 5 17:27:42 dotmail1 postfix/smtp[11214]: 1139B2A2033: to=<donhar@twol.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.6, delays=0.39/0/0/0.21, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as C2CA82A2037)
    Dec 5 17:27:42 dotmail1 postfix/qmgr[28064]: 1139B2A2033: removed
    Dec 5 17:27:43 dotmail1 postfix/smtp[11214]: 800B22A2036: to=<ed_65@hotmail.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.63, delays=0.32/0.09/0/0.22, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as EE28B2A2034)
    Dec 5 17:27:43 dotmail1 postfix/qmgr[28064]: 800B22A2036: removed
    Dec 5 17:27:43 dotmail1 postfix/smtp[11214]: 7E0E72A2032: to=<entr0py@comcast.net>, relay=127.0.0.1[127.0.0.1]:10032, delay=0.42, delays=0.14/0/0/0.28, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as CA7712A2035)
    Dec 5 17:27:43 dotmail1 postfix/qmgr[28064]: 7E0E72A2032: removed
    Dec 5 17:27:44 dotmail1 postfix/smtp[11214]: 136F12A2032: to=<fdgt@aol.com>, relay=127.0.0.1[127.0.0.1]:10032, delay=0.44, delays=0.12/0/0/0.31, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 5C8792A2034)
    Dec 5 17:27:44 dotmail1 postfix/qmgr[28064]: 136F12A2032: removed

    Dec 5 17:27:52 dotmail1 postfix/smtp[11230]: C2CA82A2037: to=<donhar@twol.com>, relay=kci-ster-dtc1.kci.net[64.187.64.108]:25, delay=9.7, delays=0.09/0.07/8.5/1, dsn=4.7.1, status=deferred (host kci-ster-dtc1.kci.net[64.187.64.108] said: 450 4.7.1 <paypal@e.paypal.it>: Sender address rejected: Service unavailable, greylisted (Greylisting: The Next Step in the Spam Control War). (in reply to RCPT TO command))
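One way to turn the diagnosis in posts #7, #9 and #10 into a repeatable check, as an added example that is not from the thread: it walks smtpd log lines per process id, tests each client address against the main.cf mynetworks value from post #9 with Python's ipaddress module, and flags a message queued from a mynetworks address whose HELO had just been refused with "Relay access denied" from an outside address (the NAT-masked relay pattern). The log lines, hostnames and outside addresses are constructed placeholders.

```python
import re
import ipaddress
from collections import defaultdict

# mynetworks as in post #9's main.cf. The log is constructed, modelled on the
# PID 5881 session in post #10; hostnames and outside addresses are placeholders.
MYNETWORKS = "127.0.0.0/8 192.168.0.0/20 192.168.100.0/24"
MAILLOG = """\
Dec 5 17:27:36 dotmail1 postfix/smtpd[5881]: connect from vps.example.net[203.0.113.10]
Dec 5 17:27:36 dotmail1 postfix/smtpd[5881]: NOQUEUE: reject: RCPT from vps.example.net[203.0.113.10]: 554 5.7.1 <someone@example.org>: Relay access denied; from=<spoof@example.com> to=<someone@example.org> proto=ESMTP helo=<DEDICAT-C8IQ54K>
Dec 5 17:27:36 dotmail1 postfix/smtpd[5881]: disconnect from vps.example.net[203.0.113.10]
Dec 5 17:27:40 dotmail1 postfix/smtpd[5881]: connect from gw.example.internal[192.168.0.254]
Dec 5 17:27:41 dotmail1 postfix/smtpd[5881]: NOQUEUE: filter: RCPT from gw.example.internal[192.168.0.254]: <spoof@example.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<spoof@example.com> to=<other@example.org> proto=ESMTP helo=<DEDICAT-C8IQ54K>
Dec 5 17:27:41 dotmail1 postfix/smtpd[5881]: 12C562A2032: client=gw.example.internal[192.168.0.254]
Dec 5 17:30:00 dotmail1 postfix/smtpd[5882]: NOQUEUE: filter: RCPT from pc1.example.internal[192.168.1.20]: <user@example.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<user@example.com> to=<friend@example.org> proto=ESMTP helo=<pc1>
Dec 5 17:30:00 dotmail1 postfix/smtpd[5882]: 9A3B12A2040: client=pc1.example.internal[192.168.1.20]
"""

SMTPD = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<rest>.*)")
RCPT = re.compile(r"NOQUEUE: (?P<action>reject|filter): RCPT from \S+\[(?P<ip>[\d.]+)\]:"
                  r"(?P<msg>.*?)helo=<(?P<helo>[^>]*)>")
QUEUED = re.compile(r"^(?P<qid>[0-9A-F]+): client=\S+\[(?P<ip>[\d.]+)\]")

def in_mynetworks(ip, mynetworks=MYNETWORKS):
    """True when permit_mynetworks would match this client address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in mynetworks.split())

def find_nat_relays(log, mynetworks=MYNETWORKS):
    """Flag queued messages whose HELO was first refused with 'Relay access denied'
    from an outside address and then accepted from a mynetworks address."""
    denied = defaultdict(set)   # helo -> outside client IPs refused relay
    pending = {}                # smtpd pid -> suspicious session awaiting a queue id
    findings = []
    for line in log.splitlines():
        m = SMTPD.search(line)
        if not m:
            continue
        pid, rest = m.group("pid"), m.group("rest")
        r = RCPT.search(rest)
        if r:
            ip, helo = r.group("ip"), r.group("helo")
            if r.group("action") == "reject" and "Relay access denied" in r.group("msg"):
                if not in_mynetworks(ip, mynetworks):
                    denied[helo].add(ip)
            elif in_mynetworks(ip, mynetworks) and helo in denied:
                pending[pid] = {"pid": pid, "gateway": ip, "helo": helo,
                                "origins": sorted(denied[helo])}
            continue
        q = QUEUED.match(rest)
        if q and pid in pending and q.group("ip") == pending[pid]["gateway"]:
            finding = pending.pop(pid)
            finding["queue_id"] = q.group("qid")
            findings.append(finding)
    return findings
```

A hit here means Postfix only ever saw the gateway's address for the second connection, which is why permit_mynetworks fired and the RBL checks never applied; the fix is on the gateway/NAT side or in the mynetworks value, not in more RBLs.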
