
Thread: Trusted Network ignored and sending SPAM, at random, as a result.

  1. #1
    JMoreno, Intermediate Member

    Hi all,

    I cannot get the Trusted Network functionality to work on my Zimbra server. My Zimbra server installation is:

    Code:
    # su - zimbra
    $ zmcontrol -v
    	Release 8.0.6.GA.5922.UBUNTU12.64 UBUNTU12_64 FOSS edition.
    At the beginning, I set the Trusted Network as:

    Code:
    mynetworks = 127.0.0.1/32 192.168.0.0/24
    But a few days ago my Zimbra server started sending mails to the outside world (Yahoo, GMail, Hotmail, ...) from mail accounts that do not exist on my server but carry my domain name (e.g. ksdf@my-domain.com, ouyv@my-domain.com); as a consequence I changed my settings to:

    Code:
    # su - zimbra
    $ postconf mynetworks
    	mynetworks = 127.0.0.1/32 192.168.0.61/32 192.168.0.31/32
    $ zmprov gs zimbra.my-domain.com zimbraMtaMyNetworks
    	zimbraMtaMyNetworks: 127.0.0.1/32 192.168.0.61/32 192.168.0.31/32
    $ logout
    As you can read, I want to be very precise about which servers can send mail with no authentication request (/32). After applying these new settings, I can still send mails from a crontab on server 192.168.0.34, which is not included in the Trusted Network list.

    My network configuration is:

    Code:
    192.168.x.x = Network range (255.255.0.0 mask)
    192.168.0.X = IP servers range
    192.168.1.1 = Firewall IP
    192.168.10.1 to 192.168.255.254 = User PC IPs
    I would really appreciate your help. This is driving me crazy.

    Thanks.

  2. #2
    phoenix, Zimbra Consultant & Moderator

    Quote Originally Posted by JMoreno View Post
    But a few days ago my Zimbra server started sending mails to the outside world (Yahoo, GMail, Hotmail, ...) from mail accounts that do not exist on my server but carry my domain name (e.g. ksdf@my-domain.com, ouyv@my-domain.com); as a consequence I changed my settings to:

    Code:
    # su - zimbra
    $ postconf mynetworks
    	mynetworks = 127.0.0.1/32 192.168.0.61/32 192.168.0.31/32
    $ zmprov gs zimbra.my-domain.com zimbraMtaMyNetworks
    	zimbraMtaMyNetworks: 127.0.0.1/32 192.168.0.61/32 192.168.0.31/32
    $ logout
    From the statement you've made above about there being no mail accounts on your Zimbra server, I would guess that spam is being relayed from one of the other machines in your Trusted Networks unless you are an open relay - it isn't by default, but have you checked via an internet test?

    Regards

    Bill

    Acompli: A new adventure for Co-Founder KevinH.

  3. #3
    JMoreno, Intermediate Member

    Hi Phoenix,

    Thank you for your reply.

    Yes, you are right. I was not clear enough regarding email accounts. Let me try to clarify it.

    My Zimbra server:

    - is a stand-alone mail server which sends my mails to the world directly (we do not relay through third-party servers)
    - it holds email accounts which are active and which people use on a daily basis (authentication is required for sending emails)
    - SPAM mails are sent with fake email addresses but with my domain (e.g. ksdf@my-domain.com, ouyv@my-domain.com). Those email addresses do not exist on my server.
    - my firewall (192.168.1.1) is outside the Trusted Network; as a consequence we are not acting as an open relay server for the "outside world". This point is verified with the available internet tools.
    - it should act as an Open Relay server only for 127.0.0.1/32 192.168.0.61/32 192.168.0.31/32 (well, at least, this is my target!! ;-)

    Unfortunately, a crontab on 192.168.0.34 is still delivering mails, which I understand should not be the case, based on my Trusted Network settings (127.0.0.1/32 192.168.0.61/32 192.168.0.31/32). As a consequence, I understand this is not the only machine which overrides the Trusted Network settings.

    Thank you for your help.

  4. #4
    phoenix, Zimbra Consultant & Moderator

    Quote Originally Posted by JMoreno View Post
    - it should act as an Open Relay server only for 127.0.0.1/32 192.168.0.61/32 192.168.0.31/32 (well, at least, this is my target!! ;-)
    Why don't you restrict the Trusted Network setting to just the Zimbra server and force other servers on your network to use the authenticated Submission port 587?

    Take a look in the forums for "compromised account" and follow some of the diagnostic information that you'll find and determine where these mails are coming from.

    Quote Originally Posted by JMoreno View Post
    Unfortunately, a crontab on 192.168.0.34 is still delivering mails, which I understand should not be the case,
    Is this the machine that's causing the problem? Have you restarted ZCS after making the changes to your Trusted Networks?
    Regards

    Bill

  5. #5
    JMoreno, Intermediate Member

    I do not think the issue comes from a "compromised account"; indeed, it is inventing the source email address (e.g. ksdf@my-domain.com, ouyv@my-domain.com).

    Mails from 192.168.0.34 are valid. I removed it intentionally from the Trusted Network, in order to verify the system was working correctly. Unfortunately it was not the case. My first measure was to set:

    Code:
    mynetworks = 127.0.0.1/32
    Basically, "nobody sends un-authenticated emails except me (the Zimbra server)". Surprisingly, this morning I saw that the regular midnight crontab emails from the other servers were delivered correctly!

    Thanks so much for your help and tips!!

  6. #6
    phoenix, Zimbra Consultant & Moderator

    Quote Originally Posted by JMoreno View Post
    Basically, "nobody sends un-authenticated emails except me (the Zimbra server)".
    If that's the case then you need to investigate your logs for details of how those emails are being sent by your server (the "compromised account" posts have details on how to check that) or check your LAN (including your Zimbra server) for a bot or compromised PC.
    Regards

    Bill
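The log check phoenix recommends, written out as an added example that is not from the thread or from Zimbra: it joins Postfix smtpd `client=` and qmgr `from=` lines on the queue ID, flags envelope senders in the local domain that match no real mailbox, and reports the submitting client IP, whether that IP was inside `mynetworks`, and any SASL user. The log lines, the domain and the account set are constructed; only the `mynetworks` value is the one from the thread.

```python
import re
import ipaddress
# Constructed Postfix log lines modelled on the thread: a cron job on
# 192.168.0.34 plus two spoofed senders in my-domain.com (not real log data).
SAMPLE_LOG = """\
Feb 10 00:05:01 zimbra postfix/smtpd[2101]: 7A1B2C3D4E: client=srv34.my-domain.com[192.168.0.34]
Feb 10 00:05:01 zimbra postfix/qmgr[1507]: 7A1B2C3D4E: from=<root@my-domain.com>, size=812, nrcpt=1 (queue active)
Feb 10 00:07:43 zimbra postfix/smtpd[2102]: 8B2C3D4E5F: client=unknown[192.168.37.12]
Feb 10 00:07:43 zimbra postfix/qmgr[1507]: 8B2C3D4E5F: from=<ksdf@my-domain.com>, size=2231, nrcpt=5 (queue active)
Feb 10 00:09:10 zimbra postfix/smtpd[2103]: 9C3D4E5F60: client=pc-22.my-domain.com[192.168.22.9], sasl_method=PLAIN, sasl_username=alice@my-domain.com
Feb 10 00:09:10 zimbra postfix/qmgr[1507]: 9C3D4E5F60: from=<ouyv@my-domain.com>, size=1980, nrcpt=3 (queue active)
"""
# smtpd logs the submitting client (and SASL user, if any); qmgr logs the
# envelope sender. Both carry the queue ID, which is the join key.
CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S+?"
                       r"\[(?P<ip>[0-9a-fA-F.:]+)\](?:.*sasl_username=(?P<user>\S+))?")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")

def parse_postfix_log(text):
    """Return {queue_id: {"ip", "sasl_user", "sender"}} joined on the queue ID."""
    msgs = {}
    for line in text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            msgs.setdefault(m["qid"], {}).update(ip=m["ip"], sasl_user=m["user"])
            continue
        m = FROM_RE.search(line)
        if m:
            msgs.setdefault(m["qid"], {})["sender"] = m["sender"]
    return msgs

def in_mynetworks(ip, mynetworks):
    """True if ip falls inside any CIDR of a Postfix mynetworks string."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in mynetworks.split())

def find_spoofed(text, domain, accounts, mynetworks):
    """Messages whose sender is in our domain but is not a real account, with the
    client IP, whether that IP was inside mynetworks, and the SASL user (if any)."""
    findings = []
    for qid, m in parse_postfix_log(text).items():
        local, _, sender_domain = m.get("sender", "").rpartition("@")
        if sender_domain.lower() != domain or local.lower() in accounts:
            continue
        ip = m.get("ip")  # None when the message came in via local pickup, not smtpd
        findings.append({"qid": qid, "sender": m["sender"], "client_ip": ip,
                         "trusted": in_mynetworks(ip, mynetworks) if ip else None,
                         "sasl_user": m.get("sasl_user")})
    return findings
```

A finding with `trusted: False` and no SASL user points at an SMTP path that bypasses both `mynetworks` and authentication; a finding with a SASL user names the account whose credentials were used.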
