01-04-2010, 11:13 AM
[SOLVED] SMTP Auth not working
I have my Zimbra install set up to authenticate for SMTP, but it doesn't appear to be actually enforcing anything. I set up my AOL account in Thunderbird, then added my Zimbra server as the outgoing SMTP and it went through fine.
My Auth settings are
zimbraMtaAuthEnabled: TRUE
zimbraMtaAuthHost: ******
zimbraMtaAuthTarget: TRUE
zimbraMtaAuthURL: http://*******:80/service/soap/
zimbraMtaTlsAuthOnly: FALSE
Version: Release 5.0.9_GA_2533.RHEL4_64_20080814162041 RHEL4_64 FOSS edition
I've checked to make sure my server isn't an open relay, and it passes all the tests. Any idea what's going on? Thanks
01-05-2010, 12:20 AM
Zimbra Consultant & Moderator
Quote:
Originally Posted by alapierre
I have my Zimbra install set up to authenticate for SMTP, but it doesn't appear to be actually enforcing anything. I set up my AOL account in Thunderbird, then added my Zimbra server as the outgoing SMTP and it went through fine.

That would hardly be surprising as, I guess, you sent the message from a machine on your local LAN and they don't need authentication if they're in the Trusted Networks. Sending mail through port 25 from a client is incorrect and you should use Port 587 (the correct Submission port) which does require authentication.
__________________
Regards
Bill
01-05-2010, 03:49 AM
Ok, I'm able to do the same thing from my home, are you saying it's because my Zimbra server accepts Port 25 which doesn't require authentication? If so, how do I disable port 25 on my Zimbra server? Thanks for your help
01-05-2010, 04:00 AM
Zimbra Consultant & Moderator
Quote:
Originally Posted by alapierre
Ok, I'm able to do the same thing from my home, are you saying it's because my Zimbra server accepts Port 25 which doesn't require authentication? If so, how do I disable port 25 on my Zimbra server? Thanks for your help

Why do you want to disable port 25, that's how mail servers communicate with each other and if you disable it you won't be receiving any mail at all.
The point I made earlier is that you will be able to connect to your mail server from anywhere on the internet on port 25 to send mail to your own domain but you won't be able to send mail anywhere else unless you've modified Zimbra to do that.
__________________
Regards
Bill
01-05-2010, 04:12 AM
Ok, let me explain why I think I'm having problems. I've been looking through my mail logs, and there are a bunch of strange things that make me think somebody has been able to use my server to send mail through it, or at least attempt to. I'm also a little paranoid right now because last month one of our account credentials was compromised, and the user account was used to send out tons of spam which resulted in our server being put on a lot of block lists. So I'm still trying to get the effects of that fixed. Anything even remotely strange makes me worried now...here is some of the log.
Code:
Jan 3 04:08:57 mail postfix/qmgr[30323]: 918D3C8940A: from=, size=10234, nrcpt=50 (queue active)
Jan 3 04:08:57 mail postfix/qmgr[30323]: E9FD4C89404: from=, size=10244, nrcpt=50 (queue active)
Jan 3 04:08:57 mail postfix/qmgr[30323]: EDC63C89324: from=, size=10244, nrcpt=50 (queue active)
Jan 3 04:08:57 mail postfix/qmgr[30323]: 23B09C885DF: from=, size=10234, nrcpt=50 (queue active)
Jan 3 04:08:57 mail postfix/qmgr[30323]: 3B5BDC886D7: from=, size=10234, nrcpt=50 (queue active)
Jan 3 04:08:58 mail postfix/smtp[17340]: 918D3C8940A: to=, relay=none, delay=29902, delays=29901/0.09/1.1/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=freelinuxemail.com type=MX: Host not found, try again)
Jan 3 04:09:10 mail postfix/smtpd[16461]: connect from unknown[95.58.20.122]
Jan 3 04:09:12 mail postfix/smtpd[16461]: C9AE5C88624: client=unknown[95.58.20.122]
Jan 3 04:09:15 mail postfix/cleanup[16464]: C9AE5C88624: message-id=<006201ca8c86$b586d820$20948860$@com>
Jan 3 04:09:15 mail postfix/qmgr[30323]: C9AE5C88624: from=, size=5908, nrcpt=3 (queue active)
Jan 3 04:09:15 mail postfix/smtpd[16461]: disconnect from unknown[95.58.20.122]
Jan 3 04:09:19 mail postfix/qmgr[30323]: C9AE5C88624: removed
Jan 3 04:09:27 mail postfix/smtp[17339]: connect to mail.dotstandards.com[216.178.7.253]: Connection timed out (port 25)
Jan 3 04:09:27 mail postfix/smtp[17341]: connect to mail.dotstandards.com[216.178.7.253]: Connection timed out (port 25)
Jan 3 04:09:27 mail postfix/smtp[17342]: connect to mail.maildomination.com[216.178.7.253]: Connection timed out (port 25)
Jan 3 04:09:27 mail postfix/smtp[17343]: connect to mail.mysmtpmail.com[216.178.7.253]: Connection timed out (port 25)
Jan 3 04:09:27 mail postfix/smtp[17346]: connect to mail.maildomination.com[216.178.7.253]: Connection timed out (port 25)
Jan 3 04:09:27 mail postfix/smtp[17347]: connect to mail.dotstandards.com[216.178.7.253]: Connection timed out (port 25)
Jan 3 04:09:27 mail postfix/smtp[17348]: connect to mail.maildomination.com[216.178.7.253]: Connection timed out (port 25)
Jan 3 04:09:27 mail postfix/smtp[17349]: connect to mail.mysmtpmail.com[216.178.7.253]: Connection timed out (port 25)
Jan 3 04:09:27 mail postfix/smtp[17345]: connect to alltel.net[166.102.165.202]: Connection timed out (port 25)
Jan 3 04:09:27 mail postfix/smtp[17339]: E9FD4C89404: to=, relay=none, delay=29824, delays=29794/0.04/30/0, dsn=4.4.1, status=deferred (connect to mail.dotstandards.com[216.178.7.253]: Connection timed out)
Jan 3 04:09:27 mail postfix/smtp[17344]: connect to mail.faithus.com[69.64.155.127]: Connection timed out (port 25)
Jan 3 04:09:27 mail postfix/smtp[17341]: EDC63C89324: to=, relay=none, delay=30195, delays=30165/0.05/30/0, dsn=4.4.1, status=deferred (connect to mail.dotstandards.com[216.178.7.253]: Connection timed out)
Jan 3 04:09:27 mail postfix/smtp[17347]: 3B5BDC886D7: to=, relay=none, delay=29778, delays=29748/0.06/30/0, dsn=4.4.1, status=deferred (connect to mail.dotstandards.com[216.178.7.253]: Connection timed out)

All of the "from"s and "to"s are strange addresses. Is it something I shouldn't be worried about?
01-05-2010, 04:33 AM
Zimbra Consultant & Moderator
Quote:
Originally Posted by alapierre
Ok, let me explain why I think I'm having problems. I've been looking through my mail logs, and there are a bunch of strange things that make me think somebody has been able to use my server to send mail through it, or at least attempt to.

That's normal, that is what spammers try to do when a mail server is an open relay - I'll state it again for the record: by default Zimbra is not configured as an open relay. You can check that with any of the on-line open relay tests available on the internet.

Quote:
Originally Posted by alapierre
I'm also a little paranoid right now because last month one of our account credentials was compromised, and the user account was used to send out tons of spam which resulted in our server being put on a lot of block lists.

I understand that this is a worry to you but that problem is a matter of your internal security, you can modify the requirements for more secure passwords in the Admin UI. You should also educate your users on what you're doing and why passwords need to be improved.

Quote:
Originally Posted by alapierre
So I'm still trying to get the effects of that fixed. Anything even remotely strange makes me worried now...here is some of the log.

At a quick glance there's nothing to worry about in those logs, they will be rejected for various reasons.

Quote:
Originally Posted by alapierre
All of the "from"s and "to"s are strange addresses. Is it something I shouldn't be worried about?

Not as far as I can see.
There are several techniques in the wiki article on improving the anti-spam system such as rejecting unlisted recipients that you could implement. Other than that, I'd suggest improving your users' password requirements and keeping on the daily mail report and see if anything looks strange or is of concern to you.
__________________
Regards
Bill
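Added example (not part of the original thread, and not Zimbra's own tooling): a short Python script for the kind of log review discussed above. It groups Postfix log lines by queue ID and lists high-recipient messages with the client and, where logged, the SASL username that submitted them, which separates unauthenticated port 25 traffic from mail sent through a logged-in account. The sample log, the threshold and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in Postfix syslog format; hosts, users and IPs are made up.
SAMPLE_LOG = """\
Jan 3 04:09:12 mail postfix/smtpd[16461]: C9AE5C88624: client=unknown[192.0.2.10]
Jan 3 04:09:15 mail postfix/qmgr[30323]: C9AE5C88624: from=<a@example.org>, size=5908, nrcpt=3 (queue active)
Jan 3 04:10:01 mail postfix/smtpd[16470]: 918D3C8940A: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=jdoe
Jan 3 04:10:02 mail postfix/qmgr[30323]: 918D3C8940A: from=<x@example.net>, size=10234, nrcpt=50 (queue active)
Jan 3 04:10:05 mail postfix/smtp[17340]: 918D3C8940A: to=<y@example.com>, relay=none, delay=3, delays=1/0/2/0, dsn=4.4.1, status=deferred (connect timed out)
"""

# daemon name, queue ID, remainder; lines without a queue ID are skipped
LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]{6,}): (.*)")

def summarize(log_text):
    """Group log lines by queue ID: submitting client, SASL user, recipients, deferrals."""
    msgs = defaultdict(lambda: {"client": None, "sasl_user": None, "nrcpt": 0, "deferred": 0})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        rec = msgs[qid]
        if daemon == "smtpd" and rest.startswith("client="):
            rec["client"] = rest.split(",")[0][len("client="):]
            user = re.search(r"sasl_username=(\S+)", rest)
            rec["sasl_user"] = user.group(1) if user else None
        elif daemon == "qmgr":
            # qmgr repeats this line on every retry, so assign rather than add
            n = re.search(r"nrcpt=(\d+)", rest)
            if n:
                rec["nrcpt"] = int(n.group(1))
        elif daemon == "smtp" and "status=deferred" in rest:
            rec["deferred"] += 1
    return dict(msgs)

def flag_bulk(msgs, min_rcpt=20):
    """Return (queue ID, submitter, client, nrcpt) for high-recipient messages."""
    return sorted(
        (qid, r["sasl_user"] or "unauthenticated", r["client"], r["nrcpt"])
        for qid, r in msgs.items() if r["nrcpt"] >= min_rcpt
    )

if __name__ == "__main__":
    for row in flag_bulk(summarize(SAMPLE_LOG)):
        print(row)
```

A client of None means the smtpd line for that queue ID is outside the log window being read, as it would be for the long-queued messages (delay around 29,000 seconds) in the excerpt posted above.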
01-05-2010, 04:47 AM
Thanks for your help Bill. I'll keep an eye on things.