permit_mynetworks

[ChristOff]

Hello,

I've got a problem with a brand new Zimbra NE 6.0.4 installation just made (on Ubuntu 8.04 if it matters) for a client. This machine is behind a firewall that NAT 25 port to it.

In the trusted networks, I set "127../8" and "192.../32", so I intented to be able to send emails only in an authentificated tsl/ssl way as this configuration only allows anonymous mails from the machine where zimbra is installed itselfs.

My problem is that some spams can be send via this installation from the other side of the firewall; it seems that the firewall (that cannot be changed) breaks something when it does its natting -> spams arrive in the MTA and in the queue, so it's like they were send from the trusted networks, locally so. Of course, trying to send an anonymous email from the network (that isn't trusted) won't work, as excepted; that's why I arrive to this conclusion (the firewall breaks something when it does natting).

After digging into various files, I found the line
permit_mynetworks (in the file /opt/zimbra/conf/postfix_recipient_restrictions.cf)
and it's corresponding
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_sender, permit (in /opt/zimbra/postfix/conf/main.cf)
And in the same file:
local_header_rewrite_clients = permit_mynetworks,permit_sasl_authenticated

So my question is: what would it be if I delete the line "permit_mynetworks" from postfix_recipient_restrictions.cf and restart? Would all outgoing mail coming from anywhere be rejected unless their sender is registered in the system? Or would it be totally impossible to send any mail at all, even for registered users (as in the queue, originating address is sometimes "amavisd [127.0.0.1]" )?

As this parameter seems to be able to totally break the installation (that already is in production), I'd prefer to have an answer before trying to change this setting.

Thanks in advance for answering
Christophe

[phoenix]

Zimbra is not an open relay in it's default installation unless you've modified it to do that, that means that nobody can send spam via your server from outside your firewall. Being behind a firewall does not 'break' anything when you're behind a NAT router or firewall. You should clarify why you think spam is being sent via your server and (possibly) post some headers from a suspect email. You could always review some of the techniques in this article (you can also search the forums for further tips): Improving Anti-spam system - Zimbra :: Wiki - specifically Discarding Emails Sent to Invalid Addresses will get rid of a lot of spam as will adding effective RBLs.

[ChristOff]

Thanks for answering.

I know it's not an open relay by default and did not configure it that way (as implied by my sentence "Of course, trying to send an anonymous email from the network (that isn't trusted) won't work"); but unless that some spams can be send using it. I also know in theory being behind a firewall should not 'break' anything. But the behavious I notice is that some anonymous mails are send via the zimbra server from the internet. The only explanation I see to this is that the natting rules somewhat rewrite IP headers so that packets coming to zimbra are rewritten with the originating IP being the one of the zimbra box.

I think spam are being send via this zimbra box, because I saw hundreds of mails going out of it in the queues and the server has been blacklisted as Spam sender on some ISP. To prevent this, I used a functionnality of the firewall used to filter outgoing spam -> I thought mails would still reach the box and the queue but would have been deleted by the firewall when they tried to go out; what happens is that most of the outgoing spams didn't even reached the box anymore.

I've added the reject_unknown_recipient_domain from the link you gave me and hope the last spams would be cleaned that way.

[phoenix]

Quote:

Originally Posted by ChristOff

I also know in theory being behind a firewall should not 'break' anything.

That's not a theory, it's reality. It makes no difference whether Zimbra is behind a firewall or not - it's behaviour is the same.

Quote:

Originally Posted by ChristOff

But the behavious I notice is that some anonymous mails are send via the zimbra server from the internet. The only explanation I see to this is that the natting rules somewhat rewrite IP headers so that packets coming to zimbra are rewritten with the originating IP being the one of the zimbra box.

That's not true, your NAT rules should not (and probably don't) rewrite the IP headers.

Quote:

Originally Posted by ChristOff

I think spam are being send via this zimbra box, because I saw hundreds of mails going out of it in the queues and the server has been blacklisted as Spam sender on some ISP.

If you actually have spam being sent from your server and you say you're not an open relay then I'd suggest you may have a compromised account on the server - or a compromised machine behind your firewall). You need to look in the log files (and daily report) and see which account is sending high volumes of mail - search the forums for details of a similar incident.

BTW, you can limit MyNetworks to the loopback adapter (that must stay) and the IP of your Zimbra server only (meaning each LAN user must authenticate) - you'll also find details of that in the forums.

[ChristOff]

Quote:

Originally Posted by phoenix

That's not true, your NAT rules should not (and probably don't) rewrite the IP headers.

I cannot see any other explanation knowing everything I've explained here (only trusted network is localhost and IP of zimbra itselfs; all accounts are protected with a strong renewed password).
-> no mail could be send anonymously from anywhere but the zimbra machine itselfs (and as I've not activated the commands to send mails from command line, I'm pretty sure they don't come from "someone" logged onto the zimbra machine neither)

Quote:

Originally Posted by phoenix

If you actually have spam being sent from your server and you say you're not an open relay then I'd suggest you may have a compromised account on the server - or a compromised machine behind your firewall). You need to look in the log files (and daily report) and see which account is sending high volumes of mail - search the forums for details of a similar incident.

All checkboxes in MTA are thick to force authentification of users.
All passwords have been changed with no incidence on the spams send; every machine on the network (15) have been disconnected from the network one by one with no incidence neither. Only machines left connected were 4 servers from which no mail account has been configured at all.
But still (from the last daily report)
top 50 Senders by message count
-------------------------------
61 from=<>

Quote:

Originally Posted by phoenix

BTW, you can limit MyNetworks to the loopback adapter (that must stay) and the IP of your Zimbra server only (meaning each LAN user must authenticate) - you'll also find details of that in the forums.

I already did this. Cfr my first message where I talk about trusted networks being 127..../8 and 192.../32.

My original question was to know what would the impact be if a delete permit_mynetworks from /opt/zimbra/conf/postfix_recipient_restrictions.cf (the idea behind this is to force every single message from anywhere to be send by an authentified account and have not any place where to send anonymous mails from)?

[ArcaneMagus]

Are you basing your assumptions solely on the mail report??

"Senders" is not just addresses that you are sending out... it is a list of ANY "from" address that the server saw, including inbound messages. So incoming spam that has no from address (a rather common case), will show in the top 50 "Senders" as a "from=<>" line.