06-29-2007, 09:47 AM
Zimbra being an open relay?
Running Zimbra Open Source version, and about to install the Network trial, but a security scan pointed out that the Zimbra system is acting as an open relay.
Zimbra is configured to send all mail through an external SMTP server.
Doing a simple open relay test confirms that Zimbra is happily relaying any mail it gets. (Telnet to SMTP port, MAIL FROM: , RCPT TO: , DATA, some text, and off it goes.)
Why is Zimbra relaying mail for everything? Even if I tell Zimbra to use an external SMTP server for all outgoing mail, it should still only be accepting mail for the domains that it's configured for.
zimbra.log output for the test message is below. Please let me know if there's anything else I can provide to help diagnose this.
Code:
Jun 29 09:15:50 zimbraserver postfix/smtpd[13993]: 8F77870048: client=tachikoma.ourdomain.tld[AAA.BBB.CCC.31]
Jun 29 09:16:11 zimbraserver postfix/cleanup[13994]: 8F77870048: message-id=<20070629161550.8F77870048@zimbraserver.ourdomain.tld>
Jun 29 09:16:11 zimbraserver postfix/qmgr[28445]: 8F77870048: from=<user@externaldomain.tld>, size=404, nrcpt=1 (queue active)
Jun 29 09:16:11 zimbraserver postfix/smtpd[27396]: 9EB5F7003C: client=localhost[127.0.0.1]
Jun 29 09:16:11 zimbraserver postfix/cleanup[27136]: 9EB5F7003C: message-id=<20070629161550.8F77870048@zimbraserver.ourdomain.tld>
Jun 29 09:16:11 zimbraserver postfix/qmgr[28445]: 9EB5F7003C: from=<user@externaldomain.tld>, size=1063, nrcpt=1 (queue active)
Jun 29 09:16:11 zimbraserver amavis[27303]: (27303-04) FWD via SMTP: <user@externaldomain.tld> -> <user@externaldomain.tld>, BODY=8BITMIME 250 2.6.0 Ok, id=27303-04, from MTA([127.0.0.1]:10025): 250 Ok: queued as 9EB5F7003C
Jun 29 09:16:11 zimbraserver amavis[27303]: (27303-04) Passed CLEAN, [AAA.BBB.CCC.31] [AAA.BBB.CCC.31] <user@externaldomain.tld> -> <user@externaldomain.tld>, Message-ID: <20070629161550.8F77870048@zimbraserver.ourdomain.tld>, mail_id: 1zldVdAwLx+r, Hits: -0.825, queued_as: 9EB5F7003C, 336 ms
Jun 29 09:16:11 zimbraserver postfix/smtp[27143]: 8F77870048: to=<user@externaldomain.tld>, relay=127.0.0.1[127.0.0.1], delay=27, status=sent (250 2.6.0 Ok, id=27303-04, from MTA([127.0.0.1]:10025): 250 Ok: queued as 9EB5F7003C)
Jun 29 09:16:11 zimbraserver postfix/qmgr[28445]: 8F77870048: removed
Jun 29 09:16:11 zimbraserver postfix/smtp[27615]: 9EB5F7003C: to=<user@externaldomain.tld>, relay=cse-smtp.ourdomain.tld[AAA.BBB.CCC.63], delay=0, status=sent (250 Ok: queued as AE3162C14C)
Jun 29 09:16:11 zimbraserver postfix/qmgr[28445]: 9EB5F7003C: removed
Last edited by gkra; 06-29-2007 at 09:56 AM..
Reason: formatting fixup
06-29-2007, 10:01 AM
Zimbra Consultant & Moderator
Posts: 20,317
Zimbra is not, by default, an open relay. You must have configured it to be an open relay or you are misunderstanding what's happening - search the forums on the subject.
__________________
Regards
Bill
06-29-2007, 10:14 AM
The extent of my configuration was to do the following using the web admin console:
Global Settings -> MTA:
Web mail MTA Hostname: cse-smtp.ucsd.edu
Relay MTA for external delivery: cse-smtp.ucsd.edu
The Zimbra system is configured for the following domains:
cs.ucsd.edu
cse.ucsd.edu
csezimbra.ucsd.edu
It was installed for the "cs.ucsd.edu" domain, and the other two were added as domain aliases for "cs.ucsd.edu" via the zmprov tool, as per documentation found here in the forums and the administrator's guide.
We're bringing Zimbra in as an additional server in an existing mail domain, which means that other systems are handling mail routing. We have to send all "sent" mail from the zimbra system through the separate smtp server to take care of resolving aliases and mailing lists which are not, and will not be, managed by zimbra.
If configuring an external SMTP box is all it takes to turn Zimbra into an open relay, I'd consider that a bug.
If that's not supposed to happen, then where do I look for what might be causing this?
For now I've firewalled the SMTP services so that they're only reachable by our mailhub (which is the only system that's supposed to be injecting mail into the zimbra system anyway). I want to isolate the root cause, though.
06-29-2007, 10:43 AM
*groan* Okay, please forgive me, everyone, for my own stupidity.
Going through all the thread when I searched for "open relay", I found reference to checking the postfix "mynetworks" variable. This made something click in my head, because $mynetworks is used extensively in our own postfix servers for a lot of the *_restrictions variables in our gateways.
Sure enough, when I checked it on the zimbra server, it was including the CIDR block where the network security scanner lives. Now it makes perfect sense why it seems like the Zimbra server was being an open relay. Hosts on $mynetworks are allowed to do much more than hosts not on $mynetworks.
So, now I have to figure out where in the admin console that was set, and remove that CIDR block.
Any pointers for *that*? It's not listed in Global Settings -> MTA or Servers -> servername -> MTA anywhere...
06-29-2007, 10:53 AM
Zimbra Consultant & Moderator
Posts: 20,317
You can use these instructions in the wiki.
__________________
Regards
Bill
06-29-2007, 10:55 AM
You sure it's an "open" relay?
Quote:
Jun 29 09:15:50 zimbraserver postfix/smtpd[13993]: 8F77870048: client=tachikoma.ourdomain.tld[AAA.BBB.CCC.31]
So, is AAA.BBB.CCC.0/24 the same network as your Zimbra server? Looks like you are just being allowed to relay due to your proximity to the server.
By default postfix allows relay to hosts on the same subnet. (See: Postfix Basic Configuration; Postfix Configuration Parameters.)
Code:
[zimbra@zebra conf]$ postconf |grep networks
mynetworks = 127.0.0.0/8 10.10.10.128/26
mynetworks_style = subnet
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
permit_mx_backup_networks =
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_unknown_client, reject_unknown_hostname, reject_unknown_sender_domain, reject_unauth_destination, permit
smtpd_sasl_exceptions_networks =
To truly test if you're an open relay you'll have to test from a client completely removed from your environment.
My Zimbra server has port 25 firewalled and, like you, email all comes in and out via an SMTP gateway. Including IMAP clients sending messages. OT: like this.
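The two replies above make the same point from different angles: the scanner was accepted because its address matched mynetworks, and permit_mynetworks sits before reject_unauth_destination in smtpd_recipient_restrictions. The following Python model is an added example (not code from this thread or from Zimbra) that walks a postconf excerpt the way Postfix walks that restriction list, so an administrator can see which client ranges a given mynetworks value lets through. The postconf text, including its relay_domains line standing in for whatever the real server treats as authorised destinations, is a constructed sample; only the three restrictions that decide relaying are modelled, the rest are treated as passing.

```python
import ipaddress

# Constructed sample modelled on the `postconf` excerpt quoted in this thread
# (not the poster's real configuration; the relay_domains line is assumed).
POSTCONF_OUTPUT = """\
mynetworks = 127.0.0.0/8 10.10.10.128/26
mynetworks_style = subnet
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_recipient, reject_unauth_destination, permit
relay_domains = cs.ucsd.edu cse.ucsd.edu csezimbra.ucsd.edu
"""


def parse_postconf(text):
    """Turn `key = value` lines from postconf output into a dict."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def in_mynetworks(conf, client_ip):
    """True if client_ip falls inside any CIDR block listed in mynetworks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net, strict=False)
               for net in conf.get("mynetworks", "").split())


def would_accept(conf, client_ip, rcpt_domain, sasl_authenticated=False):
    """Walk smtpd_recipient_restrictions left to right, as Postfix does.
    Only permit_sasl_authenticated, permit_mynetworks and
    reject_unauth_destination are modelled; other entries pass through."""
    authorised = set(conf.get("relay_domains", "").split())
    for restriction in conf["smtpd_recipient_restrictions"].replace(",", " ").split():
        if restriction == "permit_sasl_authenticated" and sasl_authenticated:
            return True
        if restriction == "permit_mynetworks" and in_mynetworks(conf, client_ip):
            return True  # the branch the scanner took: trusted by address alone
        if restriction == "reject_unauth_destination" and rcpt_domain not in authorised:
            return False  # untrusted, unauthenticated client, foreign domain: refused
        if restriction == "permit":
            return True
    return True  # Postfix permits when the list is exhausted


def trusted_beyond_loopback(conf):
    """Every non-loopback range in mynetworks may relay anywhere; review each."""
    return [net for net in conf.get("mynetworks", "").split()
            if not ipaddress.ip_network(net, strict=False).is_loopback]


CONF = parse_postconf(POSTCONF_OUTPUT)
```

Run it against the output of `postconf` on the real server to list which ranges, beyond loopback, are being trusted to relay.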
06-29-2007, 10:59 AM
I'm feeling like a spastic puppy today...
Okay, the MTA Trusted Hosts field in Global settings is what I needed.
I've set it to the loopback address and the local subnet (which should be the only things submitting mail to it), and looks like everything is okay now.