
Thread: Zimbra being an open relay?

  1. #1
    gkra is offline Senior Member
    Join Date
    May 2007
    Location
    San Diego
    Posts
    53
    Rep Power
    8

    Zimbra being an open relay?

    Running Zimbra Open Source version, and about to install the Network trial, but a security scan pointed out that the Zimbra system is acting as an open relay.

    Zimbra is configured to send all mail through an external SMTP server.

    Doing a simple open relay test confirms that Zimbra is happily relaying any mail it gets. (Telnet to SMTP port, MAIL FROM: , RCPT TO: , DATA, some text, and off it goes.)

    Why is Zimbra relaying mail for everything? Even if I tell Zimbra to use an external SMTP server for all outgoing mail, it should still only be accepting mail for the domains that it's configured for.

    zimbra.log output for the test message is below. Please let me know if there's anything else I can provide to help diagnose this.

    Code:
    Jun 29 09:15:50 zimbraserver postfix/smtpd[13993]: 8F77870048: client=tachikoma.ourdomain.tld[AAA.BBB.CCC.31]
    Jun 29 09:16:11 zimbraserver postfix/cleanup[13994]: 8F77870048: message-id=<20070629161550.8F77870048@zimbraserver.ourdomain.tld>
    Jun 29 09:16:11 zimbraserver postfix/qmgr[28445]: 8F77870048: from=<user@externaldomain.tld>, size=404, nrcpt=1 (queue active)
    Jun 29 09:16:11 zimbraserver postfix/smtpd[27396]: 9EB5F7003C: client=localhost[127.0.0.1]
    Jun 29 09:16:11 zimbraserver postfix/cleanup[27136]: 9EB5F7003C: message-id=<20070629161550.8F77870048@zimbraserver.ourdomain.tld>
    Jun 29 09:16:11 zimbraserver postfix/qmgr[28445]: 9EB5F7003C: from=<user@externaldomain.tld>, size=1063, nrcpt=1 (queue active)
    Jun 29 09:16:11 zimbraserver amavis[27303]: (27303-04) FWD via SMTP: <user@externaldomain.tld> -> <user@externaldomain.tld>, BODY=8BITMIME 250 2.6.0 Ok, id=27303-04, from MTA([127.0.0.1]:10025): 250 Ok: queued as 9EB5F7003C
    Jun 29 09:16:11 zimbraserver amavis[27303]: (27303-04) Passed CLEAN, [AAA.BBB.CCC.31] [AAA.BBB.CCC.31] <user@externaldomain.tld> -> <user@externaldomain.tld>, Message-ID: <20070629161550.8F77870048@zimbraserver.ourdomain.tld>, mail_id: 1zldVdAwLx+r, Hits: -0.825, queued_as: 9EB5F7003C, 336 ms
    Jun 29 09:16:11 zimbraserver postfix/smtp[27143]: 8F77870048: to=<user@externaldomain.tld>, relay=127.0.0.1[127.0.0.1], delay=27, status=sent (250 2.6.0 Ok, id=27303-04, from MTA([127.0.0.1]:10025): 250 Ok: queued as 9EB5F7003C)
    Jun 29 09:16:11 zimbraserver postfix/qmgr[28445]: 8F77870048: removed
    Jun 29 09:16:11 zimbraserver postfix/smtp[27615]: 9EB5F7003C: to=<user@externaldomain.tld>, relay=cse-smtp.ourdomain.tld[AAA.BBB.CCC.63], delay=0, status=sent (250 Ok: queued as AE3162C14C)
    Jun 29 09:16:11 zimbraserver postfix/qmgr[28445]: 9EB5F7003C: removed
    Last edited by gkra; 06-29-2007 at 09:56 AM. Reason: formatting fixup

  2. #2
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,585
    Rep Power
    57


    Zimbra is not, by default, an open relay. You must have configured it to be an open relay or you are misunderstanding what's happening - search the forums on the subject.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  3. #3
    gkra is offline Senior Member
    Join Date
    May 2007
    Location
    San Diego
    Posts
    53
    Rep Power
    8


    The extent of my configuration was to do the following using the web admin console:

    Global Settings -> MTA:
    Web mail MTA Hostname: cse-smtp.ucsd.edu
    Relay MTA for external delivery: cse-smtp.ucsd.edu

    The Zimbra system is configured for the following domains:

    cs.ucsd.edu
    cse.ucsd.edu
    csezimbra.ucsd.edu

    It was installed for the "cs.ucsd.edu" domain, and the other two were added as domain aliases for "cs.ucsd.edu" via the zmprov tool, as per documentation found here in the forums and the administrator's guide.

    We're bringing Zimbra in as an additional server in an existing mail domain, which means that other systems are handling mail routing. We have to send all "sent" mail from the zimbra system through the separate smtp server to take care of resolving aliases and mailing lists which are not, and will not be, managed by zimbra.

    If configuring an external SMTP box is all it takes to turn Zimbra into an open relay, I'd consider that a bug.

    If that's not supposed to happen, then where do I look for what might be causing this?

    For now I've firewalled the SMTP services so that they're only reachable by our mailhub (which is the only system that's supposed to be injecting mail into the zimbra system anyway). I want to isolate the root cause, though.

  4. #4
    gkra is offline Senior Member
    Join Date
    May 2007
    Location
    San Diego
    Posts
    53
    Rep Power
    8

    *groan*

    Okay, please forgive me, everyone, for my own stupidity.

    Going through all the threads when I searched for "open relay", I found reference to checking the postfix "mynetworks" variable. This made something click in my head, because $mynetworks is used extensively in our own postfix servers for a lot of the *_restrictions variables in our gateways.

    Sure enough, when I checked it on the zimbra server, it was including the CIDR block where the network security scanner lives. Now it makes perfect sense why it seemed like the Zimbra server was being an open relay. Hosts on $mynetworks are allowed to do much more than hosts not on $mynetworks.

    So, now I have to figure out where in the admin console that was set, and remove that CIDR block.

    Any pointers for *that*? It's not listed in Global Settings -> MTA or Servers -> servername -> MTA anywhere...

  5. #5
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,585
    Rep Power
    57


    You can use these instructions in the wiki.
    Regards


    Bill


  6. #6
    dlbewley is offline Senior Member
    Join Date
    Sep 2006
    Location
    Davis, CA
    Posts
    64
    Rep Power
    8

    You sure it's an "open" relay?

    Jun 29 09:15:50 zimbraserver postfix/smtpd[13993]: 8F77870048: client=tachikoma.ourdomain.tld[AAA.BBB.CCC.31]
    So, is AAA.BBB.CCC.0/24 the same network as your Zimbra server? Looks like you are just being allowed to relay due to your proximity to the server.
    By default postfix allows relay to hosts on the same subnet.

    Postfix Basic Configuration
    Postfix Configuration Parameters

    Code:
    [zimbra@zebra conf]$ postconf |grep networks
    mynetworks = 127.0.0.0/8 10.10.10.128/26
    mynetworks_style = subnet
    parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps
    permit_mx_backup_networks =
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
    smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}
    smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_unknown_client, reject_unknown_hostname, reject_unknown_sender_domain, reject_unauth_destination, permit
    smtpd_sasl_exceptions_networks =
    To truly test if you're an open relay you'll have to test from a client completely removed from your environment.

    My Zimbra server has port 25 firewalled and, like you, email all comes in and out via an SMTP gateway. Including IMAP clients sending messages. OT: like this.
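    As an added illustration of the point made in this post and in #4 above (a host inside $mynetworks is permitted by permit_mynetworks before reject_unauth_destination is ever reached, while an outside client is not), the script below parses constructed postconf output and walks the smtpd_recipient_restrictions order shown above for a given client. This is example code, not from the thread or from Zimbra; the 192.0.2.0/24 block, the 10.10.10.128/26 subnet and the client addresses are assumed values standing in for the AAA.BBB.CCC addresses in the thread.

```python
import ipaddress

# Constructed postconf output modelled on the thread: the scanner's /24
# (192.0.2.0/24 stands in for AAA.BBB.CCC.0/24) was added to mynetworks,
# which the admin console's "MTA Trusted Hosts" field populates per post #7.
POSTCONF_OUTPUT = """\
mynetworks = 127.0.0.0/8 10.10.10.128/26 192.0.2.0/24
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_recipient, reject_unauth_destination, permit
"""

def parse_postconf(text):
    """Turn the 'name = value' lines printed by postconf into a dict."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def mynetworks_of(params):
    return [ipaddress.ip_network(n) for n in params.get("mynetworks", "").split()]

def relay_decision(params, client_ip, sasl_authenticated=False, local_destination=False):
    """Walk smtpd_recipient_restrictions in order for one RCPT TO and return
    (verdict, rule) from the first rule that decides. Only the rules that matter
    for relaying are modelled; any other rule is treated as DUNNO (no match)."""
    client = ipaddress.ip_address(client_ip)
    nets = mynetworks_of(params)
    for rule in (r.strip() for r in params["smtpd_recipient_restrictions"].split(",")):
        if rule == "permit_sasl_authenticated" and sasl_authenticated:
            return "permit", rule
        if rule == "permit_mynetworks" and any(client in net for net in nets):
            return "permit", rule  # trusted client: reject_unauth_destination never runs
        if rule == "reject_unauth_destination" and not local_destination:
            return "reject", rule  # foreign destination from an untrusted client
        if rule == "permit":
            return "permit", rule
    return "permit", "end of list"  # Postfix permits once the list is exhausted

def surplus_networks(params, expected):
    """mynetworks entries beyond those the admin means to trust (loopback + local subnet)."""
    wanted = {ipaddress.ip_network(n) for n in expected}
    return [str(n) for n in mynetworks_of(params) if n not in wanted]

PARAMS = parse_postconf(POSTCONF_OUTPUT)
SCANNER = relay_decision(PARAMS, "192.0.2.31")         # ('permit', 'permit_mynetworks')
OUTSIDER = relay_decision(PARAMS, "198.51.100.7")      # ('reject', 'reject_unauth_destination')
SURPLUS = surplus_networks(PARAMS, ["127.0.0.0/8", "10.10.10.128/26"])  # ['192.0.2.0/24']
```

    On a real server, feed it the output of `postconf mynetworks smtpd_recipient_restrictions` instead of the constructed string; surplus_networks then lists exactly the blocks to remove from MTA Trusted Hosts.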

  7. #7
    gkra is offline Senior Member
    Join Date
    May 2007
    Location
    San Diego
    Posts
    53
    Rep Power
    8


    I'm feeling like a spastic puppy today...

    Okay, the MTA Trusted Hosts field in Global settings is what I needed.

    I've set it to the loopback address and the local subnet (which should be the only things submitting mail to it), and looks like everything is okay now.
