Thread: SMTP authenticated ONLY access ?

  1. #1

    We currently have a split domain setup, with Zimbra as a secondary server. We also currently do a high level antispam/virus at the edge, so there's no outside access at port 25.

    Internally, we allow users to have access to SMTP and they can relay outside the domain if authed. Of course, since it's a split domain setup, Zimbra accepts emails for ANY email address at the domain without the need to authenticate.

    What we would like to do is to allow them SMTP access from the outside world but only if authenticated, while preventing spam/spoofs.

    This should be easier to do with SSL, forcing that connection to perform auth regardless, while leaving port 25 as is (and firewalling it). Otherwise, if port 25 is forced to do authentication (TLS) then the edge MTAs would have to do this as well, right?

    TIA and let me know if it's confusing and I'll try to clarify this...

  2. #2
    phoenix, Zimbra Consultant & Moderator

    You have a couple of choices: you can open port 25 to the outside world and add the edge MTAs' IP addresses to your 'mynetworks' (a trusted network and no authentication needed). You could leave port 25 closed and get the external clients to use the correct submissions port 587 for sending mail and 443 or 993 for retrieving their mail.
    Last edited by phoenix; 12-27-2007 at 12:39 AM.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  3. #3

    Opening port 25 as is is not an option, as in a split domain, Zimbra would still accept port 25 spam attacks...

    So option A would be to force TLS authentication on port 25, if outside mynetworks (edge MTAs would be on mynetworks)

    Option B would be to allow port 25 to accept in TLS auth mode ONLY regardless of mynetworks (and I set up the edge MTAs to TLS auth)

    Or option C would be to maintain port 25 blocked via firewall, but open up 465 (SMTP over SSL) provided that it's set up to force authentication regardless of mynetworks

    587 (sendmail submission) is not enabled by default on Zimbra (at least I don't see anything listening on that port)

    No problems with incoming mail (http/imap/pop3).

    TIA...

  4. #4
    phoenix, Zimbra Consultant & Moderator

    The wiki article describes SMTP over SSL and is (IIRC correctly) enabled by default in Zimbra 5; the submissions port 587 is not enabled by default. You should have a look in /opt/zimbra/postfix/conf/master.cf for the following lines:

    Code:
    #submission inet n      -       n       -       -       smtpd
    #        -o smtpd_etrn_restrictions=reject
    #        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    and uncomment them; the white space in front of the second and third lines is important and must be there.

    Modify your Zimbra server to require authentication and restart it and you should be set. The port 587 will not survive an upgrade and you'll need to modify that after you do any Zimbra upgrade; there's an RFE in bugzilla to make that change permanent if you want to vote on it.
    Regards


    Bill



  5. #5

    Thanks - currently testing 4.5.10 and 465 is enabled there using:

    Code:
    465    inet  n       -       n       -       -       smtpd
      -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
    And I would guess that here or in the default one would be where I would add any options to force the authentication, right? And what options would that be?

    TIA

  6. #6
    phoenix, Zimbra Consultant & Moderator

    The correct port to use for Submissions would be 587 as that's the one defined in the RFC; it's also required to use Authentication on that port. You can enable Authentication on the server by checking the Admin UI MTA tab on either the Global or Server settings and checking the following:

    Code:
    Enable authentication
    TLS authentication only
    Regards


    Bill


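An audit check for the master.cf entries quoted in posts #4 and #5, added here as an example and not part of the original thread or of Zimbra's tooling: it reports, per smtpd service, whether a `-o` restriction override lets through only SASL-authenticated clients before `reject`. The sample file, function names and the simplified rule are assumptions; it reads only `-o name=value` overrides in master.cf, so a False result means master.cf alone does not enforce authentication for that service (main.cf settings are not considered).

```python
import re

# Constructed sample master.cf, modelled on the two entries quoted in the thread.
SAMPLE = """\
# comments and blank lines are ignored
465    inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
submission inet n      -       n       -       -       smtpd
        -o smtpd_etrn_restrictions=reject
        -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

RESTRICTION_KEYS = ("smtpd_client_restrictions", "smtpd_helo_restrictions",
                    "smtpd_sender_restrictions", "smtpd_recipient_restrictions")

def parse_master_cf(text):
    """Return {service: {option: value}} for smtpd services (hypothetical helper)."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()  # leading whitespace continues an entry
        else:
            entries.append(raw.strip())
    services = {}
    for entry in entries:
        fields = entry.split()
        if len(fields) >= 8 and fields[7] == "smtpd":
            services[fields[0]] = dict(re.findall(r"-o\s+([\w.]+)=(\S+)", entry))
    return services

def auth_enforced(opts):
    """True if a restriction list permits only SASL-authenticated clients, then rejects."""
    for key in RESTRICTION_KEYS:
        tokens = [t for t in opts.get(key, "").split(",") if t]
        if "reject" in tokens:
            before = tokens[:tokens.index("reject")]
            if before and all(t == "permit_sasl_authenticated" for t in before):
                return True
    return False

def audit(text):
    """Map each smtpd service to True (auth-only) or False (not enforced in master.cf)."""
    return {name: auth_enforced(opts) for name, opts in parse_master_cf(text).items()}

if __name__ == "__main__":
    for name, ok in audit(SAMPLE).items():
        print(name, "auth required" if ok else "auth NOT required by master.cf overrides")
```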
