Thread: MTA Trusted Networks

  1. #1
    Join Date
    Jan 2008
    Posts
    14
    Rep Power
    7

    MTA Trusted Networks

    I have a box with Zimbra V5.0.1.

    My problem is this: When trying to set the MTA Trusted Networks in the Zimbra Admin Utility to only trust the local box, (not the entire local network) it won't let me do it.

    So to explain in a bit more detail:
    When I log into the admin control panel and click on "Servers" -> "zimbra.domain.com" and then I click on the "MTA" Tab,

    there is a field called "MTA Trusted Networks:".
    This field is set to: 127.0.0.0/8 192.168.0.64/26

    (the actual ip of the box is different and is a public address, I just used 192.168.0. for privacy reasons)

    This means that any box within the IP address range of 192.168.0.65 to 192.168.0.125 basically has a free pass to send email anywhere unchecked. In other words, it is an open relay for any box within that IP address range. (I have checked it. It allows any box within that IP range to send messages from whomever to whomever.)

    I tried to change the field from 127.0.0.0/8 192.168.0.64/26
    to 127.0.0.0/8 192.168.0.124/32

    and I get the following error:
    Code:
    Message: Error! Value for MTA Trusted Networks must contain local subnets: 192.168.0.64/26.
    Additional information about MTA Trusted Networks configuration can be found at Zi - Zimbra :: Wiki
    The "localnet" trusted network rule may be fine for most installations, but in my case there are untrusted boxes on the local network that have already exploited my box and started sending thousands of spam messages.

    The only way that I found to stop this is to simply block those IP addresses in the iptables firewall.

    That may stop the exploitation, BUT now I can't get legitimate email from those untrusted IP addresses.

    IS THERE A WAY AROUND THIS????
    Last edited by ray.perea; 01-21-2008 at 02:50 AM.

  2. #2
    Join Date
    Jan 2008
    Posts
    14
    Rep Power
    7

    Default

    OK, I found a way around this. All I did was:
    At the command prompt, log in as root and execute the following commands:
    Code:
    su zimbra
    zmprov modifyServer zimbra.domain.com zimbraMtaMyNetworks '127.0.0.0/8 192.168.0.124/32'
    postfix reload
    Make sure to substitute zimbra.domain.com with the actual name of your server as it shows in the admin panel, and make sure to substitute 192.168.0.124 with the actual IP address of your server.

    Now, I have another problem. Anytime I want to make changes in the admin panel to the server, I get the same error as in the last post. So, to modify anything for the server within the admin panel, I have to set the field back to "127.0.0.0/8 192.168.0.64/26" and then save my changes and then go back to the command prompt and execute my commands again.

    WOW, having to remember that every time can get tedious.

  3. #3
    Join Date
    Feb 2006
    Location
    Newcastle, UK
    Posts
    17
    Rep Power
    9

    Default

    I've just been caught out by that too, and it's a long list on my box with 4 NICs, two of which are part of a SAN subnet, which I don't want in the MTA config!

    All I wanted to do was turn on A&D on the boxes, but I can't without turning off relaying and reactivating at the command line.

    Is this an oversight or by design?

  4. #4
    Join Date
    Oct 2005
    Location
    Milwaukee, WI
    Posts
    34
    Rep Power
    9

    Default

    Can anyone from Zimbra address this? It's a pretty serious bug when you can't modify ANY server settings through the admin UI because of this.

    Quote Originally Posted by ray.perea
    OK, I found a way around this. All I did was:
    At the command prompt, log in as root and execute the following commands:
    Code:
    su zimbra
    zmprov modifyServer zimbra.domain.com zimbraMtaMyNetworks '127.0.0.0/8 192.168.0.124/32'
    postfix reload
    Make sure to substitute zimbra.domain.com with the actual name of your server as it shows in the admin panel, and make sure to substitute 192.168.0.124 with the actual IP address of your server.

    Now, I have another problem. Anytime I want to make changes in the admin panel to the server, I get the same error as in the last post. So, to modify anything for the server within the admin panel, I have to set the field back to "127.0.0.0/8 192.168.0.64/26" and then save my changes and then go back to the command prompt and execute my commands again.

    WOW, having to remember that every time can get tedious.

  5. #5
    Join Date
    May 2006
    Location
    USA
    Posts
    6,242
    Rep Power
    21

    Default

    File away > bugzilla - be sure to post a #/link back here so we know where it's at.

  6. #6
    Join Date
    Mar 2009
    Location
    Sarajevo
    Posts
    44
    Rep Power
    6

    Default

    Hello

    I'm not clear about this "MTA Trusted Networks". What should be there? Now, I have this:
    postconf mynetworks
    mynetworks = 127.0.0.0/8 X.X.X.X/27
    X is a public network where Zimbra is. Probably it should be behind a firewall, but it's a test.

    I can send mail from an internal network 10.0.0.0/8, from a client without user authentication and also from a telnet session without any authentication.
    How can I force clients to authenticate?

    zmprov getServer SERVER | grep Auth
    zimbraMtaAuthEnabled: TRUE
    zimbraMtaAuthHost: SERVER
    zimbraMtaAuthTarget: TRUE
    zimbraMtaAuthURL: https://SERVER:443/service/soap/
    zimbraMtaTlsAuthOnly: TRUE

  7. #7
    phoenix, Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58

    Default

    Details of the mynetworks setting here: ZimbraMtaMyNetworks. If you have the IP subnet in your mynetworks setting then a user will be able to send without authentication unless you force them to use it. The correct port for email Submission is Port 587 and that's authenticated; you need to make a change to a Zimbra config if you wish to use that port - search the forums for 'port 587' for the details.
    Regards

    Bill

    Acompli: A new adventure for Co-Founder KevinH.

  8. #8
    Join Date
    Mar 2009
    Location
    Sarajevo
    Posts
    44
    Rep Power
    6

    Default

    Thank you for a quick reply. Now, it's like this:
    $ postconf mynetworks
    mynetworks = 127.0.0.0/8 X.X.X.Y/32
    X.X.X.Y is a public address of Zimbra server.
    If I use Thunderbird with SMTP SSL on 465 and Authentication, it works. Without the authentication, it's not possible to send an email.
    I didn't quite understand about this port 587, but I hope I don't need it anyway.

    There still remains another issue, slightly related to this one, TLS is not working:
    http://www.zimbra.com/forums/install...t-working.html
    Now, with this, I have the following:
    - IMAP and POP3 work with TLS or SSL only (which is logical),
    - SMTP works with SSL only (TLS doesn't work, which doesn't make sense for me, and SMTP without security receives "Relay access denied" message in Thunderbird).

  9. #9
    phoenix, Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58

    Default

    Quote Originally Posted by tim_ba
    Thank you for a quick reply. Now, it's like this:
    $ postconf mynetworks
    mynetworks = 127.0.0.0/8 X.X.X.Y/32
    X.X.X.Y is a public address of Zimbra server.
    If I use Thunderbird with SMTP SSL on 465 and Authentication, it works. Without the authentication, it's not possible to send an email.
    I didn't quite understand about this port 587, but I hope I don't need it anyway.
    Port 587 is actually the correct port for submitting email from a client and not 25 or 465.

    Quote Originally Posted by tim_ba
    There still remains another issue, slightly related to this one, TLS is not working:
    http://www.zimbra.com/forums/install...t-working.html
    Now, with this, I have the following:
    - IMAP and POP3 work with TLS or SSL only (which is logical),
    - SMTP works with SSL only (TLS doesn't work, which doesn't make sense for me, and SMTP without security receives "Relay access denied" message in Thunderbird).
    I'd have to disagree with you on this: TLS works correctly. You don't say whether the clients you're talking about are on your LAN, whether you want them to authenticate when they send mail, or what? You mention above that you have a LAN with a subnet of 10.0.0.x; is this where your users are located? Is this subnet in your mynetworks configuration?

    Have you enabled the setting 'Enable authentication' in the admin UI? What about the TLS setting?

    From the Admin Help Desk:

    Enables SMTP client authentication, so users can authenticate. Only authenticated users or users from trusted networks are allowed to relay mail.
    Regards

    Bill

  10. #10
    Join Date
    Mar 2009
    Location
    Sarajevo
    Posts
    44
    Rep Power
    6

    Default

    Quote Originally Posted by phoenix
    You don't say whether the clients you're talking about are on your LAN, whether you want them to authenticate when they send mail, or what? You mention above that you have a LAN with a subnet of 10.0.0.x; is this where your users are located? Is this subnet in your mynetworks configuration?
    Have you enabled the setting 'Enable authentication' in the admin UI? What about the TLS setting?
    Clients are on LAN 10.0.0.x, which is where the tests are performed from, while Zimbra is outside, on a public address. I set authentication to avoid spam, and I wanted all clients to use it. Otherwise, I (and any spammer) would be able to use someone else's account to send an email outside. When I had:
    $ postconf mynetworks
    mynetworks = 127.0.0.0/8 X.X.X.Y/32 10.0.0.0/8
    authentication was not requested for clients from 10.0.0.0/8, even if 'Enable authentication' was on with 'TLS authentication only'.
    This is shown here, that hasn't been changed:
    zmprov getServer SERVER | grep Auth
    zimbraMtaAuthEnabled: TRUE
    zimbraMtaAuthHost: SERVER
    zimbraMtaAuthTarget: TRUE
    zimbraMtaAuthURL: https://SERVER:443/service/soap/
    zimbraMtaTlsAuthOnly: TRUE

    I tried TLS with Thunderbird only, OE doesn't offer it.
    I found this:
    Adding additional SMTP listener ports - Zimbra :: Wiki
    but I didn't understand what this means:
    "As of ZCS v4.0.x, the default Zimbra postfix config does not have TLS enabled on separate port."
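The thread turns on one Postfix rule: any client whose address falls inside mynetworks (Zimbra's zimbraMtaMyNetworks) is allowed by permit_mynetworks to relay without SASL authentication, which is why post #1's /26 entry behaved like an open relay for the LAN and why post #10's 10.0.0.0/8 entry let clients skip the 'Enable authentication' setting. The script below is an added example, not code from the thread or from Zimbra; it parses a mynetworks value the way `postconf mynetworks` prints it, answers "would this client relay without authenticating?", and flags every non-loopback entry wider than a single host. The 192.168.0.x and 203.0.113.x addresses are constructed placeholders standing in for the masked public addresses in the posts.

```python
import ipaddress

# Constructed sample values mirroring the thread. 192.168.0.x and 203.0.113.x
# are placeholders, not real server addresses.
ZIMBRA_DEFAULT = "127.0.0.0/8 192.168.0.64/26"        # value the admin UI insists on (post #1)
LOCALHOST_ONLY = "127.0.0.0/8 192.168.0.124/32"       # after the zmprov workaround (post #2)
WITH_LAN = "127.0.0.0/8 203.0.113.10/32 10.0.0.0/8"   # post #10's setting with the LAN added


def parse_mynetworks(value):
    """Parse a Postfix 'mynetworks' value into ip_network objects.

    Postfix accepts whitespace- or comma-separated entries in CIDR form; a bare
    address with no prefix means a single host. Host bits set inside a prefix
    are masked off (strict=False), matching Postfix's treatment of the value.
    Negated entries ('!...') and table lookups are not handled here because
    zimbraMtaMyNetworks only carries plain address literals.
    """
    nets = []
    for token in value.replace(",", " ").split():
        if token.startswith("!"):
            raise ValueError(f"negated mynetworks entry not supported: {token}")
        nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def relay_allowed_without_auth(mynetworks_value, client_ip):
    """True if permit_mynetworks would let this client relay with no SASL auth."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in parse_mynetworks(mynetworks_value))


def audit_mynetworks(mynetworks_value):
    """Return the entries that trust more than one non-loopback host.

    Each finding is reported as 'entry (N addresses)'. An empty list means only
    loopback plus single-host entries are trusted, which is the restricted state
    the thread's zmprov workaround produces.
    """
    findings = []
    for net in parse_mynetworks(mynetworks_value):
        if net.is_loopback:
            continue
        if net.prefixlen < net.max_prefixlen:
            findings.append(f"{net.with_prefixlen} ({net.num_addresses} addresses)")
    return findings


if __name__ == "__main__":
    samples = [("default", ZIMBRA_DEFAULT), ("restricted", LOCALHOST_ONLY), ("with LAN", WITH_LAN)]
    for label, value in samples:
        print(f"{label}: mynetworks = {value}")
        for client in ("127.0.0.1", "192.168.0.100", "10.20.30.40"):
            print(f"  {client:>14} relays without auth: {relay_allowed_without_auth(value, client)}")
        print("  over-broad entries:", audit_mynetworks(value) or "none")
```

Run it against the live value with `python3 mynetworks_audit.py` after pasting in the output of `postconf mynetworks`; a non-empty finding list is exactly the condition the admin UI error message describes from the other direction, since the UI requires the local subnet to be present while the audit treats its presence as the risk.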
