
Thread: [SOLVED] Open Relay --> Zimbra OSE vs MS Exchange

  1. #1
    Join Date
    Sep 2009
    Location
    Jakarta
    Posts
    12
    Rep Power
    6

    Default [SOLVED] Open Relay --> Zimbra OSE vs MS Exchange

    I am in the middle of evaluating Zimbra OSE to replace the existing MS Exchange Server.

    I found out that the open relay protection behavior is different between Zimbra and MS Exchange.

    Testing was done using simple telnet to port 25 of the server (e.g. "telnet mailserver.mydomain.com 25").

    I have set Zimbra's MTA to only allow itself to relay email (x.x.x.0/32).

    My domain is "mydomain.com"

    Using telnet (on the zimbra server terminal screen), I did the following simulation:

    Scenario 1:
    - mail from: friend@yahoo.com
    - rcpt to: me@mydomain.com
    result: Zimbra accepts the scenario (this is normal behavior for all mail servers)

    Scenario 2:
    - mail from: friend@yahoo.com
    - rcpt to: someone@gmail.com
    result: Zimbra accepts the scenario; this is not accepted by MS Exchange because Exchange said that the rcpt to is not a valid domain (cannot be relayed) --> this is open relay.

    Scenario 3:
    - mail from: me@mydomain.com
    - rcpt to: friend@yahoo.com
    result: Zimbra accepts the scenario; this is not accepted by MS Exchange because Exchange said that the rcpt to is not a valid domain (cannot be relayed) --> this is open relay.

    I am questioning scenarios 2 and 3: why does Zimbra allow that?

    I want the open relay protection behavior of Zimbra to be the same as MS Exchange's behavior. How do I configure Zimbra to not allow scenarios 2 and 3?

    Could someone explain this? I need to replace my old MS Exchange with Zimbra, but if I cannot solve this open relay problem then I cannot move to Zimbra as well.

    Thanks in advance.

    Regards,
    Benny.

  2. #2
    Join Date
    May 2008
    Location
    Taiwan
    Posts
    296
    Rep Power
    7

    Default

    Set the Postfix parameter smtpd_reject_unlisted_recipient to YES and see if it helps.

    /opt/zimbra/conf/zmmta.cf
    /opt/zimbra/postfix/conf/main.cf
    /opt/zimbra/postfix/conf/main.cf.default

    Change smtpd_reject_unlisted_recipient to YES in these files and restart ZCS service.

    (someone may have a better idea of how to set Postfix parameters with the postconf command)
    Last edited by tiger2000; 09-14-2009 at 08:48 PM.

  3. #3
    Join Date
    May 2008
    Location
    Sierra Vista, Az
    Posts
    74
    Rep Power
    7

    Default

    Not sure if I understand, but you set zimbra to only allow relay from itself.
    Quote Originally Posted by benny_0924 View Post
    Using telnet (on the zimbra server terminal screen), I did the following simulation:
    Does this mean you are on the zimbra server telnetting to itself on port 25 and issuing these commands? If so, try doing it from another machine. By default, zimbra allows only machines on its subnet to relay.

  4. #4
    Join Date
    Sep 2009
    Location
    Jakarta
    Posts
    12
    Rep Power
    6

    Default

    Quote Originally Posted by mtorres View Post
    Not sure if I understand, but you set zimbra to only allow relay from itself.


    Does this mean you are on the zimbra server telnetting to itself on port 25 and issuing these commands? If so, try doing it from another machine. By default, zimbra allows only machines on its subnet to relay.
    Yes, I am telnetting on Zimbra to itself. If this is allowed, then it is too dangerous for the Zimbra server if the server is compromised by a spamvirus. MS Exchange won't allow you even if you are telnetting on itself.


    @tiger2000:
    I have set the smtpd_reject_unlisted_recipient parameter to Yes in all 3 files and restarted the server, but still no luck; I still got the same open relay behavior. Where else should I look?

    Thanks.
    Last edited by benny_0924; 09-14-2009 at 09:58 PM.

  5. #5
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    24

    Default

    Quote Originally Posted by benny_0924 View Post
    Yes, I am telnetting on Zimbra to itself. If this is allowed, then it is too dangerous for the Zimbra server if the server is compromised by a spamvirus.
    Email would be the least of your worries if the server is compromised!

  6. #6
    Join Date
    Jun 2008
    Location
    Berkeley, CA
    Posts
    1,474
    Rep Power
    9

    Default

    Quote Originally Posted by benny_0924 View Post
    Yes, I am telnetting on Zimbra to itself. If this is allowed, then it is too dangerous for the Zimbra server if the server is compromised by a spamvirus. MS Exchange won't allow you even if you are telnetting on itself.
    As uxbod sort of implied, this may be a concern for Exchange admins, but it sounds like an overly-stringent requirement for the rest of us. In my experience (with other servers and now Zimbra), best practice is to allow relaying through the server as long as the source is on the local subnet, a defined "trusted" subnet, or is authenticated.

    I'm not certain but you may be able to remove the local subnet from the list of "trusted" subnets in Zimbra. If so then you would have slightly better protection against spam coming from a compromised internal machine, but all clients would have to authenticate to send mail.

    I would also question how the server could be "compromised by a spamvirus" as no regular users should have access to the server to use it as a workstation that would accept mail...let alone have the privileges necessary for allowing a piece of malware to be installed.
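
The relay policy described in post #6 (trusted networks and authenticated clients may relay; everyone else may only deliver to local domains), as an added example that is not part of the original thread: a simplified Python model of a Postfix-style restriction chain (`permit_mynetworks`, `permit_sasl_authenticated`, `reject_unauth_destination`) replaying the three scenarios from post #1. The IP addresses, network list and helper names are constructed assumptions, not Zimbra's actual configuration.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
MYNETWORKS = ["127.0.0.0/8", "192.0.2.10/32"]  # trusted: loopback + the server itself
LOCAL_DOMAINS = {"mydomain.com"}               # domains the server accepts mail for


def relay_decision(client_ip, rcpt_to, authenticated=False,
                   mynetworks=MYNETWORKS, local_domains=LOCAL_DOMAINS):
    """Return (action, rule) for one RCPT TO, evaluated in the order of the
    modelled chain: permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination. MAIL FROM is deliberately not an input."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in ipaddress.ip_network(net) for net in mynetworks):
        return ("permit", "permit_mynetworks")
    if authenticated:
        return ("permit", "permit_sasl_authenticated")
    domain = rcpt_to.rsplit("@", 1)[-1].lower()
    if domain not in local_domains:
        return ("reject", "reject_unauth_destination")
    return ("permit", "local destination")


def run_scenarios(client_ip, authenticated=False):
    """Replay the three scenarios from post #1 for a given client address."""
    scenarios = {
        1: ("friend@yahoo.com", "me@mydomain.com"),
        2: ("friend@yahoo.com", "someone@gmail.com"),
        3: ("me@mydomain.com", "friend@yahoo.com"),
    }
    return {n: relay_decision(client_ip, rcpt, authenticated)[0]
            for n, (_mail_from, rcpt) in scenarios.items()}


if __name__ == "__main__":
    cases = [("on the server itself", "127.0.0.1", False),
             ("outside host", "203.0.113.50", False),
             ("outside host, authenticated", "203.0.113.50", True)]
    for label, ip, auth in cases:
        print(f"{label}: {run_scenarios(ip, auth)}")
```

In this model the decision never looks at MAIL FROM, so an open-relay test only says something when it is run from an unauthenticated host outside the trusted networks.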

  7. #7
    Join Date
    Sep 2009
    Location
    Jakarta
    Posts
    12
    Rep Power
    6

    Default

    Quote Originally Posted by ewilen View Post
    As uxbod sort of implied, this may be a concern for Exchange admins, but it sounds like an overly-stringent requirement for the rest of us. In my experience (with other servers and now Zimbra), best practice is to allow relaying through the server as long as the source is on the local subnet, a defined "trusted" subnet, or is authenticated.

    I'm not certain but you may be able to remove the local subnet from the list of "trusted" subnets in Zimbra. If so then you would have slightly better protection against spam coming from a compromised internal machine, but all clients would have to authenticate to send mail.

    I would also question how the server could be "compromised by a spamvirus" as no regular users should have access to the server to use it as a workstation that would accept mail...let alone have the privileges necessary for allowing a piece of malware to be installed.
    Elliot, I totally agree with you. Actually, all email servers (SMTP servers) must be able to relay from themselves; it's their job, right? And MS Exchange actually does the same, only the way MS Exchange does it does not really follow the SMTP rules; it uses its own rules.

    And for the spamvirus, I would not assume that the server will be safe, although I am the only administrator who controls and has access to the server. I can do something wrong one day too. So it is better to play safe (for me) and always be cautious.

    OK, I think I can move to Zimbra now and throw away the Exchange.

    Thanks.

  8. #8
    Join Date
    Jun 2008
    Posts
    594
    Rep Power
    8

    Default

    Do this to see if your server is really an open relay:

    telnet relay-test.mail-abuse.org 25

    After the test it will tell you if it is an open relay or not.

  9. #9
    Join Date
    May 2008
    Location
    Sierra Vista, Az
    Posts
    74
    Rep Power
    7

    Default

    Hi Benny_0924, not sure if this will help, but I have spoken on the phone with a few people who are migrating from Exchange to Zimbra. I have heard some good reasons why they don't want to move off Exchange, and read arguments in the forums, but security has never been one that I have encountered. Another good thing is that Zimbra runs on Linux/Mac, which is probably less susceptible to being compromised by a virus. Not that it is impossible, but less likely.
