Page 1 of 3 123 LastLast
Results 1 to 10 of 30

Thread: open relay??

Hybrid View

  1. #1
    Join Date
    Sep 2005
    Location
    Calgary
    Posts
    208
    Rep Power
    10

    Default open relay??

    Not to alarm anyone but is zimbra functioning as an open relay??

    I have checked authentication enabled and TLS authentication only everywhere i can see inside zimbra admin.

    However in outlook express i can send mail without setting any username or password for outbound smtp server and also did NOT have to check the this server requires authentication not to mention not enabling the ssl only settings for port 25

    am I overlooking something or is zimbra really functioning as an open relay?
    Last edited by rmvg; 09-12-2005 at 08:32 PM.

  2. #2
    Join Date
    Aug 2005
    Posts
    228
    Rep Power
    10

    Default

    Hi. I believe postfix will trust hosts on the same network/subnet as itself. auth is only required if the requesting IP is outside of that network.

    See /opt/zimbra/postfix/conf/main.cf, and look for "trust", as it describes the behavior that you are seeing.

    roland

  3. #3
    Join Date
    Aug 2009
    Posts
    4
    Rep Power
    6

    Post

    Quote Originally Posted by schemers View Post
    Hi. I believe postfix will trust hosts on the same network/subnet as itself. auth is only required if the requesting IP is outside of that network.

    See /opt/zimbra/postfix/conf/main.cf, and look for "trust", as it describes the behavior that you are seeing.

    roland
    I've just installed Zimbra CS on a vm for testing purpose. ZCS is on a private lan, natted to Internet with port 25 forwarded from the firewall to zimbra private ip.

    I've tested smtp authentication with Email Server Test - Online SMTP diagnostics tool. Seems like zimbra accepts rcpt to without asking for authentication.

    What's wrong with this ? Is a nat problem ? Or is that service not reliable ?

    Thanks for your help.

    Leonardo

  4. #4
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58

    Default

    Quote Originally Posted by sgatto View Post
    I've tested smtp authentication with Email Server Test - Online SMTP diagnostics tool. Seems like zimbra accepts rcpt to without asking for authentication.
    Of course it accepts the connection without authentication, that's what mail servers do on port 25 - they accept connections from other mail servers and do not need authentication for that.

    Quote Originally Posted by sgatto View Post
    What's wrong with this ? Is a nat problem ? Or is that service not reliable ?
    Nothing is wrong with that, the output from that test should also show the 'Relay access is denied'. Zimbra is not, by default, an open relay unless you've made it one.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  5. #5
    Join Date
    Aug 2009
    Posts
    4
    Rep Power
    6

    Default

    Quote Originally Posted by phoenix View Post
    Of course it accepts the connection without authentication, that's what mail servers do on port 25 - they accept connections from other mail servers and do not need authentication for that.

    Nothing is wrong with that, the output from that test should also show the 'Relay access is denied'. Zimbra is not, by default, an open relay unless you've made it one.
    Sorry, I'm relatively new to email trasport systems. Please take this post as an help-request not something against zimbra (which I'm evaluating for my company).

    I made a handmade test. From a remote host I telnet my zimbra on 25 and after this sequence:

    helo ....
    mail from...
    rcpt to...
    data
    .

    zimbra accepted my email. From the admin console I can see this email (I paused it) and here is the screenshot (it's in italian). Obviously my domain is not super.com or poor.com but it is ciavatta.hopto.org (a no-ip.com test domain, created for this zimbra evaluation).

    Now, I'm running ubuntu (ubuntu-8.04.3-server-i386.iso) and zimbra CS (zcs-5.0.18_GA_3011.UBUNTU8.20090708092550.tgz). I don't think I have changed something in zimbra configuration. But, as I'm human and not perfect, maybe this is my mistake. Can you guys please help me locating my conf mistake ? I'll post here all of my configuration files, just say what.

    Thanks in advance,
    Leonardo.

  6. #6
    Join Date
    May 2006
    Location
    England.
    Posts
    927
    Rep Power
    10

    Default

    I think postfix is configured to trust the local network, so it wont matter what domain you say you are if you have physical access.

  7. #7
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58

    Default

    Quote Originally Posted by sgatto View Post
    Sorry, I'm relatively new to email trasport systems. Please take this post as an help-request not something against zimbra (which I'm evaluating for my company).
    I didn't think it was anything against Zimbra.

    When you did the open relay test did it say that relaying was denied or not? When you did your test above, what errors for that message did you see in the log files ? When you did your 'handmade' test did you send an email to an external domain, was the test done from an IP address on your LAN? Without details of your domain name and server IP it's impossible for us to verify what your saying (or trying to do) is correct.

    As mentioned earlier, by default Zimbra will not act as an open relay. By default, for any user on the LAN IP (Trusted Networks) Zimbra will relay mail to anywhere (that's normal). Without details it's impossible to tell if you have a problem or if you are misunderstanding what's happening.

    Go to this page: Open Relay Test enter the IP address of your mail server and look at the results. They should almost all say £Relay access denied" and the others should tell you what restrictions there are on your server. Let us know what happens with that test.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  8. #8
    Join Date
    May 2007
    Location
    Oklahoma
    Posts
    703
    Rep Power
    9

    Default mail delivery

    Quote Originally Posted by sgatto View Post
    . Seems like zimbra accepts rcpt to without asking for authentication.
    Leonardo
    As Phoenix said, this is what mail servers do. The issue then becomes where is the e-mail to be delivered. It will only deliver locally from a unauthenticated connection. That is how someone else send mail to one of your users. It will not, if configured properly, send mail to someone external, or in other words, relay.

  9. #9
    Join Date
    May 2007
    Location
    Oklahoma
    Posts
    703
    Rep Power
    9

    Default Encrypted SMTP

    My take on this is the client and server make an SSL connection at which point all communication is encrypted, including the authentication. However, if the authentication takes place before an SSL connection is made then the login would be unencrypted. I believe the former is the case and and that is why when you specify no plain text authentication it works when the SSL connection only is specified.

    If my take on this is wrong then I would appreciate someone correcting me.

    If you specify using encrypted authentication in , say, Outlook Express, the login fails because OE chokes at the AUTH command. IMHO.

  10. #10
    Join Date
    Jun 2010
    Posts
    4
    Rep Power
    5

    Default

    Quote Originally Posted by Bill Brock View Post
    My take on this is the client and server make an SSL connection at which point all communication is encrypted, including the authentication. However, if the authentication takes place before an SSL connection is made then the login would be unencrypted. I believe the former is the case and and that is why when you specify no plain text authentication it works when the SSL connection only is specified.

    If my take on this is wrong then I would appreciate someone correcting me.

    If you specify using encrypted authentication in , say, Outlook Express, the login fails because OE chokes at the AUTH command. IMHO.
    Well here's the problem. While it is encrypted already if the user connects using an SSL connection, there is nothing to enforce that. They could just as easily be connecting over port 25. But if there was a non-clear-text authentication method going on, then it would be better... or at the very least, SMTP AUTH refusing to work over a non SSL link.

Similar Threads

  1. Replies: 15
    Last Post: 05-14-2012, 10:32 AM
  2. Error message in Server status
    By Max Ma in forum Installation
    Replies: 20
    Last Post: 04-19-2007, 09:55 AM
  3. Understanding the Daily Mail Report - Open Relay?
    By gihrig in forum Administrators
    Replies: 4
    Last Post: 10-16-2006, 09:53 AM
  4. Zimbra acts as open relay by default?
    By lilwong in forum Administrators
    Replies: 2
    Last Post: 06-21-2006, 10:09 PM
  5. The mailbox and mta dies in FC4 GA version
    By meikka in forum Installation
    Replies: 72
    Last Post: 03-16-2006, 05:30 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •