Thread: HELP - Open Relay Exploit

  1. #1 - bobm (Join Date: Jul 2007, Location: SFL)

    HELP - Open Relay Exploit

    Guys -
    I need some thoughts and a solution. After 3 years using ZIMBRA and 10 yrs before doing OPWV I got my first breach - my Zimbra server got turned into an OPEN RELAY.

    Here is the config: I have 2 mail systems - one for ABC.com, and one ZIMBRA server for dealer1.ABC.com, dealer2.ABC.com, dealer3.ABC.com. There is an MX for ABC.com going to another mail server, and an MX for dealer1-X.ABC.com going to my ZIMBRA server.

    Zimbra is set up with users in the sub-domains, i.e. user@dealer1-X.ABC.com as the primary account and an alias for user@ABC.com. Each user also has an external account for ABC.com to POP mail from the other mail server via ZIMBRA.

    ABC.com is a domain in the domains list for the user aliases, i.e. myuser@ABC.com. That way any local mail sent to joe@ABC.com who IS one of our users gets delivered locally, else he is relayed to ABC.com - used to be referred to as a non-authoritative domain.

    ALL account Reply-Tos are set to user@ABC.com and ANY external incoming mail should go to the ABC.COM email server via the MX record (at least that was the way it should have/did work). Internal mail is delivered locally.

    The issue is that the black hats figured out that if they connect to MY server (dealer1.ABC.com) directly AND send a mail msg to nouser@ABC.com (in with a batch of hundreds of other email addresses):

    ZIMBRA sees the DST domain in my list of domains but does not see the user in my LDAP, and SpamAssassin complains that there is no local delivery and this may be a SPAM message. BUT then... I assume it does an MX lookup on nouser@ABC.com, sees that the message goes to the other server and then forwards the msg via SMTP to ABC.com, and since the message is now from SpamAssassin and the 127.0.0.1 trusted network (ME), Postfix goes to deliver the msg to all the rest of the recipients - OPEN RELAY!

    YES - ALL protocol, DNS and MTA checks are turned on and I have 5 RTBLs in the MTA settings. I do not have TLS-only authentication on because I believe the issue to be: Zimbra accepts the original SPAM messages because the ABC.com domain IS a domain on the domains list.

    Right now I have turned off port 25 on the firewall so that we take no outside SMTP traffic - but this has issues; roaming clients can't relay is just one issue. But this is better than 10k msg/hr being spewed like the oil in the Gulf.

    There must be a way to say: IF there is NO local recipient - KILL the message. Relay ONLY with authentication I can do - but that will not stop what they are doing.

    Clearly the black hats are getting VERY clever... the condition list to make this happen is very small - but this config has worked for over 2 years at this site, and it has uses for DR.

    As always, any thoughts and suggestions are welcome.

    bobm
    ==============================================
    Robert Masterson

    bobm@windward-dev.com
    US Mobile:+1 954-647-7204
    -----------------------------------------------------------
    If you keep trying, 'you will occasionally do
    something worthwhile' - Seymour Cray
    ==============================================

  2. #2 - phoenix (Zimbra Consultant & Moderator, Join Date: Sep 2005, Location: Vannes, France)

    Let's start with this: Discarding Emails Sent to Invalid Addresses and what do you have in the mynetworks setting?

    Are you sure it was an open relay and not just a compromised account?
    Regards

    Bill

    Acompli: A new adventure for Co-Founder KevinH.
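Bill's two questions (unknown recipients and mynetworks) as an added shell check; this is example code written for this thread, not from the poster's server or from Zimbra. It audits a "postconf -n" style dump: the two sample configs are constructed, and the LDAP map path is a placeholder.

```shell
#!/bin/sh
# Added example: audit a "postconf -n" dump for the settings discussed in the
# thread. Sample configs are constructed; the LDAP map path is a placeholder.

# Weak variant: a listed domain is accepted for ANY recipient, including
# nouser@ABC.com, because nothing checks the recipient against LDAP at RCPT TO.
WEAK_CONF='mynetworks = 127.0.0.0/8, 192.168.1.0/24
virtual_mailbox_domains = ldap:/path/to/ldap-vmd.cf
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination'

# Hardened variant: reject_unlisted_recipient refuses unknown users in our own
# domains during the SMTP dialogue, so the message is never queued, never
# bounced and never forwarded anywhere.
HARDENED_CONF='mynetworks = 127.0.0.0/8, 192.168.1.0/24
virtual_mailbox_domains = ldap:/path/to/ldap-vmd.cf
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unlisted_recipient'

# get_param CONF NAME -> value of the "NAME = value" line (empty if unset)
get_param() {
    printf '%s\n' "$1" | sed -n "s/^$2 *= *//p"
}

# audit_recipient_restrictions CONF
# Exit 0 when unknown recipients are rejected and relaying is restricted, else 1.
audit_recipient_restrictions() {
    rr=$(get_param "$1" smtpd_recipient_restrictions)
    mn=$(get_param "$1" mynetworks)
    status=0
    case "$rr" in
        *reject_unauth_destination*) ;;
        *) echo "FAIL: reject_unauth_destination missing: relays to any destination"; status=1 ;;
    esac
    case "$rr" in
        *reject_unlisted_recipient*|*reject_unverified_recipient*) ;;
        *) echo "FAIL: unknown users in listed domains are accepted at RCPT TO"; status=1 ;;
    esac
    # permit_mynetworks is only safe while mynetworks is loopback plus the LAN
    case "$mn" in
        *0.0.0.0/0*) echo "FAIL: mynetworks trusts the whole Internet"; status=1 ;;
    esac
    [ "$status" -eq 0 ] && echo "OK: unknown recipients rejected, relay limited to our domains"
    return "$status"
}

audit_recipient_restrictions "$WEAK_CONF" || true   # one FAIL line
audit_recipient_restrictions "$HARDENED_CONF"       # OK line
```

On a live box the same function can be fed the output of `postconf -n` instead of the constructed strings.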

  3. #3 - bobm (Join Date: Jul 2007, Location: SFL)

    Bill -
    Many THANKS for the link - the mynetworks are just the LAN and 127.

    This could be a fix, but I'm wondering about the accounts in ABC.com that are NOT in the zimbra LDAP, but ARE valid.

    Also - I'm pretty sure it's not a compromised account because in the msgs I looked at, the dst addr in ABC.com was not just one address. I did save the zimbra and maillog logs off to the side - so I'm still trying to track this down - but this is DAMN SNEAKY; the msg should never have got to the box via the MX.

    Again many thanks, and I'll advise.

    bobm

  4. #4 - phoenix (Zimbra Consultant & Moderator, Join Date: Sep 2005, Location: Vannes, France)

    Quote Originally Posted by bobm:
    > This could be a fix, but I'm wondering about the accounts in ABC.com that are NOT in the zimbra LDAP, but ARE valid.

    How have you got MX records listed for these two servers? Is one a backup MX of the other server?
    Regards

    Bill
