Guys -
I need some thoughts and a solution. After 3 years using ZIMBRA and 10 yrs before doing OPWV I got my first breach - my Zimbra server got turned into an OPEN RELAY.

Here is the config: I have 2 mail systems - one for, and one ZIMBRA server for,, There is an MX for going to another mail server, and an MX for going to my ZIMBRA server.

Zimbra is set up with users in the sub-domains ie: as the primary account and an alias for Each user also has an external account for to POP mail from the other mail server via ZIMBRA. is a domain in the domains list for the user aliases ie: That way any local mail sent to who IS one of our users gets delivered locally else he is relayed to - used to be referred to as a non-authoritative domain

ALL account Reply To's are set to and ANY external incoming mail should go to the ABC.COM email server via the MX record ( at least that was the way it should have/did work) . Internal mail is delivered locally.

The issue is that the black hats figured out that if they connect to MY server ( directly AND send mail msg to (in with a batch of hundreds of other email addresses)

ZIMBRA sees the DST domain in my list of domains but does not see the user in my LDAP and SpamAssasin complains that there is no local delivery and this may be a SPAM messageBUT then... I assume it does a MX lookup on sees that the message goes to the other server and then forwards the msg via SMTP to and since the message is now from Spam Assassin and the trusted network (ME) Postfix goes to deliver the msg to all the rest of the recipients - OPEN RELAY!

YES - ALL protocol, DNS and MTA checks are turned on and I have 5 RTBL in the MTA settings. I do not have TLS only authentication on because I believe the issue to be: Zimbra accepts the original SPAM messages because the domain IS a domain on the domains list.

Right now I have turned off port 25 on the firewall so that we take no outside SMTP traffic - but this has issues, roaming clients can't relay is just one issue. But this is better than 10k msg/hr being spewed like the oil in the Gulf.

There must be a way to say - IF there is NO local recipient - KILL the message / relay ONLY with authentication I can do - but that will not stop what they are doing.

Clearly the black hats are getting VERY clever.... the condition list to make this happen is very small - but this config has worked for over 2 years at this site, and it has uses for DR.

As always, any thoughts and suggestions are welcome