Thread: Understanding the Daily Mail Report - Open Relay?

  1. #1

    Understanding the Daily Mail Report - Open Relay?

    I need some help understanding the Daily Mail Report, specifically "Most active senders" and "Most active recipients".

    We're running Zimbra OSS 4.0.2 on CentOS 4.4, behind a Cable/DSL router with no open ports. Zimbra communicates with the outside Internet via "Relay MTA for external delivery" set to our ISP's mail server for outbound mail, and a Fetchmail setup for inbound.

    I am seeing addresses with foreign domains in both Most active senders and Most active recipients.

    I assume "Senders" would be Zimbra accounts sending mail and "Recipients" would be Zimbra accounts receiving mail. Am I misunderstanding these terms, or do I have an open relay situation?

    Please enlighten me.

    Regards,

    -Glen

  2. #2

    Glen,
    Stats work as you described...
    But if you did a clean Zimbra install (with no manual changes to the Postfix config files) you are not an open relay.
    Postfix itself defaults to relaying for localhost only unless you change your config...

    But if a user of yours is sending messages through your Zimbra SMTP as an authenticated Zimbra user with another sending address, this is what you get in the report of most active senders.

    This does not justify the recipient stats, so probably you have opened your network too much without authentication.
    Check your logs under /var/log/zimbra and /opt/zimbra/log. If they are too big, you can check your logger database (where your stats came from....)

    PS:
    Sorry, I did not realize your "fetchmail setup"... it may be you are importing someone else's emails, check logs

    Bye
    Claudio
    Last edited by claros; 10-07-2006 at 05:24 PM.

  3. #3

    Hi Claudio,

    Thank you for the reply!

    My system is built from the "bare metal" for this Zimbra installation. The only software installed beyond CentOS and Zimbra is Webmin version 1.300-minimal (with no mail or postfix related modules installed).

    I don't think I have opened any undesired access to Postfix, but, of course I could be mistaken, that's what I'm concerned about.

    The only changes to the Postfix config are as directed in the Zimbra Wiki for "Outgoing SMTP Authentication", details here:

    Code:
        First check what auth mechanism postfix is configured to use - by default,
        you will see:

         $ postconf smtp_sasl_security_options
         smtp_sasl_security_options = noplaintext, noanonymous

        Since noplaintext is present, postfix will refuse to use a mechanism that sends
        passwords in the clear. If your upstream relay host only supports PLAIN or
        LOGIN mechanisms (both of which send password in the clear), you have to
        remove noplaintext from smtp_sasl_security_options:

         $ postconf -e smtp_sasl_security_options=noanonymous
         $ postfix reload

    These changes only affect outgoing SMTP authentication, as near as I can tell...

    As for the fetchmail setup, fetchmail is configured to retrieve mail for individual POP accounts with a user and password for each (no multi-drop). All users I am retrieving for are on my domain, hosted by my ISP. The fetchmail config is strictly under my control, so I'm pretty sure I'm not retrieving unexpected mail.

    ==============================

    Your comments have given me the idea that "Senders" and "Recipients" are not the _real_ or absolute sender or recipient, but the stated or _listed_ sender and recipient.

    To clarify, my understanding of your reply is that if a user on my domain joe@mydomain.com sends a message from my private LAN via my Zimbra server and configures his mail client so as to report his sending address as his home email account joe123@yahoo.com, I would then see joe123@yahoo.com listed in my senders report.

    If that is correct, would it also be true that if my user sue@mydomain.com receives a message addressed to listserver@yahoo.com bcc: sue@mydomain.com, that I would see listserver@yahoo.com in my recipients list?

    If the above examples are reasonable, then I presume I can safely disregard the detail in these reports, and look only for large changes in volume as indicators of problems.


    Please correct my assumptions if needed, and thanks again for your reply, it was helpful.


    Regards,

    -Glen

  4. #4

    Quote Originally Posted by gihrig:

        Your comments have given me the idea that "Senders" and "Recipients" are not the _real_ or absolute sender or recipient, but the stated or _listed_ sender and recipient.

        To clarify, my understanding of your reply is that if a user on my domain joe@mydomain.com sends a message from my private LAN via my Zimbra server and configures his mail client so as to report his sending address as his home email account joe123@yahoo.com, I would then see joe123@yahoo.com listed in my senders report.

    Absolutely correct. And in /opt/zimbra/log/zimbra.log you can check his authentication username and punish him...

    Quote Originally Posted by gihrig:

        If that is correct, would it also be true that if my user sue@mydomain.com receives a message addressed to listserver@yahoo.com bcc: sue@mydomain.com, that I would see listserver@yahoo.com in my recipients list?

        If the above examples are reasonable, then I presume I can safely disregard the detail in these reports, and look only for large changes in volume as indicators of problems.

        -Glen

    Correct too.
    There is a cron script, zmlogprocess, that takes syslog logs into MySQL
    to be processed. If a message has more than one recipient, or it is addressed to a list, only the first destination address is inserted into MySQL. And that address is what you see in your Zimbra daily report.
    Again, a check of /var/log/zimbra.log will tell you the recipient list of that message.
    You can connect to the logger database using a command (mylogger I think, but not sure now) as the zimbra user.


    Ciao,
    Claudio
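The behaviour Claudio describes (report "sender" = envelope sender regardless of the authenticated user; only the first recipient of a multi-recipient message counted) can be reproduced from the Postfix lines in zimbra.log. The following is an added illustration, not Zimbra's zmlogprocess code; the log lines are constructed in standard Postfix syslog format, and the hostnames, queue ids and addresses are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Postfix syslog format. Queue id 1A2B3C: an authenticated LAN
# user whose client sends as a yahoo.com address (foreign "sender" in the report).
# Queue id 4D5E6F: one message to a list address with a local user bcc'd (only the
# first recipient, the foreign one, would appear in the report).
SAMPLE_LOG = """\
Oct  7 12:00:01 mail postfix/smtpd[2101]: 1A2B3C: client=pc1.lan[192.168.1.20], sasl_method=LOGIN, sasl_username=joe@mydomain.com
Oct  7 12:00:01 mail postfix/qmgr[2050]: 1A2B3C: from=<joe123@yahoo.com>, size=812, nrcpt=1 (queue active)
Oct  7 12:00:02 mail postfix/smtp[2120]: 1A2B3C: to=<friend@example.org>, relay=smtp.isp.example[203.0.113.5]:25, status=sent (250 ok)
Oct  7 12:05:10 mail postfix/smtpd[2101]: 4D5E6F: client=pc2.lan[192.168.1.21], sasl_method=LOGIN, sasl_username=bob@mydomain.com
Oct  7 12:05:10 mail postfix/qmgr[2050]: 4D5E6F: from=<bob@mydomain.com>, size=2210, nrcpt=2 (queue active)
Oct  7 12:05:11 mail postfix/smtp[2120]: 4D5E6F: to=<listserver@yahoo.com>, relay=smtp.isp.example[203.0.113.5]:25, status=sent (250 ok)
Oct  7 12:05:11 mail postfix/lmtp[2130]: 4D5E6F: to=<sue@mydomain.com>, relay=mail.lan[127.0.0.1]:7025, status=sent (250 ok)
"""

QID = re.compile(r"postfix/\w+\[\d+\]: ([0-9A-F]+): (.*)")
SASL = re.compile(r"sasl_username=(\S+)")
FROM = re.compile(r"from=<([^>]*)>")
TO = re.compile(r"to=<([^>]+)>")

def parse(log):
    """Group facts per queue id: authenticated user, envelope sender, recipients in log order."""
    msgs = defaultdict(lambda: {"auth": None, "from": None, "to": []})
    for line in log.splitlines():
        m = QID.search(line)
        if not m:
            continue
        rec, rest = msgs[m.group(1)], m.group(2)
        if s := SASL.search(rest):
            rec["auth"] = s.group(1)
        if f := FROM.search(rest):
            rec["from"] = f.group(1)
        if t := TO.search(rest):
            rec["to"].append(t.group(1))
    return msgs

def report_counts(msgs):
    """Tallies as the thread describes the daily report: envelope sender, first recipient only."""
    senders = Counter(r["from"] for r in msgs.values() if r["from"])
    first_rcpts = Counter(r["to"][0] for r in msgs.values() if r["to"])
    return senders, first_rcpts

def foreign_sender_by_local_user(msgs, local_domain):
    """Queue ids where an authenticated local user sent with an envelope sender outside the domain."""
    return {qid: (r["auth"], r["from"]) for qid, r in msgs.items()
            if r["auth"] and r["from"] and not r["from"].endswith("@" + local_domain)}
```

The last function gives the cross-check Claudio suggests: the report shows joe123@yahoo.com, but the smtpd line for the same queue id names the authenticated local account.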

  5. #5

    Claudio,

    Thank you very much for the help; these and similar reports on other systems have been of great concern to me in the past.

    You have helped me take one more solid step on my sysadmin journey.

    Thank you!

    -Glen
