Thread: Zimbra always relays if the recipient has a server e-mail address.

  1. #1

    Let's say our SMTP server is mail.ourcompanyserver.com

    If I use an e-mail client that is outside the MTA Trusted addresses (such as Outlook at home), I can send an e-mail using smtp:mail.ourcompanyserver.com (our e-mail server) to any_email_address@ourcompanyserver.com.

    Zimbra allows this to go through and does not reject as long as the recipient is a valid server address. It seems this is just happening because the recipient is @ourcompanyserver.com... Whenever the same external e-mail client tries to send to email@gmail.com or email@yahoo.com, it will get rejected by our server as it should...

    How do I keep Zimbra from allowing mail to be relayed through it if the above-mentioned criteria are met? Or is this intended behavior?

    Thanks in advance!

    Zimbra Version: 7.2.0
    OS: CentOS Linux 6.2

  2. #2

    Quote Originally Posted by pinkstond
        Let's say our SMTP server is mail.ourcompanyserver.com

        If I use an e-mail client that is outside the MTA Trusted addresses (such as Outlook at home), I can send an e-mail using smtp:mail.ourcompanyserver.com (our e-mail server) to any_email_address@ourcompanyserver.com.

        Zimbra allows this to go through and does not reject as long as the recipient is a valid server address. It seems this is just happening because the recipient is @ourcompanyserver.com...

    If I understood correctly what you're after, it's by design. The SMTP server allows any user to send email to an account which exists on the local server.
    Regular spam filtering rules apply here.
    Some ISPs just filter out port 25 connections outside their network and force you to use their SMTP for sending.
    That's why you want SSL/TLS.

    Quote Originally Posted by pinkstond
        Whenever the same external e-mail client tries to send to email@gmail.com or email@yahoo.com, it will get rejected by our server as it should...

        How do I keep Zimbra from allowing mail to be relayed through it if the above-mentioned criteria are met? Or is this intended behavior?

        Thanks in advance!

        Zimbra Version: 7.2.0
        OS: CentOS Linux 6.2

    This sounds weird, email@gmail.com should go through or at least return a 500 error if the account doesn't exist at gmail.
    Are you sure you actually enabled the user authentication to send mail at the client end?
    Zimbra with default configuration will reject such messages if you didn't authenticate before trying to send.

  3. #3

    Quote Originally Posted by kruon
        If I understood correctly what you're after, it's by design. The SMTP server allows any user to send email to an account which exists on the local server.
        Regular spam filtering rules apply here.
        Some ISPs just filter out port 25 connections outside their network and force you to use their SMTP for sending.
        That's why you want SSL/TLS.

    So if I were a spammer/hacker/phisher, I could use the company's Zimbra server (mail.ourcompanyserver.com) to relay messages to the company's Zimbra users and I wouldn't even need to authenticate because the recipients are valid Zimbra users. But the spammer would not be able to send spam using the server without authentication to send to a gmail user. This is basically the scenario that can/does happen.

    So there is no way to stop a spammer/hacker/phisher from using the mail server itself to do the relaying when the recipient is a valid server user?

    Man, it's hard to explain this without sounding too confusing, I hope I've made it somewhat understandable!

  4. #4

    Step-by-step directions of what's occurring:

    1.) Go home (or outside of MTA Trusted Networks) and set up Outlook with the following settings:
    Name: Test
    E-Mail: doesnt_matter@whatever.com
    Account Type: POP3
    Incoming: mail.yourserver.com
    Outgoing: mail.yourserver.com
    User Name: doesnt_matter
    Password: (LEAVE BLANK)

    2.) Send an e-mail to an actual user on the server, i.e. admin@yourserver.com

    This will actually get delivered even though the client is outside the MTA networks and the client didn't even authenticate...

    3.) Send an e-mail to a gmail (or hotmail, yahoo, etc.) user from the same client with the same settings.

    This will NOT go through and gets a relay denied message as it should.

    It seems that the server will relay if the recipient is on the server, even if the sender is outside the MTA networks and did not authenticate.

  5. #5

    Quote Originally Posted by pinkstond
        So if I were a spammer/hacker/phisher, I could use the company's Zimbra server (mail.ourcompanyserver.com) to relay messages to the company's Zimbra users and I wouldn't even need to authenticate because the recipients are valid Zimbra users.

    This is called local delivery, not relaying mail.
    Your MX points to mail.ourcompanyserver.com, this means @ourcompanyserver.com will be delivered to that server.
    It can be sent via another server (relay) or by directly contacting your server.
    Arriving mail will process through the standard postfix-amavis-(razor/pyzor/greylist)-clam-mailbox chain and unless the message is flagged as spam, it's delivered to the recipient.

    In a perfect world, all servers would require user authentication before accepting mail for delivery, but sadly this isn't the case in the real world.

    Quote Originally Posted by pinkstond
        But the spammer would not be able to send spam using the server without authentication to send to a gmail user. This is basically the scenario that can/does happen.

    A compromised account would allow sending to anywhere.
    Educate your users about good password policy.

    Quote Originally Posted by pinkstond
        So there is no way to stop a spammer/hacker/phisher from using the mail server itself to do the relaying when the recipient is a valid server user?

        Man, it's hard to explain this without sounding too confusing, I hope I've made it somewhat understandable!

    The server has built-in detection for inbound mail, just search the forum for tuning amavis for details.
    You can also look into greylisting, but be advised that greylisting slightly delays your mail delivery but it also does wonders to reduce spam.
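
Added example, not part of any post in this thread: a simplified Python model of how a Postfix-style recipient restriction list (`permit_mynetworks`, `permit_sasl_authenticated`, `reject_unauth_destination`) decides the three cases discussed above. The network ranges, the restriction order and the client IP are assumptions for illustration, not the poster's actual Zimbra configuration.

```python
import ipaddress

# Constructed sample values (assumptions, not the poster's real configuration).
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/24")]
LOCAL_DOMAINS = {"ourcompanyserver.com"}  # server is the final destination (MX)
RELAY_DOMAINS = set()                     # domains it forwards for; none here


def permit_mynetworks(client_ip, authenticated, rcpt):
    ip = ipaddress.ip_address(client_ip)
    return "PERMIT" if any(ip in net for net in MYNETWORKS) else None


def permit_sasl_authenticated(client_ip, authenticated, rcpt):
    return "PERMIT" if authenticated else None


def reject_unauth_destination(client_ip, authenticated, rcpt):
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS or domain in RELAY_DOMAINS:
        return None  # no opinion: mail for our own domains is not relaying
    return "REJECT Relay access denied"


# Evaluated in order for every RCPT TO; the first definite verdict wins.
RESTRICTIONS = [permit_mynetworks, permit_sasl_authenticated,
                reject_unauth_destination]


def rcpt_decision(client_ip, authenticated, rcpt):
    for check in RESTRICTIONS:
        verdict = check(client_ip, authenticated, rcpt)
        if verdict is not None:
            return f"{verdict} ({check.__name__})"
    # Nothing rejected it: accepted for local delivery, then content filtering.
    return "PERMIT (local delivery; spam/virus filters still apply)"


if __name__ == "__main__":
    home = "203.0.113.7"  # documentation-range IP standing in for a home client
    for auth, rcpt in [(False, "admin@ourcompanyserver.com"),
                       (False, "email@gmail.com"),
                       (True, "email@gmail.com")]:
        print(f"auth={auth!s:5} rcpt={rcpt:28} -> {rcpt_decision(home, auth, rcpt)}")
```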
