
Thread: Security Bug in Zimbra?

  1. #11 phoenix, Zimbra Consultant & Moderator
    Join Date: Sep 2005 | Location: Vannes, France | Posts: 23,587 | Rep Power: 58

    Post some details of the IP ranges in use and what is in your 'postconf mynetworks'.
    Regards


    Bill

  2. #12 generic31
    Join Date: Oct 2006 | Posts: 16 | Rep Power: 8

    The network which I use is 172.27.0.0/20.

    The result of 'postconf mynetworks' is:

    mynetworks = 127.0.0.0/8 172.27.0.0/20 a.b.c.d/25

    where a.b.c.d/25 represents my public IP address range (obscured for privacy reasons).

    Please note that I have two network interfaces on the Zimbra server, one private and one public.

    The IP Address of the PC from which relaying was possible is 172.26.105.127.

    Thanks.
    Last edited by generic31; 01-13-2007 at 08:06 AM.

  3. #13 inigoml
    Join Date: Aug 2006 | Location: Madrid, Spain | Posts: 124 | Rep Power: 9

    Generic31, I don't understand why you think the Zimbra relay block is not working.

    If you host a domain in Zimbra, your server will ALWAYS ACCEPT all mail for your domain because it's YOUR DOMAIN.
    It will refuse to send mail to other domains, but yours is yours. Don't bother about "mynetworks" and the other settings in postfix. If it's for you, it's accepted.

    To avoid accepting emails for your domain, you should use an antispam system, for example, or tune postfix with a blacklist system.

  4. #14 inigoml
    Join Date: Aug 2006 | Location: Madrid, Spain | Posts: 124 | Rep Power: 9

    Generic, re-reading your post, I understand that you have a "direct transport" for two domains (a.domain and b.domain), and that you only host a third one (c.domain), and when you try to relay to a or b, Zimbra does it without rejecting. Is that true?

    If yes, check the Zimbra postfix config for "mydestination" (exec postconf | grep mydestination as the zimbra user). This property controls which domains are considered local, and so mail for them is accepted without checking the IP address...
    You could have found a bug.

  5. #15 dijichi2, OpenSource Builder & Moderator
    Join Date: Oct 2005 | Posts: 1,176 | Rep Power: 11

    How have you implemented the 'direct transport'?

  6. #16 generic31
    Join Date: Oct 2006 | Posts: 16 | Rep Power: 8

    Quote Originally Posted by inigoml:
        If yes, check the Zimbra postfix config for "mydestination" (exec postconf | grep mydestination as the zimbra user). This property controls which domains are considered local, and so mail for them is accepted without checking the IP address...
        You could have found a bug.

    inigoml, the result of 'exec postconf | grep mydestination' is:

    mydestination = $myhostname, localhost.$mydomain, localhost

    dijichi2, let me explain my situation again.

    'Other' domains: 'cse.domain.net' and 'domain.net'
    My domain: 'security.domain.net'

    To these 'local' domains, I have configured Zimbra to deliver the mail directly by the following procedure (the first line is run at the shell, the rest at the zmprov prompt):

    zmprov cd domain.net
    zmprov> md domain.net zimbraMailCatchAllAddress @domain.net
    zmprov> md domain.net zimbraMailCatchAllForwardingAddress @domain.net
    zmprov> md domain.net zimbraMailTransport smtp:172.31.1.1

    where 172.31.1.1 is the internal address of the mail server running for the above domain.

    Same for the domain 'cse.domain.net'.


    Could I be wrong somewhere?

    Thanks.
    Last edited by generic31; 01-15-2007 at 03:57 AM.

  7. #17 inigoml
    Join Date: Aug 2006 | Location: Madrid, Spain | Posts: 124 | Rep Power: 9

    Quote Originally Posted by generic31:
        zmprov cd domain.net
        zmprov> md domain.net zimbraMailCatchAllAddress @domain.net
        zmprov> md domain.net zimbraMailCatchAllForwardingAddress @domain.net
        zmprov> md domain.net zimbraMailTransport smtp:172.31.1.1

        where 172.31.1.1 is the internal address of the mail server running for the above domain.
        Could I be wrong somewhere?

    You are bypassing the relay rules. Delete this config (delete domain.net and cse.domain.net) and let your DNS do the work. You only need the config for your own domain, that is, security.domain.net. Email for those domains will be treated as external mail and the relay rules will be applied.

    You have to check that there is an MX record at the DNS server for cse.domain.net and domain.net, or at least a default A record (or a hosts entry for cse.domain.net and domain.net if you don't have a DNS server or access to an external DNS server).

    Your server will receive mail, apply the relay rules and, if the user authenticates, it will check with your defined DNS where to relay those mails. No other configuration is needed.

  8. #18 dijichi2, OpenSource Builder & Moderator
    Join Date: Oct 2005 | Posts: 1,176 | Rep Power: 11

    Yup, as inigoml says, you've created an authoritative domain on your server, then you're deliberately catching all incoming email to the domain and forwarding it through a specific transport directive. Of course the server is going to relay email to those domains, you've explicitly told it to.

    This is what split DNS is for. Presumably your internal DNS is set up with correct internal MX records for the other subnets; use those for delivery. This should be faster and more accurate (for instance, you're currently accepting email through catchalls that possibly should not be accepted).
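    The decision the last three posts are arguing about can be modelled in a few lines. The block below is an added example, not code from the thread or from Zimbra. It models Postfix's recipient check in the order Zimbra's configuration evaluates it (client in mynetworks, then SASL-authenticated, then whether the recipient domain is one the server accepts mail for), with the thread's mynetworks value, the 172.26.105.127 client, and the two zmprov-created domains pointed at 172.31.1.1. The domain table, the "lmtp:local" transport name and the audit helper are constructed for illustration; they are not real server output or Zimbra's own transport syntax. It also generalises to any domain table and network list, so it doubles as a quick audit of which accepted domains are forwarded rather than delivered locally.

```python
"""Model of the Postfix recipient decision discussed in the thread (added example)."""
import ipaddress

# From generic31's 'postconf mynetworks' (a.b.c.d/25 omitted since it was obscured).
MYNETWORKS = ["127.0.0.0/8", "172.27.0.0/20"]

# Constructed table of domains the server accepts mail for, and the transport each
# maps to. 'domain.net' and 'cse.domain.net' are the 'other' domains generic31
# created with zmprov and pointed at 172.31.1.1. "lmtp:local" is a hypothetical
# placeholder for the locally hosted domain's transport, not Zimbra's real value.
ACCEPTED_DOMAINS = {
    "security.domain.net": "lmtp:local",
    "domain.net": "smtp:172.31.1.1",
    "cse.domain.net": "smtp:172.31.1.1",
}


def in_mynetworks(client_ip, networks=MYNETWORKS):
    """True if client_ip falls inside any CIDR block listed in mynetworks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in networks)


def recipient_decision(client_ip, rcpt, authenticated=False,
                       accepted=ACCEPTED_DOMAINS, networks=MYNETWORKS):
    """Return (verdict, reason) for one RCPT TO, in Postfix evaluation order:
    permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination.
    reject_unauth_destination only fires when the recipient domain is NOT one
    the server has agreed to accept mail for; a zmprov-created domain with a
    zimbraMailTransport is such a domain, which is why mail to it is accepted
    from any client and then forwarded to the transport target."""
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if in_mynetworks(client_ip, networks):
        return ("accept", "permit_mynetworks")
    if authenticated:
        return ("accept", "permit_sasl_authenticated")
    if domain in accepted:
        return ("accept", "destination accepted, transport " + accepted[domain])
    return ("reject", "reject_unauth_destination (Relay access denied)")


def audit_forwarded_domains(accepted=ACCEPTED_DOMAINS, networks=MYNETWORKS,
                            probe_ip="172.26.105.127"):
    """List accepted domains that an unauthenticated client outside mynetworks
    can send to and that are forwarded by smtp: to another host. These are the
    catch-all/transport domains the thread says to remove."""
    return sorted(
        d for d, transport in accepted.items()
        if transport.startswith("smtp:")
        and recipient_decision(probe_ip, "probe@" + d,
                               accepted=accepted, networks=networks)[0] == "accept"
    )


if __name__ == "__main__":
    client = "172.26.105.127"  # the PC generic31 relayed from; not in 172.27.0.0/20
    print(client, "-> user@domain.net:", recipient_decision(client, "user@domain.net"))
    print(client, "-> user@example.org:", recipient_decision(client, "user@example.org"))
    print("forwarded domains reachable from outside:", audit_forwarded_domains())
    # inigoml's fix: keep only the domain you really host.
    fixed = {"security.domain.net": "lmtp:local"}
    print("after fix, user@domain.net:",
          recipient_decision(client, "user@domain.net", accepted=fixed))
```

    Run as-is it reproduces the symptom (mail for domain.net from 172.26.105.127 is accepted and handed to smtp:172.31.1.1) and shows that, once the two extra domains are removed, the same client gets "Relay access denied" for them, as posts #17 and #18 describe. The model does not cover mydestination or the $mydomain expansion; generic31's output shows only the host itself there, so it adds nothing to this case.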

  9. #19 generic31
    Join Date: Oct 2006 | Posts: 16 | Rep Power: 8

    Quote Originally Posted by inigoml:
        You have to check that there is an MX record at the DNS server for cse.domain.net and domain.net, or at least a default A record (or a hosts entry for cse.domain.net and domain.net if you don't have a DNS server or access to an external DNS server).

    The problem is that we do not have the DNS servers for these domains available for use.
    I did try the hosts file trick, but could not get it working. Could you please elaborate on how to set up my hosts file to point to 172.31.1.1 for 'cse.domain.net' and 'domain.net'?

    Thanks.

  10. #20 generic31
    Join Date: Oct 2006 | Posts: 16 | Rep Power: 8

    Solved!!!

    The problem has been solved. We just need to configure transports and get the required job done. Thank you all for your help.
