
Thread: Security Bug in Zimbra?

  1. #1: Threat of Mass Mailing Software

    Hello all.
    I am concerned about mass mailing software like Mail Boy 2004 being used to send unsolicited messages to my Zimbra mail server.
    The default SMTP authentication configuration does not seem to be enough to stop such software.
    Is there anything which can be done to mitigate this threat?

    Thanks.
    Last edited by generic31; 01-08-2007 at 06:58 AM.

  2. #2 phoenix (Zimbra Consultant & Moderator)

    Zimbra is not an open relay and without any information about the subnet he was using or the content of your mynetworks or your logs it's impossible to say what the problem is. You can test it yourself with some of the online tests available. I'm sure Zimbra would be very interested to hear your experience if he's really been able to relay through your server. Some very large companies use Zimbra and I'd be very surprised if this description you've given was possible.

    What do you mean by "....act as Open Relay even when explicitly configured against it.", have you made some changes to Zimbra?

    Why did the Zimbra server crash? What's in the logs?

    As you've already been in touch with Zimbra sales, have you mentioned this problem to them?

    PS Why did you remove the rest of your post?
    Regards
    Bill

    Acompli: A new adventure for Co-Founder KevinH.

  3. #3 phoenix (Zimbra Consultant & Moderator)

    How about a description of the settings used in MailBoy 2004 and I'll try it for you.
    Regards
    Bill

  4. #4

    Thanks for your response. Actually, MailBoy 2004 can act as an independent SMTP server and hence it need not 'relay' the mails through some other mail server.
    So in my case, my friend actually contacted the SMTP server directly, and he was located in a 'foreign' subnet, and delivered the mail to my mail account without using my server as a 'relay'. I realized this while testing Mail Boy and hence I edited the previous post.

    Now, the problem is that any Mass Mailer software like Mail Boy can be used to SEND mails to my server. Zimbra does not seem to check the validity of such rogue servers- if that is possible. Is there any way of disallowing such behaviour in Zimbra?

    Thanks.

  5. #5 phoenix (Zimbra Consultant & Moderator)

    Well, the problem is that your friend's server isn't a rogue server unless he's on a blacklist.

    If he were a genuine spammer then you'd know where the spam came from and you could have it blacklisted and/or report him to his ISP. If he was relaying mail through your system then the same thing would apply, he'd soon get blacklisted. In any of those scenarios the anti-spam system in Zimbra would catch them, plus you'd need to have RBLs activated.

    What you've done as a test is to allow another mail server to connect to you and send you mail, that's the normal function of a mail server and is not a test for relaying.
    Regards
    Bill

  6. #6: Interesting results on further tests

    After doing further tests, I came up with something very interesting:

    There are two domains to which my Zimbra server sends mails directly to their Mail Servers- ‘cse.domain.net’ and ‘domain.net’.
    My domain is ‘security.domain.net’.

    Used the following settings in Mail Boy from a system in a FOREIGN network (the network is not mentioned in the Postfix mynetworks parameter):

    Use external SMTP server to deliver the results
    SMTP Server: Internal IP of my Zimbra server, Port: 25


    Note that only the ‘Use external SMTP server to deliver the messages’ is selected and that the SMTP server Authentication username and Password is not specified.

    When trying to RELAY mails to standard internet domains like gmail, yahoo and rediff, I did receive a relay access denied message in the Zimbra logs and the mails did not go through. So far, good. This is the expected behaviour for relay attempts.

    But interestingly, with the same settings, I was able to RELAY the mails to the domains which I have configured to send mails directly (cse.domain.net and domain.net) even though a valid username and password was not specified in the ‘This SMTP server requires Authentication’ section.

    Hence, the anti-relay properties of Zimbra did not work on the domains for which Zimbra has been configured to deliver e-mails directly on their Mail Servers.

    I believe this setup should not have worked until a valid username and password is specified for SMTP authentication.

    Any ideas?

    Thanks.

  7. #7 phoenix (Zimbra Consultant & Moderator)

    Well, without seeing details of your logs and network configuration then it's impossible to pass comment on your assertions.

    One thing bothers me in your comments and it's this: "SMTP Server: Internal IP of my Zimbra server Port: 25". If he is indeed connected to the internal LAN IP of your Zimbra then he's on your network and can relay. If he connects to the public IP then it's not possible to relay.

    There are many sites on the internet that can test whether you're an open relay, check your server at some of them.
    Regards
    Bill

  8. #8

    Well, my situation is as follows:

    I am the administrator of my sub-network (security.domain.net) and plan to run my own mail server, Zimbra.
    There are two other domains which are under different administrative control- 'cse.domain.net' and 'domain.net'. Naturally, we share one Private Address range, but with subnetting. This effectively separates our networks into different sub-networks, independent of each other.
    As far as sending mails to these 'local' domains is concerned, we prefer to use the internal IP Address of their Mail Servers to send the mails directly.


    My simple requirement is that users from other sub-networks should not be able to relay mails through my mail server to these. These sub-networks are NOT listed in the postconf mynetworks parameter.
    Hence, the default behaviour should be not to relay mails from these sub-networks also.

    I am unable to understand why it is failing in my case.

    Thanks.

  9. #9 dijichi2 (OpenSource Builder & Moderator)

    have you subnetted a class-C smaller than /24? I believe postfix allows to relay within /24 by default, if you search the forums from a while ago you'll find similar surprise from someone with a hosted server that someone else on the same network was using to relay. this is not a failing of zimbra, per se, rather the defaults set in postfix. perhaps zimbra could tighten default security by locking down relaying to /32 but then that would break many other people's setup!

    in less common situations such as what you find yourself in, the onus of responsibility lies with yourself to implement security.

  10. #10

    Well dijichi2, we are using a class B private IP Range.
    Does this mean that the postfix MTA should allow relaying within the ENTIRE range even though only a subnet is listed in the mynetworks parameter?

    Thanks.
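A small model of the Postfix recipient-restriction decision that posts #6, #9 and #10 circle around, added here as an example (it is not code from the thread, from Zimbra or from Postfix). The mynetworks blocks, the relay domains and the client addresses are constructed assumptions; the "direct delivery" domains are modelled as relay domains, which is the simplest configuration that reproduces the poster's observation. It shows why a client outside mynetworks gets "Relay access denied" for gmail but is accepted for a domain the server is configured to accept mail for, and how trusting the whole class B instead of one /24 would let that same client relay anywhere.

```python
import ipaddress

# Constructed values loosely mirroring the thread: one shared private class B
# range, subnetted per department; only this server's own /24 is trusted.
MYNETWORKS = ["127.0.0.0/8", "172.16.10.0/24"]
MYDESTINATION = {"security.domain.net"}            # hosted locally
RELAY_DOMAINS = {"cse.domain.net", "domain.net"}   # delivered directly (assumed relay_domains)

def recipient_allowed(client_ip, rcpt, sasl_authenticated=False,
                      mynetworks=MYNETWORKS, relay_domains=RELAY_DOMAINS):
    """Model of smtpd_recipient_restrictions =
         permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
    Returns (accepted, name_of_rule_that_decided)."""
    ip = ipaddress.ip_address(client_ip)
    # permit_mynetworks: any client inside a trusted block may relay anywhere.
    if any(ip in ipaddress.ip_network(n, strict=False) for n in mynetworks):
        return True, "permit_mynetworks"
    # permit_sasl_authenticated: a logged-in user may relay anywhere.
    if sasl_authenticated:
        return True, "permit_sasl_authenticated"
    # reject_unauth_destination: untrusted clients may only send mail *to*
    # domains this server is responsible for (mydestination or relay_domains).
    domain = rcpt.rsplit("@", 1)[-1].lower()
    if domain in MYDESTINATION or domain in relay_domains:
        return True, "permit_auth_destination"
    return False, "reject_unauth_destination"

def thread_scenario():
    """Reproduce the poster's test: a client on another subnet of the same
    class B range, no SMTP AUTH, one recipient per destination type."""
    foreign = "172.16.20.5"  # constructed; not in MYNETWORKS
    return {
        "internet": recipient_allowed(foreign, "someone@gmail.com"),
        "direct_domain": recipient_allowed(foreign, "someone@cse.domain.net"),
        "own_domain": recipient_allowed(foreign, "me@security.domain.net"),
    }

def widened_mynetworks():
    """What happens if the whole class B is trusted instead of a single /24:
    the same foreign client is now allowed to relay to any destination."""
    return recipient_allowed("172.16.20.5", "someone@gmail.com",
                             mynetworks=["127.0.0.0/8", "172.16.0.0/16"])

if __name__ == "__main__":
    for name, (ok, rule) in thread_scenario().items():
        print(f"{name:14} {'accept' if ok else 'reject'}  ({rule})")
    print("whole /16 trusted:", widened_mynetworks())
```

The "direct_domain" acceptance is by design: listing a domain as a relay destination makes the server an inbound gateway for it, so the mitigation for the poster's case is keeping mynetworks narrow and not declaring domains as relay destinations unless the server is meant to accept mail for them from anyone.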
