Thread: permit_mynetworks

#1

    Hello,

I've got a problem with a brand new Zimbra NE 6.0.4 installation just made (on Ubuntu 8.04, if it matters) for a client. This machine is behind a firewall that NATs port 25 to it.

In the trusted networks, I set "127../8" and "192.../32", so I intended to be able to send emails only in an authenticated TLS/SSL way, as this configuration only allows anonymous mails from the machine where Zimbra itself is installed.

My problem is that some spam can be sent via this installation from the other side of the firewall; it seems that the firewall (which cannot be changed) breaks something when it does its NATting -> spam arrives in the MTA and in the queue, so it's as if it were sent from the trusted networks, i.e. locally. Of course, trying to send an anonymous email from the (untrusted) network won't work, as expected; that's why I arrive at this conclusion (the firewall breaks something when it does NATting).

After digging into various files, I found the line
permit_mynetworks (in the file /opt/zimbra/conf/postfix_recipient_restrictions.cf)
and its corresponding
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_sender, permit (in /opt/zimbra/postfix/conf/main.cf)
And in the same file:
local_header_rewrite_clients = permit_mynetworks,permit_sasl_authenticated

So my question is: what would happen if I delete the line "permit_mynetworks" from postfix_recipient_restrictions.cf and restart? Would all outgoing mail coming from anywhere be rejected unless its sender is registered in the system? Or would it be totally impossible to send any mail at all, even for registered users (as in the queue, the originating address is sometimes "amavisd [127.0.0.1]")?

As this parameter seems to be able to totally break the installation (which is already in production), I'd prefer to have an answer before trying to change this setting.

    Thanks in advance for answering
    Christophe
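
To make the effect of the proposed change concrete, here is an added example (not code from this thread, from Zimbra or from Postfix) that walks a mail session through the smtpd_recipient_restrictions chain quoted above, first as listed and then with permit_mynetworks removed. The rule semantics are a simplified model of the Postfix restrictions; the domain names, mailboxes, the 192.0.2.10 server address and the client addresses are assumptions made up for the example. It models only the main.cf chain quoted in the post, not any per-listener overrides that may exist in master.cf.

```python
"""Simulate Postfix smtpd_recipient_restrictions evaluation, with and without permit_mynetworks.

Added example; not code from the thread, Zimbra or Postfix. The rule semantics are a
simplified model of the Postfix restrictions; domains, mailboxes and IPs are made up.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed local configuration (hypothetical domain, mailboxes and server IP).
LOCAL_DOMAINS = {"example.com"}
VALID_RECIPIENTS = {"alice@example.com", "bob@example.com"}
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),      # loopback, as in the thread
              ipaddress.ip_network("192.0.2.10/32")]     # the Zimbra host itself (assumed IP)

# The chain quoted from /opt/zimbra/postfix/conf/main.cf, and the same chain
# with permit_mynetworks deleted, which is the change the poster asks about.
CHAIN_ORIGINAL = ["reject_non_fqdn_recipient", "permit_sasl_authenticated",
                  "permit_mynetworks", "reject_unauth_destination",
                  "reject_unlisted_recipient", "reject_invalid_hostname",
                  "reject_non_fqdn_sender", "permit"]
CHAIN_NO_MYNETWORKS = [r for r in CHAIN_ORIGINAL if r != "permit_mynetworks"]

# Simplified hostname syntax check used for HELO names and address domains.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
                         r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*$")


@dataclass
class Session:
    client_ip: str
    helo: str
    sender: str                      # "" models the null sender <>
    recipient: str
    sasl_user: Optional[str] = None  # set when the client authenticated


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2] if "@" in addr else ""


def _is_fqdn(domain: str) -> bool:
    return "." in domain and HOSTNAME_RE.match(domain) is not None


def _in_mynetworks(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MYNETWORKS)


def evaluate(chain, s: Session) -> Tuple[str, str]:
    """Walk the chain in order and return (action, deciding_rule).

    As in Postfix, the first rule that reaches a PERMIT or REJECT verdict wins;
    rules whose condition does not match are skipped.
    """
    for rule in chain:
        if rule == "reject_non_fqdn_recipient":
            if not _is_fqdn(_domain(s.recipient)):
                return "REJECT", rule
        elif rule == "permit_sasl_authenticated":
            if s.sasl_user:
                return "PERMIT", rule
        elif rule == "permit_mynetworks":
            if _in_mynetworks(s.client_ip):
                return "PERMIT", rule
        elif rule == "reject_unauth_destination":
            # Relay only to domains this server accepts mail for.
            if _domain(s.recipient) not in LOCAL_DOMAINS:
                return "REJECT", rule
        elif rule == "reject_unlisted_recipient":
            if _domain(s.recipient) in LOCAL_DOMAINS and s.recipient not in VALID_RECIPIENTS:
                return "REJECT", rule
        elif rule == "reject_invalid_hostname":
            if HOSTNAME_RE.match(s.helo) is None:
                return "REJECT", rule
        elif rule == "reject_non_fqdn_sender":
            # The null sender has no domain and is not rejected by this rule.
            if s.sender and not _is_fqdn(_domain(s.sender)):
                return "REJECT", rule
        elif rule == "permit":
            return "PERMIT", rule
        else:
            raise ValueError(f"unknown restriction: {rule}")
    return "PERMIT", "end-of-list"   # Postfix's default for recipient restrictions


def compare(s: Session):
    """Verdict under the quoted chain versus the chain without permit_mynetworks."""
    return {"original": evaluate(CHAIN_ORIGINAL, s),
            "without_permit_mynetworks": evaluate(CHAIN_NO_MYNETWORKS, s)}


# Constructed sessions covering the cases discussed in the thread.
SCENARIOS = {
    # A process on the Zimbra box relays outbound without SASL (e.g. a local submission).
    "loopback_relay_no_auth": Session("127.0.0.1", "localhost",
                                      "alice@example.com", "friend@remote.example"),
    # An outside host delivers inbound spam with an empty envelope sender.
    "inbound_null_sender": Session("198.51.100.7", "mail.spammer.example",
                                   "", "alice@example.com"),
    # An outside host tries to relay through the server without authenticating.
    "outside_relay_no_auth": Session("198.51.100.7", "mail.spammer.example",
                                     "x@spammer.example", "victim@remote.example"),
    # An authenticated user sends outbound from anywhere.
    "outside_relay_sasl": Session("203.0.113.5", "laptop.example.net",
                                  "bob@example.com", "friend@remote.example", sasl_user="bob"),
}

if __name__ == "__main__":
    for name, session in SCENARIOS.items():
        print(f"{name:24s} {compare(session)}")
```

Running the four scenarios shows the two things the question hinges on: removing permit_mynetworks only changes the verdict for unauthenticated clients inside mynetworks that want to relay to a non-local domain (loopback_relay_no_auth flips from PERMIT to REJECT at reject_unauth_destination), while inbound mail for a local mailbox, including mail with an empty sender, is accepted by both chains because reject_unauth_destination never fires for a local destination. Authenticated users are unaffected either way.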

#2 - phoenix (Zimbra Consultant & Moderator)

Zimbra is not an open relay in its default installation unless you've modified it to do that, which means that nobody can send spam via your server from outside your firewall. Being behind a firewall does not 'break' anything when you're behind a NAT router or firewall. You should clarify why you think spam is being sent via your server and (possibly) post some headers from a suspect email. You could always review some of the techniques in this article (you can also search the forums for further tips): Improving Anti-spam system - Zimbra :: Wiki - specifically, Discarding Emails Sent to Invalid Addresses will get rid of a lot of spam, as will adding effective RBLs.
    Regards


    Bill



#3

    Thanks for answering.

I know it's not an open relay by default and did not configure it that way (as implied by my sentence "Of course, trying to send an anonymous email from the network (that isn't trusted) won't work"); but nevertheless some spam can be sent using it. I also know that in theory being behind a firewall should not 'break' anything. But the behaviour I notice is that some anonymous mails are sent via the Zimbra server from the internet. The only explanation I see for this is that the NAT rules somehow rewrite IP headers so that packets coming to Zimbra are rewritten with the originating IP being that of the Zimbra box.

I think spam is being sent via this Zimbra box, because I saw hundreds of mails going out of it in the queues and the server has been blacklisted as a spam sender by some ISPs. To prevent this, I used a feature of the firewall for filtering outgoing spam -> I thought mails would still reach the box and the queue but would be deleted by the firewall when they tried to go out; what happens is that most of the outgoing spam doesn't even reach the box anymore.

I've added reject_unknown_recipient_domain from the link you gave me and hope the last spam will be cleaned up that way.

#4 - phoenix (Zimbra Consultant & Moderator)

Quote Originally Posted by ChristOff:
    I also know that in theory being behind a firewall should not 'break' anything.
That's not a theory, it's reality. It makes no difference whether Zimbra is behind a firewall or not - its behaviour is the same.

Quote Originally Posted by ChristOff:
    But the behaviour I notice is that some anonymous mails are sent via the Zimbra server from the internet. The only explanation I see for this is that the NAT rules somehow rewrite IP headers so that packets coming to Zimbra are rewritten with the originating IP being that of the Zimbra box.
That's not true, your NAT rules should not (and probably don't) rewrite the IP headers.

Quote Originally Posted by ChristOff:
    I think spam is being sent via this Zimbra box, because I saw hundreds of mails going out of it in the queues and the server has been blacklisted as a spam sender by some ISPs.
If you actually have spam being sent from your server and you say you're not an open relay, then I'd suggest you may have a compromised account on the server (or a compromised machine behind your firewall). You need to look in the log files (and daily report) and see which account is sending high volumes of mail - search the forums for details of a similar incident.

    BTW, you can limit MyNetworks to the loopback adapter (that must stay) and the IP of your Zimbra server only (meaning each LAN user must authenticate) - you'll also find details of that in the forums.
    Regards


    Bill



#5

Quote Originally Posted by phoenix:
    That's not true, your NAT rules should not (and probably don't) rewrite the IP headers.
I cannot see any other explanation given everything I've explained here (the only trusted network is localhost and the IP of Zimbra itself; all accounts are protected with strong, renewed passwords).
-> no mail could be sent anonymously from anywhere but the Zimbra machine itself (and as I've not activated the commands to send mails from the command line, I'm pretty sure they don't come from "someone" logged onto the Zimbra machine either)

Quote Originally Posted by phoenix:
    If you actually have spam being sent from your server and you say you're not an open relay, then I'd suggest you may have a compromised account on the server (or a compromised machine behind your firewall). You need to look in the log files (and daily report) and see which account is sending high volumes of mail - search the forums for details of a similar incident.
All checkboxes in MTA are ticked to force authentication of users.
All passwords have been changed with no effect on the spam sent; every machine on the network (15) has been disconnected from the network one by one, with no effect either. The only machines left connected were 4 servers on which no mail account has been configured at all.
    But still (from the last daily report)
    top 50 Senders by message count
    -------------------------------
    61 from=<>

Quote Originally Posted by phoenix:
    BTW, you can limit MyNetworks to the loopback adapter (that must stay) and the IP of your Zimbra server only (meaning each LAN user must authenticate) - you'll also find details of that in the forums.
I already did this. Cf. my first message, where I talk about trusted networks being 127..../8 and 192.../32.

My original question was to know what the impact would be if I delete permit_mynetworks from /opt/zimbra/conf/postfix_recipient_restrictions.cf (the idea behind this is to force every single message from anywhere to be sent by an authenticated account and not have any place from which to send anonymous mails).

#6

Are you basing your assumptions solely on the mail report?

"Senders" is not just addresses that you are sending out... it is a list of ANY "from" address that the server saw, including inbound messages. So incoming spam that has no from address (a rather common case) will show in the top 50 "Senders" as a "from=<>" line.
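
Post #4 says to look in the log files for the account sending high volumes, and post #6 points out that the daily report's "Senders" column counts every envelope sender the server saw, inbound included, so a from=<> line on its own proves nothing about relaying. The following is an added example (not code from the thread or from Zimbra) of the check a practitioner would run instead: join Postfix smtpd and qmgr log lines by queue ID, then count senders split by where each message actually entered, whether from an authenticated SASL user, from a client inside mynetworks, or from an outside host. The log lines are constructed to follow Postfix's smtpd/qmgr logging format; the 192.0.2.10 server address, hostnames and mailboxes are made up, and the path of the real Zimbra mail log is not assumed.

```python
"""Classify queued messages by origin from Postfix log lines, not by envelope sender alone.

Added example; not code from the thread or from Zimbra. SAMPLE_LOG is constructed.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Trusted networks as described in the thread: loopback plus the server's own IP (assumed).
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.10/32")]

# smtpd logs the connecting client (and the SASL user, if any) per queue ID;
# qmgr logs the envelope sender, size and recipient count for the same queue ID.
SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): "
                      r"client=(?P<host>[^\[\s]+)\[(?P<ip>[\d.]+)\]"
                      r"(?:, sasl_method=\S+, sasl_username=(?P<user>\S+))?")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): "
                     r"from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")

# Constructed log excerpt: two inbound null-sender messages from outside,
# one authenticated user sending to 40 recipients, one local submission.
SAMPLE_LOG = """\
Dec  2 10:15:01 mail postfix/smtpd[1234]: A1B2C3D4E5: client=unknown[198.51.100.7]
Dec  2 10:15:01 mail postfix/qmgr[1111]: A1B2C3D4E5: from=<>, size=2048, nrcpt=1 (queue active)
Dec  2 10:15:02 mail postfix/smtpd[1235]: F6E5D4C3B2: client=host.example.net[203.0.113.5], sasl_method=PLAIN, sasl_username=bob@example.com
Dec  2 10:15:02 mail postfix/qmgr[1111]: F6E5D4C3B2: from=<bob@example.com>, size=5120, nrcpt=40 (queue active)
Dec  2 10:15:03 mail postfix/smtpd[1236]: 0A9B8C7D6E: client=localhost[127.0.0.1]
Dec  2 10:15:03 mail postfix/qmgr[1111]: 0A9B8C7D6E: from=<alice@example.com>, size=700, nrcpt=1 (queue active)
Dec  2 10:15:04 mail postfix/smtpd[1237]: 11223344AA: client=unknown[198.51.100.9]
Dec  2 10:15:04 mail postfix/qmgr[1111]: 11223344AA: from=<>, size=3000, nrcpt=1 (queue active)
"""


@dataclass
class Message:
    qid: str
    sender: str                 # "<>" for the null sender
    client_ip: Optional[str]    # None if no smtpd line was seen for this queue ID
    sasl_user: Optional[str]
    nrcpt: int

    def origin(self) -> str:
        """Where the message entered: authenticated, trusted network, or outside."""
        if self.sasl_user:
            return "sasl"
        if self.client_ip is None:
            return "unknown"
        if any(ipaddress.ip_address(self.client_ip) in net for net in MYNETWORKS):
            return "mynetworks"
        return "inbound"


def parse(lines):
    """Join smtpd client lines and qmgr envelope lines on the queue ID."""
    clients = {}
    messages = []
    for line in lines:
        m = SMTPD_RE.search(line)
        if m:
            clients[m["qid"]] = (m["ip"], m["user"])
            continue
        m = QMGR_RE.search(line)
        if m:
            ip, user = clients.get(m["qid"], (None, None))
            messages.append(Message(m["qid"], m["sender"] or "<>", ip, user, int(m["nrcpt"])))
    return messages


def analyze(lines):
    messages = parse(lines)
    recipients_per_user = Counter()
    for msg in messages:
        if msg.sasl_user:
            recipients_per_user[msg.sasl_user] += msg.nrcpt
    return {
        # What a sender-only report shows: every envelope sender, inbound included.
        "report_style_senders": Counter(msg.sender for msg in messages),
        # The split that actually answers "is my server relaying this?".
        "by_origin_and_sender": Counter((msg.origin(), msg.sender) for msg in messages),
        # Recipient volume per authenticated account; a compromised account stands out here.
        "recipients_per_sasl_user": recipients_per_user,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for key, counter in result.items():
        print(key)
        for item, count in counter.most_common():
            print(f"  {count:5d}  {item}")
```

On the constructed sample the sender-only view reports two from=<> messages, exactly the kind of line the poster quoted from the daily report, but the origin split attributes both to outside clients, i.e. inbound mail, while the one message worth a second look is the authenticated user with 40 recipients.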
