Zimbra being an open relay?

Postby gkra » Fri Jun 29, 2007 11:47 am

Running Zimbra Open Source version, and about to install the Network trial, but a security scan pointed out that the Zimbra system is acting as an open relay.
Zimbra is configured to send all mail through an external SMTP server.
Doing a simple open relay test confirms that Zimbra is happily relaying any mail it gets. (Telnet to SMTP port, MAIL FROM: , RCPT TO: , DATA, some text, and off it goes.)
Why is Zimbra relaying mail for everything? Even if I tell Zimbra to use an external SMTP server for all outgoing mail, it should still only be accepting mail for the domains that it's configured for.
zimbra.log output for the test message is below. Please let me know if there's anything else I can provide to help diagnose this.
Jun 29 09:15:50 zimbraserver postfix/smtpd[13993]: 8F77870048: client=tachikoma.ourdomain.tld[AAA.BBB.CCC.31]

Jun 29 09:16:11 zimbraserver postfix/cleanup[13994]: 8F77870048: message-id=

Jun 29 09:16:11 zimbraserver postfix/qmgr[28445]: 8F77870048: from=, size=404, nrcpt=1 (queue active)

Jun 29 09:16:11 zimbraserver postfix/smtpd[27396]: 9EB5F7003C: client=localhost[127.0.0.1]

Jun 29 09:16:11 zimbraserver postfix/cleanup[27136]: 9EB5F7003C: message-id=

Jun 29 09:16:11 zimbraserver postfix/qmgr[28445]: 9EB5F7003C: from=, size=1063, nrcpt=1 (queue active)

Jun 29 09:16:11 zimbraserver amavis[27303]: (27303-04) FWD via SMTP: -> , BODY=8BITMIME 250 2.6.0 Ok, id=27303-04, from MTA([127.0.0.1]:10025): 250 Ok: queued as 9EB5F7003C

Jun 29 09:16:11 zimbraserver amavis[27303]: (27303-04) Passed CLEAN, [AAA.BBB.CCC.31] [AAA.BBB.CCC.31] -> , Message-ID: , mail_id: 1zldVdAwLx+r, Hits: -0.825, queued_as: 9EB5F7003C, 336 ms

Jun 29 09:16:11 zimbraserver postfix/smtp[27143]: 8F77870048: to=, relay=127.0.0.1[127.0.0.1], delay=27, status=sent (250 2.6.0 Ok, id=27303-04, from MTA([127.0.0.1]:10025): 250 Ok: queued as 9EB5F7003C)

Jun 29 09:16:11 zimbraserver postfix/qmgr[28445]: 8F77870048: removed

Jun 29 09:16:11 zimbraserver postfix/smtp[27615]: 9EB5F7003C: to=, relay=cse-smtp.ourdomain.tld[AAA.BBB.CCC.63], delay=0, status=sent (250 Ok: queued as AE3162C14C)

Jun 29 09:16:11 zimbraserver postfix/qmgr[28445]: 9EB5F7003C: removed



Postby phoenix » Fri Jun 29, 2007 12:01 pm

Zimbra is not, by default, an open relay. You must have configured it to be an open relay or you are misunderstanding what's happening - search the forums on the subject.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
Postby gkra » Fri Jun 29, 2007 12:14 pm

The extent of my configuration was to do the following using the web admin console:
Global Settings -> MTA:

Web mail MTA Hostname: cse-smtp.ucsd.edu

Relay MTA for external delivery: cse-smtp.ucsd.edu
The Zimbra system is configured for the following domains:
cs.ucsd.edu

cse.ucsd.edu

csezimbra.ucsd.edu
It was installed for the "cs.ucsd.edu" domain, and the other two were added as domain aliases for "cs.ucsd.edu" via the zmprov tool, as per documentation found here in the forums and the administrator's guide.
We're bringing Zimbra in as an additional server in an existing mail domain, which means that other systems are handling mail routing. We have to send all "sent" mail from the zimbra system through the separate smtp server to take care of resolving aliases and mailing lists which are not, and will not be managed by zimbra.
If configuring an external SMTP box is all it takes to turn Zimbra into an open relay, I'd consider that a bug.
If that's not supposed to happen, then where do I look for what might be causing this?
For now I've firewalled the SMTP services so that they're only reachable by our mailhub (which is the only system that's supposed to be injecting mail into the zimbra system anyway). I want to isolate the root cause, though.
Postby gkra » Fri Jun 29, 2007 12:43 pm

Okay, please forgive me, everyone, for my own stupidity.
Going through all the threads when I searched for "open relay", I found reference to checking the postfix "mynetworks" variable. This made something click in my head, because $mynetworks is used extensively in our own postfix servers for a lot of the *_restrictions variables in our gateways.
Sure enough, when I checked it on the zimbra server, it was including the CIDR block where the network security scanner lives. Now it makes perfect sense why it seems like the Zimbra server was being an open relay. Hosts on $mynetworks are allowed to do much more than hosts not on $mynetworks.
So, now I have to figure out where in the admin console that was set, and remove that CIDR block.
Any pointers for *that*? It's not listed in Global Settings -> MTA or Servers -> servername -> MTA anywhere...
Postby phoenix » Fri Jun 29, 2007 12:53 pm

You can use these instructions in the wiki.
Regards

Bill


Postby dlbewley » Fri Jun 29, 2007 12:55 pm

[QUOTE]Jun 29 09:15:50 zimbraserver postfix/smtpd[13993]: 8F77870048: client=tachikoma.ourdomain.tld[AAA.BBB.CCC.31][/QUOTE]
So, is AAA.BBB.CCC.0/24 the same network as your Zimbra server? Looks like you are just being allowed to relay due to your proximity to the server.

By default postfix allows relay to hosts on the same subnet.
Postfix Basic Configuration

Postfix Configuration Parameters
[zimbra@zebra conf]$ postconf |grep networks

mynetworks = 127.0.0.0/8 10.10.10.128/26

mynetworks_style = subnet

parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,relay_domains,smtpd_access_maps

permit_mx_backup_networks =

proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks

smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetworks}

smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_unknown_client, reject_unknown_hostname, reject_unknown_sender_domain, reject_unauth_destination, permit

smtpd_sasl_exceptions_networks =


To truly test if you're an open relay you'll have to test from a client completely removed from your environment.
My Zimbra server has port 25 firewalled and, like you, email all comes in and out via an SMTP gateway. Including IMAP clients sending messages. OT: like this.
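
Why a relay test from inside `mynetworks` proves nothing, as an added example that is not part of the original thread: it walks the `smtpd_recipient_restrictions` list quoted above for a given client address and reports the first restriction that decides the outcome. The client addresses `10.10.10.130` and `203.0.113.7` are constructed, and the model is a simplification that evaluates only four restrictions and assumes the message passes all the others.

```python
import ipaddress

# The two postconf lines the check needs, copied from the output quoted above.
POSTCONF = """\
mynetworks = 127.0.0.0/8 10.10.10.128/26
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_unknown_client, reject_unknown_hostname, reject_unknown_sender_domain, reject_unauth_destination, permit
"""

def parse_postconf(text):
    """Turn `postconf` output ("name = value" lines) into a dict."""
    conf = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            conf[name.strip()] = value.strip()
    return conf

def trusted_networks(conf):
    """Literal CIDR entries of mynetworks; tables, files and '!' entries are skipped."""
    nets = []
    for item in conf.get("mynetworks", "").replace(",", " ").split():
        try:
            literal = item.replace("[", "").replace("]", "")  # [::1]/128 form
            nets.append(ipaddress.ip_network(literal, strict=False))
        except ValueError:
            continue  # not a literal network, outside this simplified model
    return nets

def relay_decision(conf, client_ip, rcpt_is_local, authenticated=False):
    """Return (action, restriction) for the first restriction that decides."""
    ip = ipaddress.ip_address(client_ip)
    in_mynetworks = any(ip in net for net in trusted_networks(conf))
    for rule in (r.strip() for r in conf["smtpd_recipient_restrictions"].split(",")):
        if rule == "permit_sasl_authenticated" and authenticated:
            return ("permit", rule)
        if rule == "permit_mynetworks" and in_mynetworks:
            return ("permit", rule)  # trusted client: later rejects never run
        if rule == "reject_unauth_destination" and not rcpt_is_local:
            return ("reject", rule)  # untrusted client, foreign recipient
        if rule == "permit":
            return ("permit", rule)
    return ("permit", "end of list")

if __name__ == "__main__":
    conf = parse_postconf(POSTCONF)
    for ip in ("10.10.10.130", "203.0.113.7"):  # constructed client addresses
        print(ip, relay_decision(conf, ip, rcpt_is_local=False))
```
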
Postby gkra » Fri Jun 29, 2007 12:59 pm

I'm feeling like a spastic puppy today...
Okay, the MTA Trusted Hosts field in Global settings is what I needed.
I've set it to the loopback address and the local subnet (which should be the only things submitting mail to it), and looks like everything is okay now.
