[SOLVED] Help with SMTP over TLS authentication

tcauduro
Posts: 9
Joined: Fri Sep 12, 2014 10:45 pm

[SOLVED] Help with SMTP over TLS authentication

Postby tcauduro » Wed May 12, 2010 6:39 am

Currently running Zimbra 6.0.4 FOSS server.
We're in a situation where inbound email goes through an antispam server before reaching zimbra. However we have port 465 open and directly forwarded to zimbra so that external users can send out email when out of the office. TLS auth is turned on so they would have to authenticate to send.
Confirmed from "zmprov getServer server.domain.com | grep Auth":

zimbraMtaAuthEnabled: TRUE
zimbraMtaAuthHost: server.domain.com
zimbraMtaAuthTarget: TRUE
zimbraMtaAuthURL: https://server.domain.com:443/service/soap/
zimbraMtaSaslAuthEnable: TRUE
zimbraMtaTlsAuthOnly: TRUE

My problem is that we are now having spammers send mail through this port and they are logging in through TLS as an Anonymous user and getting access to send.
Maillog shows entries like this:

May 11 20:39:01 webmail postfix/smtpd[25302]: connect from unknown[186.120.141.91]
May 11 20:39:01 webmail postfix/smtpd[25302]: setting up TLS connection from unknown[186.120.141.91]
May 11 20:39:02 webmail postfix/smtpd[25302]: Anonymous TLS connection established from unknown[186.120.141.91]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

I've tried turning off anonymous access in LDAP ("./libexec/zmldapanon -d") and that hasn't helped.
Here's some more info from postfix main.cf ("grep sasl main.cf"):

broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_sender, reject_unknown_client, reject_unknown_sender_domain, permit
smtpd_sasl_authenticated_header = no
local_header_rewrite_clients = permit_mynetworks,permit_sasl_authenticated
smtpd_sasl_auth_enable = yes

Any ideas how to turn off this Anonymous TLS?
Thanks in advance.


tcauduro
Posts: 9
Joined: Fri Sep 12, 2014 10:45 pm

[SOLVED] Help with SMTP over TLS authentication

Postby tcauduro » Wed May 12, 2010 7:06 am

Oh, forgot to mention my /cyrus-sasl/etc/saslauthd.conf file:

zimbra_url: https://server.domain.com:7071/service/admin/soap/
zimbra_cert_file: /opt/zimbra/conf/smtpd.crt
zimbra_cert_check: off

I noticed other posts say to use something like https://server.domain.com/service/soap/ so I've changed both the saslauthd.conf and saslauthd.conf.in files and restarted the service.

File now reads:

zimbra_url: https://server.domain.com/service/soap/
zimbra_cert_file: /opt/zimbra/conf/smtpd.crt
zimbra_cert_check: off

I'll have to see if this stops the spam. Running testsaslauthd with a few user accounts seems to authenticate. Not sure how I would test the anonymous account, as it requires the -p parameter to provide a password when running.
L. Mark Stone
Elite member
Posts: 2187
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 8.8.15 Network Edition
Contact:

[SOLVED] Help with SMTP over TLS authentication

Postby L. Mark Stone » Wed May 12, 2010 8:22 am

Your profile shows you running ZCS 4.5.6; is that still the case?
All the best,

Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
phoenix
Ambassador
Posts: 26699
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

[SOLVED] Help with SMTP over TLS authentication

Postby phoenix » Wed May 12, 2010 8:24 am

tcauduro wrote: "Currently running Zimbra 6.0.4 FOSS server."

Please update your forum profile to reflect the correct Zimbra version in use.

tcauduro wrote: "We're in a situation where inbound email goes through an antispam server before reaching zimbra. However we have port 465 open and directly forwarded to zimbra so that external users can send out email when out of the office. TLS auth is turned on so they would have to authenticate to send."

You should switch to the correct Submission port, which is 587; that will do what you need. The RFC for the Submission port never ratified the use of port 456 and that has been deprecated in favour of 587.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
tcauduro
Posts: 9
Joined: Fri Sep 12, 2014 10:45 pm

[SOLVED] Help with SMTP over TLS authentication

Postby tcauduro » Mon May 17, 2010 9:16 am

Thanks for the suggestion. Switching to port 587 worked after a minor tweak was made.
I originally had my smtpd_recipient_restrictions configured as below:

reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_sender, reject_unknown_client, reject_unknown_sender_domain, permit

This mail server is behind a spam filter and therefore does not receive email from outside directly, aside from external authenticated users sending mail. With the last argument as 'permit', junk was still getting through; a switch to 'reject' solved the issue.
So smtpd_recipient_restrictions looks like this now:

reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unlisted_recipient, reject_invalid_hostname, reject_non_fqdn_sender, reject_unknown_client, reject_unknown_sender_domain, reject
Thanks again.
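The fix above works because Postfix walks smtpd_recipient_restrictions left to right and stops at the first permit or reject, so on a submission-only port the trailing keyword decides what happens to a client that authenticated nothing but passed every reject_* check (the "Anonymous TLS connection" log line only means the client presented no certificate; it is not an anonymous login). The simulation below is an added example, not code from the post, Zimbra or Postfix: it replays the two restriction lists from this thread against constructed client sessions, with simplified semantics for the checks involved.

```python
"""Replay Postfix smtpd_recipient_restrictions ordering against sample sessions.
Added example; restriction semantics are simplified, session fields constructed."""

PERMIT, REJECT, DUNNO = "permit", "reject", "dunno"  # DUNNO = no opinion, continue


def _check(name, s):
    """Decide one restriction for session dict s (simplified Postfix behaviour)."""
    if name == "permit":
        return PERMIT
    if name == "reject":
        return REJECT
    if name == "permit_sasl_authenticated":
        return PERMIT if s["sasl_authenticated"] else DUNNO
    if name == "permit_mynetworks":
        return PERMIT if s["in_mynetworks"] else DUNNO
    if name == "reject_unauth_destination":       # no open relay
        return DUNNO if s["recipient_is_local"] else REJECT
    if name == "reject_unknown_client":           # client has no reverse DNS
        return REJECT if s["client_hostname"] == "unknown" else DUNNO
    if name == "reject_non_fqdn_recipient":
        return DUNNO if "." in s["recipient"].split("@")[-1] else REJECT
    # Remaining checks (sender domain, hostname syntax, ...) pass for the
    # well-formed sample sessions used here.
    return DUNNO


def evaluate(restrictions, session):
    """Return the first PERMIT/REJECT; Postfix permits if the list runs out."""
    for name in restrictions:
        verdict = _check(name, session)
        if verdict != DUNNO:
            return verdict
    return PERMIT


ORIGINAL = ["reject_non_fqdn_recipient", "permit_sasl_authenticated", "permit_mynetworks",
            "reject_unauth_destination", "reject_unlisted_recipient", "reject_invalid_hostname",
            "reject_non_fqdn_sender", "reject_unknown_client", "reject_unknown_sender_domain",
            "permit"]
FIXED = ORIGINAL[:-1] + ["reject"]   # the change made in the post above


def sample(**overrides):
    """Constructed session: unauthenticated client with working reverse DNS, local recipient."""
    s = dict(sasl_authenticated=False, in_mynetworks=False, recipient_is_local=True,
             client_hostname="mail.example.net", recipient="user@server.domain.com")
    s.update(overrides)
    return s
```

With the original list, `evaluate(ORIGINAL, sample())` reaches the trailing `permit` and accepts unauthenticated delivery to a local mailbox; `evaluate(FIXED, sample())` rejects it while `sample(sasl_authenticated=True)` is still permitted by both lists.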
Tolma4
Posts: 2
Joined: Sat Sep 13, 2014 2:29 am

[SOLVED] Help with SMTP over TLS authentication

Postby Tolma4 » Mon Mar 05, 2012 2:18 am

Would you please explain how you did that? I also have the problem of spam being sent using my server because of anonymous TLS. But if I change "permit" to "reject" and restart Zimbra, it somehow changes to "permit" again.
tcauduro
Posts: 9
Joined: Fri Sep 12, 2014 10:45 pm

[SOLVED] Help with SMTP over TLS authentication

Postby tcauduro » Mon Mar 05, 2012 7:25 am

Go to Global Settings under the Administration Console and pick the 'MTA' tab. There's a check box under 'Protocol Checks' that does this for you.
I would assume Zimbra re-writes the file according to these settings every time it starts up.
Tolma4
Posts: 2
Joined: Sat Sep 13, 2014 2:29 am

[SOLVED] Help with SMTP over TLS authentication

Postby Tolma4 » Mon Mar 05, 2012 7:30 am

Thanks. I will try :)