[SOLVED] Security best-practices question

Postby dwmtractor » Tue Feb 26, 2008 1:56 pm

Hey people, I'm looking for opinions on the best practice for configuring my firewalls and/or Zimbra so I can get security notices from the firewalls.
My firewall is capable of sending out both notices of failed logins, intrusions, etc, and also backup files to an email address I specify. This feature uses an SMTP engine (Exim) built right into the firewall to kick the notices out, and they go out through the WAN IP of the box. If I send them to a nearly-unfiltered account I have elsewhere (not on Zimbra) the messages come through, even with fetchmail grabbing them down to a Zimbra account. However, if I direct these same messages to an account on my Zimbra box, they are rejected by Postfix:

Feb 26 11:23:35 mail postfix/smtpd[24845]: NOQUEUE: reject: RCPT from unknown[xxx.xxx.xxx.xxx]: 504 : Helo command rejected: need fully-qualified hostname; from= to= proto=ESMTP helo=

I know why this is happening--I have the various MTA restrictions turned on, including:

  • reject_invalid_hostname
  • reject_non_fqdn_hostname
  • reject_non_fqdn_sender
  • reject_unknown_sender_domain

And guess what, it's following my instructions to the letter! :D I don't really want to turn these features off because they stop a lot of trash, but I do want to get my firewall notices. I can see a couple of less-than-desirable options:

  • Add the WAN IP addresses to my "allowed senders" relay list. My concern with this is that I don't much like to have a relay open to any public IPs.
  • Register my WAN IPs in a DNS I control. I don't much like putting the gateways to my networks in a phone book. . . seems kinda like inviting trouble.
  • There ought to be a way to whitelist the addresses I create, but my first attempts at whitelisting didn't work--it seems Postfix is rejecting the message before SpamAssassin gets a chance to whitelist it.

Would appreciate any ideas you all might have.
Cheers,
Dan


Postby bdial » Tue Feb 26, 2008 2:40 pm

I believe Exim just uses whatever your hostname is for the HELO. Type the command 'hostname':

hercules:~ # hostname
hercules

So you can see it's using just the hostname minus the domain. Try setting your hostname to your FQDN:

hercules:~ # hostname hercules.domain.com
hercules:~ # hostname
hercules.domain.com

Then maybe restart Exim and see if it works now.
It depends on your distribution as to where you need to set this to be permanent.
Postby dwmtractor » Tue Feb 26, 2008 5:18 pm

Well and good, but these are T1s sold to us by AT&T for internet access. They don't have DNS associated with them, and as nearly as I can tell they don't have a FQDN, or if they do I can't figure out what it is. I tried whois on the ip address and no permutation I'm able to come up with works.
Any more ideas?
Postby dwmtractor » Tue Feb 26, 2008 5:31 pm

I'm truly embarrassed by what I discovered is the problem. I've been putting an address formatted like an email (firewallname@something.net) into the FQDN field of my firewall. Not surprisingly, Postfix sees that as an invalid domain and rejects the email. It had nothing to do with a reverse lookup, and everything to do with me overlooking the blindingly obvious. :p
Putting in a FQDN of my own invention that just looks right was good enough.
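As an added example (not code from this thread, Zimbra or Postfix), the script below approximates the syntax rules behind the two HELO restrictions named in the first post, so a firewall's configured HELO/FQDN value can be checked before any notices are sent. The sample names are constructed to mirror the thread: the email-shaped value that was typed into the firewall's FQDN field, a bare hostname, a real FQDN and an address literal.

```python
import re

# Approximation of the checks behind Postfix's reject_invalid_hostname and
# reject_non_fqdn_hostname restrictions. Not Postfix's own code; the rules
# follow the documented behaviour (hostname syntax, and "must contain a dot
# or be an address literal" for FQDN form).

LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
IPV4_LITERAL_RE = re.compile(r"^\[(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\]$")


def is_address_literal(name: str) -> bool:
    """RFC 5321 address literal such as [192.0.2.1]; Postfix treats these as FQDN form."""
    m = IPV4_LITERAL_RE.match(name)
    return bool(m) and all(int(octet) <= 255 for octet in m.groups())


def is_valid_hostname(name: str) -> bool:
    """Hostname syntax: dot-separated labels of letters, digits and hyphens,
    1-63 chars each, no leading/trailing hyphen, no empty label, <= 255 total.
    An '@' (as in firewallname@something.net) fails this check."""
    if not name or len(name) > 255:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def helo_restrictions_triggered(helo: str) -> list:
    """Return the names of the thread's HELO restrictions this name would trip.
    Both are checked so the result does not depend on restriction order."""
    if is_address_literal(helo):
        return []
    hits = []
    if not is_valid_hostname(helo):
        hits.append("reject_invalid_hostname")
    # reject_non_fqdn_hostname fails on bad syntax and on any name without a dot
    if not is_valid_hostname(helo) or "." not in helo:
        hits.append("reject_non_fqdn_hostname")
    return hits


if __name__ == "__main__":
    # Constructed sample HELO names mirroring the thread's cases
    for name in ["firewallname@something.net", "hercules",
                 "hercules.domain.com", "[192.0.2.1]"]:
        verdict = helo_restrictions_triggered(name) or ["accepted"]
        print(f"{name:30s} -> {', '.join(verdict)}")
```

These smtpd restrictions are evaluated during the SMTP dialogue, before the message reaches any content filter, which is why a SpamAssassin whitelist never gets a chance to act on a rejected HELO.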
