Allowing specific internal sender addresses through the MTA without a mailbox

MightyGorilla
Posts: 32
Joined: Fri Sep 12, 2014 11:48 pm

Allowing specific internal sender addresses through the MTA without a mailbox

Postby MightyGorilla » Wed Jun 13, 2018 3:16 pm

I'll admit this feels like a really dumb question - and there may be a simple term for this concept, but I'm not aware of it, so my searches were fruitless. :(

We have a pretty common scenario of hardware devices that may periodically send internal notifications to a few administrative email addresses.
I'm not sure what might have been changed in our system (we haven't done an upgrade in a while; ZCS 8.6.0), but this was allowed previously, and now Zimbra rejects the unknown sender unless we add an account for it.

Is there a suggested way to handle these types of senders?

Thanks,
Travis-


MightyGorilla
Posts: 32
Joined: Fri Sep 12, 2014 11:48 pm

Re: Allowing specific internal sender addresses through the MTA without a mailbox

Postby MightyGorilla » Wed Jun 13, 2018 3:23 pm

I see that I can disable zimbraMtaSmtpdRejectUnlistedSender, but it would be nice to only allow certain senders...
DavidMerrill
Posts: 45
Joined: Thu Jul 30, 2015 2:44 pm
Location: Portland, ME

Re: Allowing specific internal sender addresses through the MTA without a mailbox

Postby DavidMerrill » Wed Jun 13, 2018 5:26 pm

Do these devices have static IPs?

Check out: https://wiki.zimbra.com/wiki/ZimbraMtaMyNetworks
___________________________________
David Merrill - Zimbra Practice Lead
Reliable Networks - Zimbra Hosting, Licensing and Professional Services
Zeta Alliance
MightyGorilla
Posts: 32
Joined: Fri Sep 12, 2014 11:48 pm

Re: Allowing specific internal sender addresses through the MTA without a mailbox

Postby MightyGorilla » Wed Jun 13, 2018 6:28 pm

Thanks David-

Yeah, that's how we've had them set up in Zimbra for many years.
Now, the MTA seems to still allow the devices to submit messages, but rejects the messages afterward for having a sender address that doesn't exist on the Zimbra server.

I certainly don't want to create a bunch of mailboxes for "server-A@mydomain.net" just so that the MTA will allow messages through.
I think I did do an apt-get upgrade recently, but I didn't expect anything to affect our Zimbra install since it's not installed that way...
MightyGorilla
Posts: 32
Joined: Fri Sep 12, 2014 11:48 pm

Re: Allowing specific internal sender addresses through the MTA without a mailbox

Postby MightyGorilla » Thu Jun 14, 2018 12:02 pm

For now, disabling zimbraMtaSmtpdRejectUnlistedSender resolved the problem, but that setting certainly isn't what started the problem, as I'm the only one here that could have changed it, and I didn't.
If anyone has a preferred method for handling these types of senders, I'd love to hear it.
L. Mark Stone
Elite member
Posts: 1829
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine
ZCS/ZD Version: 8.8.8 Patch 6 Network Edition

Re: Allowing specific internal sender addresses through the MTA without a mailbox

Postby L. Mark Stone » Thu Jun 14, 2018 6:06 pm

MightyGorilla wrote: For now, disabling zimbraMtaSmtpdRejectUnlistedSender resolved the problem, but that setting certainly isn't what started the problem, as I'm the only one here that could have changed it, and I didn't.
If anyone has a preferred method for handling these types of senders, I'd love to hear it.


Still on 8.6?

It's also possible you might be seeing the effects from the Mailsploit phishing/spoofing remediation work (I haven't touched an 8.6 system since early January except to migrate them to 8.8.8...). See https://bugzilla.zimbra.com/show_bug.cgi?id=108709. Barry deGraff has a nice zimlet for this too: https://github.com/Zimbra-Community/spo ... ert-zimlet

You can check if zimbraPrefShortEmailAddress is set to FALSE (no Mailsploit):


zmprov gc <name-of-ClassofService> zimbraPrefShortEmailAddress


For hardware devices on the LAN that are too old or otherwise can't do encrypted SMTP-Auth on Port 587, I'll assign them a static IP address and then add that IP address to zimbraMailTrustedIP.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
MightyGorilla
Posts: 32
Joined: Fri Sep 12, 2014 11:48 pm

Re: Allowing specific internal sender addresses through the MTA without a mailbox

Postby MightyGorilla » Thu Aug 16, 2018 2:10 pm

Thanks Mark,
I didn't see your post until waaay later. We are still on 8.6 but will upgrade as soon as I get a good chance.

I haven't used zimbraMailTrustedIP before, and I'm not sure how it's different from zimbraMtaMyNetworks.
To add a single machine to zimbraMtaMyNetworks, I have just used its IP with a /32.
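
An added example, not part of the thread: a small Python audit of a zimbraMtaMyNetworks value that reports which device IPs are covered, by which entry, and which non-loopback entries trust far more hosts than the per-device /32 approach mentioned above. The network value, device IPs and the 256-address threshold are constructed assumptions.

```python
import ipaddress
import re

def parse_mynetworks(value):
    """Parse a Postfix-style mynetworks string into network objects.
    Entries are separated by whitespace or commas; IPv6 uses [addr]/len."""
    nets = []
    for token in re.split(r"[,\s]+", value.strip()):
        if not token:
            continue
        cleaned = token.replace("[", "").replace("]", "")
        nets.append(ipaddress.ip_network(cleaned, strict=False))
    return nets

def audit(value, device_ips, max_addresses=256):
    """Return covered devices (with narrowest matching entry), uncovered
    devices, and non-loopback entries wider than max_addresses (assumed limit)."""
    nets = parse_mynetworks(value)
    report = {"covered": {}, "uncovered": [], "broad": []}
    for ip_text in device_ips:
        ip = ipaddress.ip_address(ip_text)
        matches = [n for n in nets if n.version == ip.version and ip in n]
        if matches:
            # The most specific entry shows whether trust is per-host or per-range.
            narrowest = max(matches, key=lambda n: n.prefixlen)
            report["covered"][ip_text] = str(narrowest)
        else:
            report["uncovered"].append(ip_text)
    for n in nets:
        if not n.is_loopback and n.num_addresses > max_addresses:
            report["broad"].append(str(n))
    return report

# Constructed sample value and device list (not taken from any real server).
SAMPLE_MYNETWORKS = "127.0.0.0/8 [::1]/128 10.0.0.0/8 192.168.10.21/32"
SAMPLE_DEVICES = ["192.168.10.21", "10.4.4.9", "172.16.5.5"]

if __name__ == "__main__":
    result = audit(SAMPLE_MYNETWORKS, SAMPLE_DEVICES)
    for ip, net in result["covered"].items():
        print(f"{ip} trusted via {net}")
    for ip in result["uncovered"]:
        print(f"{ip} not in mynetworks")
    for net in result["broad"]:
        print(f"review broad entry {net}")
```
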
