Author Topic: Zentyal (postfix) will relay email without authentication  (Read 1650 times)

Giblet535

  • Zen Apprentice
  • *
  • Posts: 15
  • Karma: +1/-0
    • View Profile
Zentyal (postfix) will relay email without authentication
« on: May 16, 2016, 09:33:49 pm »
Zentyal 4.2...

If an outsider requests mail relay and the message's "From:" includes one of Zentyal's configured virtual domains, then postfix will relay that email, no authentication at all.

I have fairly restrictive rules set in /etc/postfix/main.cf:
...
reject_non_fqdn_recipient, reject_non_fqdn_sender, reject_unlisted_recipient, reject_unauth_pipelining, permit_sasl_authenticated, reject_unauth_destination, reject_invalid_hostname, reject_invalid_helo_hostname, reject_unknown_sender_domain, reject_unknown_recipient_domain, check_helo_access pcre:/etc/postfix/helo_checks.pcre
...

Not even local host should be able to relay w/o authenticating and yet I can see mail being relayed in /var/log/mail.log! One way to relay, a dozen ways to fail... Yet it's like an open relay!

I see no authentication messages in mail.log, and I suspect that Zentyal's authentication mechanism through LDAP is broken somehow.

Please. Someone help me troubleshoot this before anyone else gets spammed.

igp

  • Zen Apprentice
  • *
  • Posts: 6
  • Karma: +0/-0
    • View Profile
Re: Zentyal (postfix) will relay email without authentication
« Reply #1 on: June 15, 2016, 03:34:35 am »
What does your /etc/postfix/master.cf look like?

trysomething

  • Zen Warrior
  • ***
  • Posts: 119
  • Karma: +5/-0
  • Founder of The Tiki Lab
    • View Profile
    • The Tiki Lab | Bridging the gap between technology and vision impairment!
Re: Zentyal (postfix) will relay email without authentication
« Reply #2 on: June 16, 2016, 12:01:36 am »
No matter what you do to main.cf and master.cf every time you restart the Zentyal server it will be undone.
Go change the heck out of it then run the following command to test it out:
sudo service Zentyal mail restart

So holy cow, what happened?  if you go to /usr/share/Zentyal/stubs/mail you'll see what are called stub files like main.cf.mas and master.cf.mas - but you don't edit those either.  Make the following 2 directories like so:
sudo mkdir -p /etc/Zentyal/stubs
sudo mkdir -p /etc/Zentyal/stubs/mail

Now copy main.cf.mas and master.cf.mas over to the /etc/Zentyal/stubs/mail from /usr/share/Zentyal/stubs/mail and you have 2 stubs files to edit.
Inside of these files you can find the place to turn off basic authentication, and tighten down the settings.
By default Zentyal does NOT allow open relays, but you can setup open relays inside of the Mail configuration from the web GUI.  I'd venture a guess that someone didn't read the whole Wiki and couldn't figure out why clients couldn't connect to the server and just opened everything up.  Zentyal creates a self signed certificate and you have to go into the admin panel to download it - https://your servers IP:8443/
Login with any user that is a member of the local sudoers group on the machine and navigate to Mail>Openchange
Click the Download Certificate button and download the Root CA Certificate file.
Now, on every client you have to install that certificate file into the Trusted Root Certificates container - which doesn't happen automatically you have to manually pick that container.
Once that's all done you're good to go and you can connect up to the server like normal and you'll be able to lock down your relay policies.
If you've tinkered with the Firewall settings you're likely going to need to find the default settings for that and revert back too, otherwise the open relay will never be closed.
You will have to excuse my posts not having actual links in them.  I'm blind and can never find that insert hyperlink button LoL.  If you, or someone you know has vision problems check out The Tiki Lab.