Zentyal Forum, Linux Small Business Server

Zentyal Server => Email and Groupware => Topic started by: Giblet535 on May 16, 2016, 09:33:49 pm

Title: Zentyal (postfix) will relay email without authentication
Post by: Giblet535 on May 16, 2016, 09:33:49 pm
Zentyal 4.2...

If an outsider requests mail relay and the message's "From:" includes one of Zentyal's configured virtual domains, then postfix will relay that email, no authentication at all.

I have fairly restrictive rules set in /etc/postfix/main.cf:
...
reject_non_fqdn_recipient, reject_non_fqdn_sender, reject_unlisted_recipient, reject_unauth_pipelining, permit_sasl_authenticated, reject_unauth_destination, reject_invalid_hostname, reject_invalid_helo_hostname, reject_unknown_sender_domain, reject_unknown_recipient_domain, check_helo_access pcre:/etc/postfix/helo_checks.pcre
...

Not even localhost should be able to relay w/o authenticating and yet I can see mail being relayed in /var/log/mail.log! One way to relay, a dozen ways to fail... Yet it's like an open relay!

I see no authentication messages in mail.log, and I suspect that Zentyal's authentication mechanism through LDAP is broken somehow.

Please. Someone help me troubleshoot this before anyone else gets spammed.
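As an added illustration (not from the original post or from Zentyal's own tooling), the following script correlates postfix smtpd, qmgr and smtp log lines by queue ID and flags messages relayed to an external domain from a client that is neither in the trusted networks nor authenticated (no sasl_username on its smtpd line). The log lines, the domain list and the network prefixes are constructed assumptions.

```python
import re

# Constructed sample of /var/log/mail.log lines (not from the poster's server).
SAMPLE_LOG = """\
May 16 20:01:02 zentyal postfix/smtpd[2101]: 7A1B2C: client=unknown[203.0.113.9]
May 16 20:01:03 zentyal postfix/qmgr[1500]: 7A1B2C: from=<ceo@example.org>, size=812, nrcpt=1 (queue active)
May 16 20:01:04 zentyal postfix/smtp[2105]: 7A1B2C: to=<victim@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=1.2, status=sent (250 OK)
May 16 20:02:10 zentyal postfix/smtpd[2110]: 8B2C3D: client=laptop.example.org[192.168.1.20], sasl_method=LOGIN, sasl_username=alice
May 16 20:02:11 zentyal postfix/qmgr[1500]: 8B2C3D: from=<alice@example.org>, size=640, nrcpt=1 (queue active)
May 16 20:02:12 zentyal postfix/smtp[2112]: 8B2C3D: to=<bob@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=0.9, status=sent (250 OK)
May 16 20:03:30 zentyal postfix/smtpd[2120]: 9C3D4E: client=unknown[203.0.113.9]
May 16 20:03:31 zentyal postfix/qmgr[1500]: 9C3D4E: from=<x@example.com>, size=500, nrcpt=1 (queue active)
May 16 20:03:32 zentyal postfix/local[2125]: 9C3D4E: to=<alice@example.org>, relay=local, delay=0.3, status=sent (delivered to mailbox)
"""

LOCAL_DOMAINS = {"example.org"}       # assumption: the server's own virtual domains
MYNETWORKS = ("127.", "192.168.1.")   # assumption: client IP prefixes allowed to relay

CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): client=\S+\[([\d.]+)\](.*)")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")
TO_RE = re.compile(r"postfix/smtp\[\d+\]: (\w+): to=<[^@>]+@([^>]+)>.*status=sent")

def find_unauth_relays(log_text):
    """Return (queue_id, client_ip, sender, rcpt_domain) for every message that
    postfix/smtp delivered to a non-local domain on behalf of an untrusted,
    unauthenticated smtpd client. Local deliveries (postfix/local) are ignored."""
    clients = {}   # queue id -> (client ip, authenticated?)
    senders = {}   # queue id -> envelope sender
    hits = []
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            qid, ip, rest = m.groups()
            clients[qid] = (ip, "sasl_username=" in rest)
            continue
        m = FROM_RE.search(line)
        if m:
            senders[m.group(1)] = m.group(2)
            continue
        m = TO_RE.search(line)
        if m:
            qid, rcpt_domain = m.groups()
            ip, authed = clients.get(qid, (None, False))
            if ip is None or authed or ip.startswith(MYNETWORKS):
                continue   # trusted network or SASL-authenticated: legitimate relay
            if rcpt_domain.lower() not in LOCAL_DOMAINS:
                hits.append((qid, ip, senders.get(qid, ""), rcpt_domain))
    return hits

if __name__ == "__main__":
    for hit in find_unauth_relays(SAMPLE_LOG):
        print("unauthenticated relay: queue=%s client=%s from=%s to-domain=%s" % hit)
```

Only the first queue ID is reported: the second came from an authenticated client and the third was delivered locally rather than relayed.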
Title: Re: Zentyal (postfix) will relay email without authentication
Post by: igp on June 15, 2016, 03:34:35 am
What does your /etc/postfix/master.cf look like?
Title: Re: Zentyal (postfix) will relay email without authentication
Post by: trysomething on June 16, 2016, 12:01:36 am
No matter what you do to main.cf and master.cf every time you restart the Zentyal server it will be undone.
Go change the heck out of it then run the following command to test it out:
sudo service Zentyal mail restart

So holy cow, what happened? If you go to /usr/share/Zentyal/stubs/mail you'll see what are called stub files like main.cf.mas and master.cf.mas, but you don't edit those either. Make the following 2 directories like so:
sudo mkdir -p /etc/Zentyal/stubs
sudo mkdir -p /etc/Zentyal/stubs/mail

Now copy main.cf.mas and master.cf.mas from /usr/share/Zentyal/stubs/mail over to /etc/Zentyal/stubs/mail and you have 2 stub files to edit.
Inside of these files you can find the place to turn off basic authentication, and tighten down the settings.
By default Zentyal does NOT allow open relays, but you can set up open relays inside of the Mail configuration from the web GUI.  I'd venture a guess that someone didn't read the whole Wiki and couldn't figure out why clients couldn't connect to the server and just opened everything up.  Zentyal creates a self-signed certificate and you have to go into the admin panel to download it - https://your server's IP:8443/
Log in with any user that is a member of the local sudoers group on the machine and navigate to Mail>Openchange
Click the Download Certificate button and download the Root CA Certificate file.
Now, on every client you have to install that certificate file into the Trusted Root Certificates container, which doesn't happen automatically; you have to pick that container manually.
Once that's all done you're good to go and you can connect up to the server like normal and you'll be able to lock down your relay policies.
If you've tinkered with the Firewall settings you're likely going to need to find the default settings for that and revert back too, otherwise the open relay will never be closed.