Zimbra, NATs, and YOU

Today’s lesson: Zimbra.

IF

  1. You have a NAT’ed environment…
  2. You’re installing Zimbra…
  3. You get slammed with 6 million plus SPAM messages flowing through your server overnight (despite following all best practices and ensuring you’re not an open relay)…

THEN

  1. Ignore Zimbra’s instructions that all your interfaces need to be in the “trusted networks” list.
  2. Use this command to override the admin interface rules:
    zmprov ms zimbra.example.com zimbraMtaMyNetworks '127.0.0.0/8'

    (Include any private networks that need access, too.)

  3. Tail the logs and enjoy all those “Relay access denied” messages.

This boils down to Zimbra not warning you that, when you set up split-horizon DNS, you can open up your MTA to abuse right out of the box.
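To see why the narrower list in step 2 stops the relaying, here is an added example (not Zimbra's code and not from the original post) that checks which client addresses a `zimbraMtaMyNetworks` value would treat as trusted. It assumes the NAT gateway presents forwarded connections with its inside address; the addresses and the `192.168.10.0/24` range are constructed sample values.

```python
import ipaddress

def parse_mynetworks(value):
    """Turn a zimbraMtaMyNetworks / Postfix mynetworks string into networks."""
    nets = []
    for token in value.replace(",", " ").split():
        # IPv6 entries are written as [::1]/128; drop the brackets.
        token = token.replace("[", "").replace("]", "")
        nets.append(ipaddress.ip_network(token, strict=False))
    return nets

def trusted_by(client_ip, nets):
    """Return the first trusted network containing client_ip, or None."""
    addr = ipaddress.ip_address(client_ip)
    for net in nets:
        if addr.version == net.version and addr in net:
            return net
    return None

def audit(value, client_ips):
    """Map each client address to the trusted network that matches it."""
    nets = parse_mynetworks(value)
    return {ip: trusted_by(ip, nets) for ip in client_ips}

# Constructed sample values (assumptions, not taken from the post).
GATEWAY_INSIDE = "192.168.10.1"          # address the MTA sees for NAT'ed traffic
BEFORE = "127.0.0.0/8 192.168.10.0/24"   # server's LAN interface listed as trusted
AFTER = "127.0.0.0/8"                    # value set by the zmprov command in step 2

if __name__ == "__main__":
    for label, value in (("before", BEFORE), ("after", AFTER)):
        for ip, net in audit(value, [GATEWAY_INSIDE, "127.0.0.1"]).items():
            verdict = f"trusted via {net}, may relay" if net else "not in mynetworks"
            print(f"{label}: {ip} -> {verdict}")
```

The value currently in effect can be read with `zmprov gs zimbra.example.com zimbraMtaMyNetworks` and passed to `audit()` together with the addresses your gateway uses.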