Zimbra does not attempt to use TLS for outgoing email

RESOLVED FIXED

Status

task
RESOLVED FIXED
5 years ago
4 years ago

People

(Reporter: st3fan, Assigned: limed)

Tracking

(Blocks 1 bug)

Details

Reporter

Description

5 years ago
When I send an email to my personal email account via Zimbra (web), I see no trace of our SMTP server attempting to setup a TLS connection with my personal email server:


Jan  6 15:24:33 localhost postfix/smtpd[8348]: connect from zmmta1.corp.phx1.mozilla.com[63.245.216.72]
Jan  6 15:24:34 localhost postfix/smtpd[8348]: 5949960067: client=zmmta1.corp.phx1.mozilla.com[63.245.216.72]
Jan  6 15:24:34 localhost postfix/cleanup[8381]: 5949960067: message-id=<848649259.2690885.1389018274862.JavaMail.zimbra@mozilla.com>
Jan  6 15:24:34 localhost postfix/qmgr[5014]: 5949960067: from=<sarentz@mozilla.com>, size=1176, nrcpt=1 (queue active)
Jan  6 15:24:34 localhost postfix/smtpd[8348]: disconnect from zmmta1.corp.phx1.mozilla.com[63.245.216.72]
Jan  6 15:24:34 localhost dovecot: lda(stefan@arentz.ca): msgid=<848649259.2690885.1389018274862.JavaMail.zimbra@mozilla.com>: saved mail to INBOX
Jan  6 15:24:34 localhost postfix/pipe[8382]: 5949960067: to=<stefan@arentz.ca>, relay=dovecot, delay=0.87, delays=0.82/0.01/0/0.05, dsn=2.0.0, status=sent (delivered via dovecot service)
Jan  6 15:24:34 localhost postfix/qmgr[5014]: 5949960067: removed


Compare this to for example this session where I send an email to myself from Gmail:


Jan  6 15:27:50 localhost postfix/smtpd[8387]: connect from mail-lb0-f173.google.com[209.85.217.173]
Jan  6 15:27:50 localhost postfix/smtpd[8387]: Anonymous TLS connection established from mail-lb0-f173.google.com[209.85.217.173]: TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)
Jan  6 15:27:50 localhost postfix/smtpd[8387]: CE70C60067: client=mail-lb0-f173.google.com[209.85.217.173]
Jan  6 15:27:50 localhost postfix/cleanup[8393]: CE70C60067: message-id=<CADgKnCKoBU_5mqyEpq8wLS=Ma8KDOEz1G5OTE_R+QmW+Vg3oow@mail.gmail.com>
Jan  6 15:27:50 localhost postfix/qmgr[5014]: CE70C60067: from=<stefan.arentz@gmail.com>, size=1821, nrcpt=1 (queue active)
Jan  6 15:27:50 localhost dovecot: auth-worker: mysql(127.0.0.1): Connected to database postfix
Jan  6 15:27:50 localhost postfix/smtpd[8387]: disconnect from mail-lb0-f173.google.com[209.85.217.173]
Jan  6 15:27:51 localhost dovecot: lda(stefan@arentz.ca): msgid=<CADgKnCKoBU_5mqyEpq8wLS=Ma8KDOEz1G5OTE_R+QmW+Vg3oow@mail.gmail.com>: saved mail to INBOX
Jan  6 15:27:51 localhost postfix/pipe[8394]: CE70C60067: to=<stefan@arentz.ca>, relay=dovecot, delay=0.84, delays=0.64/0.01/0/0.2, dsn=2.0.0, status=sent (delivered via dovecot service)
Jan  6 15:27:51 localhost postfix/qmgr[5014]: CE70C60067: removed


See the missing 'Anonymous TLS connection established' log entry for the case where Mozilla's Zimbra server is sending out email.

I think it would be really great if we can fix this. Now that we live in a post-Snowden era where we pretty much know that all plaintext email is captured by government agencies.

 S.
Is zimbra using Postfix as a MTA? I'm not familiar with zimbra's configuration details, but as far as postfix goes, configuring STARTTLS for outbound emails in the MTA is trivial:

# TLS client options
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
Flags: needinfo?(limed)

Comment 2

5 years ago
This article [1] documents the steps required for Zimbra 7, including the zmlocalconfig commands to finalize the postfix changes once confirmed working.

[1] http://www.oranged.to/2012/06/04/zimbra-outbound-smtp-tls-encryption/
Assignee

Comment 3

5 years ago
(In reply to Julien Vehent [:ulfr] from comment #1)
> Is zimbra using Postfix as a MTA? I'm not familiar with zimbra's
> configuration details, but as far as postfix goes, configuring STARTTLS for
> outbound emails in the MTA is trivial:
> 
> # TLS client options
> smtp_use_tls = yes
> smtp_tls_note_starttls_offer = yes

Correct it is using postfix
Flags: needinfo?(limed)
For definitions: postfix calls "smtp" the outbound mail client, and "smtpd" the inbound mail daemon. In this bug, we care about "smtp" only, because the SMTPD part is gated by Postini, and they provide STARTTLS already.

From what I'm reading in the link :atoll posted, the postfix conf needs to be edited directly. Is that right?

Comment 5

5 years ago
(In reply to Julien Vehent [:ulfr] from comment #4)
> From what I'm reading in the link :atoll posted, the postfix conf needs to
> be edited directly. Is that right?

Incorrect, based on my read. The postconf commands (which replace direct editing) are only to *test* the config and make sure it works as expected; if it works as desired, the zmlocalconfig commands make the changes permanent.
We already have this setting tweaked on existing servers.  There's a pair of them that gate all of the outbound mail via Postini (for purposes of encryption services), and those two are set to force TLS on outbound connections (also have postini set as the outbound relay).  So there's nothing really to learn here, just have to tweak that same setting on the rest of the servers, too (set it for "use if available" rather than "always" though).

I think the only action here is to get with CAB and pick a time to flip the switch.
Assignee

Updated

5 years ago
Assignee: infra → limed
Blocks: 982681
Assignee

Comment 7

5 years ago
Ran the following

[zimbra@zmmta1.mail.corp.phx1 ~]$ zmlocalconfig -e postfix_smtp_tls_security_level=may
[zimbra@zmmta1.mail.corp.phx1 ~]$ zmmtactl restart
Rewriting configuration files...done.
Stopping saslauthd...done.
Starting saslauthd...done.
/postfix-script: refreshing the Postfix mail system

[zimbra@zmmta2.mail.corp.phx1 elim]$ zmlocalconfig -e postfix_smtp_tls_security_level=may
[zimbra@zmmta2.mail.corp.phx1 elim]$ zmmtactl restart
Rewriting configuration files...done.
Stopping saslauthd...done.
Starting saslauthd...done.
/postfix-script: refreshing the Postfix mail system

We should be good here
Assignee

Updated

5 years ago
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Assignee

Updated

5 years ago
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
[zimbra@zmmta1.mail.corp.phx1 ~]$ zmlocalconfig postfix_smtp_tls_security_level
postfix_smtp_tls_security_level = may

It's still enabled on Zimbra.  It's smtp.mozilla.org that's still broken.  Needs a new bug.
Status: REOPENED → RESOLVED
Last Resolved: 5 years ago5 years ago
Resolution: --- → FIXED
Product: Infrastructure & Operations → Infrastructure & Operations Graveyard
You need to log in before you can comment on or make changes to this bug.