Enforcing a match between the FROM address and the sasl username

From Zimbra :: Wiki

Jump to: navigation, search
   Article-alert.png  - This article is a Work in Progress, and may be unfinished or missing sections.


Article Information
This article applies to the following ZCS versions.
  ZCS 8.0 Article  ZCS 8.0



Contents


RFE To Support This

Currently [Oct. 1, 2013] this is unsupported in ZCS8.0 and previous.

Issue

If a user's password is compromised, the Server default setup allows the user to relay emails using a different email address than the one uses to authenticate with smtp.


A message header from that user looks like this:

zimbra1 postfix/smtpd[29431]: B28914D5978: client=xxxxx.server.com[w.x.y.z], sasl_method=LOGIN, sasl_username=user
zimbra1 postfix/cleanup[5522]: B28914D5978: message-id=<20090420154255.B28914D5978@zimbraserver.com>
zimbra1 postfix/qmgr[20690]: B28914D5978: from=<spam@spam.com>, size=6026, nrcpt=10 (queue active)
zimbra1 postfix/cleanup[3983]: 2BA56465D28: message-id=<20090420154255.B28914D5978@zimbraserver.com>

where the sender's user name and the from address are indicated in bold. This article explains how to ensure that the from address matches the sender's username.

How-to

Unsupported methods for ZCS8 and prior

To require that the from address of an email match the sender's username:

   Edit the zmmta.cf file, by running this command:
   vim /opt/zimbra/conf/zmmta.cf 
   Find this line:
   POSTCONF smtpd_sender_restrictions LOCAL postfix_smtpd_sender_restrictions
   Below that line add :
   Note: Do not forget to include the tab at the beginning of each line:
   POSTCONF smtpd_sender_login_maps       FILE postfix_sender_login_maps.cf
   In ZCS 8 
   vim /opt/zimbra/conf/zmconfigd.cf 
   Find this line:
   POSTCONF smtpd_sender_restrictions FILE zmconfigd/smtpd_sender_restrictions.cf
   Below that line add :
   Note: Do not forget to include the tab at the beginning of each line:
   POSTCONF smtpd_sender_login_maps       FILE postfix_sender_login_maps.cf
   Set sender_restriction : (For ZCS 7 and below)
   zmlocalconfig -e postfix_smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch
   
   Set sender_restriction : (For ZCS 8 and above)
   Edit - /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf
   At the very top add - reject_authenticated_sender_login_mismatch
   Create file - postfix_sender_login_maps.cf
   vim /opt/zimbra/conf/postfix_sender_login_maps.cf
   Add :
   hash:/opt/zimbra/conf/exceptions-db ldap:/opt/zimbra/conf/ldap-restricrelay.cf
   
   An exceptions file, allows you to declare a different email sender address that a user can have, as a way of bypassing the restriction. Create the exceptions file, by running this command:
   vim /opt/zimbra/conf/exceptions-db
   (Optional) Add text to the file, one line per address, where the first word is the email sender address and the second word is the username.
   Example: johndoe@otherdomain.com admin
   Note: You can leave the file empty.
   Create the DB file, by running this command:
   /opt/zimbra/postfix/sbin/postmap exceptions-db
   Create /opt/zimbra/conf/ldap-restricrelay.cf
   Obtain the LDAP server_host and the bind_pw of the user uid=zmpostfix,cn=appaccts,cn=zimbra:
   Seek and record the data from the file /opt/zimbra/conf/ldap-vam.cf, by running these commands:
       grep server_host /opt/zimbra/conf/ldap-vam.cf
       grep bind_pw /opt/zimbra/conf/ldap-vam.cf
   vim /opt/zimbra/conf/ldap-restricrelay.cf
   Adjust the server_host and bind_pw values to match your server hostname and password:
   
   server_host = ldap://srvXX.company.com:389 
   server_port = 389 
   search_base = 
   query_filter = (&(|(uid=%s)(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)(zimbraMailCatchAllAddress=%s))(zimbraMailStatus=enabled)) 
   result_attribute = uid,zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailCatchAllForwardingAddress
   version = 3
   start_tls = yes
   tls_ca_cert_dir = /opt/zimbra/conf/ca
   bind = yes 
   bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra
   bind_pw = XXXXXXXXXX
   timeout = 30
   Set the permissions on the necessary files, by running this command:
   chown zimbra: postfix_sender_* exceptions-db* ldap-restricrelay.cf
   For the new policy to come into effect:
   zmmtactl restart
Personal tools