Rejecting false "mail from" addresses

From Zimbra :: Wiki

Jump to: navigation, search

By default any connection made to ZCS postfix and declares "mail from: local sender" (even if it is not) - the connection/email is accepted for local delivery. This wiki provides steps to block such connections. Once following is configured, postfix will accept "mail from: local sender" only if the connection made from a hosts in "mynetworks" OR the sender is sasl authenticated.

1. Modify "smtpd_sender_restrictions". We are adding a check before allowing a normal smtp connection. Allowing hosts in mynetwork, then allowing sasl authenticated too. Then a check for local domain address. If its true - the connection will be rejected. [This steps is for ZCS 7.x and older version only].

 su - zimbra
 zmlocalconfig -e postfix_smtpd_sender_restrictions="reject_unknown_sender_domain, permit_mynetworks, permit_sasl_authenticated, check_sender_access hash:/opt/zimbra/conf/domainrestrict, permit"

For ZCS 8.0.x, open the file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and add this line into the middle of the file, prior to the tag_as_foreign.re lines:

Add this:

 check_sender_access hash:/opt/zimbra/conf/domainrestrict

Here:

...
check_sender_access hash:/opt/zimbra/conf/domainrestrict
%%contains VAR:zimbraServiceEnabled antivirus^ check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re%%

For ZCS 8.x, open the file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and add this line into the middle of the file, prior to the tag_as_foreign.re lines:

Add this:

 check_sender_access texthash:/opt/zimbra/conf/domainrestrict

Here:

...
check_sender_access texthash:/opt/zimbra/conf/domainrestrict
%%contains VAR:zimbraServiceEnabled antivirus^ check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re%%

Remaining steps are same for all versions.

2. Create the file "/opt/zimbra/conf/domainrestrict" and add your domain(s) to it.

 localdomain.com   REJECT
 anotherlocaldomain.com   REJECT

You can also put some friendly/non-friendly message. Something like this.

 localdomain.com   REJECT You're not me!
 anotherlocaldomain.com REJECT You're not me!

3. Create the hash database of "/opt/zimbra/conf/domainrestrict". Run as 'zimbra' user.

 postmap  /opt/zimbra/conf/domainrestrict

4. Restart zmmtactl.

 zmmtactl stop
 zmmtactl start

Testing

Make following connection from a non-local host which is not part of mynetworks.

 telnet ZCS_server_address 25
 mail from: user@localdomain.com
 rcpt to: user2@localdomain.com

You should get following error at the rcpt command.

 554 5.7.1 <user@localdomain.com>: Sender address rejected: You're not me!

Special case of empty 'mail from' address

Emails can still be sent if the 'mail from:' address is blank, but the 'from' address is specified in the body of the email. This is expected behaviour, and is required by RFC 3464:

The From field of the message header of the DSN SHOULD contain the address of a human who
is responsible for maintaining the mail system at the Reporting MTA site (e.g., Postmaster), so that
a reply to the DSN will reach that person.
...
Whenever an SMTP transaction is used to send a DSN, the MAIL FROM command MUST use a
NULL return address, i.e., "MAIL FROM:<>".
Personal tools