Difference between revisions of "Enforcing a match between FROM address and sasl username 8.5"

(ZCS 8.6, 8.5)
Line 20: Line 20:
  
 
== How-to ==
 
== How-to ==
=== ZCS 8.6, 8.5 ===
+
=== Zimbra Collaboration 8.6 and 8.5 ===
Note: It is not required to add account aliases created via zmprov aaa to the exception database, as these are handled by Zimbra automatically (8.6 and later).
+
'''Note:''' It is not required to add account aliases created via '''zmprov aaa''' to the exception database, as these are handled by Zimbra automatically (8.6 and later).
Note: It is not required to add addresses stored in the '''zimbraAllowFromAddress''' attribute for an account, as these are handled by Zimbra automatically (8.6 and later)
+
'''Note:''' It is not required to add addresses stored in the '''zimbraAllowFromAddress''' attribute for an account, as these are handled by Zimbra automatically (8.6 and later)
  
* (optional) If you want an exceptions DB to allow people to send as alternate addresses
+
====Optional, use an exception DB====
 +
If you want an exceptions DB to allow people to send as alternate addresses
 
   cd /opt/zimbra/conf
 
   cd /opt/zimbra/conf
 
   edit slm-exceptions-db
 
   edit slm-exceptions-db
  Add the alternate ID addresses and the real userid, for example for the user joe who has joe@gmail.com
+
Add the alternate ID addresses and the real userid, for example for the user joe who has joe@gmail.com
 
   joe@gmail.com joe
 
   joe@gmail.com joe
  Then run postmap slm-exceptions-db to generate the database
+
Then run postmap slm-exceptions-db to generate the database
 +
postmap slm-exceptions-db
  
* Set the zimbraMtaSmtpdSenderLoginMaps portion
+
====Set the zimbraMtaSmtpdSenderLoginMaps portion====
 
+
=====If the exception db is used=====
** If the exception db is used:
 
 
  zmprov mcf zimbraMtaSmtpdSenderLoginMaps 'lmdb:/opt/zimbra/conf/slm-exceptions-db, proxy:ldap:/opt/zimbra/conf/ldap-slm.cf' +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch
 
  zmprov mcf zimbraMtaSmtpdSenderLoginMaps 'lmdb:/opt/zimbra/conf/slm-exceptions-db, proxy:ldap:/opt/zimbra/conf/ldap-slm.cf' +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch
 
+
=====If the exception db is not used=====
** If the exception db is not used:
 
 
  zmprov mcf zimbraMtaSmtpdSenderLoginMaps  proxy:ldap:/opt/zimbra/conf/ldap-slm.cf +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch
 
  zmprov mcf zimbraMtaSmtpdSenderLoginMaps  proxy:ldap:/opt/zimbra/conf/ldap-slm.cf +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch
 +
=====Edit the file smtpd_sender_restrictions=====
 +
You need to edit the file '''opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf''' and add after the permit_mynetworks the line '''reject_sender_login_mismatch'''
 +
    vi /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf
 +
Should look like this:
 +
    permit_mynetworks, reject_sender_login_mismatch
  
 
After a minute, zmconfigd will update the postfix configuration automatically and apply the new rules.  Now if an account is hacked, and this is in place, they will not be able to send out emails with different "from" addresses.
 
After a minute, zmconfigd will update the postfix configuration automatically and apply the new rules.  Now if an account is hacked, and this is in place, they will not be able to send out emails with different "from" addresses.
  
 
{{Article Footer|Zimbra Collaboration Suite 8.6, 8.5|08/15/2014}}
 
{{Article Footer|Zimbra Collaboration Suite 8.6, 8.5|08/15/2014}}

Revision as of 14:29, 20 July 2015

Enforcing a match between FROM address and sasl username

   KB 21131        Last updated on 2015-07-20  




5.00
(3 votes)


Issue

If a user's password is compromised, the Server default setup allows the user to relay emails using a different email address than the one uses to authenticate with smtp.


A message header from that user looks like this:

zimbra1 postfix/smtpd[29431]: B28914D5978: client=xxxxx.server.com[w.x.y.z], sasl_method=LOGIN, sasl_username=user
zimbra1 postfix/cleanup[5522]: B28914D5978: message-id=<20090420154255.B28914D5978@zimbraserver.com>
zimbra1 postfix/qmgr[20690]: B28914D5978: from=<spam@spam.com>, size=6026, nrcpt=10 (queue active)
zimbra1 postfix/cleanup[3983]: 2BA56465D28: message-id=<20090420154255.B28914D5978@zimbraserver.com>

where the sender's user name and the from address are indicated in bold. This article explains how to ensure that the from address matches the sender's username.

How-to

Zimbra Collaboration 8.6 and 8.5

Note: It is not required to add account aliases created via zmprov aaa to the exception database, as these are handled by Zimbra automatically (8.6 and later). Note: It is not required to add addresses stored in the zimbraAllowFromAddress attribute for an account, as these are handled by Zimbra automatically (8.6 and later)

Optional, use an exception DB

If you want an exceptions DB to allow people to send as alternate addresses

 cd /opt/zimbra/conf
 edit slm-exceptions-db

Add the alternate ID addresses and the real userid, for example for the user joe who has joe@gmail.com

 joe@gmail.com joe

Then run postmap slm-exceptions-db to generate the database

postmap slm-exceptions-db

Set the zimbraMtaSmtpdSenderLoginMaps portion

If the exception db is used
zmprov mcf zimbraMtaSmtpdSenderLoginMaps 'lmdb:/opt/zimbra/conf/slm-exceptions-db, proxy:ldap:/opt/zimbra/conf/ldap-slm.cf' +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch
If the exception db is not used
zmprov mcf zimbraMtaSmtpdSenderLoginMaps  proxy:ldap:/opt/zimbra/conf/ldap-slm.cf +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch
Edit the file smtpd_sender_restrictions

You need to edit the file opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and add after the permit_mynetworks the line reject_sender_login_mismatch

   vi /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf

Should look like this:

   permit_mynetworks, reject_sender_login_mismatch

After a minute, zmconfigd will update the postfix configuration automatically and apply the new rules. Now if an account is hacked, and this is in place, they will not be able to send out emails with different "from" addresses.

Verified Against: Zimbra Collaboration Suite 8.6, 8.5 Date Created: 08/15/2014
Article ID: https://wiki.zimbra.com/index.php?title=Enforcing_a_match_between_FROM_address_and_sasl_username_8.5 Date Modified: 2015-07-20



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »


Jump to: navigation, search