Enforcing a match between FROM address and sasl username 8.5
|This article applies to the following ZCS versions.|
If a user's password is compromised, the Server default setup allows the user to relay emails using a different email address than the one uses to authenticate with smtp.
A message header from that user looks like this:
zimbra1 postfix/smtpd: B28914D5978: client=xxxxx.server.com[w.x.y.z], sasl_method=LOGIN, sasl_username=user zimbra1 postfix/cleanup: B28914D5978: message-id=<20090420154255.B28914D5978@zimbraserver.com> zimbra1 postfix/qmgr: B28914D5978: from=<email@example.com>, size=6026, nrcpt=10 (queue active) zimbra1 postfix/cleanup: 2BA56465D28: message-id=<20090420154255.B28914D5978@zimbraserver.com>
where the sender's user name and the from address are indicated in bold. This article explains how to ensure that the from address matches the sender's username.
Note: It is not required to add account aliases created via zmprov aaa to the exception database, as these are handled by Zimbra automatically (8.6 and later). Note: It is not required to add addresses stored in the zimbraAllowFromAddress attribute for an account, as these are handled by Zimbra automatically (8.6 and later)
- (optional) If you want an exceptions DB to allow people to send as alternate addresses
cd /opt/zimbra/conf edit slm-exceptions-db Add the alternate ID addresses and the real userid, for example for the user joe who has firstname.lastname@example.org email@example.com joe Then run postmap slm-exceptions-db to generate the database
- Set the zimbraMtaSmtpdSenderLoginMaps portion
- If the exception db is used:
zmprov mcf zimbraMtaSmtpdSenderLoginMaps 'lmdb:/opt/zimbra/conf/slm-exceptions-db, proxy:ldap:/opt/zimbra/conf/ldap-slm.cf' +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch
- If the exception db is not used:
zmprov mcf zimbraMtaSmtpdSenderLoginMaps proxy:ldap:/opt/zimbra/conf/ldap-slm.cf +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch
After a minute, zmconfigd will update the postfix configuration automatically and apply the new rules. Now if an account is hacked, and this is in place, they will not be able to send out emails with different "from" addresses.