Difference between revisions of "Enforcing a match between the FROM address and the sasl username"

(ZCS 8.5)
 
(5 intermediate revisions by 3 users not shown)
Line 1: Line 1:
__TOC__
+
{{BC|Community Sandbox}}
 
+
__FORCETOC__
 +
<div class="col-md-12 ibox-content">
 +
=Enforcing a match between the FROM address and the sasl username=
 +
{{KB|{{Unsupported}}|{{ZCS 8.0}}|{{ZCS 7.0}}|}}
 +
{{WIP}}
 
==RFE To Support This==
 
==RFE To Support This==
 
+
Currently [Oct. 1, 2013] this is unsupported in ZCS8.0 and previous.   
Currently [Oct. 1, 2013] this is unsupported in ZCS8.0 and previous.  It is a new feature for ZCS 8.5 and later.
 
  
 
== Issue ==  
 
== Issue ==  
 
If a user's password is compromised, the Server default setup allows the user to relay emails using a different email address than the one uses to authenticate with smtp.
 
If a user's password is compromised, the Server default setup allows the user to relay emails using a different email address than the one uses to authenticate with smtp.
 
  
 
A message header from that user looks like this:
 
A message header from that user looks like this:
Line 19: Line 21:
  
 
== How-to ==
 
== How-to ==
=== ZCS 8.5 ===
 
* (optional) If you want an exceptions DB to allow people to send as alternate addresses
 
  cd /opt/zimbra/conf
 
  edit slm-exceptions-db
 
  Add the alternate ID addresses and the real userid, for example for the user joe who has joe@gmail.com
 
  joe@gmail.com joe
 
  Then run postmap slm-exceptions-db to generate the database
 
 
* Set the zimbraMtaSmtpdSenderLoginMaps portion
 
 
** If the exception db is used:
 
zmprov mcf zimbraMtaSmtpdSenderLoginMaps 'lmdb:/opt/zimbra/conf/slm-exceptions-db, proxy:ldap:/opt/zimbra/conf/ldap-slm.cf' +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch
 
 
** If the exception db is not used:
 
zmprov mcf zimbraMtaSmtpdSenderLoginMaps  proxy:ldap:/opt/zimbra/conf/ldap-slm.cf +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch
 
 
After a minute, zmconfigd will update the postfix configuration automatically and apply the new rules.  Now if an account is hacked, and this is in place, they will not be able to send out emails with different "from" addresses.
 
 
 
=== Unsupported methods for ZCS8 and prior ===
 
=== Unsupported methods for ZCS8 and prior ===
  
Line 91: Line 75:
 
     search_base =  
 
     search_base =  
 
     query_filter = (&(|(uid=%s)(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)(zimbraMailCatchAllAddress=%s))(zimbraMailStatus=enabled))  
 
     query_filter = (&(|(uid=%s)(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)(zimbraMailCatchAllAddress=%s))(zimbraMailStatus=enabled))  
     result_attribute uid,zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailCatchAllForwardingAddress
+
     result_attribute = uid,zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailCatchAllForwardingAddress
 
     version = 3
 
     version = 3
 
     start_tls = yes
 
     start_tls = yes
Line 105: Line 89:
 
     For the new policy to come into effect:
 
     For the new policy to come into effect:
 
     zmmtactl restart
 
     zmmtactl restart
 +
{{Article Footer|Zimbra Collaboration 8.0, 7.0|04/16/2014}}

Latest revision as of 18:08, 11 July 2015

Enforcing a match between the FROM address and the sasl username

   KB 20401        Last updated on 2015-07-11  




0.00
(0 votes)

RFE To Support This

Currently [Oct. 1, 2013] this is unsupported in ZCS8.0 and previous.

Issue

If a user's password is compromised, the Server default setup allows the user to relay emails using a different email address than the one uses to authenticate with smtp.

A message header from that user looks like this:

zimbra1 postfix/smtpd[29431]: B28914D5978: client=xxxxx.server.com[w.x.y.z], sasl_method=LOGIN, sasl_username=user
zimbra1 postfix/cleanup[5522]: B28914D5978: message-id=<20090420154255.B28914D5978@zimbraserver.com>
zimbra1 postfix/qmgr[20690]: B28914D5978: from=<spam@spam.com>, size=6026, nrcpt=10 (queue active)
zimbra1 postfix/cleanup[3983]: 2BA56465D28: message-id=<20090420154255.B28914D5978@zimbraserver.com>

where the sender's user name and the from address are indicated in bold. This article explains how to ensure that the from address matches the sender's username.

How-to

Unsupported methods for ZCS8 and prior

To require that the from address of an email match the sender's username:

   Edit the zmmta.cf file, by running this command:
   vim /opt/zimbra/conf/zmmta.cf 
   Find this line:
   POSTCONF smtpd_sender_restrictions LOCAL postfix_smtpd_sender_restrictions
   Below that line add :
   Note: Do not forget to include the tab at the beginning of each line:
   POSTCONF smtpd_sender_login_maps       FILE postfix_sender_login_maps.cf
   In ZCS 8 
   vim /opt/zimbra/conf/zmconfigd.cf 
   Find this line:
   POSTCONF smtpd_sender_restrictions FILE zmconfigd/smtpd_sender_restrictions.cf
   Below that line add :
   Note: Do not forget to include the tab at the beginning of each line:
   POSTCONF smtpd_sender_login_maps       FILE postfix_sender_login_maps.cf
   Set sender_restriction : (For ZCS 7 and below)
   zmlocalconfig -e postfix_smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch
   
   Set sender_restriction : (For ZCS 8 and above)
   Edit - /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf
   At the very top add - reject_authenticated_sender_login_mismatch
   Create file - postfix_sender_login_maps.cf
   vim /opt/zimbra/conf/postfix_sender_login_maps.cf
   Add :
   hash:/opt/zimbra/conf/exceptions-db ldap:/opt/zimbra/conf/ldap-restricrelay.cf
   
   An exceptions file, allows you to declare a different email sender address that a user can have, as a way of bypassing the restriction. Create the exceptions file, by running this command:
   vim /opt/zimbra/conf/exceptions-db
   (Optional) Add text to the file, one line per address, where the first word is the email sender address and the second word is the username.
   Example: johndoe@otherdomain.com admin
   Note: You can leave the file empty.
   Create the DB file, by running this command:
   /opt/zimbra/postfix/sbin/postmap exceptions-db
   Create /opt/zimbra/conf/ldap-restricrelay.cf
   Obtain the LDAP server_host and the bind_pw of the user uid=zmpostfix,cn=appaccts,cn=zimbra:
   Seek and record the data from the file /opt/zimbra/conf/ldap-vam.cf, by running these commands:
       grep server_host /opt/zimbra/conf/ldap-vam.cf
       grep bind_pw /opt/zimbra/conf/ldap-vam.cf
   vim /opt/zimbra/conf/ldap-restricrelay.cf
   Adjust the server_host and bind_pw values to match your server hostname and password:
   
   server_host = ldap://srvXX.company.com:389 
   server_port = 389 
   search_base = 
   query_filter = (&(|(uid=%s)(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)(zimbraMailCatchAllAddress=%s))(zimbraMailStatus=enabled)) 
   result_attribute = uid,zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailCatchAllForwardingAddress
   version = 3
   start_tls = yes
   tls_ca_cert_dir = /opt/zimbra/conf/ca
   bind = yes 
   bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra
   bind_pw = XXXXXXXXXX
   timeout = 30
   Set the permissions on the necessary files, by running this command:
   chown zimbra: postfix_sender_* exceptions-db* ldap-restricrelay.cf
   For the new policy to come into effect:
   zmmtactl restart
Verified Against: Zimbra Collaboration 8.0, 7.0 Date Created: 04/16/2014
Article ID: https://wiki.zimbra.com/index.php?title=Enforcing_a_match_between_the_FROM_address_and_the_sasl_username Date Modified: 2015-07-11



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »


Jump to: navigation, search