Difference between revisions of "Enforcing a match between the FROM address and the sasl username"
Latest revision as of 18:08, 11 July 2015

Enforcing a match between the FROM address and the sasl username

KB 20401. Last updated on 2015-07-11.


RFE To Support This

Currently [Oct. 1, 2013] this is unsupported in ZCS8.0 and previous.

Issue

If a user's password is compromised, the server's default setup allows the user (or whoever holds the password) to relay emails using a different email address than the one used to authenticate with SMTP.

The Postfix log entries for such a message look like this:

zimbra1 postfix/smtpd[29431]: B28914D5978: client=xxxxx.server.com[w.x.y.z], sasl_method=LOGIN, sasl_username=user
zimbra1 postfix/cleanup[5522]: B28914D5978: message-id=<20090420154255.B28914D5978@zimbraserver.com>
zimbra1 postfix/qmgr[20690]: B28914D5978: from=<spam@spam.com>, size=6026, nrcpt=10 (queue active)
zimbra1 postfix/cleanup[3983]: 2BA56465D28: message-id=<20090420154255.B28914D5978@zimbraserver.com>

where sasl_username=user is the authenticated login and from=<spam@spam.com> is the envelope sender address; the two do not match. This article explains how to ensure that the from address matches the sender's username.
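As an added example, not part of the original article, the following Python script correlates the smtpd and qmgr log lines by queue ID and reports submissions where the envelope sender is not owned by the SASL login. The log lines and the local-domain set are constructed for illustration; the ownership test is a simplification of what smtpd_sender_login_maps would answer.

```python
import re

# Constructed sample log, modelled on the lines in this article (not real traffic).
SAMPLE_LOG = """\
zimbra1 postfix/smtpd[29431]: B28914D5978: client=xxxxx.server.com[w.x.y.z], sasl_method=LOGIN, sasl_username=user
zimbra1 postfix/cleanup[5522]: B28914D5978: message-id=<20090420154255.B28914D5978@zimbraserver.com>
zimbra1 postfix/qmgr[20690]: B28914D5978: from=<spam@spam.com>, size=6026, nrcpt=10 (queue active)
zimbra1 postfix/smtpd[29432]: C11114D5979: client=host.example.com[w.x.y.z], sasl_method=LOGIN, sasl_username=alice
zimbra1 postfix/qmgr[20690]: C11114D5979: from=<alice@zimbraserver.com>, size=1200, nrcpt=1 (queue active)
"""

# smtpd logs the authenticated login, qmgr logs the envelope sender; the queue ID ties them together.
SASL_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): .*sasl_username=(?P<user>\S+)")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")


def login_owns_sender(user, sender, local_domains):
    """Simplified ownership test: a login owns a sender address if it is that full address, or if
    the login is a bare user name equal to the local part and the domain is one of ours."""
    if "@" in user:
        return user.lower() == sender.lower()
    local, _, domain = sender.rpartition("@")
    return local.lower() == user.lower() and domain.lower() in local_domains


def find_sender_login_mismatches(log_text, local_domains):
    """Return [(queue_id, sasl_username, envelope_sender)] for authenticated submissions
    whose envelope sender is not owned by the login that submitted them."""
    logins, senders = {}, {}
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            logins[m.group("qid")] = m.group("user")
            continue
        m = FROM_RE.search(line)
        if m:
            senders[m.group("qid")] = m.group("sender")
    mismatches = []
    for qid, user in logins.items():
        sender = senders.get(qid)
        if sender and not login_owns_sender(user, sender, local_domains):
            mismatches.append((qid, user, sender))
    return mismatches


if __name__ == "__main__":
    for qid, user, sender in find_sender_login_mismatches(SAMPLE_LOG, {"zimbraserver.com"}):
        print(f"{qid}: login {user!r} sent as {sender!r}")
```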

How-to

Unsupported methods for ZCS8 and prior

To require that the from address of an email match the sender's username:

1. Register the sender login map with the MTA configuration.

   For ZCS 7 and below, edit the zmmta.cf file:
       vim /opt/zimbra/conf/zmmta.cf
   Find this line:
       POSTCONF smtpd_sender_restrictions LOCAL postfix_smtpd_sender_restrictions
   Below that line add the following. Note: do not forget to include the tab at the beginning of each line:
       POSTCONF smtpd_sender_login_maps       FILE postfix_sender_login_maps.cf

   For ZCS 8, edit zmconfigd.cf instead:
       vim /opt/zimbra/conf/zmconfigd.cf
   Find this line:
       POSTCONF smtpd_sender_restrictions FILE zmconfigd/smtpd_sender_restrictions.cf
   Below that line add the following. Note: do not forget to include the tab at the beginning of each line:
       POSTCONF smtpd_sender_login_maps       FILE postfix_sender_login_maps.cf

2. Set the sender restriction.

   For ZCS 7 and below:
       zmlocalconfig -e postfix_smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch

   For ZCS 8 and above, edit /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and add this at the very top:
       reject_authenticated_sender_login_mismatch

3. Create the file postfix_sender_login_maps.cf:
       vim /opt/zimbra/conf/postfix_sender_login_maps.cf
   Add:
       hash:/opt/zimbra/conf/exceptions-db ldap:/opt/zimbra/conf/ldap-restricrelay.cf

4. Create the exceptions file. An exceptions file lets you declare a different email sender address that a user may use, as a way of bypassing the restriction for that address:
       vim /opt/zimbra/conf/exceptions-db
   (Optional) Add text to the file, one line per address, where the first word is the email sender address and the second word is the username.
   Example:
       johndoe@otherdomain.com admin
   Note: You can leave the file empty.
   Create the DB file (from within /opt/zimbra/conf, since the path is relative):
       /opt/zimbra/postfix/sbin/postmap exceptions-db

5. Create /opt/zimbra/conf/ldap-restricrelay.cf.
   Obtain the LDAP server_host and the bind_pw of the user uid=zmpostfix,cn=appaccts,cn=zimbra from the file /opt/zimbra/conf/ldap-vam.cf, by running these commands:
       grep server_host /opt/zimbra/conf/ldap-vam.cf
       grep bind_pw /opt/zimbra/conf/ldap-vam.cf
   Then create the file:
       vim /opt/zimbra/conf/ldap-restricrelay.cf
   Adjust the server_host and bind_pw values to match your server hostname and password:
       server_host = ldap://srvXX.company.com:389
       server_port = 389
       search_base =
       query_filter = (&(|(uid=%s)(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)(zimbraMailCatchAllAddress=%s))(zimbraMailStatus=enabled))
       result_attribute = uid,zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailCatchAllForwardingAddress
       version = 3
       start_tls = yes
       tls_ca_cert_dir = /opt/zimbra/conf/ca
       bind = yes
       bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra
       bind_pw = XXXXXXXXXX
       timeout = 30

6. Set the permissions on the necessary files (again from within /opt/zimbra/conf):
       chown zimbra: postfix_sender_* exceptions-db* ldap-restricrelay.cf

7. Restart the MTA for the new policy to come into effect:
       zmmtactl restart
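To show how the configuration above fits together, here is an added Python model (not Zimbra or Postfix code) of the lookup chain that postfix_sender_login_maps.cf sets up and of the decision reject_authenticated_sender_login_mismatch makes. The directory entries and the exceptions-db content are constructed for illustration, and the lookup is simplified to the full sender address only.

```python
# Constructed stand-in for the Zimbra LDAP entries that ldap-restricrelay.cf would query.
DIRECTORY = [
    {"uid": "alice", "zimbraMailDeliveryAddress": "alice@example.com",
     "zimbraMailAlias": ["sales@example.com"], "zimbraMailStatus": "enabled"},
    {"uid": "bob", "zimbraMailDeliveryAddress": "bob@example.com", "zimbraMailStatus": "closed"},
]
# Constructed content of exceptions-db: "<sender address> <username>" per line.
EXCEPTIONS_DB = "johndoe@otherdomain.com admin\n"
# Attributes named in the query_filter and the result_attribute line of ldap-restricrelay.cf.
SEARCH_ATTRS = ("uid", "zimbraMailDeliveryAddress", "zimbraMailAlias", "zimbraMailCatchAllAddress")
RESULT_ATTRS = ("uid", "zimbraMailDeliveryAddress", "zimbraMailForwardingAddress",
                "zimbraPrefMailForwardingAddress", "zimbraMailCatchAllForwardingAddress")

def _values(entry, attr):
    v = entry.get(attr, [])
    return [v] if isinstance(v, str) else list(v)

def exceptions_lookup(address, db_text=EXCEPTIONS_DB):
    """hash:exceptions-db: first word is the sender address, the following words its owners."""
    for line in db_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == address.lower():
            return parts[1:]
    return []

def ldap_lookup(address, directory=DIRECTORY):
    """ldap:ldap-restricrelay.cf: %s must equal one of SEARCH_ATTRS on an enabled account;
    all RESULT_ATTRS values of the matching entries are returned as owners of the address."""
    owners = []
    for entry in directory:
        if entry.get("zimbraMailStatus") != "enabled":
            continue
        if address.lower() in {c.lower() for a in SEARCH_ATTRS for c in _values(entry, a)}:
            for attr in RESULT_ATTRS:
                owners.extend(_values(entry, attr))
    return owners

def sender_login_owners(address):
    """Postfix queries the smtpd_sender_login_maps tables in order; the first with a result wins."""
    return exceptions_lookup(address) or ldap_lookup(address)

def check_sender(sasl_username, mail_from):
    """reject_authenticated_sender_login_mismatch: unauthenticated clients are not checked; an
    authenticated login must be among the owners of MAIL FROM (no owners at all also rejects)."""
    if not sasl_username:
        return True, "unauthenticated client, restriction not applied"
    if sasl_username.lower() in {o.lower() for o in sender_login_owners(mail_from)}:
        return True, "sender address owned by login"
    return False, f"Sender address rejected: not owned by user {sasl_username}"
```

With an empty exceptions-db every decision falls through to the LDAP table, which is why a disabled account (bob above) or an address the directory does not know is rejected for authenticated senders.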
Verified Against: Zimbra Collaboration 8.0, 7.0 Date Created: 04/16/2014
Article ID: https://wiki.zimbra.com/index.php?title=Enforcing_a_match_between_the_FROM_address_and_the_sasl_username Date Modified: 2015-07-11
