Enforcing a match between the FROM address and the sasl username: Difference between revisions
Revision as of 00:09, 15 August 2014
RFE To Support This
Currently [Oct. 1, 2013] this is unsupported in ZCS8.0 and previous.
Issue
If a user's password is compromised, the server's default setup allows that user to relay emails using a different from address than the one used to authenticate with SMTP.
The mail log for such a message looks like this:
zimbra1 postfix/smtpd[29431]: B28914D5978: client=xxxxx.server.com[w.x.y.z], sasl_method=LOGIN, sasl_username=user
zimbra1 postfix/cleanup[5522]: B28914D5978: message-id=<20090420154255.B28914D5978@zimbraserver.com>
zimbra1 postfix/qmgr[20690]: B28914D5978: from=<spam@spam.com>, size=6026, nrcpt=10 (queue active)
zimbra1 postfix/cleanup[3983]: 2BA56465D28: message-id=<20090420154255.B28914D5978@zimbraserver.com>
where the authenticated username (sasl_username=user) and the from address (from=<spam@spam.com>) do not match. This article explains how to ensure that the from address matches the sender's username.
How-to
Unsupported methods for ZCS8 and prior
To require that the from address of an email match the sender's username:
For ZCS 7 and below, edit the zmmta.cf file, by running this command:
    vim /opt/zimbra/conf/zmmta.cf
Find this line:
    POSTCONF smtpd_sender_restrictions LOCAL postfix_smtpd_sender_restrictions
Below that line add (do not forget to include the tab at the beginning of each line):
    POSTCONF smtpd_sender_login_maps FILE postfix_sender_login_maps.cf
In ZCS 8, edit zmconfigd.cf instead:
    vim /opt/zimbra/conf/zmconfigd.cf
Find this line:
    POSTCONF smtpd_sender_restrictions FILE zmconfigd/smtpd_sender_restrictions.cf
Below that line add (do not forget to include the tab at the beginning of each line):
    POSTCONF smtpd_sender_login_maps FILE postfix_sender_login_maps.cf
Set sender_restriction (ZCS 7 and below):
    zmlocalconfig -e postfix_smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch
Set sender_restriction (ZCS 8 and above): edit /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and at the very top add:
    reject_authenticated_sender_login_mismatch
Create the file postfix_sender_login_maps.cf:
    vim /opt/zimbra/conf/postfix_sender_login_maps.cf
Add:
    hash:/opt/zimbra/conf/exceptions-db
    ldap:/opt/zimbra/conf/ldap-restricrelay.cf
An exceptions file allows you to declare a different email sender address that a user may use, as a way of bypassing the restriction. Create the exceptions file, by running this command:
    vim /opt/zimbra/conf/exceptions-db
(Optional) Add text to the file, one line per address, where the first word is the email sender address and the second word is the username. Example:
    johndoe@otherdomain.com admin
Note: You can leave the file empty.
Create the DB file, by running this command from /opt/zimbra/conf (the directory where exceptions-db was created):
    /opt/zimbra/postfix/sbin/postmap exceptions-db
Create /opt/zimbra/conf/ldap-restricrelay.cf. First obtain the LDAP server_host and the bind_pw of the user uid=zmpostfix,cn=appaccts,cn=zimbra by reading them from /opt/zimbra/conf/ldap-vam.cf, by running these commands:
    grep server_host /opt/zimbra/conf/ldap-vam.cf
    grep bind_pw /opt/zimbra/conf/ldap-vam.cf
Then create the file:
    vim /opt/zimbra/conf/ldap-restricrelay.cf
Adjust the server_host and bind_pw values to match your server hostname and password:
    server_host = ldap://srvXX.company.com:389
    server_port = 389
    search_base =
    query_filter = (&(|(uid=%s)(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)(zimbraMailCatchAllAddress=%s))(zimbraMailStatus=enabled))
    result_attribute = uid,zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailCatchAllForwardingAddress
    version = 3
    start_tls = yes
    tls_ca_cert_dir = /opt/zimbra/conf/ca
    bind = yes
    bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra
    bind_pw = XXXXXXXXXX
    timeout = 30
Set the permissions on the necessary files, by running this command from /opt/zimbra/conf:
    chown zimbra: postfix_sender_* exceptions-db* ldap-restricrelay.cf
For the new policy to come into effect:
    zmmtactl restart
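The script below is an added example, not part of the original article: it correlates smtpd and qmgr log lines by queue id (the log format shown in the Issue section) and reports submissions whose from address is neither owned by the sasl_username nor granted by an exceptions-db style entry, which is useful for auditing a server before the restriction is enabled or for confirming it afterwards. The log lines and the exception entry are constructed, and the bare-uid match in sender_matches_login is an assumption that stands in for the LDAP uid=%s lookup configured above.

```python
import re
from collections import defaultdict

# Constructed log lines in the Issue section's format: the queue id ties the
# smtpd line (sasl_username) to the qmgr line (from=<...>).
SAMPLE_LOG = """\
zimbra1 postfix/smtpd[29431]: B28914D5978: client=xxxxx.server.com[w.x.y.z], sasl_method=LOGIN, sasl_username=user
zimbra1 postfix/qmgr[20690]: B28914D5978: from=<spam@spam.com>, size=6026, nrcpt=10 (queue active)
zimbra1 postfix/smtpd[29432]: C11114D5979: client=mail.example.com[192.0.2.10], sasl_method=LOGIN, sasl_username=alice@zimbraserver.com
zimbra1 postfix/qmgr[20690]: C11114D5979: from=<alice@zimbraserver.com>, size=1200, nrcpt=1 (queue active)
zimbra1 postfix/smtpd[29433]: D22214D5980: client=mail.example.com[192.0.2.11], sasl_method=LOGIN, sasl_username=admin
zimbra1 postfix/qmgr[20690]: D22214D5980: from=<johndoe@otherdomain.com>, size=900, nrcpt=1 (queue active)
"""
# Constructed entry in the exceptions-db format: "sender-address username".
SAMPLE_EXCEPTIONS = "johndoe@otherdomain.com admin\n"

SASL_RE = re.compile(r"postfix/smtpd\[\d+\]: (\w+): .*sasl_username=(\S+)")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")

def parse_exceptions(text):
    """Map each exception sender address to the set of logins allowed to use it."""
    allowed = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            allowed[parts[0].lower()].add(parts[1].lower())
    return allowed

def sender_matches_login(sender, login, exceptions):
    """True if the login owns the sender address or an exception grants it."""
    sender, login = sender.lower(), login.lower()
    if sender == login:
        return True
    # Assumption standing in for the LDAP uid=%s lookup: a bare-uid login owns
    # the mailbox whose local part is that uid.
    if "@" not in login and sender.split("@", 1)[0] == login:
        return True
    return login in exceptions.get(sender, set())

def find_mismatches(log_text, exceptions):
    """Join smtpd and qmgr lines on queue id; return (queue_id, login, sender) mismatches."""
    logins, senders = {}, {}
    for line in log_text.splitlines():
        if m := SASL_RE.search(line):
            logins[m.group(1)] = m.group(2)
        elif m := FROM_RE.search(line):
            senders[m.group(1)] = m.group(2)
    # Null senders (bounces, from=<>) carry no address to compare and are skipped.
    return [(qid, login, senders[qid]) for qid, login in logins.items()
            if senders.get(qid) and not sender_matches_login(senders[qid], login, exceptions)]
```

Running find_mismatches(SAMPLE_LOG, parse_exceptions(SAMPLE_EXCEPTIONS)) flags only queue id B28914D5978, where login "user" sent as spam@spam.com; the alice self-send and the admin exception pass.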