Enforcing a match between the FROM address and the sasl username

Revision as of 20:21, 6 August 2014 by Gayle (talk | contribs) (→‎ZCS 8.5)
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

RFE To Support This

Currently [Oct. 1, 2013] this is unsupported in ZCS8.0 and previous. It is a new feature for ZCS 8.5 and later.

Issue

If a user's password is compromised, the Server default setup allows the user to relay emails using a different email address than the one uses to authenticate with smtp.


A message header from that user looks like this:

zimbra1 postfix/smtpd[29431]: B28914D5978: client=xxxxx.server.com[w.x.y.z], sasl_method=LOGIN, sasl_username=user
zimbra1 postfix/cleanup[5522]: B28914D5978: message-id=<20090420154255.B28914D5978@zimbraserver.com>
zimbra1 postfix/qmgr[20690]: B28914D5978: from=<spam@spam.com>, size=6026, nrcpt=10 (queue active)
zimbra1 postfix/cleanup[3983]: 2BA56465D28: message-id=<20090420154255.B28914D5978@zimbraserver.com>

where the sender's user name and the from address are indicated in bold. This article explains how to ensure that the from address matches the sender's username.

How-to

ZCS 8.5

  • (optional) If you want an exceptions DB to allow people to send as alternate addresses
 cd /opt/zimbra/conf
 edit slm-exceptions-db
 Add the alternate ID addresses and the real userid, for example for the user joe who has joe@gmail.com
 joe@gmail.com joe
 Then run postmap slm-exceptions-db to generate the database
  • Set the zimbraMtaSmtpdSenderLoginMaps portion
    • If the exception db is used:
zmprov mcf +zimbraMtaSmtpdSenderLoginMaps lmdb:/opt/zimbra/conf/slm-exceptions-db +zimbraMtaSmtpdSenderLoginMaps  proxy:ldap:/opt/zimbra/conf/ldap-slm.cf +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch
    • If the exception db is not used:
zmprov mcf +zimbraMtaSmtpdSenderLoginMaps  proxy:ldap:/opt/zimbra/conf/ldap-slm.cf +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch

After a minute, zmconfigd will update the postfix configuration automatically and apply the new rules. Now if an account is hacked, and this is in place, they will not be able to send out emails with different "from" addresses.

Unsupported methods for ZCS8 and prior

To require that the from address of an email match the sender's username:

   Edit the zmmta.cf file, by running this command:
   vim /opt/zimbra/conf/zmmta.cf 
   Find this line:
   POSTCONF smtpd_sender_restrictions LOCAL postfix_smtpd_sender_restrictions
   Below that line add :
   Note: Do not forget to include the tab at the beginning of each line:
   POSTCONF smtpd_sender_login_maps       FILE postfix_sender_login_maps.cf
   In ZCS 8 
   vim /opt/zimbra/conf/zmconfigd.cf 
   Find this line:
   POSTCONF smtpd_sender_restrictions FILE zmconfigd/smtpd_sender_restrictions.cf
   Below that line add :
   Note: Do not forget to include the tab at the beginning of each line:
   POSTCONF smtpd_sender_login_maps       FILE postfix_sender_login_maps.cf
   Set sender_restriction : (For ZCS 7 and below)
   zmlocalconfig -e postfix_smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch
   
   Set sender_restriction : (For ZCS 8 and above)
   Edit - /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf
   At the very top add - reject_authenticated_sender_login_mismatch
   Create file - postfix_sender_login_maps.cf
   vim /opt/zimbra/conf/postfix_sender_login_maps.cf
   Add :
   hash:/opt/zimbra/conf/exceptions-db ldap:/opt/zimbra/conf/ldap-restricrelay.cf
   
   An exceptions file, allows you to declare a different email sender address that a user can have, as a way of bypassing the restriction. Create the exceptions file, by running this command:
   vim /opt/zimbra/conf/exceptions-db
   (Optional) Add text to the file, one line per address, where the first word is the email sender address and the second word is the username.
   Example: johndoe@otherdomain.com admin
   Note: You can leave the file empty.
   Create the DB file, by running this command:
   /opt/zimbra/postfix/sbin/postmap exceptions-db
   Create /opt/zimbra/conf/ldap-restricrelay.cf
   Obtain the LDAP server_host and the bind_pw of the user uid=zmpostfix,cn=appaccts,cn=zimbra:
   Seek and record the data from the file /opt/zimbra/conf/ldap-vam.cf, by running these commands:
       grep server_host /opt/zimbra/conf/ldap-vam.cf
       grep bind_pw /opt/zimbra/conf/ldap-vam.cf
   vim /opt/zimbra/conf/ldap-restricrelay.cf
   Adjust the server_host and bind_pw values to match your server hostname and password:
   
   server_host = ldap://srvXX.company.com:389 
   server_port = 389 
   search_base = 
   query_filter = (&(|(uid=%s)(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)(zimbraMailCatchAllAddress=%s))(zimbraMailStatus=enabled)) 
   result_attribute uid,zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailCatchAllForwardingAddress
   version = 3
   start_tls = yes
   tls_ca_cert_dir = /opt/zimbra/conf/ca
   bind = yes 
   bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra
   bind_pw = XXXXXXXXXX
   timeout = 30
   Set the permissions on the necessary files, by running this command:
   chown zimbra: postfix_sender_* exceptions-db* ldap-restricrelay.cf
   For the new policy to come into effect:
   zmmtactl restart
Jump to: navigation, search