Enforcing a match between the FROM address and the sasl username

Article Information
This article applies to the following ZCS versions.

ZCS 8.0 Article ZCS 8.0



RFE To Support This

Currently [Oct. 1, 2013] this is unsupported in ZCS8.0 and previous.

Issue

If a user's password is compromised, the Server default setup allows the user to relay emails using a different email address than the one uses to authenticate with smtp.


A message header from that user looks like this:

zimbra1 postfix/smtpd[29431]: B28914D5978: client=xxxxx.server.com[w.x.y.z], sasl_method=LOGIN, sasl_username=user
zimbra1 postfix/cleanup[5522]: B28914D5978: message-id=<20090420154255.B28914D5978@zimbraserver.com>
zimbra1 postfix/qmgr[20690]: B28914D5978: from=<spam@spam.com>, size=6026, nrcpt=10 (queue active)
zimbra1 postfix/cleanup[3983]: 2BA56465D28: message-id=<20090420154255.B28914D5978@zimbraserver.com>

where the sender's user name and the from address are indicated in bold. This article explains how to ensure that the from address matches the sender's username.

How-to

Unsupported methods for ZCS8 and prior

To require that the from address of an email match the sender's username:

   Edit the zmmta.cf file, by running this command:
   vim /opt/zimbra/conf/zmmta.cf 
   Find this line:
   POSTCONF smtpd_sender_restrictions LOCAL postfix_smtpd_sender_restrictions
   Below that line add :
   Note: Do not forget to include the tab at the beginning of each line:
   POSTCONF smtpd_sender_login_maps       FILE postfix_sender_login_maps.cf
   In ZCS 8 
   vim /opt/zimbra/conf/zmconfigd.cf 
   Find this line:
   POSTCONF smtpd_sender_restrictions FILE zmconfigd/smtpd_sender_restrictions.cf
   Below that line add :
   Note: Do not forget to include the tab at the beginning of each line:
   POSTCONF smtpd_sender_login_maps       FILE postfix_sender_login_maps.cf
   Set sender_restriction : (For ZCS 7 and below)
   zmlocalconfig -e postfix_smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch
   
   Set sender_restriction : (For ZCS 8 and above)
   Edit - /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf
   At the very top add - reject_authenticated_sender_login_mismatch
   Create file - postfix_sender_login_maps.cf
   vim /opt/zimbra/conf/postfix_sender_login_maps.cf
   Add :
   hash:/opt/zimbra/conf/exceptions-db ldap:/opt/zimbra/conf/ldap-restricrelay.cf
   
   An exceptions file, allows you to declare a different email sender address that a user can have, as a way of bypassing the restriction. Create the exceptions file, by running this command:
   vim /opt/zimbra/conf/exceptions-db
   (Optional) Add text to the file, one line per address, where the first word is the email sender address and the second word is the username.
   Example: johndoe@otherdomain.com admin
   Note: You can leave the file empty.
   Create the DB file, by running this command:
   /opt/zimbra/postfix/sbin/postmap exceptions-db
   Create /opt/zimbra/conf/ldap-restricrelay.cf
   Obtain the LDAP server_host and the bind_pw of the user uid=zmpostfix,cn=appaccts,cn=zimbra:
   Seek and record the data from the file /opt/zimbra/conf/ldap-vam.cf, by running these commands:
       grep server_host /opt/zimbra/conf/ldap-vam.cf
       grep bind_pw /opt/zimbra/conf/ldap-vam.cf
   vim /opt/zimbra/conf/ldap-restricrelay.cf
   Adjust the server_host and bind_pw values to match your server hostname and password:
   
   server_host = ldap://srvXX.company.com:389 
   server_port = 389 
   search_base = 
   query_filter = (&(|(uid=%s)(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)(zimbraMailCatchAllAddress=%s))(zimbraMailStatus=enabled)) 
   result_attribute = uid,zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailCatchAllForwardingAddress
   version = 3
   start_tls = yes
   tls_ca_cert_dir = /opt/zimbra/conf/ca
   bind = yes 
   bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra
   bind_pw = XXXXXXXXXX
   timeout = 30
   Set the permissions on the necessary files, by running this command:
   chown zimbra: postfix_sender_* exceptions-db* ldap-restricrelay.cf
   For the new policy to come into effect:
   zmmtactl restart
Jump to: navigation, search