How-to-restrict-ssl-login

How to restrict SASL login for a user on postfix level?


   KB 24176        Last updated on 2023-06-13  





Problem:

How can SASL login be restricted for a user at the Postfix level in Zimbra? A system administrator sometimes needs to block SASL authentication for a user, for example because company policy allows only the web client for some users, or because an account was compromised and a spammer is sending spam through it using SASL authentication.

Solution:

Here are the steps to do so.

1. Switch to the zimbra user and open smtpd_sender_restrictions.cf in the vim editor.

su - zimbra
vim /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf

2. Add the line check_sasl_access lmdb:/opt/zimbra/conf/sasl_access_block between permit_mynetworks and permit_sasl_authenticated.

permit_mynetworks, reject_sender_login_mismatch
check_sasl_access lmdb:/opt/zimbra/conf/sasl_access_block
permit_sasl_authenticated

3. Create the sasl_access_block file and add the user who is to be blocked from using SASL authentication.

vim /opt/zimbra/conf/sasl_access_block
user1@example.com REJECT Sorry, you are not allowed to use SMTP SASL authentication.

Note: Other actions, such as HOLD or DISCARD, can also be used.

4. Save the file and run the postmap command.

postmap /opt/zimbra/conf/sasl_access_block

5. Reload the Postfix service.

postfix reload 


When a restricted user tries to send an email using SASL authentication, the rejection message is returned and log entries like the following appear in zimbra.log.

Log lines from zimbra.log

Oct  5 14:00:33 proxy postfix/smtps/smtpd[32649]: NOQUEUE: reject: RCPT from unknown[172.16.7.222]: 554 5.7.1 <user1@example.com>: SASL login name rejected: Sorry, you are not allowed to use SMTP SASL authentication.; from=<user1@example.com> to=<user2@example.com> proto=ESMTP helo=<PNQWB7S2PRKUMA>
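
To see which clients are still trying to authenticate as a blocked account (useful after a compromise), the rejection lines can be pulled out of zimbra.log and counted per SASL login and client IP. The Python below is an added example, not part of the original article or of Zimbra's tooling; the function names and sample log lines are constructed for illustration, and the line format is taken from the log sample above.

```python
import re
from collections import Counter, defaultdict

# Pattern for the smtpd rejection written when check_sasl_access returns REJECT
# (field layout taken from the zimbra.log sample in this article).
REJECT_RE = re.compile(
    r"postfix/(?P<service>[\w/-]+)\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) "
    r"<(?P<login>[^>]*)>: SASL login name rejected: (?P<text>.*?); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>"
)

# Constructed sample data (not real traffic): three rejections for the blocked
# login from two client IPs, plus one unrelated successful-auth line.
_TMPL = ("Oct  5 14:0{n}:33 proxy postfix/smtps/smtpd[3264{n}]: NOQUEUE: reject: "
         "RCPT from unknown[{ip}]: 554 5.7.1 <user1@example.com>: SASL login name "
         "rejected: Sorry, you are not allowed to use SMTP SASL authentication.; "
         "from=<user1@example.com> to=<user2@example.com> proto=ESMTP helo=<client>")
SAMPLE_LOG = [
    _TMPL.format(n=1, ip="192.0.2.10"),
    _TMPL.format(n=2, ip="192.0.2.10"),
    _TMPL.format(n=3, ip="198.51.100.7"),
    "Oct  5 14:04:10 proxy postfix/smtps/smtpd[32650]: 4F2A1C0D: "
    "client=unknown[192.0.2.20], sasl_method=PLAIN, sasl_username=user2@example.com",
]


def parse_rejections(lines):
    """Yield one dict of fields per 'SASL login name rejected' log line."""
    for line in lines:
        match = REJECT_RE.search(line)
        if match:
            yield match.groupdict()


def blocked_login_activity(lines):
    """Map each blocked SASL login to {client_ip: number_of_rejected_attempts}."""
    activity = defaultdict(Counter)
    for rec in parse_rejections(lines):
        activity[rec["login"]][rec["ip"]] += 1
    return {login: dict(ips) for login, ips in activity.items()}


if __name__ == "__main__":
    # On a real server, pass an open handle to zimbra.log instead of SAMPLE_LOG.
    for login, ips in blocked_login_activity(SAMPLE_LOG).items():
        for ip, count in sorted(ips.items(), key=lambda kv: -kv[1]):
            print(f"{login}\t{ip}\t{count} rejected attempt(s)")
```
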
Submitted by: Prabhat Kumar
Verified Against: ZCS 9.0, 8.8, 8.7, Date Created: 2017-08-23
Article ID: https://wiki.zimbra.com/index.php?title=How-to-restrict-ssl-login Date Modified: 2023-06-13


