How-to-restrict-ssl-login: Difference between revisions
{{Article Footer|ZCS 9.0, 8.8, 8.7,|2017-08-23}}
Latest revision as of 14:11, 13 June 2023
How to restrict SASL login for a user on postfix level?
Problem:
How to restrict SASL login for a user on postfix level in Zimbra? Sometimes a system administrator needs to block SASL authentication for a user, for reasons such as a company policy that allows only the web client for some users, or a compromised account that a spammer is using to send spam emails through SASL authentication.
Solution:
Here are the steps to do so.
1. Switch to the zimbra user and open smtpd_sender_restrictions.cf using the vim editor.
    su - zimbra
    vim /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf
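2. Add the line check_sasl_access lmdb:/opt/zimbra/conf/sasl_access_block between permit_mynetworks and permit_sasl_authenticated. Postfix evaluates these restrictions in order and stops at the first match, so the lookup has to come before permit_sasl_authenticated.
    permit_mynetworks, reject_sender_login_mismatch
    check_sasl_access lmdb:/opt/zimbra/conf/sasl_access_block
    permit_sasl_authenticated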
3. Create the sasl_access_block file and add the user who must be restricted from using SASL authentication.
    vim /opt/zimbra/conf/sasl_access_block
    user1@example.com REJECT Sorry, you are not allowed to use SMTP SASL authentication.
Note: Other actions, such as HOLD or DISCARD, can also be used.
4. Save the file and run the postmap command.
    postmap /opt/zimbra/conf/sasl_access_block
5. Reload the postfix service.
    postfix reload
If a restricted user tries to send an email using SASL authentication, the rejection message should appear and the following log entries show up in zimbra.log.
Log lines from zimbra.log
Oct 5 14:00:33 proxy postfix/smtps/smtpd[32649]: NOQUEUE: reject: RCPT from unknown[172.16.7.222]: 554 5.7.1 <user1@example.com>: SASL login name rejected: Sorry, you are not allowed to use SMTP SASL authentication.; from=<user1@example.com> to=<user2@example.com> proto=ESMTP helo=<PNQWB7S2PRKUMA>Rejected
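To see whether a blocked account is still being tried, and from which client addresses, the rejections shown above can be tallied per SASL login and client IP. This is an added example, not part of the original article; the function names and the sample lines (modelled on the log line above) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: tally "SASL login name rejected" events per login and client IP.

# Constructed sample lines in the zimbra.log format shown above (not real data).
sample_log() {
  cat <<'EOF'
Oct 5 14:00:33 proxy postfix/smtps/smtpd[32649]: NOQUEUE: reject: RCPT from unknown[172.16.7.222]: 554 5.7.1 <user1@example.com>: SASL login name rejected: Sorry, you are not allowed to use SMTP SASL authentication.; from=<user1@example.com> to=<user2@example.com> proto=ESMTP helo=<PNQWB7S2PRKUMA>
Oct 5 14:00:41 proxy postfix/smtps/smtpd[32649]: NOQUEUE: reject: RCPT from unknown[172.16.7.222]: 554 5.7.1 <user1@example.com>: SASL login name rejected: Sorry, you are not allowed to use SMTP SASL authentication.; from=<user1@example.com> to=<user4@example.com> proto=ESMTP helo=<PNQWB7S2PRKUMA>
Oct 5 14:02:10 proxy postfix/submission/smtpd[32700]: NOQUEUE: reject: RCPT from unknown[192.0.2.15]: 554 5.7.1 <user1@example.com>: SASL login name rejected: Sorry, you are not allowed to use SMTP SASL authentication.; from=<user1@example.com> to=<user2@example.com> proto=ESMTP helo=<client>
Oct 5 14:03:00 proxy postfix/smtpd[32711]: NOQUEUE: reject: RCPT from unknown[192.0.2.99]: 554 5.7.1 <user3@example.org>: Relay access denied; from=<x@example.net> to=<user3@example.org> proto=ESMTP helo=<client>
EOF
}

# Read zimbra.log lines from the named files (or stdin) and print
# "<count> <sasl_login> <client_ip>", most frequent first.
sasl_rejects() {
  awk '
    /NOQUEUE: reject:/ && /SASL login name rejected/ {
      marker = ">: SASL login name rejected"
      i = index($0, "RCPT from "); j = index($0, marker)
      if (i == 0 || j == 0) next
      # Client address: text between the first [ ] after "RCPT from".
      rest = substr($0, i + 10)
      a = index(rest, "["); b = index(rest, "]")
      if (a == 0 || b <= a) next
      ip = substr(rest, a + 1, b - a - 1)
      # SASL login: content of the <...> that ends right at the marker.
      login = substr($0, 1, j - 1)
      sub(/^.*</, "", login)
      count[login " " ip]++
    }
    END { for (k in count) print count[k], k }
  ' "$@" | sort -k1,1nr -k2
}

# Demo on the constructed sample; on a server, pass the zimbra.log path instead.
sample_log | sasl_rejects
```

Repeated rejections for one login from several unrelated addresses suggest the credentials are still in circulation and the password should be reset before the block is lifted.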
Submitted by: Prabhat Kumar