How-to-restrict-ssl-login: Difference between revisions
No edit summary |
No edit summary |
||
| Line 12: | Line 12: | ||
== Here are the steps to so. == | == Here are the steps to so. == | ||
1. Switch to Zimbra user and open smtpd_sender_restrictions.cf using vim editor. | 1. Switch to Zimbra user and open '''smtpd_sender_restrictions.cf''' using vim editor. | ||
su - zimbra | su - zimbra | ||
vim /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf | vim /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf | ||
2. Add this line '''check_sasl_access lmdb:/opt/zimbra/conf/sasl_access''' between permit_mynetworks and permit_sasl_authenticated. | 2. Add this line '''check_sasl_access lmdb:/opt/zimbra/conf/sasl_access''' between '''permit_mynetworks''' and permit_sasl_authenticated. | ||
permit_mynetworks, reject_sender_login_mismatch | permit_mynetworks, reject_sender_login_mismatch | ||
| Line 23: | Line 23: | ||
permit_sasl_authenticated | permit_sasl_authenticated | ||
3. Create sasl_access_block file and add a user which has to be restricted using sasl authentication. | 3. Create '''sasl_access_block''' file and add a user which has to be restricted using sasl authentication. | ||
vim /opt/zimbra/conf/sasl_access_block | vim /opt/zimbra/conf/sasl_access_block | ||
| Line 30: | Line 30: | ||
'''Note:''' You may also use other condition like HOLD or DISCARD etc. | '''Note:''' You may also use other condition like HOLD or DISCARD etc. | ||
4. Save this file and run postmap command. | 4. Save this file and run '''postmap''' command. | ||
postmap /opt/zimbra/conf/sasl_access_block | postmap /opt/zimbra/conf/sasl_access_block | ||
Revision as of 09:26, 5 October 2020
How to restrict SASL login for a user on postfix level.
Overview: We can restrict SASL login for a user on postfix level in Zimbra. Sometime a system administrator needs to block SASL authentication of a user due to various reasons like company policy where web-client is allowed only for some users, account was compromised and spammer is sending spam emails using SASL authentication etc.
Here are the steps to so.
1. Switch to Zimbra user and open smtpd_sender_restrictions.cf using vim editor.
su - zimbra vim /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf
2. Add this line check_sasl_access lmdb:/opt/zimbra/conf/sasl_access between permit_mynetworks and permit_sasl_authenticated.
permit_mynetworks, reject_sender_login_mismatch check_sasl_access lmdb:/opt/zimbra/conf/sasl_access_block permit_sasl_authenticated
3. Create sasl_access_block file and add a user which has to be restricted using sasl authentication.
vim /opt/zimbra/conf/sasl_access_block user1@labzimbra.com REJECT Sorry, you are not allowed to use SMTP SASL authentication.
Note: You may also use other condition like HOLD or DISCARD etc.
4. Save this file and run postmap command.
postmap /opt/zimbra/conf/sasl_access_block
5. Reload postfix service.
postfix reload
The following logs entries in the zimbra.log and message should be appeared if a restricted user tries to send an email using SASL authentication.
Log lines from zimbra.log
Oct 5 14:00:33 proxy postfix/smtps/smtpd[32649]: NOQUEUE: reject: RCPT from unknown[172.16.7.222]: 554 5.7.1 <user1@labzimbra.com>: SASL login name rejected: Sorry, you are not allowed to use SMTP SASL authentication.; from=<user1@labzimbra.com> to=<user2@labzimbra.com> proto=ESMTP helo=<PNQWB7S2PRKUMA>Rejected
The following sample email is received by restricted user.
| Submitted by: Prabhat Kumar |
