How-to-restrict-ssl-login: Difference between revisions
No edit summary |
|||
| Line 2: | Line 2: | ||
__FORCETOC__ | __FORCETOC__ | ||
<div class="col-md-12 ibox-content"> | <div class="col-md-12 ibox-content"> | ||
=How to restrict SASL login for a user on postfix level | =How to restrict SASL login for a user on postfix level?= | ||
<hr> | <hr> | ||
{{KB|{{WIP}}|{{ZCS 9.0}}|{{ZCS 8.8}}|{{ZCS 8.7}}|}} | {{KB|{{WIP}}|{{ZCS 9.0}}|{{ZCS 8.8}}|{{ZCS 8.7}}|}} | ||
| Line 17: | Line 17: | ||
vim /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf | vim /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf | ||
2. Add this line '''check_sasl_access lmdb:/opt/zimbra/conf/sasl_access''' between '''permit_mynetworks | 2. Add this line '''check_sasl_access lmdb:/opt/zimbra/conf/sasl_access''' between '''"permit_mynetworks and permit_sasl_authenticated". | ||
permit_mynetworks, reject_sender_login_mismatch | permit_mynetworks, reject_sender_login_mismatch | ||
| Line 37: | Line 37: | ||
postfix reload | postfix reload | ||
The following logs entries in the zimbra.log and message should be appeared if a restricted user tries to send an email using SASL authentication. | The following logs entries in the zimbra.log and message should be appeared if a restricted user tries to send an email using SASL authentication. | ||
'''Log lines from zimbra.log''' | '''Log lines from zimbra.log''' | ||
Revision as of 09:30, 28 July 2021
How to restrict SASL login for a user on postfix level?
Overview: We can restrict SASL login for a user on postfix level in Zimbra. Sometime a system administrator needs to block SASL authentication of a user due to various reasons like company policy where web-client is allowed only for some users, account was compromised and spammer is sending spam emails using SASL authentication etc.
Here are the steps to do so.
1. Switch to Zimbra user and open smtpd_sender_restrictions.cf using vim editor.
su - zimbra vim /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf
2. Add this line check_sasl_access lmdb:/opt/zimbra/conf/sasl_access between "permit_mynetworks and permit_sasl_authenticated".
permit_mynetworks, reject_sender_login_mismatch check_sasl_access lmdb:/opt/zimbra/conf/sasl_access_block permit_sasl_authenticated
3. Create sasl_access_block file and add a user which has to be restricted using sasl authentication.
vim /opt/zimbra/conf/sasl_access_block user1@labzimbra.com REJECT Sorry, you are not allowed to use SMTP SASL authentication.
Note: You may also use other condition like HOLD or DISCARD etc.
4. Save this file and run postmap command.
postmap /opt/zimbra/conf/sasl_access_block
5. Reload postfix service.
postfix reload
The following logs entries in the zimbra.log and message should be appeared if a restricted user tries to send an email using SASL authentication.
Log lines from zimbra.log
Oct 5 14:00:33 proxy postfix/smtps/smtpd[32649]: NOQUEUE: reject: RCPT from unknown[172.16.7.222]: 554 5.7.1 <user1@labzimbra.com>: SASL login name rejected: Sorry, you are not allowed to use SMTP SASL authentication.; from=<user1@labzimbra.com> to=<user2@labzimbra.com> proto=ESMTP helo=<PNQWB7S2PRKUMA>Rejected
The following sample email is received by restricted user.
| Submitted by: Prabhat Kumar |
