Difference between revisions of "Rejecting false "mail from" addresses"

Line 2: Line 2:
 
By default any connection made to ZCS postfix and declares "mail from: local sender" (even if it is not) - the connection/email is accepted for local delivery. This wiki provides steps to block such connections. Once following is configured, postfix will accept "mail from: local sender" only if the connection made from a hosts in "mynetworks" OR the sender is sasl authenticated.
 
By default any connection made to ZCS postfix and declares "mail from: local sender" (even if it is not) - the connection/email is accepted for local delivery. This wiki provides steps to block such connections. Once following is configured, postfix will accept "mail from: local sender" only if the connection made from a hosts in "mynetworks" OR the sender is sasl authenticated.
  
* Modify "smtpd_sender_restrictions". We are adding a check before allowing a normal smtp connection. Allowing hosts in mynetwork, then allowing sasl authenticated too. Then a check for local domain address. If its true - the connection will be rejected.  
+
1. Modify "smtpd_sender_restrictions". We are adding a check before allowing a normal smtp connection. Allowing hosts in mynetwork, then allowing sasl authenticated too. Then a check for local domain address. If its true - the connection will be rejected. '''[This steps is for ZCS 7.x and older version only]'''.
  
 
   su - zimbra
 
   su - zimbra
 
   zmlocalconfig -e postfix_smtpd_sender_restrictions="reject_unknown_sender_domain, permit_mynetworks, permit_sasl_authenticated, check_sender_access hash:/opt/zimbra/postfix/conf/access_table, permit"
 
   zmlocalconfig -e postfix_smtpd_sender_restrictions="reject_unknown_sender_domain, permit_mynetworks, permit_sasl_authenticated, check_sender_access hash:/opt/zimbra/postfix/conf/access_table, permit"
  
* Create the file "/opt/zimbra/postfix/conf/access_table" and add your domain(s) to it.
+
For '''ZCS 8.x''', open the file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and add this line in the bottom and save the file.
 +
 
 +
  %%contains VAR:zimbraServiceEnabled antivirus^ check_sender_access hash:/opt/zimbra/postfix/conf/access_table%%
 +
 
 +
'''Remaining steps are same for all versions.'''
 +
 
 +
2. Create the file "/opt/zimbra/postfix/conf/access_table" and add your domain(s) to it.
 
   localdomain.com  REJECT
 
   localdomain.com  REJECT
 
   anotherlocaldomain.com  REJECT
 
   anotherlocaldomain.com  REJECT
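Review bot: The ZCS 8.x line added in this hunk is wrapped in "%%contains VAR:zimbraServiceEnabled antivirus^ ...%%", which reads as making the check_sender_access entry conditional on the antivirus service, and the text never says so. State that dependency, or explain why a sender check is tied to antivirus. The same step only says to add the line "in the bottom" of smtpd_sender_restrictions.cf, whereas the 7.x command makes the order explicit (permit_mynetworks, permit_sasl_authenticated, then check_sender_access); say that the new line has to come after the permit_mynetworks and permit_sasl_authenticated entries in that file.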
Line 15: Line 21:
 
   anotherlocaldomain.com REJECT You're not me!
 
   anotherlocaldomain.com REJECT You're not me!
  
* Create the hash of "/opt/zimbra/postfix/conf/access_table".
+
3. Create the hash of "/opt/zimbra/postfix/conf/access_table".
 
   postmap  /opt/zimbra/postfix/conf/access_table
 
   postmap  /opt/zimbra/postfix/conf/access_table
  
* Restart zmmtactl.
+
4. Restart zmmtactl.
 
   zmmtactl restart
 
   zmmtactl restart
  

Revision as of 14:27, 5 November 2013

By default, when a client connects to ZCS Postfix and declares "mail from: local sender", the message is accepted for local delivery even if the client is not that sender. This wiki provides steps to block such connections. Once the following is configured, Postfix accepts "mail from: local sender" only if the connection comes from a host in "mynetworks" or the sender is SASL authenticated.

1. Modify "smtpd_sender_restrictions". This adds a check before a normal SMTP connection is allowed: hosts in mynetworks are permitted first, then SASL-authenticated senders, and then the sender address is checked against the local domains. If it matches, the connection is rejected. [This step is for ZCS 7.x and older versions only.]

 su - zimbra
 zmlocalconfig -e postfix_smtpd_sender_restrictions="reject_unknown_sender_domain, permit_mynetworks, permit_sasl_authenticated, check_sender_access hash:/opt/zimbra/postfix/conf/access_table, permit"

For ZCS 8.x, open the file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf, add this line at the bottom, and save the file.

 %%contains VAR:zimbraServiceEnabled antivirus^ check_sender_access hash:/opt/zimbra/postfix/conf/access_table%% 

The remaining steps are the same for all versions.

2. Create the file "/opt/zimbra/postfix/conf/access_table" and add your domain(s) to it.

 localdomain.com   REJECT
 anotherlocaldomain.com   REJECT

You can also add a friendly (or not so friendly) message after REJECT, like this:

 localdomain.com   REJECT You're not me!
 anotherlocaldomain.com REJECT You're not me!

3. Create the hash of "/opt/zimbra/postfix/conf/access_table".

 postmap  /opt/zimbra/postfix/conf/access_table

4. Restart the MTA with zmmtactl.

 zmmtactl restart

Testing

Make the following connection from a non-local host that is not part of mynetworks.

 telnet ZCS_server_address 25
 mail from: user@localdomain.com
 rcpt to: user2@localdomain.com

You should get the following error at the rcpt command.

 554 5.7.1 <user@localdomain.com>: Sender address rejected: You're not me!
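
The configuration from steps 1 to 3 can also be checked offline before the live test. The script below is an added example, not part of the original wiki page or of Zimbra: the function names are hypothetical, and it assumes the restriction list is comma-separated as in the zmlocalconfig command above and that postmap writes its output to access_table.db.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not Zimbra or Postfix tools.
# Assumes a comma-separated restriction list, as in the zmlocalconfig command.

# Print the 1-based position of restriction $2 in list $1 (0 if absent).
restriction_pos() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^ *//; s/ *$//' |
        awk -v want="$2" '
            $0 == want || index($0, want " ") == 1 { print NR; found = 1; exit }
            END { if (!found) print 0 }'
}

# Succeed only if trusted clients are permitted before the local-domain
# check and the check is evaluated before the final "permit".
check_restriction_order() {
    net=$(restriction_pos "$1" permit_mynetworks)
    sasl=$(restriction_pos "$1" permit_sasl_authenticated)
    acc=$(restriction_pos "$1" check_sender_access)
    fin=$(restriction_pos "$1" permit)
    [ "$acc" -gt 0 ] || { echo "check_sender_access is missing"; return 1; }
    { [ "$net" -gt 0 ] && [ "$net" -lt "$acc" ]; } ||
        { echo "permit_mynetworks must come before check_sender_access"; return 1; }
    { [ "$sasl" -gt 0 ] && [ "$sasl" -lt "$acc" ]; } ||
        { echo "permit_sasl_authenticated must come before check_sender_access"; return 1; }
    [ "$fin" -eq 0 ] || [ "$acc" -lt "$fin" ] ||
        { echo "check_sender_access comes after permit and is never reached"; return 1; }
}

# Succeed only if every domain in $2.. has a REJECT entry in access table $1
# and the postmap output ($1.db) exists and is not older than the table.
check_access_table() {
    table=$1; shift
    [ -r "$table" ] || { echo "cannot read $table"; return 1; }
    for dom in "$@"; do
        awk -v d="$dom" '
            tolower($1) == tolower(d) && toupper($2) == "REJECT" { ok = 1 }
            END { exit !ok }' "$table" ||
            { echo "no REJECT entry for $dom"; return 1; }
    done
    [ -f "$table.db" ] || { echo "$table.db is missing: run postmap"; return 1; }
    [ -z "$(find "$table" -newer "$table.db")" ] ||
        { echo "$table.db is older than $table: rerun postmap"; return 1; }
}
```

Run it as the zimbra user, for example `check_access_table /opt/zimbra/postfix/conf/access_table localdomain.com`, and pass check_restriction_order the restriction list set in step 1. A stale or missing access_table.db is reported because an edited table has no effect until postmap is run again.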