Difference between revisions of "Rejecting false "mail from" addresses"

Line 5: Line 5:
  
 
   su - zimbra
 
   su - zimbra
   zmlocalconfig -e postfix_smtpd_sender_restrictions="reject_unknown_sender_domain, permit_mynetworks, permit_sasl_authenticated, check_sender_access hash:/opt/zimbra/postfix/conf/access_table, permit"
+
   zmlocalconfig -e postfix_smtpd_sender_restrictions="reject_unknown_sender_domain, permit_mynetworks, permit_sasl_authenticated, check_sender_access hash:/opt/zimbra/postfix/conf/domainrestrict, permit"
  
 
For '''ZCS 8.x''', open the file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and add this line in the bottom and save the file.
 
For '''ZCS 8.x''', open the file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and add this line in the bottom and save the file.
  
   %%contains VAR:zimbraServiceEnabled antivirus^ check_sender_access hash:/opt/zimbra/postfix/conf/access_table%%  
+
   %%contains VAR:zimbraServiceEnabled antivirus^ check_sender_access hash:/opt/zimbra/postfix/conf/domainrestrict%%  
 +
 
 +
Note: the above method depends on the condition that the zimbraServiceEnabled service "antivirus" is in use. If not using antivirus, then modify the line to not use the conditional - just add the following:
 +
 
 +
check_sender_access hash:/opt/zimbra/postfix/conf/domainrestrict
  
 
'''Remaining steps are same for all versions.'''
 
'''Remaining steps are same for all versions.'''
  
2. Create the file "/opt/zimbra/postfix/conf/access_table" and add your domain(s) to it.
+
2. Create the file "/opt/zimbra/postfix/conf/domainrestrict" and add your domain(s) to it.
 
   localdomain.com  REJECT
 
   localdomain.com  REJECT
 
   anotherlocaldomain.com  REJECT
 
   anotherlocaldomain.com  REJECT
Line 21: Line 25:
 
   anotherlocaldomain.com REJECT You're not me!
 
   anotherlocaldomain.com REJECT You're not me!
  
3. Create the hash of "/opt/zimbra/postfix/conf/access_table".
+
3. Create the hash database of "/opt/zimbra/postfix/conf/domainrestrict".
   postmap  /opt/zimbra/postfix/conf/access_table
+
   postmap  /opt/zimbra/postfix/conf/domainrestrict
  
 
4. Restart zmmtactl.
 
4. Restart zmmtactl.

Revision as of 15:01, 13 May 2014

By default any connection made to ZCS postfix and declares "mail from: local sender" (even if it is not) - the connection/email is accepted for local delivery. This wiki provides steps to block such connections. Once following is configured, postfix will accept "mail from: local sender" only if the connection made from a hosts in "mynetworks" OR the sender is sasl authenticated.

1. Modify "smtpd_sender_restrictions". We are adding a check before allowing a normal smtp connection. Allowing hosts in mynetwork, then allowing sasl authenticated too. Then a check for local domain address. If its true - the connection will be rejected. [This steps is for ZCS 7.x and older version only].

 su - zimbra
 zmlocalconfig -e postfix_smtpd_sender_restrictions="reject_unknown_sender_domain, permit_mynetworks, permit_sasl_authenticated, check_sender_access hash:/opt/zimbra/postfix/conf/domainrestrict, permit"

For ZCS 8.x, open the file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and add this line in the bottom and save the file.

 %%contains VAR:zimbraServiceEnabled antivirus^ check_sender_access hash:/opt/zimbra/postfix/conf/domainrestrict%% 

Note: the above method depends on the condition that the zimbraServiceEnabled service "antivirus" is in use. If not using antivirus, then modify the line to not use the conditional - just add the following:

check_sender_access hash:/opt/zimbra/postfix/conf/domainrestrict

Remaining steps are same for all versions.

2. Create the file "/opt/zimbra/postfix/conf/domainrestrict" and add your domain(s) to it.

 localdomain.com   REJECT
 anotherlocaldomain.com   REJECT

You can also put some friendly/non-friendly message. Something like this.

 localdomain.com   REJECT You're not me!
 anotherlocaldomain.com REJECT You're not me!

3. Create the hash database of "/opt/zimbra/postfix/conf/domainrestrict".

 postmap  /opt/zimbra/postfix/conf/domainrestrict

4. Restart zmmtactl.

 zmmtactl restart

Testing

Make following connection from a non-local host which is not part of mynetworks.

 telnet ZCS_server_address 25
 mail from: user@localdomain.com
 rcpt to: user2@localdomain.com

You should get following error at the rcpt command.

 554 5.7.1 <user@localdomain.com>: Sender address rejected: You're not me!
Jump to: navigation, search