Rejecting false "mail from" addresses: Difference between revisions
Revision as of 15:01, 13 May 2014
By default, any connection made to the ZCS Postfix that declares "mail from: <local sender>" (even when the sender is not actually local) is accepted for local delivery. This wiki page provides the steps to block such connections. Once the following is configured, Postfix will accept "mail from: <local sender>" only if the connection is made from a host in "mynetworks" OR the sender is SASL authenticated.
1. Modify "smtpd_sender_restrictions". We are adding a check before allowing a normal SMTP connection: hosts in mynetworks are permitted first, then SASL-authenticated senders; after that, the sender address is checked against the local domain list, and if it matches, the connection is rejected. [This step is for ZCS 7.x and older versions only.]
su - zimbra
zmlocalconfig -e postfix_smtpd_sender_restrictions="reject_unknown_sender_domain, permit_mynetworks, permit_sasl_authenticated, check_sender_access hash:/opt/zimbra/postfix/conf/domainrestrict, permit"
For ZCS 8.x, open the file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf, add this line at the bottom and save the file.
%%contains VAR:zimbraServiceEnabled antivirus^ check_sender_access hash:/opt/zimbra/postfix/conf/domainrestrict%%
Note: the above line depends on the zimbraServiceEnabled service "antivirus" being in use. If you are not using antivirus, modify the line so that it does not use the conditional; just add the following:
check_sender_access hash:/opt/zimbra/postfix/conf/domainrestrict
The remaining steps are the same for all versions.
2. Create the file "/opt/zimbra/postfix/conf/domainrestrict" and add your domain(s) to it.
localdomain.com REJECT
anotherlocaldomain.com REJECT
You can also add a friendly (or not-so-friendly) message, like this:
localdomain.com REJECT You're not me!
anotherlocaldomain.com REJECT You're not me!
3. Create the hash database of "/opt/zimbra/postfix/conf/domainrestrict".
postmap /opt/zimbra/postfix/conf/domainrestrict
4. Restart zmmtactl.
zmmtactl restart
Testing
Make the following connection from a non-local host that is not part of mynetworks.
telnet ZCS_server_address 25
mail from: user@localdomain.com
rcpt to: user2@localdomain.com
You should get the following error at the rcpt command.
554 5.7.1 <user@localdomain.com>: Sender address rejected: You're not me!
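To see why steps 1 to 4 produce exactly the reply shown in the test above, here is an added example (not part of this wiki page or of Zimbra's code) that models the restriction chain from step 1 in Python. It parses a constructed copy of the domainrestrict table, evaluates a MAIL FROM address against the restrictions in the same order Postfix uses, and returns the reply the client would see. The lookup order mimics what access(5) documents for hash tables (full address, then the domain and its parent domains, then user@); the DNS check behind reject_unknown_sender_domain is replaced by a constructed set of resolvable domains, the mynetworks ranges are constructed, and the 450 reply text for unknown domains is an approximation.

```python
"""Model of the smtpd_sender_restrictions chain from step 1 (added example)."""
import ipaddress

# Constructed contents of /opt/zimbra/postfix/conf/domainrestrict (step 2),
# one entry with a custom message and one without.
DOMAINRESTRICT = """\
# pattern               action [optional text returned to the client]
localdomain.com         REJECT You're not me!
anotherlocaldomain.com  REJECT
"""

# Constructed stand-ins for Postfix's mynetworks and for DNS resolution.
MYNETWORKS = ["127.0.0.0/8", "10.0.0.0/8"]
RESOLVABLE_DOMAINS = {"localdomain.com", "mail.localdomain.com",
                      "anotherlocaldomain.com", "example.org"}

# The restriction list from step 1, in evaluation order.
SMTPD_SENDER_RESTRICTIONS = [
    "reject_unknown_sender_domain",
    "permit_mynetworks",
    "permit_sasl_authenticated",
    "check_sender_access",
    "permit",
]


def parse_access_table(text):
    """Parse access(5)-style lines into {pattern: (action, text)}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        pattern, action = parts[0].lower(), parts[1].upper()
        table[pattern] = (action, parts[2] if len(parts) > 2 else "")
    return table


def lookup_sender(table, sender):
    """Query the table the way Postfix queries a hash: access map.

    Order: user@domain, then the domain and each parent domain (Postfix's
    default parent_domain_matches_subdomains includes smtpd_access_maps, so
    a bare 'localdomain.com' entry also covers mail.localdomain.com), then
    the bare local part 'user@'.
    """
    sender = sender.lower()
    user, _, domain = sender.partition("@")
    labels = domain.split(".")
    candidates = [sender] + [".".join(labels[i:]) for i in range(len(labels))]
    candidates.append(user + "@")
    for key in candidates:
        if key in table:
            return table[key]
    return None


def evaluate(sender, client_ip, sasl_authenticated, table=None, restrictions=None):
    """Walk the restriction list; return (accepted, smtp_reply).

    With smtpd_delay_reject=yes (the Postfix default) a sender rejection is
    reported at RCPT TO, which is what the Testing section shows.
    """
    table = parse_access_table(DOMAINRESTRICT) if table is None else table
    restrictions = SMTPD_SENDER_RESTRICTIONS if restrictions is None else restrictions
    domain = sender.rpartition("@")[2].lower()
    accept = (True, "250 2.1.0 Ok")
    for restriction in restrictions:
        if restriction == "reject_unknown_sender_domain":
            if domain not in RESOLVABLE_DOMAINS:  # constructed DNS stand-in
                return False, f"450 4.1.8 <{sender}>: Sender address rejected: Domain not found"
        elif restriction == "permit_mynetworks":
            addr = ipaddress.ip_address(client_ip)
            if any(addr in ipaddress.ip_network(net) for net in MYNETWORKS):
                return accept
        elif restriction == "permit_sasl_authenticated":
            if sasl_authenticated:
                return accept
        elif restriction == "check_sender_access":
            hit = lookup_sender(table, sender)
            if hit is not None:
                action, text = hit
                if action == "REJECT":
                    reason = text or "Access denied"  # access(5) default text
                    return False, f"554 5.7.1 <{sender}>: Sender address rejected: {reason}"
                if action == "OK":
                    return accept
        elif restriction == "permit":
            return accept
    return accept


if __name__ == "__main__":
    cases = [
        ("user@localdomain.com", "203.0.113.7", False),  # spoofed local sender, outside
        ("user@localdomain.com", "10.1.2.3", False),     # internal host in mynetworks
        ("user@localdomain.com", "203.0.113.7", True),   # roaming user, SASL authenticated
        ("someone@example.org", "203.0.113.7", False),   # ordinary external sender
    ]
    for sender, ip, sasl in cases:
        print(f"{sender:24} from {ip:12} sasl={sasl!s:5} -> {evaluate(sender, ip, sasl)[1]}")
```

The order of the list matters: the `restrictions` parameter lets you try placing `check_sender_access` ahead of `permit_mynetworks`, which rejects your own internal relays as well, and the subdomain case shows why a bare domain entry is enough for hosts such as mail.localdomain.com under the default parent_domain_matches_subdomains.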