Difference between revisions of "Rejecting false "mail from" addresses"

Line 3: Line 3:
 
<div class="col-md-12 ibox-content">
 
<div class="col-md-12 ibox-content">
 
=Rejecting false "mail from" addresses=
 
=Rejecting false "mail from" addresses=
{{KB|{{Unsupported}}|{{ZCS 8.0}}|{{ZCS 7.0}}|}}
+
{{KB|{{Unsupported}}|{{ZCS 8.6}}|{{ZCS 8.0}}|{{ZCS 7.0}}|}}
 
{{WIP}}
 
{{WIP}}
 
By default any connection made to ZCS postfix and declares "mail from: local sender" (even if it is not) - the connection/email is accepted for local delivery. This wiki provides steps to block such connections. Once following is configured, postfix will accept "mail from: local sender" only if the connection made from a hosts in "mynetworks" OR the sender is sasl authenticated.
 
By default any connection made to ZCS postfix and declares "mail from: local sender" (even if it is not) - the connection/email is accepted for local delivery. This wiki provides steps to block such connections. Once following is configured, postfix will accept "mail from: local sender" only if the connection made from a hosts in "mynetworks" OR the sender is sasl authenticated.
  
1. Modify "smtpd_sender_restrictions". We are adding a check before allowing a normal smtp connection. Allowing hosts in mynetwork, then allowing sasl authenticated too. Then a check for local domain address. If its true - the connection will be rejected. '''[This steps is for ZCS 7.x and older version only]'''.
+
Modify "smtpd_sender_restrictions". We are adding a check before allowing a normal smtp connection. Allowing hosts in mynetwork, then allowing sasl authenticated too. Then a check for local domain address. If its true - the connection will be rejected.  
 
+
==Zimbra Collaboration 8.x==
  su - zimbra
+
For '''Zimbra Collaboration 8.x''', open the file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and add this line into the enf of the file:
  zmlocalconfig -e postfix_smtpd_sender_restrictions="reject_unknown_sender_domain, permit_mynetworks, permit_sasl_authenticated, check_sender_access hash:/opt/zimbra/conf/domainrestrict, permit"
+
Add this at the end of the file:
 
+
  check_sender_access lmdb:/opt/zimbra/conf/domainrestrict
For '''ZCS 8.0.x''', open the file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and add this line into the middle of the file, prior to the tag_as_foreign.re lines:
 
  
 +
==Zimbra Collaboration 8.0.x==
 +
For '''Zimbra Collaboration 8.0.x''', open the file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and add this line into the middle of the file, prior to the tag_as_foreign.re lines:
 
Add this:
 
Add this:
 
   check_sender_access hash:/opt/zimbra/conf/domainrestrict
 
   check_sender_access hash:/opt/zimbra/conf/domainrestrict
 
+
Should looks like:
Here:
 
 
  ...
 
  ...
 
  check_sender_access hash:/opt/zimbra/conf/domainrestrict
 
  check_sender_access hash:/opt/zimbra/conf/domainrestrict
 
  %%contains VAR:zimbraServiceEnabled antivirus^ check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re%%
 
  %%contains VAR:zimbraServiceEnabled antivirus^ check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re%%
  
'''Remaining steps are same for all versions prior to ZCS 8.5.'''
+
==Zimbra Collaboration 7.x==
 +
For '''Zimbra Collaboration 7.x''' you should follow the next steps:
 +
  su - zimbra
 +
  zmlocalconfig -e postfix_smtpd_sender_restrictions="reject_unknown_sender_domain, permit_mynetworks, permit_sasl_authenticated, check_sender_access hash:/opt/zimbra/conf/domainrestrict, permit"
  
2. Create the file "/opt/zimbra/conf/domainrestrict" and add your domain(s) to it.
+
==Remaining steps are same for all versions==
 +
* Create the file "/opt/zimbra/conf/domainrestrict" and add your domain(s) to it.
 
   localdomain.com  REJECT
 
   localdomain.com  REJECT
 
   anotherlocaldomain.com  REJECT
 
   anotherlocaldomain.com  REJECT
  
 
You can also put some friendly/non-friendly message. Something like this.
 
You can also put some friendly/non-friendly message. Something like this.
   localdomain.com  REJECT You're not me!
+
   localdomain.com  REJECT   You're not me!
   anotherlocaldomain.com REJECT You're not me!
+
   anotherlocaldomain.com REJECT   You're not me!
  
3. Create the hash database of "/opt/zimbra/conf/domainrestrict". Run as 'zimbra' user.
+
* Create the hash database of "/opt/zimbra/conf/domainrestrict". Run as 'zimbra' user.
 
   postmap  /opt/zimbra/conf/domainrestrict
 
   postmap  /opt/zimbra/conf/domainrestrict
  
4. Restart zmmtactl.
+
*Restart zmmtactl.
 
   zmmtactl stop
 
   zmmtactl stop
 
   zmmtactl start
 
   zmmtactl start
  
'''Testing'''
+
==Testing==
  
 
Make following connection from a non-local host which is not part of mynetworks.
 
Make following connection from a non-local host which is not part of mynetworks.
 
 
   telnet ZCS_server_address 25
 
   telnet ZCS_server_address 25
 
   mail from: user@localdomain.com
 
   mail from: user@localdomain.com
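Review bot: The added "Zimbra Collaboration 8.x" instructions use "check_sender_access lmdb:/opt/zimbra/conf/domainrestrict", but the shared step further down still reads "Create the hash database" and runs "postmap /opt/zimbra/conf/domainrestrict" with no map type, so the text no longer says which database an 8.x reader ends up building. Suggest naming the type in that step, or giving it explicitly for the 8.x case (for example "postmap lmdb:/opt/zimbra/conf/domainrestrict"). In the same added paragraph, "enf of the file" is a typo and is immediately followed by a second "Add this at the end of the file:"; one of the two should go. The new "8.x" heading also overlaps the "8.0.x" section, which asks for a different position and map type, so the heading should state which 8.x releases it covers.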
Line 54: Line 57:
  
 
Emails can still be sent if the 'mail from:' address is blank, but the 'from' address is specified in the body of the email. This is expected behaviour, and is required by RFC 3464:
 
Emails can still be sent if the 'mail from:' address is blank, but the 'from' address is specified in the body of the email. This is expected behaviour, and is required by RFC 3464:
 
 
: The From field of the message header of the DSN SHOULD contain the address of a human who
 
: The From field of the message header of the DSN SHOULD contain the address of a human who
 
: is responsible for maintaining the mail system at the Reporting MTA site (e.g., Postmaster), so that  
 
: is responsible for maintaining the mail system at the Reporting MTA site (e.g., Postmaster), so that  

Revision as of 14:52, 20 July 2015

Rejecting false "mail from" addresses

   KB 20383        Last updated on 2015-07-20  





By default, ZCS Postfix accepts for local delivery any connection that declares "mail from: local sender", even when the client is not a local sender. This wiki provides steps to block such connections. Once the following is configured, Postfix will accept "mail from: local sender" only if the connection is made from a host in "mynetworks" OR the sender is SASL authenticated.

Modify "smtpd_sender_restrictions". We add a check before a normal SMTP connection is allowed: hosts in mynetworks are permitted first, then SASL-authenticated senders, and then the sender address is checked against the local domains. If it matches, the connection is rejected.

Zimbra Collaboration 8.x

For Zimbra Collaboration 8.x, open the file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and add this line at the end of the file:

 check_sender_access lmdb:/opt/zimbra/conf/domainrestrict

Zimbra Collaboration 8.0.x

For Zimbra Collaboration 8.0.x, open the file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and add this line in the middle of the file, prior to the tag_as_foreign.re lines:

 check_sender_access hash:/opt/zimbra/conf/domainrestrict

It should look like this:

...
check_sender_access hash:/opt/zimbra/conf/domainrestrict
%%contains VAR:zimbraServiceEnabled antivirus^ check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re%%

Zimbra Collaboration 7.x

For Zimbra Collaboration 7.x, follow these steps:

 su - zimbra
 zmlocalconfig -e postfix_smtpd_sender_restrictions="reject_unknown_sender_domain, permit_mynetworks, permit_sasl_authenticated, check_sender_access hash:/opt/zimbra/conf/domainrestrict, permit"

The remaining steps are the same for all versions

  • Create the file "/opt/zimbra/conf/domainrestrict" and add your domain(s) to it.
 localdomain.com   REJECT
 anotherlocaldomain.com   REJECT

You can also add a message, friendly or not, to the rejection. Something like this:

 localdomain.com   REJECT   You're not me!
 anotherlocaldomain.com REJECT   You're not me!
  • Create the hash database of "/opt/zimbra/conf/domainrestrict". Run this as the 'zimbra' user.
 postmap  /opt/zimbra/conf/domainrestrict
  • Restart zmmtactl.
 zmmtactl stop
 zmmtactl start

Testing

Make the following connection from a non-local host that is not part of mynetworks.

 telnet ZCS_server_address 25
 mail from: user@localdomain.com
 rcpt to: user2@localdomain.com

You should get the following error at the rcpt command.

 554 5.7.1 <user@localdomain.com>: Sender address rejected: You're not me!

Special case of empty 'mail from' address

Emails can still be sent if the 'mail from:' address is blank, but the 'from' address is specified in the body of the email. This is expected behaviour, and is required by RFC 3464:

The From field of the message header of the DSN SHOULD contain the address of a human who
is responsible for maintaining the mail system at the Reporting MTA site (e.g., Postmaster), so that
a reply to the DSN will reach that person.
...
Whenever an SMTP transaction is used to send a DSN, the MAIL FROM command MUST use a
NULL return address, i.e., "MAIL FROM:<>".
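
The restriction order configured above, and the empty-sender case, can be modelled in a few lines. This is an added example, not Zimbra's or Postfix's code: it is a simplified model of the list without reject_unknown_sender_domain, and the networks, client addresses and function names are assumptions chosen for illustration.

```python
import ipaddress

# Constructed sample data: the page's placeholder domains, documentation IP ranges.
ACCESS_MAP = {
    "localdomain.com": "REJECT You're not me!",
    "anotherlocaldomain.com": "REJECT",
}
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]


def sender_lookup_keys(sender):
    """Keys tried against the access map for one envelope sender (simplified access(5) order)."""
    if sender == "":
        return ["<>"]  # null sender is looked up as smtpd_null_access_lookup_key
    local, _, domain = sender.lower().rpartition("@")
    labels = domain.split(".")
    keys = [f"{local}@{domain}", domain]
    # Parent domains match too while smtpd_access_maps is listed in
    # parent_domain_matches_subdomains (the Postfix default).
    keys += [".".join(labels[i:]) for i in range(1, len(labels))]
    keys.append(f"{local}@")
    return keys


def evaluate(client_ip, sasl_user, sender):
    """Apply permit_mynetworks, permit_sasl_authenticated, check_sender_access, permit in order."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in MYNETWORKS):
        return "permit (permit_mynetworks)"
    if sasl_user:
        return "permit (permit_sasl_authenticated)"
    for key in sender_lookup_keys(sender):
        verb, _, text = ACCESS_MAP.get(key, "").partition(" ")
        if verb == "REJECT":
            reason = text.strip() or "Access denied"
            return f"554 5.7.1 <{sender}>: Sender address rejected: {reason}"
    return "permit"


if __name__ == "__main__":
    for case in [("203.0.113.9", None, "user@localdomain.com"),
                 ("192.0.2.10", None, "user@localdomain.com"),
                 ("203.0.113.9", "user2", "user@localdomain.com"),
                 ("203.0.113.9", None, "")]:
        print(case, "->", evaluate(*case))
```

The third case shows that permit_sasl_authenticated lets any authenticated user through whatever sender address is declared, and the fourth that the null sender is not matched by a domain entry.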

If you want to enforce a match between the FROM address and the SASL username, use the following wiki article for Zimbra Collaboration 8.5 and above: https://wiki.zimbra.com/wiki/Enforcing_a_match_between_FROM_address_and_sasl_username_8.5

Verified Against: Zimbra Collaboration 8.0, 7.0 Date Created: 04/16/2014
Article ID: https://wiki.zimbra.com/index.php?title=Rejecting_false_%22mail_from%22_addresses Date Modified: 2015-07-20


