Rejecting false "mail from" addresses: Difference between revisions
No edit summary |
No edit summary |
||
Line 7: | Line 7: | ||
zmlocalconfig -e postfix_smtpd_sender_restrictions="reject_unknown_sender_domain, permit_mynetworks, permit_sasl_authenticated, check_sender_access hash:/opt/zimbra/conf/domainrestrict, permit" | zmlocalconfig -e postfix_smtpd_sender_restrictions="reject_unknown_sender_domain, permit_mynetworks, permit_sasl_authenticated, check_sender_access hash:/opt/zimbra/conf/domainrestrict, permit" | ||
For '''ZCS 8.x''', open the file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and add this line | For '''ZCS 8.x''', open the file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and add this line into the middle of the file, prior to the tag_as_foreign.re lines: | ||
%%contains VAR:zimbraServiceEnabled antivirus^ check_sender_access | Add this: | ||
check_sender_access hash:/opt/zimbra/conf/domainrestrict | |||
Here: | |||
... | |||
check_sender_access hash:/opt/zimbra/conf/domainrestrict | |||
%%contains VAR:zimbraServiceEnabled antivirus^ check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re%% | |||
Note: the above method depends on the condition that the zimbraServiceEnabled service "antivirus" is in use. If not using antivirus, then modify the line to not use the conditional - just add the following: | Note: the above method depends on the condition that the zimbraServiceEnabled service "antivirus" is in use. If not using antivirus, then modify the line to not use the conditional - just add the following: |
Revision as of 19:30, 13 May 2014
By default any connection made to ZCS postfix and declares "mail from: local sender" (even if it is not) - the connection/email is accepted for local delivery. This wiki provides steps to block such connections. Once following is configured, postfix will accept "mail from: local sender" only if the connection made from a hosts in "mynetworks" OR the sender is sasl authenticated.
1. Modify "smtpd_sender_restrictions". We are adding a check before allowing a normal smtp connection. Allowing hosts in mynetwork, then allowing sasl authenticated too. Then a check for local domain address. If its true - the connection will be rejected. [This steps is for ZCS 7.x and older version only].
su - zimbra zmlocalconfig -e postfix_smtpd_sender_restrictions="reject_unknown_sender_domain, permit_mynetworks, permit_sasl_authenticated, check_sender_access hash:/opt/zimbra/conf/domainrestrict, permit"
For ZCS 8.x, open the file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and add this line into the middle of the file, prior to the tag_as_foreign.re lines:
Add this:
check_sender_access hash:/opt/zimbra/conf/domainrestrict
Here:
... check_sender_access hash:/opt/zimbra/conf/domainrestrict %%contains VAR:zimbraServiceEnabled antivirus^ check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re%%
Note: the above method depends on the condition that the zimbraServiceEnabled service "antivirus" is in use. If not using antivirus, then modify the line to not use the conditional - just add the following:
check_sender_access hash:/opt/zimbra/conf/domainrestrict
Remaining steps are same for all versions.
2. Create the file "/opt/zimbra/conf/domainrestrict" and add your domain(s) to it.
localdomain.com REJECT anotherlocaldomain.com REJECT
You can also put some friendly/non-friendly message. Something like this.
localdomain.com REJECT You're not me! anotherlocaldomain.com REJECT You're not me!
3. Create the hash database of "/opt/zimbra/conf/domainrestrict".
postmap /opt/zimbra/conf/domainrestrict
4. Restart zmmtactl.
zmmtactl stop zmmtactl start
Testing
Make following connection from a non-local host which is not part of mynetworks.
telnet ZCS_server_address 25 mail from: user@localdomain.com rcpt to: user2@localdomain.com
You should get following error at the rcpt command.
554 5.7.1 <user@localdomain.com>: Sender address rejected: You're not me!