Rejecting false "mail from" addresses: Difference between revisions
Revision as of 14:52, 20 July 2015
Rejecting false "mail from" addresses
By default, any connection to the ZCS Postfix MTA that declares "mail from: <local sender>" is accepted for local delivery, whether or not the sender really is local. This page gives the steps to block such connections. Once the following is configured, Postfix accepts "mail from: <local sender>" only if the connection comes from a host in "mynetworks" or the sender is SASL authenticated.
We modify "smtpd_sender_restrictions" to add a check before a normal SMTP connection is allowed: hosts in mynetworks are permitted first, then SASL-authenticated senders, and then the sender address is checked against the list of local domains. If it matches, the connection is rejected.
Zimbra Collaboration 8.x
For Zimbra Collaboration 8.x, open the file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and add this line at the end of the file:
check_sender_access lmdb:/opt/zimbra/conf/domainrestrict
Zimbra Collaboration 8.0.x
For Zimbra Collaboration 8.0.x, open the file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and add this line in the middle of the file, before the tag_as_foreign.re line:
check_sender_access hash:/opt/zimbra/conf/domainrestrict
It should then look like this:
...
check_sender_access hash:/opt/zimbra/conf/domainrestrict
%%contains VAR:zimbraServiceEnabled antivirus^ check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re%%
Zimbra Collaboration 7.x
For Zimbra Collaboration 7.x, run the following as the zimbra user:
su - zimbra
zmlocalconfig -e postfix_smtpd_sender_restrictions="reject_unknown_sender_domain, permit_mynetworks, permit_sasl_authenticated, check_sender_access hash:/opt/zimbra/conf/domainrestrict, permit"
Remaining steps are the same for all versions
- Create the file "/opt/zimbra/conf/domainrestrict" and add your domain(s) to it, one per line:
localdomain.com REJECT
anotherlocaldomain.com REJECT
You can also append a message of your choosing (friendly or not) after REJECT, for example:
localdomain.com REJECT You're not me!
anotherlocaldomain.com REJECT You're not me!
- Create the hash database from "/opt/zimbra/conf/domainrestrict". Run this as the 'zimbra' user:
postmap /opt/zimbra/conf/domainrestrict
- Restart the MTA with zmmtactl:
zmmtactl stop
zmmtactl start
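The two places this procedure usually goes wrong are a malformed access table and forgetting to re-run postmap (or restart the MTA) after editing it. The following POSIX shell functions, added here as an example and not part of the Zimbra wiki or of Zimbra itself, check both: one validates that every entry has the "domain REJECT [message]" shape used above, the other compares the source file's timestamp with the compiled map. The file names and the two map types (hash → .db, lmdb → .lmdb) are the ones the page uses; everything else is assumed.

```shell
#!/bin/sh
# Added example (not from the Zimbra wiki): sanity-check a Postfix access
# table before running postmap, and detect a compiled map that is older
# than its source file.

# Return 0 if every non-blank, non-comment line is "<domain> REJECT [message]".
# Assumed: only bare domain keys, as on the page (no user@ or .domain forms).
validate_domainrestrict() {
    file="$1"
    status=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        line=${line#"${line%%[![:space:]]*}"}        # trim leading whitespace
        case "$line" in
            ''|'#'*) continue ;;                       # blank line or comment
        esac
        domain=${line%%[[:space:]]*}                   # first field
        rest=${line#"$domain"}
        rest=${rest#"${rest%%[![:space:]]*}"}          # trim whitespace before action
        action=${rest%%[[:space:]]*}                   # second field
        case "$domain" in
            *[!A-Za-z0-9.-]*|''|.*|*.|*..*)
                echo "$file:$lineno: bad domain '$domain'" >&2
                status=1
                continue ;;
        esac
        if [ "$action" != "REJECT" ]; then
            echo "$file:$lineno: action '$action' is not REJECT" >&2
            status=1
        fi
    done < "$file"
    return $status
}

# Return 0 if the compiled map exists and is at least as new as its source,
# i.e. postmap has been run since the last edit.  $2 selects the map type
# named in smtpd_sender_restrictions.cf: "hash" (8.0.x, 7.x) or "lmdb" (8.x).
map_is_current() {
    src="$1"
    type="${2:-hash}"
    case "$type" in
        hash) db="$src.db" ;;
        lmdb) db="$src.lmdb" ;;
        *) echo "unknown map type '$type'" >&2; return 2 ;;
    esac
    [ -f "$db" ] || return 1                           # postmap never run
    if [ "$src" -nt "$db" ]; then                      # edited after postmap
        return 1
    fi
    return 0
}

# Usage: sh check_domainrestrict.sh /opt/zimbra/conf/domainrestrict [hash|lmdb]
if [ -n "${1:-}" ]; then
    validate_domainrestrict "$1" && map_is_current "$1" "${2:-hash}" \
        && echo "$1: table is valid and the compiled map is current"
fi
```

Run it as the zimbra user against the real file before the restart; if map_is_current fails, run postmap again. Build the map with the same type that the restrictions file names (hash: or lmdb:), otherwise smtpd will not find it.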
Testing
Make the following connection from a host that is not part of mynetworks:
telnet ZCS_server_address 25
mail from: user@localdomain.com
rcpt to: user2@localdomain.com
You should get the following error at the rcpt command:
554 5.7.1 <user@localdomain.com>: Sender address rejected: You're not me!
Special case of empty 'mail from' address
Emails can still be sent if the 'mail from:' address is blank and the 'from' address is given only in the message header. This is expected behaviour, and is required by RFC 3464:
    The From field of the message header of the DSN SHOULD contain the address of a human who is responsible for maintaining the mail system at the Reporting MTA site (e.g., Postmaster), so that a reply to the DSN will reach that person.
    ...
    Whenever an SMTP transaction is used to send a DSN, the MAIL FROM command MUST use a NULL return address, i.e., "MAIL FROM:<>".
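To see why the order of the restriction chain matters, and why the telnet test above is rejected while a blank 'mail from:' passes, here is a small Python model of how Postfix walks the smtpd_sender_restrictions list configured on this page. It is an added example, not code from the Zimbra wiki or from Postfix. It assumes the 7.x chain (reject_unknown_sender_domain, permit_mynetworks, permit_sasl_authenticated, check_sender_access, permit), a constructed domainrestrict table with the page's two domains, a constructed mynetworks list, and a fixed set of domains standing in for DNS; the lookup order for the access table follows access(5) with Postfix's default parent_domain_matches_subdomains.

```python
"""Added example (not part of the Zimbra wiki): model Postfix's walk through
the smtpd_sender_restrictions chain set up on this page, offline."""

from ipaddress import ip_address, ip_network

# Constructed table, same shape as /opt/zimbra/conf/domainrestrict on the page.
DOMAINRESTRICT = """
localdomain.com REJECT You're not me!
anotherlocaldomain.com REJECT You're not me!
"""

# Constructed stand-ins: Postfix mynetworks and the result of DNS lookups.
MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("10.0.0.0/8")]
KNOWN_DOMAINS = {"localdomain.com", "anotherlocaldomain.com", "example.net"}


def parse_access_table(text):
    """Turn 'key ACTION [message]' lines into {key: (ACTION, message)}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, rest = line.split(None, 1)
        action, _, message = rest.partition(" ")
        table[key.lower()] = (action.upper(), message.strip())
    return table


def check_sender_access(table, sender):
    """Look a sender up the way access(5) describes: full address, its domain,
    each parent domain (default parent_domain_matches_subdomains), then the
    bare localpart@.  The null sender <> has nothing to look up."""
    if "@" not in sender:
        return None
    local, domain = sender.rsplit("@", 1)
    domain = domain.lower()
    keys = [f"{local.lower()}@{domain}", domain]
    labels = domain.split(".")
    for i in range(1, len(labels) - 1):
        keys.append(".".join(labels[i:]))
    keys.append(f"{local.lower()}@")
    for key in keys:
        if key in table:
            return table[key]
    return None


def evaluate(client_ip, sasl_authenticated, sender, table):
    """Walk the chain in order; the first restriction with an opinion wins.
    Postfix reports the verdict at RCPT TO because smtpd_delay_reject
    defaults to yes, which is why the page's test fails at 'rcpt to:'."""
    # reject_unknown_sender_domain: the sender domain must resolve (<> is exempt).
    if "@" in sender and sender.rsplit("@", 1)[1].lower() not in KNOWN_DOMAINS:
        return ("REJECT", f"<{sender}>: Sender address rejected: Domain not found")
    # permit_mynetworks: trusted client networks skip the rest of the chain.
    if any(ip_address(client_ip) in net for net in MYNETWORKS):
        return ("PERMIT", "permit_mynetworks")
    # permit_sasl_authenticated: authenticated submitters skip it too.
    if sasl_authenticated:
        return ("PERMIT", "permit_sasl_authenticated")
    # check_sender_access hash:/opt/zimbra/conf/domainrestrict
    hit = check_sender_access(table, sender)
    if hit is not None:
        action, message = hit
        if action == "REJECT":
            text = message or "Access denied"
            return ("REJECT", f"554 5.7.1 <{sender}>: Sender address rejected: {text}")
        return (action, message)
    # final permit: anything else (foreign senders, the null sender) is accepted.
    return ("PERMIT", "permit")


if __name__ == "__main__":
    table = parse_access_table(DOMAINRESTRICT)
    cases = [
        ("203.0.113.5", False, "user@localdomain.com"),   # the page's telnet test
        ("10.1.2.3", False, "user@localdomain.com"),      # from mynetworks
        ("203.0.113.5", True, "user@localdomain.com"),    # SASL authenticated
        ("203.0.113.5", False, ""),                       # MAIL FROM:<> (DSN)
        ("203.0.113.5", False, "someone@example.net"),    # genuinely foreign sender
    ]
    for ip, sasl, sender in cases:
        print(f"{ip:>12} sasl={sasl!s:5} <{sender}> -> {evaluate(ip, sasl, sender, table)}")
```

The fourth case is the RFC 3464 situation from the section above: with an empty envelope sender there is no domain for check_sender_access to match, so the chain falls through to the final permit regardless of what the header From: says.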
If you also want to enforce a match between the FROM address and the SASL username, see the following wiki page for Zimbra Collaboration 8.5 and above: https://wiki.zimbra.com/wiki/Enforcing_a_match_between_FROM_address_and_sasl_username_8.5