Rejecting false "mail from" addresses

The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Rejecting false "mail from" addresses

   KB 20383        Last updated on 2015-07-15  




5.00
(2 votes)

By default any connection made to ZCS postfix and declares "mail from: local sender" (even if it is not) - the connection/email is accepted for local delivery. This wiki provides steps to block such connections. Once following is configured, postfix will accept "mail from: local sender" only if the connection made from a hosts in "mynetworks" OR the sender is sasl authenticated.

1. Modify "smtpd_sender_restrictions". We are adding a check before allowing a normal smtp connection. Allowing hosts in mynetwork, then allowing sasl authenticated too. Then a check for local domain address. If its true - the connection will be rejected. [This steps is for ZCS 7.x and older version only].

 su - zimbra
 zmlocalconfig -e postfix_smtpd_sender_restrictions="reject_unknown_sender_domain, permit_mynetworks, permit_sasl_authenticated, check_sender_access hash:/opt/zimbra/conf/domainrestrict, permit"

For ZCS 8.0.x, open the file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and add this line into the middle of the file, prior to the tag_as_foreign.re lines:

Add this:

 check_sender_access hash:/opt/zimbra/conf/domainrestrict

Here:

...
check_sender_access hash:/opt/zimbra/conf/domainrestrict
%%contains VAR:zimbraServiceEnabled antivirus^ check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re%%

Remaining steps are same for all versions prior to ZCS 8.5.

2. Create the file "/opt/zimbra/conf/domainrestrict" and add your domain(s) to it.

 localdomain.com   REJECT
 anotherlocaldomain.com   REJECT

You can also put some friendly/non-friendly message. Something like this.

 localdomain.com   REJECT You're not me!
 anotherlocaldomain.com REJECT You're not me!

3. Create the hash database of "/opt/zimbra/conf/domainrestrict". Run as 'zimbra' user.

 postmap  /opt/zimbra/conf/domainrestrict

4. Restart zmmtactl.

 zmmtactl stop
 zmmtactl start

Testing

Make following connection from a non-local host which is not part of mynetworks.

 telnet ZCS_server_address 25
 mail from: user@localdomain.com
 rcpt to: user2@localdomain.com

You should get following error at the rcpt command.

 554 5.7.1 <user@localdomain.com>: Sender address rejected: You're not me!

Special case of empty 'mail from' address

Emails can still be sent if the 'mail from:' address is blank, but the 'from' address is specified in the body of the email. This is expected behaviour, and is required by RFC 3464:

The From field of the message header of the DSN SHOULD contain the address of a human who
is responsible for maintaining the mail system at the Reporting MTA site (e.g., Postmaster), so that
a reply to the DSN will reach that person.
...
Whenever an SMTP transaction is used to send a DSN, the MAIL FROM command MUST use a
NULL return address, i.e., "MAIL FROM:<>".

If you want to Enforce a match between FROM addres and SASL username, use the next Wiki for Zimbra Collaboration 8.5 and above: https://wiki.zimbra.com/wiki/Enforcing_a_match_between_FROM_address_and_sasl_username_8.5

Verified Against: Zimbra Collaboration 8.0, 7.0 Date Created: 04/16/2014
Article ID: https://wiki.zimbra.com/index.php?title=Rejecting_false_%22mail_from%22_addresses Date Modified: 2015-07-15



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »


Jump to: navigation, search