Rejecting false "mail from" addresses: Difference between revisions
Latest revision as of 14:02, 4 April 2016
Rejecting false "mail from" addresses
Note: To increase security, combine this article with the one on Enforcing a match between FROM address and sasl username, for Zimbra Collaboration 8.5 and above.
By default, any connection made to ZCS Postfix that declares "mail from: local sender" (even when it is not a local sender) is accepted for local delivery. This wiki provides steps to block such connections. Once the following is configured, Postfix will accept "mail from: local sender" only if the connection is made from a host in "mynetworks" OR the sender is SASL authenticated.
Modify "smtpd_sender_restrictions". We are adding a check before allowing a normal SMTP connection: first permit hosts in mynetworks, then permit SASL-authenticated clients, then check whether the sender address belongs to a local domain. If it does, the connection is rejected.
Zimbra Collaboration 8.5 and above
For Zimbra Collaboration 8.5 and above, use the following commands to increase security and reject mail from or to users that do not exist in the LDAP:
    zmprov mcf zimbraMtaSmtpdRejectUnlistedRecipient yes
    zmprov mcf zimbraMtaSmtpdRejectUnlistedSender yes
    zmmtactl restart
    zmconfigdctl restart
For Zimbra Collaboration 8.0.x and previous
Zimbra Collaboration 8.0.x
For Zimbra Collaboration 8.0.x, open the file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and add the following line in the middle of the file, before the tag_as_foreign.re lines.
Add this:
    check_sender_access hash:/opt/zimbra/conf/domainrestrict
It should look like this:
    ...
    check_sender_access hash:/opt/zimbra/conf/domainrestrict
    %%contains VAR:zimbraServiceEnabled antivirus^ check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re%%
Zimbra Collaboration 7.x
For Zimbra Collaboration 7.x, follow these steps:
    su - zimbra
    zmlocalconfig -e postfix_smtpd_sender_restrictions="reject_unknown_sender_domain, permit_mynetworks, permit_sasl_authenticated, check_sender_access hash:/opt/zimbra/conf/domainrestrict, permit"
The remaining steps are the same for ZCS 8.0.x and previous versions
- Create the file "/opt/zimbra/conf/domainrestrict" and add your domain(s) to it.
    localdomain.com REJECT
    anotherlocaldomain.com REJECT
You can also add a friendly (or not so friendly) rejection message, for example:
    localdomain.com REJECT You're not me!
    anotherlocaldomain.com REJECT You're not me!
- Create the hash database from "/opt/zimbra/conf/domainrestrict". Run this as the 'zimbra' user.
    postmap /opt/zimbra/conf/domainrestrict
- Restart the MTA with zmmtactl.
    zmmtactl stop
    zmmtactl start
Testing
Make the following connection from a non-local host that is not part of mynetworks.
    telnet ZCS_server_address 25
    mail from: user@localdomain.com
    rcpt to: user2@localdomain.com
You should get the following error at the rcpt command if you used the Zimbra Collaboration 8.6 steps:
    550 5.1.0 <hi@example.com>: Sender address rejected: example.com
With the domainrestrict steps for ZCS 8.0.x and previous versions, you should get the following error at the rcpt command:
    554 5.7.1 <user@localdomain.com>: Sender address rejected: You're not me!
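To see why the order of the restriction chain matters (mynetworks and SASL clients are permitted before the sender check ever runs, everyone else is checked against the domainrestrict table), here is an added Python model of the 7.x smtpd_sender_restrictions chain and of the access(5) lookup Postfix performs. It is example code written for this page, not Zimbra's or Postfix's own; the table contents, the Session class and the function names are all assumptions, and reject_unknown_sender_domain is treated as a no-op because the sample domains are assumed to resolve.

```python
from dataclasses import dataclass

# Constructed sample of the access(5) table the article has you create as /opt/zimbra/conf/domainrestrict.
DOMAINRESTRICT = """\
localdomain.com REJECT You're not me!
anotherlocaldomain.com REJECT
"""
# The 7.x chain from the article, in evaluation order (reject_unknown_sender_domain is a no-op
# in this model: the sample sender domains are assumed to resolve).
RESTRICTIONS = ["reject_unknown_sender_domain", "permit_mynetworks", "permit_sasl_authenticated",
                "check_sender_access hash:/opt/zimbra/conf/domainrestrict", "permit"]

@dataclass
class Session:
    sender: str                          # MAIL FROM argument; "" is the null sender <>
    client_in_mynetworks: bool = False
    sasl_authenticated: bool = False

def parse_access_table(text):
    """Parse 'key ACTION [text]' lines; REJECT without text gets Postfix's default text."""
    table = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 2)
        if not parts or parts[0].startswith("#"):
            continue
        table[parts[0].lower()] = (parts[1].upper(), parts[2] if len(parts) > 2 else "Access denied")
    return table

def lookup_sender(table, sender):
    """check_sender_access order: full address, domain and each parent domain, then localpart@."""
    if not sender:                       # <> is looked up under smtpd_null_access_lookup_key, "<>"
        return table.get("<>")
    local, _, domain = sender.lower().rpartition("@")
    labels = domain.split(".")
    keys = [sender.lower()] + [".".join(labels[i:]) for i in range(len(labels))] + [local + "@"]
    return next((table[k] for k in keys if k in table), None)

def evaluate(session, restrictions, table):
    """Walk the chain; the first restriction that decides wins (Postfix reports it at RCPT TO)."""
    for r in restrictions:
        if r == "permit_mynetworks" and session.client_in_mynetworks:
            return "250 2.1.0 Ok"          # trusted network: the sender check never runs
        if r == "permit_sasl_authenticated" and session.sasl_authenticated:
            return "250 2.1.0 Ok"          # authenticated user: the sender check never runs
        if r.startswith("check_sender_access"):
            hit = lookup_sender(table, session.sender)
            if hit and hit[0] == "REJECT":
                return f"554 5.7.1 <{session.sender}>: Sender address rejected: {hit[1]}"
    return "250 2.1.0 Ok"                  # trailing permit / end of chain
```

The model also shows the empty-sender case covered in the next section: with no "<>" entry in the table, MAIL FROM:<> is not rejected.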
Special case of empty 'mail from' address
Emails can still be sent if the 'mail from:' address is blank but the 'from' address is specified in the body of the email. This is expected behaviour, and is required by RFC 3464:
    The From field of the message header of the DSN SHOULD contain the address of a human who
    is responsible for maintaining the mail system at the Reporting MTA site (e.g., Postmaster), so that
    a reply to the DSN will reach that person.
    ...
    Whenever an SMTP transaction is used to send a DSN, the MAIL FROM command MUST use a
    NULL return address, i.e., "MAIL FROM:<>".
If you want to enforce a match between the FROM address and the SASL username, use the following wiki for Zimbra Collaboration 8.5 and above: https://wiki.zimbra.com/wiki/Enforcing_a_match_between_FROM_address_and_sasl_username_8.5