Difference between revisions of "RestrictPostfixSenders"

(Creating the "Restrict Postfix Senders" wiki page.)
 
 
(15 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{{Unsupported}}
+
{{BC|Community Sandbox}}
 
+
__FORCETOC__
 +
<div class="col-md-12 ibox-content">
 
=Restrict Postfix Senders=
 
=Restrict Postfix Senders=
 +
{{KB|{{Unsupported}}|{{ZCS 7.0}}|{{ZCS 6.0}}|}}
 +
{{Archive}}{{WIP}}
 
* This setup procedure will set up your server to allow outgoing mails from only the domains configured on the server itself.
 
* This setup procedure will set up your server to allow outgoing mails from only the domains configured on the server itself.
  
* For example, if your mail domains are @company.com and @company.co.uk, with the configuration presented here, no user registered into the system will be allowed to send mails as if belonging in other domains, as @gmail.com, @microsoft.com, @sapo.pt, etc....
+
* For example, if your mail domains are @testezimbra.com.br and/or for example, @testezimbra.com, with the configuration presented here, no user registered into the system will be allowed to send mails as if belonging in other domains, as @gmail.com, @microsoft.com, @sapo.pt, etc....
 +
 
 +
* Basically, these modifications "extend" the option "Allow sending email from any address" of the Zimbra, which only works for users in Webmail, to the entire system, <s>including the open RELAY networks</s> and authenticated users.
 +
 
 +
* WARNING: The effects of this setting affect the entire system, whether registered users <s>or IP networks declared in zimbraMtaMyNetwork</s>...
 +
 
 +
* This setup was tested with Zimbra 5.0.24, 6.0.8 on both Open Source and Network Editions.
  
* Basically, these modifications "extend" the option "Allow sending email from any address" of the Zimbra, which only works for users in Webmail, to the entire system, including the open RELAY networks and authenticated users.
+
* To make sure that this procedure works, install a fresh Zimbra server using the domain "testezimbra.com.br" and the "admin" user password "123456".
  
* WARNING: The effects of this setting affect the entire system, whether registered users or IP networks declared in zimbraMtaMyNetwork...
+
* To facilitate testing, enable the clear text login option at the Zimbra admin panel.
  
 
===Complete procedure===
 
===Complete procedure===
 
  
 
* Become root:
 
* Become root:
  
 
  sudo -i
 
  sudo -i
 
  
 
* Enter into the directory settings:
 
* Enter into the directory settings:
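Review bot: the added bullet "To facilitate testing, enable the clear text login option at the Zimbra admin panel" has no counterpart telling the reader to turn clear-text login back off once the test is done; the procedure should close with that step, since the telnet test in the last hunk sends the admin password over port 25 inside a base64 AUTH PLAIN token.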
Line 28: Line 35:
 
* ...and, right below the line:
 
* ...and, right below the line:
  
  POSTCONF local_header_rewrite_clients permit_mynetworks,permit_sasl_authenticated
+
  POSTCONF smtpd_sender_restrictions LOCAL postfix_smtpd_sender_restrictions
 
 
  
* Add the following two lines, do not forget the tab at the beginning of each line:
+
* Add the following line, do not forget the tab at the beginning of each line:
  
POSTCONF smtpd_sender_restrictions FILE postfix_sender_restrictions.cf
 
 
  POSTCONF smtpd_sender_login_maps FILE postfix_sender_login_maps.cf
 
  POSTCONF smtpd_sender_login_maps FILE postfix_sender_login_maps.cf
  
 +
* Save the zmmta.cf file.
  
* Save the zmmta.cf file.
+
* Set the sender_restriction using :
  
 +
zmlocalconfig -e postfix_smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch
  
 
* Now make the files declared in the file zmmta.cf.
 
* Now make the files declared in the file zmmta.cf.
  
 +
* The postfix_sender_login_maps.cf file:
  
* The postfix_sender_restrictions.cf file:
+
vim postfix_sender_login_maps.cf
  
echo reject_authenticated_sender_login_mismatch > postfix_sender_restrictions.cf
+
* Write:
  
 +
hash:/opt/zimbra/conf/exceptions-db
 +
ldap:/opt/zimbra/conf/ldap-restricrelay.cf
  
* The postfix_sender_login_maps.cf file:
+
* Now make the exceptions file, which you can declare a random e-mail sender address that a user can have, something like a bypass.
  
  echo hash:/opt/zimbra/conf/exceptions-db > postfix_sender_login_maps.cf
+
  vim exceptions-db
echo ldap:/opt/zimbra/conf/ldap-restricrelay.cf >> postfix_sender_login_maps.cf
 
  
* Now make the exceptions file, which you can declare a random e-mail sender address that a user can have, something like a bypass.
+
* Examples of exceptions (you can leave the file empty):
  
  touch exceptions-db
+
  johndoe@otherdomain.com admin
/opt/zimbra/postfix/sbin/postmap exceptions-db
 
  
* Examples of exceptions:
+
* Run:
 
 
johndoe@otherdomain.com zimbra_login
 
  
 +
/opt/zimbra/postfix/sbin/postmap exceptions-db
  
 
* Now you need to get two pieces of information, its server_host (referring to LDAP) and the bind_pw of the user "uid=zmpostfix,cn=appaccts,cn=zimbra". For that, seek and record the data from the file "/opt/zimbra/conf/ldap-vam.cf", and make the file "/opt/zimbra/conf/ldap-restricrelay.cf" as follows:
 
* Now you need to get two pieces of information, its server_host (referring to LDAP) and the bind_pw of the user "uid=zmpostfix,cn=appaccts,cn=zimbra". For that, seek and record the data from the file "/opt/zimbra/conf/ldap-vam.cf", and make the file "/opt/zimbra/conf/ldap-restricrelay.cf" as follows:
  
 
  grep server_host /opt/zimbra/conf/ldap-vam.cf
 
  grep server_host /opt/zimbra/conf/ldap-vam.cf
 +
 +
* And:
 +
 
  grep bind_pw /opt/zimbra/conf/ldap-vam.cf
 
  grep bind_pw /opt/zimbra/conf/ldap-vam.cf
  
* Edit the ldap-restricrelay.cf file:
+
* Make the file ldap-restricrelay.cf:
  
 
  vim /opt/zimbra/conf/ldap-restricrelay.cf
 
  vim /opt/zimbra/conf/ldap-restricrelay.cf
  
  server_host = ldap://srvXX.company.com.br:389
+
* With (Adjust the '''server_host''' and '''bind_pw''' according to the output of the "grep" command above):
 +
 
 +
  '''server_host = ldap://srvXX.company.com.br:389'''
 
  server_port = 389
 
  server_port = 389
 
  search_base =
 
  search_base =
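Review bot: the exceptions example changes from `johndoe@otherdomain.com zimbra_login` to `johndoe@otherdomain.com admin`, but the right-hand value has to be the SASL login name exactly as Postfix sees it (it is compared with the login name, case-insensitively); the telnet transcript in the last hunk reports the login as `admin@testezimbra.com.br`, so the example should either show the full login name or say which form the server uses.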
Line 82: Line 94:
 
  bind = yes
 
  bind = yes
 
  bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra
 
  bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra
  bind_pw = XXXXXXXXXX
+
  '''bind_pw = XXXXXXXXXX'''
 
  timeout = 30
 
  timeout = 30
  
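Review bot: `bind_pw = XXXXXXXXXX` puts the zmpostfix LDAP bind password in clear text in ldap-restricrelay.cf, and the later `chown zimbra: ... ldap-restricrelay.cf` step changes only the owner, not the mode; the procedure should also restrict the file's permissions (for example `chmod 640 /opt/zimbra/conf/ldap-restricrelay.cf`) so the copied secret is not readable by every local account.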
Line 93: Line 105:
 
  su - zimbra
 
  su - zimbra
 
  zmmtactl restart
 
  zmmtactl restart
 +
 +
* Test your changes:
 +
 +
Encode the "admin" e-mail address and password with the base64:
 +
 +
perl -MMIME::Base64 -e 'print encode_base64("\000admin\@testezimbra.com.br\000123456")'
 +
AGFkbWluQHRlc3RlemltYnJhLmNvbS5icgAxMjM0NTY=
 +
 +
Test the smtp via telnet
 +
 +
$ telnet <s>vdwuad19.worldweb.com.br</s> 25
 +
Trying <s>200.155.14.45</s>...
 +
Connected to <s>vdwuad19.worldweb.com.br</s>.
 +
Escape character is '^]'.
 +
220 vdwuad19.worldweb.com.br ESMTP Postfix
 +
ehlo testezimbra.com.br
 +
250-vdwuad19.worldweb.com.br
 +
250-PIPELINING
 +
250-SIZE 10240000
 +
250-VRFY
 +
250-ETRN
 +
250-STARTTLS
 +
250-AUTH PLAIN LOGIN
 +
250-AUTH=PLAIN LOGIN
 +
250-ENHANCEDSTATUSCODES
 +
250-8BITMIME
 +
250 DSN
 +
AUTH PLAIN AGFkbWluQHRlc3RlemltYnJhLmNvbS5icgAxMjM0NTY=
 +
235 2.7.0 Authentication successful
 +
mail from: ultra@gmail.com
 +
250 2.1.0 Ok
 +
rcpt to: teste@hotmail.com
 +
553 5.7.1 <ultra@gmail.com>: Sender address rejected: not owned by user admin@testezimbra.com.br
  
 
* Well done!
 
* Well done!
 +
{{Article Footer|Zimbra Collaboration 7.0, 6.0|04/16/2014}}
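Review bot: the redaction in the transcript is inconsistent: the hostname and IP are struck through on the `telnet`, `Trying` and `Connected to` lines, but the same hostname appears unredacted in the `220` banner and the `250-` EHLO reply; redact all of them or none. A sentence is also missing to explain that the `553` arrives at `rcpt to:` rather than at `mail from:` because Postfix defers sender restrictions until RCPT TO by default (smtpd_delay_reject), so the `250 2.1.0 Ok` after MAIL FROM does not mean the restriction is inactive.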

Latest revision as of 21:03, 12 July 2015

Restrict Postfix Senders

KB 3659. Last updated on 2015-07-12




  • This setup procedure configures your server so that outgoing mail is allowed only from the domains configured on the server itself.
  • For example, if your mail domains are @testezimbra.com.br and @testezimbra.com, then with the configuration presented here no user registered on the system will be allowed to send mail as if belonging to another domain, such as @gmail.com, @microsoft.com or @sapo.pt.
  • Basically, these modifications "extend" Zimbra's "Allow sending email from any address" option, which only applies to users of the Webmail client, to the entire system, including the open RELAY networks and authenticated users.
  • WARNING: this setting affects the entire system, both registered users and the IP networks declared in zimbraMtaMyNetwork.
  • This setup was tested with Zimbra 5.0.24 and 6.0.8, on both the Open Source and Network Editions.
  • To confirm that this procedure works as shown in the test below, install a fresh Zimbra server using the domain "testezimbra.com.br" and the password "123456" for the "admin" user.
  • To facilitate testing, enable the clear text login option at the Zimbra admin panel.

Complete procedure

  • Become root:
sudo -i
  • Change into the configuration directory:
cd /opt/zimbra/conf
  • Edit the zmmta.cf file:
vim zmmta.cf
  • ...and, right below the line:
POSTCONF smtpd_sender_restrictions LOCAL postfix_smtpd_sender_restrictions
  • ...add the following line (do not forget the tab at the beginning of the line):
POSTCONF smtpd_sender_login_maps FILE postfix_sender_login_maps.cf
  • Save the zmmta.cf file.
  • Set the sender restriction with:
zmlocalconfig -e postfix_smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch
  • Now create the files declared in zmmta.cf.
  • The postfix_sender_login_maps.cf file:
vim postfix_sender_login_maps.cf
  • Write:
hash:/opt/zimbra/conf/exceptions-db
ldap:/opt/zimbra/conf/ldap-restricrelay.cf
  • Now create the exceptions file, in which you can declare additional sender addresses that a given user is allowed to use, something like a bypass of the restriction:
vim exceptions-db
  • Examples of exceptions (the file can be left empty):
johndoe@otherdomain.com admin
  • Run:
/opt/zimbra/postfix/sbin/postmap exceptions-db
  • Now you need two pieces of information: the LDAP server_host and the bind_pw of the user "uid=zmpostfix,cn=appaccts,cn=zimbra". Look them up in "/opt/zimbra/conf/ldap-vam.cf" and record them, then create "/opt/zimbra/conf/ldap-restricrelay.cf" as follows:
grep server_host /opt/zimbra/conf/ldap-vam.cf
  • And:
grep bind_pw /opt/zimbra/conf/ldap-vam.cf
  • Make the file ldap-restricrelay.cf:
vim /opt/zimbra/conf/ldap-restricrelay.cf
  • With the following contents (adjust server_host and bind_pw according to the output of the grep commands above):
server_host = ldap://srvXX.company.com.br:389
server_port = 389
search_base =
query_filter = (&(|(uid=%s)(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)(zimbraMailCatchAllAddress=%s))(zimbraMailStatus=enabled))
result_attribute = uid,zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailCatchAllForwardingAddress
version = 3
start_tls = yes
tls_ca_cert_dir = /opt/zimbra/conf/ca
bind = yes
bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra
bind_pw = XXXXXXXXXX
timeout = 30
  • Fix the ownership of the new files:
chown zimbra: postfix_sender_* exceptions-db* ldap-restricrelay.cf
  • Activate the changes:
su - zimbra
zmmtactl restart
  • Test your changes:

Encode the "admin" e-mail address and password in base64:

perl -MMIME::Base64 -e 'print encode_base64("\000admin\@testezimbra.com.br\000123456")'
AGFkbWluQHRlc3RlemltYnJhLmNvbS5icgAxMjM0NTY=

Test SMTP via telnet:

$ telnet vdwuad19.worldweb.com.br 25
Trying 200.155.14.45...
Connected to vdwuad19.worldweb.com.br.
Escape character is '^]'.
220 vdwuad19.worldweb.com.br ESMTP Postfix
ehlo testezimbra.com.br
250-vdwuad19.worldweb.com.br
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
AUTH PLAIN AGFkbWluQHRlc3RlemltYnJhLmNvbS5icgAxMjM0NTY=
235 2.7.0 Authentication successful
mail from: ultra@gmail.com
250 2.1.0 Ok
rcpt to: teste@hotmail.com
553 5.7.1 <ultra@gmail.com>: Sender address rejected: not owned by user admin@testezimbra.com.br
  • Well done!
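As an added example (not code from the wiki page or from Zimbra), the following Python models the decision this procedure configures: it builds the AUTH PLAIN token used in the test above, consults a constructed stand-in for the two tables listed in postfix_sender_login_maps.cf (the hash: exceptions file first, then the ldap: query with the page's query_filter and result_attribute), and applies the owner check that reject_authenticated_sender_login_mismatch performs for authenticated clients. The lookup is a simplification (exact sender address only; Postfix also tries other forms) and all account data is constructed.

```python
import base64
from typing import Dict, List

# Constructed stand-ins for the two tables listed in postfix_sender_login_maps.cf.
# hash:/opt/zimbra/conf/exceptions-db -> "sender address  owner login"
EXCEPTIONS_DB: Dict[str, List[str]] = {
    "johndoe@otherdomain.com": ["admin@testezimbra.com.br"],
}
# ldap:/opt/zimbra/conf/ldap-restricrelay.cf -> accounts carrying the attributes
# named in the page's query_filter and result_attribute (sample data, not real).
LDAP_ACCOUNTS = [
    {"uid": "admin", "zimbraMailDeliveryAddress": "admin@testezimbra.com.br",
     "zimbraMailAlias": ["postmaster@testezimbra.com.br"], "zimbraMailStatus": "enabled"},
    {"uid": "old", "zimbraMailDeliveryAddress": "old@testezimbra.com.br",
     "zimbraMailAlias": [], "zimbraMailStatus": "disabled"},
]


def auth_plain_token(login: str, password: str) -> str:
    """SASL PLAIN initial response: NUL login NUL password, base64 (what the perl one-liner prints)."""
    return base64.b64encode(f"\x00{login}\x00{password}".encode()).decode()


def ldap_owners(sender: str) -> List[str]:
    """Mimic the query_filter: match uid, delivery address or alias on enabled accounts only,
    and return the result_attribute values that identify the owner."""
    owners: List[str] = []
    for acct in LDAP_ACCOUNTS:
        if acct["zimbraMailStatus"] != "enabled":
            continue
        names = [acct["uid"], acct["zimbraMailDeliveryAddress"], *acct["zimbraMailAlias"]]
        if sender.lower() in (n.lower() for n in names):
            owners += [acct["uid"], acct["zimbraMailDeliveryAddress"]]
    return owners


def sender_owners(sender: str) -> List[str]:
    """Tables are searched in the order written in postfix_sender_login_maps.cf: hash first, then ldap."""
    return EXCEPTIONS_DB.get(sender.lower()) or ldap_owners(sender)


def check_mail_from(sasl_login: str, sender: str) -> str:
    """reject_authenticated_sender_login_mismatch for an authenticated session: Postfix accepts
    only if the login name equals one of the sender's owners (case-insensitive comparison)."""
    if any(sasl_login.lower() == o.lower() for o in sender_owners(sender)):
        return "250 2.1.0 Ok"
    return f"553 5.7.1 <{sender}>: Sender address rejected: not owned by user {sasl_login}"
```

In the telnet transcript the 553 is reported at rcpt to: rather than at mail from: because Postfix defers sender restrictions until RCPT TO by default (smtpd_delay_reject), so the verdict this model returns corresponds to the reply the session gets after rcpt to:.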
Verified Against: Zimbra Collaboration 7.0, 6.0 Date Created: 04/16/2014
Article ID: https://wiki.zimbra.com/index.php?title=RestrictPostfixSenders Date Modified: 2015-07-12


