How-to-restrict-ssl-login

How to restrict SASL login for a user on postfix level.


   KB 24176        Last updated on 2020-10-5  




0.00
(0 votes)

Overview: We can restrict SASL login for a user on postfix level in Zimbra. Sometime a system administrator needs to block SASL authentication of a user due to various reasons like company policy where web-client is allowed only for some users, account was compromised and spammer is sending spam emails using SASL authentication etc.


Here are the steps to so.

1. Switch to Zimbra user and open smtpd_sender_restrictions.cf using vim editor.

su - zimbra
vim /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf

2. Add this line check_sasl_access lmdb:/opt/zimbra/conf/sasl_access between permit_mynetworks and permit_sasl_authenticated.

permit_mynetworks, reject_sender_login_mismatch
check_sasl_access lmdb:/opt/zimbra/conf/sasl_access_block
permit_sasl_authenticated

3. Create sasl_access_block file and add a user which has to be restricted using sasl authentication.

vim /opt/zimbra/conf/sasl_access_block
user1@labzimbra.com REJECT Sorry, you are not allowed to use SMTP SASL authentication.

Note: You may also use other condition like HOLD or DISCARD etc.

4. Save this file and run postmap command.

postmap /opt/zimbra/conf/sasl_access_block

5. Reload postfix service.

postfix reload 

The following logs entries in the zimbra.log and message should be appeared if a restricted user tries to send an email using SASL authentication.


Log lines from zimbra.log

Oct  5 14:00:33 proxy postfix/smtps/smtpd[32649]: NOQUEUE: reject: RCPT from unknown[172.16.7.222]: 554 5.7.1 <user1@labzimbra.com>: 
SASL login name rejected: Sorry, you are not allowed to use SMTP SASL authentication.; from=<user1@labzimbra.com> to=<user2@labzimbra.com> proto=ESMTP helo=<PNQWB7S2PRKUMA>Rejected 

The following sample email is received by restricted user.

Zimbra-ssl-restricted-01.png

Submitted by: Prabhat Kumar
Verified Against: ZCS 9.0, 8.8, 8.7, Date Created: 2017-08-23
Article ID: https://wiki.zimbra.com/index.php?title=How-to-restrict-ssl-login Date Modified: 2020-10-05



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »


Jump to: navigation, search