Rejecting false "mail from" addresses

By admin at 2020-01-04

- This article is a Work in Progress, and may be unfinished or missing sections.


Note: To increase security, please combine this article with the next one, about enforcing a match between the FROM address and SASL username, for Zimbra Collaboration 8.5 and above.

By default, when a connection to ZCS postfix declares "mail from: local sender" (even if it is not), the connection/email is accepted for local delivery. This wiki provides steps to block such connections. Once the following is configured, postfix will accept "mail from: local sender" only if the connection is made from a host in "mynetworks" OR the sender is SASL authenticated.

Modify "smtpd_sender_restrictions". We add a check before allowing a normal SMTP connection: hosts in mynetworks are allowed first, then SASL-authenticated senders, and then the sender address is checked against the local domains. If it matches, the connection is rejected.

Zimbra Collaboration 8.5 and above

For Zimbra Collaboration 8.5 and above, please use the following commands to increase security and reject the logins for users that don't exist in LDAP:

zmprov mcf zimbraMtaSmtpdRejectUnlistedRecipient yes
zmprov mcf zimbraMtaSmtpdRejectUnlistedSender yes
zmmtactl restart
zmconfigdctl restart

For Zimbra Collaboration 8.0.x and previous

Zimbra Collaboration 8.0.x

For Zimbra Collaboration 8.0.x, open the file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and add this line in the middle of the file, before the tag_as_foreign.re lines:

 check_sender_access hash:/opt/zimbra/conf/domainrestrict

It should look like this:

...
check_sender_access hash:/opt/zimbra/conf/domainrestrict
%%contains VAR:zimbraServiceEnabled antivirus^ check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re%%

Zimbra Collaboration 7.x

For Zimbra Collaboration 7.x, follow these steps:

 su - zimbra
 zmlocalconfig -e postfix_smtpd_sender_restrictions="reject_unknown_sender_domain, permit_mynetworks, permit_sasl_authenticated, check_sender_access hash:/opt/zimbra/conf/domainrestrict, permit"

The remaining steps are the same for ZCS 8.0.x and previous versions

  • Create the file "/opt/zimbra/conf/domainrestrict" and add your domain(s) to it.

 localdomain.com   REJECT
 anotherlocaldomain.com   REJECT

You can also add a friendly (or not so friendly) message, for example:

 localdomain.com   REJECT   You're not me!
 anotherlocaldomain.com REJECT   You're not me!

  • Create the hash database of "/opt/zimbra/conf/domainrestrict". Run this as the 'zimbra' user.

 postmap  /opt/zimbra/conf/domainrestrict

  • Restart zmmtactl.

 zmmtactl stop
 zmmtactl start

Testing

Make the following connection from a non-local host which is not part of mynetworks.

 telnet ZCS_server_address 25
 mail from: user@localdomain.com
 rcpt to: user2@localdomain.com

You should get the following error at the rcpt command if you used the Zimbra Collaboration 8.6 steps:

550 5.1.0 <hi@example.com>: Sender address rejected: example.com

If you used the domainrestrict steps, you should get the following error at the rcpt command:

 554 5.7.1 <user@localdomain.com>: Sender address rejected: You're not me!
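The outcomes to expect from the 7.x/8.0.x restriction chain, as an added example that is not part of the original wiki: a simplified Python model of "permit_mynetworks, permit_sasl_authenticated, check_sender_access, permit". It leaves out reject_unknown_sender_domain (which needs DNS) and only looks up the sender's domain; the mynetworks values, the client addresses and the function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample data (assumptions, not taken from a real server).
DOMAINRESTRICT = """\
localdomain.com   REJECT   You're not me!
anotherlocaldomain.com REJECT   You're not me!
"""
MYNETWORKS = ["127.0.0.0/8", "10.0.0.0/24"]


def parse_access_table(text):
    """Parse 'key ACTION [text]' lines as written in the domainrestrict file."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if not parts or parts[0].startswith("#"):
            continue
        action = parts[1].upper() if len(parts) > 1 else "DUNNO"
        table[parts[0].lower()] = (action, parts[2] if len(parts) > 2 else "")
    return table


def sender_decision(client_ip, sasl_user, mail_from, table, mynetworks=MYNETWORKS):
    """Walk the chain in order; the first restriction that matches decides."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in mynetworks):
        return "permit (permit_mynetworks)"
    if sasl_user:
        return "permit (permit_sasl_authenticated)"
    # check_sender_access: look up the sender's domain in the table.
    domain = mail_from.rpartition("@")[2].lower()
    action, text = table.get(domain, ("DUNNO", ""))
    if action == "REJECT":
        reason = text or "Access denied"
        return f"554 5.7.1 <{mail_from}>: Sender address rejected: {reason}"
    return "permit (end of chain)"


if __name__ == "__main__":
    table = parse_access_table(DOMAINRESTRICT)
    cases = [
        ("203.0.113.7", None, "user@localdomain.com"),    # outside host, forged local sender
        ("203.0.113.7", "user", "user@localdomain.com"),  # same host, SASL authenticated
        ("10.0.0.5", None, "user@localdomain.com"),       # host inside mynetworks
        ("203.0.113.7", None, "someone@example.org"),     # ordinary inbound mail
        ("203.0.113.7", None, ""),                        # MAIL FROM:<> (DSN), no table key
    ]
    for ip, user, sender in cases:
        print(f"{ip:<12} sasl={user!s:<5} from=<{sender}> -> {sender_decision(ip, user, sender, table)}")
```

Only the first case is rejected; a host that sits inside mynetworks is never checked against domainrestrict, so keep that list as narrow as possible.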

Special case of empty 'mail from' address

Emails can still be sent if the 'mail from:' address is blank, but the 'from' address is specified in the body of the email. This is expected behaviour, and is required by RFC 3464:

  • The From field of the message header of the DSN SHOULD contain the address of a human who is responsible for maintaining the mail system at the Reporting MTA site (e.g., Postmaster), so that a reply to the DSN will reach that person.

  • ...

  • Whenever an SMTP transaction is used to send a DSN, the MAIL FROM command MUST use a NULL return address, i.e., "MAIL FROM:<>".

If you want to enforce a match between the FROM address and SASL username, use the following wiki for Zimbra Collaboration 8.5 and above: https://wiki.zimbra.com/wiki/Enforcing_a_match_between_FROM_address_and_sasl_username_8.5

