Rejecting false "mail from" addresses
- This article is a Work in Progress, and may be unfinished or missing sections.
Note: To increase security, combine this article with the next one, about enforcing a match between the FROM address and the SASL username, for Zimbra Collaboration 8.5 and above.
By default, any connection made to ZCS postfix that declares "mail from: local sender" (even if it is not a local sender) is accepted for local delivery. This wiki provides steps to block such connections. Once the following is configured, postfix will accept "mail from: local sender" only if the connection is made from a host in "mynetworks" OR the sender is SASL authenticated.
Modify "smtpd_sender_restrictions". We are adding a check before allowing a normal SMTP connection: hosts in mynetworks are permitted first, then SASL-authenticated senders, and then the sender address is checked against the local domains. If the sender claims a local domain address and neither of the earlier permits applied, the connection is rejected.
Zimbra Collaboration 8.5 and above
For Zimbra Collaboration 8.5 and above, use the following commands to increase security and reject sender and recipient addresses that don't exist in the LDAP:
zmprov mcf zimbraMtaSmtpdRejectUnlistedRecipient yes
zmprov mcf zimbraMtaSmtpdRejectUnlistedSender yes
zmmtactl restart
zmconfigdctl restart
For Zimbra Collaboration 8.0.x and previous
Zimbra Collaboration 8.0.x
For Zimbra Collaboration 8.0.x, open the file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and add this line in the middle of the file, before the tag_as_foreign.re lines:
check_sender_access hash:/opt/zimbra/conf/domainrestrict
It should look like this:
...
check_sender_access hash:/opt/zimbra/conf/domainrestrict
%%contains VAR:zimbraServiceEnabled antivirus^ check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re%%
Zimbra Collaboration 7.x
For Zimbra Collaboration 7.x, follow these steps:
su - zimbra
zmlocalconfig -e postfix_smtpd_sender_restrictions="reject_unknown_sender_domain, permit_mynetworks, permit_sasl_authenticated, check_sender_access hash:/opt/zimbra/conf/domainrestrict, permit"
The remaining steps are the same for ZCS 8.0.x and previous versions
Create the file "/opt/zimbra/conf/domainrestrict" and add your domain(s) to it.
localdomain.com REJECT
anotherlocaldomain.com REJECT
You can also add a friendly (or unfriendly) rejection message, like this:
localdomain.com REJECT You're not me!
anotherlocaldomain.com REJECT You're not me!
Create the hash database from "/opt/zimbra/conf/domainrestrict". Run this as the 'zimbra' user.
postmap /opt/zimbra/conf/domainrestrict
Restart the MTA with zmmtactl.
zmmtactl stop
zmmtactl start
Testing
Make the following connection from a non-local host that is not part of mynetworks.
telnet ZCS_server_address 25
mail from: user@localdomain.com
rcpt to: user2@localdomain.com
You should get the following error at the rcpt command if you used the Zimbra Collaboration 8.6 steps:
550 5.1.0 <hi@example.com>: Sender address rejected: example.com
Otherwise, you should get the following error at the rcpt command:
554 5.7.1 <user@localdomain.com>: Sender address rejected: You're not me!
Special case of empty 'mail from' address
Emails can still be sent if the 'mail from:' address is blank but the 'from' address is specified in the body of the email. This is expected behaviour, and is required by RFC 3464:
The From field of the message header of the DSN SHOULD contain the address of a human who
is responsible for maintaining the mail system at the Reporting MTA site (e.g., Postmaster), so that
a reply to the DSN will reach that person.
...
Whenever an SMTP transaction is used to send a DSN, the MAIL FROM command MUST use a
NULL return address, i.e., "MAIL FROM:<>".
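To make the behaviour of the restriction chain and of the domainrestrict map concrete, here is an added example (not part of this wiki article or of Zimbra's code) that emulates, in Python, the order postfix evaluates permit_mynetworks, permit_sasl_authenticated and check_sender_access, including the access(5) lookup order (full address, domain and its parent domains, then localpart@) and why the null sender "<>" is not matched by a domain entry. The mynetworks value, the client addresses and the map contents are constructed sample data; the parent-domain walk is a simplified emulation of postfix's default parent_domain_matches_subdomains behaviour.

```python
import ipaddress

# Constructed sample of /opt/zimbra/conf/domainrestrict (assumed contents, not a real file)
DOMAINRESTRICT = """\
# key                   action [optional reply text]
localdomain.com         REJECT You're not me!
anotherlocaldomain.com  REJECT
"""

MYNETWORKS = ["127.0.0.0/8", "192.168.10.0/24"]  # assumed value of postfix mynetworks

def parse_access_map(text):
    """Parse access(5) table lines into {key: (action, reply_text)}; keys are lower-cased."""
    table = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 2)
        if not parts or parts[0].startswith("#"):
            continue
        action = parts[1].upper() if len(parts) > 1 else ""
        msg = parts[2] if len(parts) > 2 else ""
        table[parts[0].lower()] = (action, msg)
    return table

def sender_access_lookup(table, sender):
    """Emulate check_sender_access lookup order: full address, the domain and each
    parent domain (simplified), then localpart@. The null sender <> only matches a
    literal '<>' key, so domain entries never block a bounce/DSN (RFC 3464)."""
    if sender in ("", "<>"):
        return table.get("<>")
    sender = sender.lower()
    if sender in table:
        return table[sender]
    localpart, _, domain = sender.rpartition("@")
    labels = domain.split(".")
    for i in range(len(labels)):          # localdomain.com, then com, ...
        if ".".join(labels[i:]) in table:
            return table[".".join(labels[i:])]
    return table.get(localpart + "@")

def smtpd_sender_restrictions(client_ip, sasl_authenticated, sender, table):
    """Emulate the chain this article configures: permit_mynetworks,
    permit_sasl_authenticated, check_sender_access hash:domainrestrict."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(net) for net in MYNETWORKS):
        return "PERMIT (mynetworks)"
    if sasl_authenticated:
        return "PERMIT (sasl_authenticated)"
    hit = sender_access_lookup(table, sender)
    if hit and hit[0] == "REJECT":
        # postfix defaults: access_map_reject_code 554, reply text "Access denied"
        return "554 5.7.1 <%s>: Sender address rejected: %s" % (sender, hit[1] or "Access denied")
    return "DUNNO"  # no decision here; later restrictions decide
```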
If you want to enforce a match between the FROM address and the SASL username, see the following wiki page for Zimbra Collaboration 8.5 and above: https://wiki.zimbra.com/wiki/Enforcing_a_match_between_FROM_address_and_sasl_username_8.5