Enforcing a match between FROM address and sasl username
- This article is a Work in Progress, and may be unfinished or missing sections.
Note: To tighten this further, combine this article with the next one, Reject false mail from addresses.
Issue
If a user's password is compromised, the default server setup lets whoever holds it relay mail through the MTA with an envelope sender (MAIL FROM) that differs from the address of the account they authenticated with over SMTP.
The Postfix log for such a message looks like this (the queue ID B28914D5978 ties the lines together):
zimbra1 postfix/smtpd[29431]: B28914D5978: client=xxxxx.server.com[w.x.y.z], sasl_method=LOGIN, sasl_username=user
zimbra1 postfix/cleanup[5522]: B28914D5978: message-id=<20090420154255.B28914D5978@zimbraserver.com>
zimbra1 postfix/qmgr[20690]: B28914D5978: from=<spam@spam.com>, size=6026, nrcpt=10 (queue active)
zimbra1 postfix/cleanup[3983]: 2BA56465D28: message-id=<20090420154255.B28914D5978@zimbraserver.com>
The sasl_username field shows who authenticated (user), while the from= field shows the envelope sender they used (spam@spam.com). This article explains how to make Postfix reject such a message unless the sender address belongs to the authenticated login.
How-to
Zimbra Collaboration 8.8.x, 8.7.x, 8.6
Note: It is not required to add account aliases created via zmprov aaa to the exception database, as these are handled by Zimbra automatically (8.6 and later).
Note: It is not required to add addresses stored in the zimbraAllowFromAddress attribute for an account, as these are handled by Zimbra automatically (8.6 and later).
Optional: use an exception DB
If you want an exception DB so that some people can send as alternate addresses that are neither aliases nor zimbraAllowFromAddress entries (for example an external address), create the file in /opt/zimbra/conf:
cd /opt/zimbra/conf
vi slm-exceptions-db
Each line is the alternate address followed by the login that is allowed to use it. The login must be written exactly as the client authenticates (the sasl_username value seen in the log), for example for the user joe who also sends as joe@gmail.com:
joe@gmail.com joe
Then run postmap (as the zimbra user) to generate the database Postfix actually reads; repeat this after every change to the text file:
postmap slm-exceptions-db
Update zimbraMtaSmtpdRejectUnlistedRecipient and zimbraMtaSmtpdRejectUnlistedSender
zmprov mcf zimbraMtaSmtpdRejectUnlistedRecipient yes
zmprov mcf zimbraMtaSmtpdRejectUnlistedSender yes
zmmtactl restart
zmconfigdctl restart
Set zimbraMtaSmtpdSenderLoginMaps and the sender restriction
If the exception DB is used:
zmprov mcf zimbraMtaSmtpdSenderLoginMaps 'lmdb:/opt/zimbra/conf/slm-exceptions-db, proxy:ldap:/opt/zimbra/conf/ldap-slm.cf' +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch
If the exception DB is not used:
zmprov mcf zimbraMtaSmtpdSenderLoginMaps proxy:ldap:/opt/zimbra/conf/ldap-slm.cf +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch
Edit the file smtpd_sender_restrictions.cf
Edit /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and add reject_sender_login_mismatch after permit_mynetworks. This differs from the reject_authenticated_sender_login_mismatch added above, which only acts on authenticated sessions: reject_sender_login_mismatch additionally rejects unauthenticated clients that use a sender address which, according to the login maps, has an owner. The telnet test at the end of this article exercises that unauthenticated case.
vi /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf
The relevant line should look like this:
permit_mynetworks, reject_sender_login_mismatch
After about a minute, zmconfigd rewrites the Postfix configuration automatically and the new restriction takes effect. Two caveats: because permit_mynetworks comes first, clients connecting from an address in mynetworks are permitted before the login check runs, and the check applies to the envelope sender (MAIL FROM) only; smtpd restrictions never inspect the From: header inside the message. With this in place, a compromised account can only submit mail with the envelope senders that account owns (its own address, its aliases, its zimbraAllowFromAddress entries and any exception DB entries). This file is shipped with Zimbra, so verify the change is still present after an upgrade.
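Before enabling the restriction it is useful to know which existing senders it would reject, and therefore which addresses need an exception DB entry. The following script is an added example, not part of Zimbra or of this article: it correlates the sasl_username of each postfix/smtpd line with the from= of the postfix/qmgr line for the same queue ID, the same pairing shown in the Issue section, and applies an exception table in the slm-exceptions-db format described above. The log lines, the exception entry and the LOCAL_DOMAIN ownership rule (standing in for the LDAP lookup that ldap-slm.cf performs) are constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample Postfix log, modelled on the lines in the Issue section:
# an smtpd line per session, then the qmgr line carrying the envelope sender.
# Queue IDs, hosts and addresses are made up for this example.
SAMPLE_LOG = """\
zimbra1 postfix/smtpd[29431]: B28914D5978: client=host.example.net[203.0.113.5], sasl_method=LOGIN, sasl_username=joe
zimbra1 postfix/cleanup[5522]: B28914D5978: message-id=<20090420154255.B28914D5978@zimbraserver.com>
zimbra1 postfix/qmgr[20690]: B28914D5978: from=<spam@spam.com>, size=6026, nrcpt=10 (queue active)
zimbra1 postfix/smtpd[29431]: 1A2B3C4D5E6: client=host.example.net[203.0.113.5], sasl_method=LOGIN, sasl_username=joe
zimbra1 postfix/qmgr[20690]: 1A2B3C4D5E6: from=<joe@example.com>, size=1200, nrcpt=1 (queue active)
zimbra1 postfix/smtpd[29431]: 7F8E9D0C1B2: client=host.example.net[203.0.113.5], sasl_method=PLAIN, sasl_username=joe
zimbra1 postfix/qmgr[20690]: 7F8E9D0C1B2: from=<joe@gmail.com>, size=900, nrcpt=1 (queue active)
zimbra1 postfix/smtpd[29431]: C3D4E5F6A7B: client=relay.example.net[198.51.100.9]
zimbra1 postfix/qmgr[20690]: C3D4E5F6A7B: from=<someone@elsewhere.example>, size=500, nrcpt=1 (queue active)
"""

# Constructed exception table in the slm-exceptions-db format used by the
# article: "<sender address> <login>" per line.
EXCEPTIONS_DB = """\
joe@gmail.com joe
"""

# Assumption for this example: a login "joe" owns joe@LOCAL_DOMAIN. On a real
# server this ownership comes from LDAP via ldap-slm.cf, not from a constant.
LOCAL_DOMAIN = "example.com"

SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): client=.*?sasl_username=(?P<login>\S+)")
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): from=<(?P<sender>[^>]*)>")


def parse_exceptions(text):
    """Parse slm-exceptions-db text into {sender address: {logins}}."""
    owners = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        addr, *rest = line.split()
        # Postfix map values may list several logins, separated by commas and/or spaces.
        for login in " ".join(rest).replace(",", " ").split():
            owners[addr.lower()].add(login.lower())
    return owners


def owns(login, sender, owners):
    """True if `login` may use `sender`: an exception-DB entry, or the assumed
    rule that a login owns login@LOCAL_DOMAIN (authenticated as either form)."""
    login, sender = login.lower(), sender.lower()
    if login in owners.get(sender, ()):
        return True
    local, at, domain = sender.rpartition("@")
    if at and domain == LOCAL_DOMAIN:
        return login in (local, sender)
    return False  # includes the null sender <>, which has no owner


def audit(log_text, owners):
    """Return (queue_id, login, sender) for every authenticated session whose
    envelope sender the login does not own. Sessions without a sasl_username
    are skipped: there is no login to compare against."""
    logins, senders = {}, {}
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            logins[m["qid"]] = m["login"]
            continue
        m = QMGR_RE.search(line)
        if m:
            senders[m["qid"]] = m["sender"]
    return [(qid, logins[qid], sender)
            for qid, sender in senders.items()
            if qid in logins and not owns(logins[qid], sender, owners)]


if __name__ == "__main__":
    for qid, login, sender in audit(SAMPLE_LOG, parse_exceptions(EXCEPTIONS_DB)):
        print(f"{qid}: {login} sent as <{sender}>, which that login does not own")
```

On the sample data only B28914D5978 is reported: joe@example.com is joe's own address and joe@gmail.com is covered by the exception entry. To run it against a real server, feed it the contents of /var/log/zimbra.log in place of SAMPLE_LOG and the real slm-exceptions-db text; each reported queue ID is either a legitimate send-as case that needs an exception entry or an instance of the abuse this article addresses.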
Test using SMTP
To test it with Telnet, connect to port 25 and, without authenticating, issue MAIL FROM with a local address. Postfix defers most rejections until RCPT TO by default (smtpd_delay_reject = yes), so MAIL FROM is acknowledged with 250 and the rejection only appears at RCPT TO:
Macbook:~ user$ telnet mail.example.com 25
Trying mail.example.com...
Connected to mail.example.com.
Escape character is '^]'.
220 mail.example.com ESMTP Postfix
ehlo mail.example.com
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: admin@example.com
250 2.1.0 Ok
rcpt to: admin@example.com
553 5.7.1 <admin@example.com>: Sender address rejected: not logged in
This exercises the unauthenticated case. To test the authenticated case, authenticate (AUTH, after STARTTLS) as one user and send MAIL FROM an address that user does not own; Postfix then rejects at RCPT TO with a 553 5.7.1 "Sender address rejected: not owned by user" response naming the login.