Preventing spoofed email

reason2008
Posts: 23
Joined: Fri Sep 12, 2014 11:51 pm

Preventing spoofed email

Post by reason2008 »

Hello,

I'm looking at preventing local email addresses from being spoofed to send to local recipients. I've been following the article at the following link. The article seems to be missing a step for 8.6. The article shows how to create the hash database, but doesn't show how it's applied to the Zimbra/Postfix config. Is there a zmprov command for adding this?

https://wiki.zimbra.com/wiki/Rejecting_ ... _addresses

Thanks for any help,
Rod
quanah
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm

Re: Preventing spoofed email

Post by quanah »

Best thing to do is set up DKIM signing and an SPF record, so that you are DMARC compliant. Then anyone spoofing your domain will get marked as such (and it'll end up in the spam folder).
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
reason2008
Posts: 23
Joined: Fri Sep 12, 2014 11:51 pm

Re: Preventing spoofed email

Post by reason2008 »

I just wanted to know how to prevent someone from sending mail into our system from ceo@domain.com to bob@domain.com, and having bob click something bad. I want to know how to add sender restrictions in Zimbra the correct way, without it being overwritten with a restart or an update.
ccelis5215
Outstanding Member
Posts: 632
Joined: Sat Sep 13, 2014 2:04 am
Location: Caracas - Venezuela
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 P12

Re: Preventing spoofed email

Post by ccelis5215 »

Hi, guessing you are in 8.5 or later.
reason2008 wrote:I just wanted to know how to prevent someone from sending mail into our system from ceo@domain.com to bob@domain.com,
Look at this: https://wiki.zimbra.com/wiki/Enforcing_ ... ername_8.5
reason2008 wrote:and having bob click something bad. I want to know how to add sender restrictions in Zimbra the correct way, without it being overwritten with a restart or an update.
You can't do this; any user can click anywhere. You can only prevent someone from receiving some messages...
reason2008 wrote:without it being overwritten with a restart or an update.
Again, if you are in 8.5 or later, a restart won't be necessary.

ccelis
quanah
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm

Re: Preventing spoofed email

Post by quanah »

and again, if you want to prevent people spoofing from MTAs that are not under your control, you need to implement DKIM and SPF.
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
ccelis5215
Outstanding Member
Posts: 632
Joined: Sat Sep 13, 2014 2:04 am
Location: Caracas - Venezuela
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 P12

Re: Preventing spoofed email

Post by ccelis5215 »

quanah wrote:and again, if you want to prevent people spoofing from MTAs that are not under your control, you need to implement DKIM and SPF.
That's correct. Once you have DKIM and SPF, just add DMARC and you can add an additional layer of security.
quanah
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm

Re: Preventing spoofed email

Post by quanah »

Zimbra 8.6 and later ship with DMARC A/S rules, so there's nothing further to do past setting up SPF and DKIM. :)
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
dbayer
Advanced member
Posts: 84
Joined: Thu Oct 09, 2014 9:10 am
Location: Maine
ZCS/ZD Version: Zimbra 10.0.5

Re: Preventing spoofed email

Post by dbayer »

Quick question on this.

I have Zimbra set up to block certain attachment types. Lately spammers have been trying to send blocked attachments by setting the From and To address the same. For example:

To: Daniel@mail.com
From: Daniel@mail.com

Zimbra is sending a notification to Daniel@mail.com for every blocked attachment.

So my question: does Zimbra attachment blocking happen before AV/AS checking DKIM/SPF/DMARC?

Because I have all of those set up, and yet we are having the above issue.

Thanks,
Daniel
reason2008
Posts: 23
Joined: Fri Sep 12, 2014 11:51 pm

Re: Preventing spoofed email

Post by reason2008 »

quanah wrote:and again, if you want to prevent people spoofing from MTAs that are not under your control, you need to implement DKIM and SPF.
Thanks. Definitely looking into it. I do have SPF set up. Haven't done anything with DKIM.
quanah
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm

Re: Preventing spoofed email

Post by quanah »

dbayer wrote:Quick question on this.

I have Zimbra set up to block certain attachment types. Lately spammers have been trying to send blocked attachments by setting the From and To address the same. For example:

To: Daniel@mail.com
From: Daniel@mail.com

Zimbra is sending a notification to Daniel@mail.com for every blocked attachment.

So my question: does Zimbra attachment blocking happen before AV/AS checking DKIM/SPF/DMARC?

Because I have all of those set up, and yet we are having the above issue.
First, I'd generally suggest not hijacking threads, as your answer can easily get lost. Second, the problem here is that both DMARC verification and attachment rejection are done in the same process, and the behavior is different for each. For DMARC failure, the email is assigned a high spam score, but not necessarily discarded. This is because many email lists, for example, have footers that break DMARC, so it's still worthwhile to go through and validate that messages flagged as failing DMARC are actually invalid. When you block attachments, the email is rejected outright. So daniel@mail.com is going to get a notice about that, which is unfortunate. I'm not sure what the best way to handle this scenario is. You could modify the amavis AS to reject or drop rather than deliver for high spam scores, but I don't know if that'll overrule the attachment blocking. It's an interesting question I'll have to bring up to the Amavis author.
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
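
An added example (not written by any poster in this thread, and not Zimbra or Amavis code) of the DMARC alignment decision the replies above rely on: a message passes only if SPF or DKIM passes for a domain aligned with the From: header, which is why an outside MTA sending as ceo@domain.com fails and why a list that rewrites the body can fail too. Assumptions: relaxed alignment, the organizational domain taken as the last two labels instead of a Public Suffix List lookup, and constructed Authentication-Results values with the made-up domains `bulk.example` and `lists.example`.

```python
import re

def org_domain(domain):
    # Assumption: organizational domain = last two labels. A production
    # evaluator consults the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(header):
    """Return {"spf": [(result, domain)], "dkim": [...]} from a header value."""
    found = {}
    for part in header.split(";")[1:]:          # element [0] is the authserv-id
        m = re.match(r"\s*(spf|dkim)=(\w+)", part)
        if not m:
            continue
        method, result = m.group(1), m.group(2).lower()
        prop = "smtp.mailfrom" if method == "spf" else "header.d"
        d = re.search(re.escape(prop) + r"=(\S+)", part)
        domain = d.group(1).split("@")[-1] if d else ""
        found.setdefault(method, []).append((result, domain))
    return found

def dmarc_result(from_addr, auth_results):
    """DMARC passes only if SPF or DKIM passes for a domain aligned with From:."""
    from_org = org_domain(from_addr.split("@")[-1])
    for checks in parse_auth_results(auth_results).values():
        for result, domain in checks:
            if result == "pass" and domain and org_domain(domain) == from_org:
                return "pass"
    return "fail"

# Constructed samples; domain.com is the thread's placeholder domain.
SAMPLES = {
    # Outside MTA: SPF passes, but for the sender's own envelope domain.
    "spoofed": ("ceo@domain.com",
                "mx.domain.com; spf=pass smtp.mailfrom=bounce@bulk.example; dkim=none"),
    # Genuine mail signed by a subdomain of the From: domain.
    "legit": ("ceo@domain.com",
              "mx.domain.com; spf=pass smtp.mailfrom=ceo@domain.com; dkim=pass header.d=mail.domain.com"),
    # Mailing list added a footer: signature broken, SPF aligned to the list.
    "list": ("bob@domain.com",
             "mx.domain.com; spf=pass smtp.mailfrom=bounces@lists.example; dkim=fail header.d=domain.com"),
}

if __name__ == "__main__":
    for name, (sender, header) in SAMPLES.items():
        print(name, dmarc_result(sender, header))
```

The "list" case is the false-positive quanah describes, which is the reason a DMARC failure is scored as spam instead of being discarded.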