Preventing spoofed email
-
- Posts: 23
- Joined: Fri Sep 12, 2014 11:51 pm
Preventing spoofed email
Hello,
I'm looking at preventing local email addresses from being spoofed to send to local recipients. I've been following the article at the following link. The article seems to be missing a step for 8.6. The article shows how to create the hash database, but doesn't show how it's applied to the Zimbra/Postfix config. Is there a zmprov command for adding this?
https://wiki.zimbra.com/wiki/Rejecting_ ... _addresses
Thanks for any help,
Rod
Re: Preventing spoofed email
Best thing to do is set up DKIM signing and an SPF record, so that you are DMARC compliant. Then anyone spoofing your domain will get marked as such (and it'll end up in the spam folder)
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
-
- Posts: 23
- Joined: Fri Sep 12, 2014 11:51 pm
Re: Preventing spoofed email
I just wanted to know how to prevent someone from sending mail into our system from ceo@domain.com to bob@domain.com, and having bob click something bad. I want to know how to add sender restrictions in Zimbra the correct way, without it being overwritten with a restart or an update.
- ccelis5215
- Outstanding Member
- Posts: 632
- Joined: Sat Sep 13, 2014 2:04 am
- Location: Caracas - Venezuela
- ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 P12
Re: Preventing spoofed email
Hi, guessing you are in 8.5 or later.
reason2008 wrote:
> I just wanted to know how to prevent someone from sending mail into our system from ceo@domain.com to bob@domain.com,
look at this https://wiki.zimbra.com/wiki/Enforcing_ ... ername_8.5
reason2008 wrote:
> and having bob click something bad. I want to know how to add sender restrictions in Zimbra the correct way, without it being overwritten with a restart or an update.
You can't do this, any user can click anywhere, you can only prevent someone from receiving some messages...
reason2008 wrote:
> without it being overwritten with a restart or an update.
Again, if you are in 8.5 or later, a restart won't be necessary
ccelis
Re: Preventing spoofed email
and again, if you want to prevent people spoofing from MTAs that are not under your control, you need to implement DKIM and SPF.
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
- ccelis5215
- Outstanding Member
- Posts: 632
- Joined: Sat Sep 13, 2014 2:04 am
- Location: Caracas - Venezuela
- ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 P12
Re: Preventing spoofed email
quanah wrote:
> and again, if you want to prevent people spoofing from MTAs that are not under your control, you need to implement DKIM and SPF.
That's correct; having DKIM and SPF, just add DMARC and you can add an additional layer of security.
Re: Preventing spoofed email
Zimbra 8.6 and later ship with DMARC A/S rules, so there's nothing further to do past setting up SPF and DKIM.
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
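How a DMARC check treats the ceo@domain.com case discussed in this thread, as an added example (not written by any poster, and not Zimbra's or Amavis's code): DMARC passes only when SPF or DKIM passes and its domain aligns with the From: domain. The header strings are constructed, and `org_domain`'s two-label shortcut is an assumption standing in for the Public Suffix List.

```python
import re

def org_domain(domain):
    # Assumption: the last two labels stand in for the organizational domain.
    # A real DMARC verifier derives it from the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(value):
    """Split an Authentication-Results value into (method, result, props)."""
    value = re.sub(r"\([^)]*\)", "", value)        # drop (comments)
    parsed = []
    for clause in value.split(";")[1:]:            # [0] is the authserv-id
        pairs = re.findall(r"([\w.-]+)=([^\s;]+)", clause)
        if pairs:
            (method, result), props = pairs[0], dict(pairs[1:])
            parsed.append((method.lower(), result.lower(), props))
    return parsed

def dmarc_verdict(from_domain, auth_results, strict=False):
    """DMARC passes only if SPF or DKIM passes AND aligns with the From: domain."""
    norm = str.lower if strict else org_domain     # strict vs relaxed alignment
    aligned = []
    for method, result, props in parse_auth_results(auth_results):
        if result != "pass":
            continue
        if method == "spf":
            ident = props.get("smtp.mailfrom", "").rpartition("@")[2]
        elif method == "dkim":
            ident = props.get("header.d", "")
        else:
            continue
        if ident and norm(ident) == norm(from_domain):
            aligned.append(method)
    return ("pass" if aligned else "fail"), aligned

# Constructed headers, all for a message carrying "From: ceo@domain.com".
SPOOFED = "mx.domain.com; spf=pass smtp.mailfrom=bounce@bulk.example; dkim=none"
LEGIT = "mx.domain.com; spf=pass smtp.mailfrom=ceo@domain.com; dkim=pass header.d=domain.com"
VIA_LIST = ("mx.domain.com; spf=pass smtp.mailfrom=bounces@lists.example; "
            "dkim=fail (body hash did not verify) header.d=domain.com")
SUBDOMAIN = "mx.domain.com; spf=none; dkim=pass header.d=mail.domain.com"

if __name__ == "__main__":
    for name in ("SPOOFED", "LEGIT", "VIA_LIST", "SUBDOMAIN"):
        print(name, dmarc_verdict("domain.com", globals()[name]))
```

SPF passing for an unrelated envelope domain does not help the spoofed message, because only an aligned pass counts; a message relayed through a list that altered the body fails for the same reason even though it is genuine.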
- dbayer
- Advanced member
- Posts: 84
- Joined: Thu Oct 09, 2014 9:10 am
- Location: Maine
- ZCS/ZD Version: Zimbra 10.0.5
Re: Preventing spoofed email
Quick Question on this.
I have Zimbra set up to block certain attachment types. Lately spammers have been trying to send blocked attachments by setting the From and To address the same. For example:
To: Daniel@mail.com
From: Daniel@mail.com
Zimbra is sending a notification to Daniel@mail.com for every blocked attachment.
So my question: does Zimbra attachment blocking happen before AV/AS checking DKIM/SPF/DMARC?
Because I have all of those set up, and yet we are having the above issue.
Thanks,
Daniel
-
- Posts: 23
- Joined: Fri Sep 12, 2014 11:51 pm
Re: Preventing spoofed email
quanah wrote:
> and again, if you want to prevent people spoofing from MTAs that are not under your control, you need to implement DKIM and SPF.
Thanks. Definitely looking into it. I do have SPF set up. Haven't done anything with DKIM.
Re: Preventing spoofed email
dbayer wrote:
> Quick Question on this.
> I have Zimbra set up to block certain attachment types. Lately spammers have been trying to send blocked attachments by setting the From and To address the same. For example:
> To: Daniel@mail.com
> From: Daniel@mail.com
> Zimbra is sending a notification to Daniel@mail.com for every blocked attachment.
> So my question: does Zimbra attachment blocking happen before AV/AS checking DKIM/SPF/DMARC?
> Because I have all of those set up, and yet we are having the above issue.
First, I'd generally suggest not hijacking threads, as your answer can easily get lost. Second, the problem here is that both DMARC verification and attachment rejection are done in the same process, and the behavior is different for each. For DMARC failure, the email is assigned a high spam score, but not necessarily discarded. This is because many email lists, for example, have footers that break DMARC, so it's still worthwhile to go through and validate that messages flagged as failing DMARC are actually invalid. When you block attachments, the email is rejected outright. So daniel@mail.com is going to get a notice about that, which is unfortunate. I'm not sure what the best way to handle this scenario is. You could modify the amavis AS to reject or drop rather than deliver for high spam scores, but I don't know if that'll overrule the attachment blocking. It's an interesting question I'll have to bring up to the Amavis author.
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/