Hello guys,
I found what I believe to be a security issue on version 8.7.0_GA_1659.FOSS.
Everyone who has this version working, do the following test:
telnet zimbraserver 25
ehlo mail
mail from:test@yourdomain.com
rcpt to:test@yourdomain.com
data
subject: test
test
.
quit
You will see that you are able to do it. To fix it I tried the tasks below, without success.
https://imanudin.net/2014/09/07/how-to- ... ment-15475
https://wiki.zimbra.com/wiki/Rejecting_ ... _and_above
I tried to remove 127.0.0.1 from my zimbraMtaMyNetworks; when I do that, it fixes this issue, but the admin stops receiving any system e-mail and the Zimbra web client is not able to send e-mails.
This failure can be exploited easily if a spammer wants to send fake e-mails.
Does somebody else here have a similar issue?
Thanks all,
Luiz
Security issue on version 8.7.0_GA_1659.FOSS
Re: Security issue on version 8.7.0_GA_1659.FOSS
Congratulations. You made the first step towards understanding how email in general and SMTP in particular work.
Re: Security issue on version 8.7.0_GA_1659.FOSS
Thanks sensor, I think that working together we will have Zimbra always improving; it's good for all!
I will try to exploit it by doing loopback spoofing, and I will post the results here!
If somebody has ideas, let me know please!!
Thanks!
Luiz
- tonster
- Zimbra Employee
- Posts: 313
- Joined: Fri Feb 21, 2014 10:14 am
- Location: Ypsilanti, MI
- ZCS/ZD Version: Release 8.7.0_GA_1659.RHEL6_64_2016
Re: Security issue on version 8.7.0_GA_1659.FOSS
I think you missed sensor's sarcasm. You've identified how email works. This is not a security issue.
Sent from my SM-G925T using Tapatalk
Re: Security issue on version 8.7.0_GA_1659.FOSS
Hello luizfb,
were you able to solve this problem?
It is also described on page https://imanudin.net/2014/09/07/how-to- ... ment-15475
just like yours.
Re: Security issue on version 8.7.0_GA_1659.FOSS
Hello
Today I checked the setting on version 8.7.0 on another production Zimbra and it has the same problem. A user who does not exist in the domain can send mail.
The setting is OK if the sending user exists in the domain.
Best Regards
Re: Security issue on version 8.7.0_GA_1659.FOSS
C'mon. There is nothing strange. You just have to configure your server correctly.
Read this.
https://wiki.zimbra.com/wiki/Rejecting_ ... _addresses
OR
Here is my file
[zimbra@mail ~]$ cat /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf
%%exact VAR:zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch%%
%%contains VAR:zimbraMtaSmtpdSenderRestrictions check_sender_access lmdb:/opt/zimbra/conf/postfix_reject_sender%%
%%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:%%zimbraCBPolicydBindPort%%%%
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re%%
permit_mynetworks
permit_sasl_authenticated
reject_unlisted_sender
reject_sender_login_mismatch
permit_tls_clientcerts
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re%%
No chance to send from a nonexistent sender on this domain (550 5.1.0 : Sender address rejected) right after the rcpt to command.
No chance to send from an existing sender without authentication (553 5.7.1 Sender address rejected: not logged in) right after the rcpt to command.
Tested for Zimbra 8.7.1
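The manual telnet test from the first post, and the 550 / 553 replies the last post says a correctly configured server returns, can be automated so the check is repeatable after every config change. The script below is an added example written for this thread; it is not code from the thread or from Zimbra. It runs EHLO / MAIL FROM / RCPT TO, classifies the reply, and then sends RSET and QUIT, so it never reaches DATA and nothing is queued. Postfix normally evaluates sender restrictions at RCPT TO (smtpd_delay_reject), which is why the thread sees the rejection there; the probe accepts a rejection at either step. All host names and addresses (example.com, probe.example.com, nobody@example.com, admin@example.com) and the two server transcripts used for the offline demonstration are constructed, not captured from any real server.

```python
"""Probe an MTA's sender restrictions without queuing any mail."""
import io
import socket
import sys


def read_reply(rfile):
    """Read one SMTP reply (handles multi-line '250-...' form).
    Returns (code, lines); raises ConnectionError on EOF."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        lines.append(line)
        # Continuation lines carry '-' in column 4; the final line a space.
        if len(line) < 4 or line[3] != "-":
            break
    return int(lines[0][:3]), lines


def sender_probe(rfile, wfile, helo_name, sender, recipient):
    """EHLO / MAIL FROM / RCPT TO over an open connection, then RSET/QUIT.
    Verdict: 'accepted' (RCPT TO got 250: the server would take mail from
    this sender), 'rejected' (5xx at MAIL FROM or RCPT TO), 'tempfail' (4xx)."""
    def cmd(line):
        wfile.write((line + "\r\n").encode("ascii"))
        wfile.flush()
        return read_reply(rfile)

    result = {"steps": {}}
    code, lines = read_reply(rfile)  # greeting banner
    if code != 220:
        raise RuntimeError("unexpected greeting: " + lines[-1])
    code, lines = cmd("EHLO " + helo_name)
    result["steps"]["EHLO"] = code
    if code != 250:
        raise RuntimeError("EHLO refused: " + lines[-1])
    code, lines = cmd("MAIL FROM:<%s>" % sender)
    result["steps"]["MAIL FROM"] = code
    if code == 250:
        # With smtpd_delay_reject=yes Postfix applies sender checks here.
        code, lines = cmd("RCPT TO:<%s>" % recipient)
        result["steps"]["RCPT TO"] = code
    result["last_reply"] = lines[-1]
    if code == 250:
        result["verdict"] = "accepted"
    elif 400 <= code < 500:
        result["verdict"] = "tempfail"
    else:
        result["verdict"] = "rejected"
    cmd("RSET")   # abort the transaction; DATA is never sent
    cmd("QUIT")
    return result


def probe_host(host, port, helo_name, sender, recipient, timeout=10):
    """Connect to host:port and run sender_probe on the live socket."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
            return sender_probe(rfile, wfile, helo_name, sender, recipient)


def probe_transcript(server_replies, sender, recipient):
    """Run the probe against constructed server output held in memory.
    Returns (result, bytes the client sent)."""
    rfile, wfile = io.BytesIO(server_replies), io.BytesIO()
    result = sender_probe(rfile, wfile, "probe.example.com", sender, recipient)
    return result, wfile.getvalue()


# Constructed transcripts (hypothetical; not captured from a real server).
REJECTING_SERVER = (
    b"220 mail.example.com ESMTP Postfix\r\n"
    b"250-mail.example.com\r\n250-PIPELINING\r\n250 8BITMIME\r\n"
    b"250 2.1.0 Ok\r\n"                                   # MAIL FROM
    b"550 5.1.0 <nobody@example.com>: Sender address rejected\r\n"  # RCPT TO
    b"250 2.0.0 Ok\r\n"                                   # RSET
    b"221 2.0.0 Bye\r\n"
)
ACCEPTING_SERVER = (
    b"220 mail.example.com ESMTP Postfix\r\n"
    b"250-mail.example.com\r\n250 8BITMIME\r\n"
    b"250 2.1.0 Ok\r\n"
    b"250 2.1.5 Ok\r\n"                                   # RCPT TO accepted
    b"250 2.0.0 Ok\r\n"
    b"221 2.0.0 Bye\r\n"
)

if __name__ == "__main__":
    if len(sys.argv) == 4:   # usage: probe.py <host> <fake-sender> <recipient>
        r = probe_host(sys.argv[1], 25, "probe.example.com", sys.argv[2], sys.argv[3])
        print(r["verdict"], r["last_reply"])
    else:
        for name, t in (("rejecting", REJECTING_SERVER), ("accepting", ACCEPTING_SERVER)):
            r, _ = probe_transcript(t, "nobody@example.com", "admin@example.com")
            print(name, r["verdict"], r["last_reply"])
```

Run it against your own MTA with a sender address on your domain that does not exist, from a host that is not in zimbraMtaMyNetworks; a verdict of "accepted" reproduces the thread's problem, and "rejected" with a 550 5.1.0 or 553 5.7.1 reply matches the configuration in the last post. Because the probe never sends DATA, it is safe to run against production.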