Force SMTP Authentication when sender in domain

ldelana77
Posts: 3
Joined: Thu Sep 13, 2018 11:30 am

Post by ldelana77 »

I need to block emails that come in on port 25 (SMTP) when they claim a sender address that exists in my domain. I received spam emails to my domain users requesting bitcoin etc...

Surprisingly, by default Zimbra doesn't require authentication for email incoming over SMTP when the sender is in one of the configured Zimbra domains.
For example, if I know one email address of your domain, I can send email to this account's Inbox (to itself) or to other users in the domain.

Testing this is easy. Suppose mail.example.com is your domain and victim@example.com is the email address known by the attacker/spammer:

telnet example.com 25
HELO example.com
MAIL FROM:<victim@example.com>
RCPT TO:<victim@example.com>
DATA
Account hacked

.

Now you can send email to admin@example.com from victim@example.com as well.

I would like to force authentication through port 465 and block incoming SMTP requests when the sender is in the domain @example.com.

How to do that?
Thanks

Re: Force SMTP Authentication when sender in domain

Post by ldelana77 »

Found it in the following Zimbra wiki page ( https://wiki.zimbra.com/wiki/Enforcing_ ... ername_8.5 ); I would suggest inserting some words such as "force smtp auth" because I didn't find it at first with the following search ( https://wiki.zimbra.com/index.php?searc ... +smtp+auth )
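
Added example, not part of the original posts: a way to check from the MTA log whether the situation described in this thread is occurring. It correlates Postfix log lines by queue ID and flags messages whose envelope sender is in a local domain while the smtpd session carried no `sasl_username` and came from outside the trusted networks. The log lines, `LOCAL_DOMAINS` and `TRUSTED_NETS` are constructed sample values, and the line layout assumes the standard Postfix syslog format.

```python
import ipaddress
import re

# Assumptions for this example: your hosted domains and trusted relay networks.
LOCAL_DOMAINS = {"example.com"}
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample lines in the standard Postfix syslog layout.
SAMPLE_LOG = """\
Sep 13 11:02:01 mail postfix/smtpd[2101]: 4A1B2C3D4E: client=unknown[203.0.113.7]
Sep 13 11:02:02 mail postfix/qmgr[1500]: 4A1B2C3D4E: from=<victim@example.com>, size=412, nrcpt=1 (queue active)
Sep 13 11:03:10 mail postfix/smtpd[2102]: 5B2C3D4E5F: client=laptop[198.51.100.9], sasl_method=PLAIN, sasl_username=bob@example.com
Sep 13 11:03:11 mail postfix/qmgr[1500]: 5B2C3D4E5F: from=<bob@example.com>, size=900, nrcpt=1 (queue active)
Sep 13 11:04:20 mail postfix/smtpd[2103]: 6C3D4E5F60: client=mx.other.test[192.0.2.25]
Sep 13 11:04:21 mail postfix/qmgr[1500]: 6C3D4E5F60: from=<alice@other.test>, size=700, nrcpt=1 (queue active)
Sep 13 11:05:30 mail postfix/smtpd[2104]: 7D4E5F6071: client=localhost[127.0.0.1]
Sep 13 11:05:31 mail postfix/qmgr[1500]: 7D4E5F6071: from=<cron@example.com>, size=300, nrcpt=1 (queue active)
"""

# smtpd logs the client (plus sasl_* fields when authenticated); qmgr logs the envelope sender.
CLIENT_RE = re.compile(r"smtpd\[\d+\]: (\w+): client=[^\[\s]*\[([0-9A-Fa-f.:]+)\](.*)")
FROM_RE = re.compile(r"qmgr\[\d+\]: (\w+): from=<([^>]*)>")


def find_unauthenticated_local_senders(log_text):
    """Return (queue_id, client_ip, sender) for local-domain senders accepted without SMTP AUTH."""
    sessions = {}  # queue_id -> (client_ip, authenticated)
    findings = []
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            qid, ip, rest = m.groups()
            sessions[qid] = (ip, "sasl_username=" in rest)
            continue
        m = FROM_RE.search(line)
        # pop() so a requeued message is reported only once
        session = sessions.pop(m.group(1), None) if m else None
        if session is None:
            continue
        ip, authenticated = session
        sender = m.group(2)
        domain = sender.rpartition("@")[2].lower()
        trusted = any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)
        if domain in LOCAL_DOMAINS and not authenticated and not trusted:
            findings.append((m.group(1), ip, sender))
    return findings


if __name__ == "__main__":
    for qid, ip, sender in find_unauthenticated_local_senders(SAMPLE_LOG):
        print(f"{qid}: {sender} accepted from {ip} without SMTP AUTH")
```

After the sender/login enforcement is in place, the same check run over fresh logs should return no findings for your domains.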