sendAs, sendAsDistList and enforcing match between from address and sasl username

Posted: Sat Oct 06, 2018 4:00 pm
by seblu
Hello,

I'm running a fresh Zimbra 8.8.10 server with enforcement between from address and SASL username configured as explained here: https://wiki.zimbra.com/wiki/Enforcing_ ... ername_8.5.

I understand that the recommended way to add extra allowed addresses is:
  • zimbraAllowFromAddress for external addresses;
  • a sendAs grant for a local account;
  • a sendAsDistList grant for a local distribution list.
It works as expected from the web interface, but when using an external mailer, the MTA denies with "Sender address rejected: not owned by user".
That makes sense when you read the code in /opt/zimbra/conf/ldap-slm.cf: nothing matches the permissions granted in user or list accounts.
If I understand correctly, it works in the web interface because the MTA trusts the network via permit_mynetworks, so the checks are bypassed.

Currently, I work around that with a slm-exceptions-db. But I need to keep this file in sync with the permissions granted to user and list accounts. Not to mention that slm-exceptions-db overrides values defined in the LDAP config, so the merge is not trivial.

Is this expected behavior? Did I miss a better way to configure this?
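
The sync-and-merge problem described in the post, as an added example that is not part of the original post or of Zimbra's own code: it builds exception entries from a list of send grants and keeps the mailbox owner in each entry, since an exception entry overrides the LDAP result. Assumptions: the grant list, the account set and the right name `someOtherRight` are constructed sample data, and the output uses the standard Postfix sender-login map layout (sender address, then a comma-separated list of SASL logins).

```python
from collections import defaultdict

# Constructed sample data (hypothetical): (target address, right, grantee login).
GRANTS = [
    ("sales@example.com", "sendAsDistList", "alice@example.com"),
    ("sales@example.com", "sendAsDistList", "bob@example.com"),
    ("bob@example.com", "sendAs", "alice@example.com"),
    ("carol@example.com", "someOtherRight", "alice@example.com"),  # not a send right
]
# Constructed: addresses that are mailboxes with their own SASL login.
ACCOUNTS = {"alice@example.com", "bob@example.com", "carol@example.com"}
# Only these two rights, named in the post, allow sending from another address.
SEND_RIGHTS = {"sendAs", "sendAsDistList"}


def build_exceptions(grants, accounts):
    """Return {sender address: ordered list of SASL logins allowed to use it}."""
    table = defaultdict(list)
    for target, right, grantee in grants:
        if right not in SEND_RIGHTS:
            continue
        target, grantee = target.lower(), grantee.lower()
        # An exception entry replaces the LDAP answer for that address, so the
        # owner of a mailbox must be listed too or they lose their own address.
        if target in accounts and target not in table[target]:
            table[target].append(target)
        if grantee not in table[target]:
            table[target].append(grantee)
    return dict(table)


def render(table):
    """Render the table as Postfix map source text, one sender per line."""
    return "".join(
        f"{addr}\t{','.join(logins)}\n" for addr, logins in sorted(table.items())
    )


if __name__ == "__main__":
    print(render(build_exceptions(GRANTS, ACCOUNTS)), end="")
```

Regenerating the whole file from the current grants on each run, rather than editing it by hand, also drops entries for grants that have been revoked.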