Page 1 of 1

Force SMTP Authentication when sender in domain

Posted: Thu Sep 13, 2018 12:26 pm
by ldelana77
I need to block email that come from port 25 ( SMTP ) when they suppose a sender address that exists in my domain. I received spam email to my domain users requesting bitcon etc...

Surprisingly by default Zimbra doesn't require authentication for email incoming at SMTP when the sender is one of the configured zimbra domain.
For example if I know one email address of your domain I can send email to this account Inbox to itself or other users in the domain.

To test this is easy, suppose mail.example.com your domain and victim@example.com is the known email by attacker/spammer:

telnet example.com 25
HELO example.com
MAIL FROM:<victim@example.com>
RCPT TO:<victim@example.com>
DATA
Account hacked

.

Now you can send email to admin@example.com from victim@example.com as well.

I would to force authentication through 465 port and block incoming SMTP request when sender is one of domain @example.com.

How to do that ?
thanks

Re: Force SMTP Authentication when sender in domain

Posted: Sat Sep 15, 2018 10:45 pm
by ldelana77
Found from the following Zimbra wiki ( https://wiki.zimbra.com/wiki/Enforcing_ ... ername_8.5 ) ; I would suggest to insert some words such as "force smtp auth" because I didn't find it at first from follow search ( https://wiki.zimbra.com/index.php?searc ... +smtp+auth )