Enforcing a match between FROM address and sasl username

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
ahrockz1
Posts: 4
Joined: Mon Mar 11, 2019 8:38 am

Enforcing a match between FROM address and sasl username

Postby ahrockz1 » Sun Mar 29, 2020 1:34 pm

Hi

Zimbra opensource 8.8.11
I used this wiki to enforce smtp.
But it still failed.
I try time and time but this telnet still OK.

My server mail got attack and send spam like crazy from port 25 outside of the internet and i hopeless with zimbra.
I checked /var/log/zimbra.log and those spam mails from everywhere.

I tried Policyd with this guide: https://imanudin.net/2014/09/29/how-to- ... h-policyd/
But from /var/log/zimbra.log, my server is still sending mail outside.

Please, please help me!
Attachments
Capture.PNG
Capture.PNG (17.29 KiB) Viewed 830 times


imanudin11
Outstanding Member
Outstanding Member
Posts: 297
Joined: Sat Sep 13, 2014 2:23 am
ZCS/ZD Version: Release 8.8.15.GA.3829.UBUNTU16.64
Contact:

Re: Enforcing a match between FROM address and sasl username

Postby imanudin11 » Fri Apr 03, 2020 4:56 am

Hello,
1. Please use this guidance for enforce SASL : https://wiki.zimbra.com/wiki/Enforcing_ ... ername_8.5
2. Please make sure MTA trusted only listed localhost IP and your Zimbra IP. For example : 127.0.0.0/8 192.168.10.11/32
3. Please try this improvement to prevent another domain sending email from your server : https://imanudin.net/2014/09/11/improvi ... imbra-8-5/

BR,
https://imanudin.net
Lewis-H
Posts: 49
Joined: Wed Jan 01, 2020 11:28 am
Contact:

Re: Enforcing a match between FROM address and sasl username

Postby Lewis-H » Fri Apr 10, 2020 2:10 pm

To require that the from address of an email match the sender's username:

Edit the zmmta.cf file, by running this command:
vim /opt/zimbra/conf/zmmta.cf
Find this line:
POSTCONF smtpd_sender_restrictions LOCAL postfix_smtpd_sender_restrictions
Below that line add :
Note: Do not forget to include the tab at the beginning of each line:
POSTCONF smtpd_sender_login_maps FILE postfix_sender_login_maps.cf
In ZCS 8
vim /opt/zimbra/conf/zmconfigd.cf
Find this line:
POSTCONF smtpd_sender_restrictions FILE zmconfigd/smtpd_sender_restrictions.cf
Below that line add :
Note: Do not forget to include the tab at the beginning of each line:
POSTCONF smtpd_sender_login_maps FILE postfix_sender_login_maps.cf
Set sender_restriction : (For ZCS 7 and below)
zmlocalconfig -e postfix_smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch

Set sender_restriction : (For ZCS 8 and above)
Edit - /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf
At the very top add - reject_authenticated_sender_login_mismatch
Create file - postfix_sender_login_maps.cf
vim /opt/zimbra/conf/postfix_sender_login_maps.cf
Add :
hash:/opt/zimbra/conf/exceptions-db ldap:/opt/zimbra/conf/ldap-restricrelay.cf

An exceptions file, allows you to declare a different email sender address that a user can have, as a way of bypassing the restriction. Create the exceptions file, by running this command:
vim /opt/zimbra/conf/exceptions-db
(Optional) Add text to the file, one line per address, where the first word is the email sender address and the second word is the username.
Example: johndoe@otherdomain.com admin
Note: You can leave the file empty.

Return to “Administrators”

Who is online

Users browsing this forum: No registered users and 26 guests