Rejecting false mail from addresses

[alex.k]

Hi
could you please help me i’m using Zimbra
Release 8.8.9.GA.3019.UBUNTU16.64 UBUNTU16_64 FOSS edition, Patch 8.8.9_P4.

using telnet the smtp server allows me to use a fake “from” to send mails to the domain configured in zimbra.

Maybe someone have an idea how to fix this behavior?

Thanks

telnet mail.example.com 25
Trying XX.XX.XX.XX...
Connected to mail.example.com.
Escape character is '^]'.
220 ******************************
helo mail
250 mail.example.com
mail from:test@exampleNO.com
250 2.1.0 Ok
rcpt to:test@example.com
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
.
250 2.0.0 Ok: queued as BE7816695E2



mynetworks = 127.0.0.0/8 10.200.4.4/32 for nat

zmprov gacf zimbraMtaSmtpdSenderRestrictions
zimbraMtaSmtpdSenderRestrictions: reject_authenticated_sender_login_mismatch

zmprov gacf zimbraMtaSmtpdRejectUnlistedRecipient
zimbraMtaSmtpdRejectUnlistedRecipient: yes

zmprov gacf zimbraMtaSmtpdRejectUnlistedSender
zimbraMtaSmtpdRejectUnlistedSender: yes

zmprov gcf zimbraMtaSmtpdSenderLoginMaps
zimbraMtaSmtpdSenderLoginMaps: proxy:ldap:/opt/zimbra/conf/ldap-slm.cf


smtp_sender_restrictions.cf
%%exact VAR:zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch%%
%%contains VAR:zimbraMtaSmtpdSenderRestrictions check_sender_access lmdb:/opt/zimbra/conf/postfix_reject_sender%%
%%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:%%zimbraCBPolicydBindPort%%%%
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re%%
permit_mynetworks
reject_sender_login_mismatch
permit_sasl_authenticated
reject_unlisted_sender
reject_authenticated_sender_login_mismatch
permit_tls_clientcerts
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re%%

[fferraro87]

maybe you can use cpolicyd please see https://wiki.zimbra.com/wiki/How-to_for_cbpolicyd
and configure accesscontrol in order to send email only from selected domain

[pup_seba]

It is curious to see how a question and an answer referring to this subject, do not reference this wiki https://wiki.zimbra.com/wiki/Rejecting_ ... _addresses

edit:
Just got in front of the computer and now I see what the question was and why my previous link is not the thing you need. I think that what you are looking for is a pretty basic postfix verification named "reject_unknown_sender_domain" I don't remember how it is called in zimbra but I do remember that is a configuration you could change directly from the webUI under MTA configuration.

[alex.k]

Settings for these articles from the wiki were carried out, but unfortunately it did not help.
https://wiki.zimbra.com/wiki/Rejecting_ ... _addresses
https://wiki.zimbra.com/wiki/Enforcing_ ... ername_8.5

Does anyone have the opportunity to check the connection on your telnet server as in my example?

[pup_seba]

The reason why those seetings don't work, is the reason of my "edit" in my previous comment.

I'll say it clear here, you need to enable under "global config > mta", the configuration named reject_unknown_sender_domain. Save the changes and give it a minute for changes to take effect.

[alex.k]

The reason why those seetings don't work, is the reason of my "edit" in my previous comment.

I'll say it clear here, you need to enable under "global config > mta", the configuration named reject_unknown_sender_domain. Save the changes and give it a minute for changes to take effect.

All perfectly. thank you, you helped a lot