Hello,
We are using Zimbra 8.8.15 for our clients.
We notice that if an account is hacked (getting passwords in any Outlook), hackers can send email through the hacked SASL account, but with their own "from" in the email, trying to phish third accounts:
sasl_method=LOGIN, sasl_username=user@domain1.com
postfix/qmgr: 5B0944CD70: from=<info@phissingdomain>, size=23046, nrcpt=2 (queue active)
postfix/smtp: 5B0944CD70: to=<info@targetdomain> status=sent (250 OK id=)
We have checked this issue with simple SMTP software to make SMTP connections and show the log. You can log in by SMTP with a correct user and password, and after that "MAIL FROM" whatever domain you want.
Does anyone know a way to avoid this?
The main problem is that if the FROM domain is not an internal domain, then cbpolicyd doesn't work and we can't stop the attack (thousands of emails) with rate limiting.
Thank you for your help
SASL domain and From header different domains
- L. Mark Stone
Re: SASL domain and From header different domains
Easiest way to change the behavior is to execute:
Code:
zmprov mcf +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch && zmcontrol restart
This does NOT block separately configured "SendAs" permissions that you have configured.
Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
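Added example, not from the thread and not Zimbra's or Postfix's own code: the script below does, over Postfix logs, the same check that reject_authenticated_sender_login_mismatch applies at SMTP time. It correlates the smtpd line (sasl_username) with the qmgr line (envelope from=) by queue ID, then flags any authenticated message whose MAIL FROM is neither the login itself nor an address the login is allowed to use. The log lines are constructed, modelled on the excerpt in the question (queue IDs, hostnames and the extra sessions are invented), and ALLOWED_SENDERS is a hypothetical stand-in for smtpd_sender_login_maps, i.e. the SendAs grants the answer says are not blocked. Useful for finding how much of this went through before the restriction was enabled, and for checking the restriction afterwards.

```python
"""Correlate Postfix smtpd/qmgr lines by queue ID and flag authenticated
sessions whose envelope sender does not belong to the SASL login.

Added example. The rule implemented in sender_allowed() mirrors what
reject_authenticated_sender_login_mismatch enforces in Postfix; here a
dict stands in for smtpd_sender_login_maps.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the thread's excerpt. Session 5B0944CD70 is
# the attack pattern; 7C1A55DE81 is a normal user; 8D2B66EF92 uses a SendAs grant.
SAMPLE_LOG = """\
Jan 10 10:00:01 mail postfix/smtpd[2101]: 5B0944CD70: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=user@domain1.com
Jan 10 10:00:01 mail postfix/qmgr[1999]: 5B0944CD70: from=<info@phishingdomain.example>, size=23046, nrcpt=2 (queue active)
Jan 10 10:00:02 mail postfix/smtp[2150]: 5B0944CD70: to=<info@targetdomain.example>, relay=mx.targetdomain.example[198.51.100.7]:25, status=sent (250 OK)
Jan 10 10:05:11 mail postfix/smtpd[2102]: 7C1A55DE81: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=alice@domain1.com
Jan 10 10:05:11 mail postfix/qmgr[1999]: 7C1A55DE81: from=<alice@domain1.com>, size=1024, nrcpt=1 (queue active)
Jan 10 10:07:30 mail postfix/smtpd[2103]: 8D2B66EF92: client=unknown[198.51.100.9], sasl_method=PLAIN, sasl_username=bob@domain1.com
Jan 10 10:07:30 mail postfix/qmgr[1999]: 8D2B66EF92: from=<sales@domain2.com>, size=2048, nrcpt=1 (queue active)
"""

# Hypothetical SendAs grants (stand-in for smtpd_sender_login_maps):
# login -> envelope senders that login may use besides its own address.
ALLOWED_SENDERS = {
    "bob@domain1.com": {"sales@domain2.com"},
}

# "postfix/<program>[pid]: <queue id>: <rest>" as logged by Postfix.
QUEUE_LINE = re.compile(r"postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)")
SASL_USER = re.compile(r"sasl_username=(?P<login>\S+)")
ENV_FROM = re.compile(r"from=<(?P<sender>[^>]*)>")


def parse_sessions(log_text):
    """Return {queue_id: {"login": ..., "sender": ...}} built from the
    smtpd (login) and qmgr (envelope sender) lines that share a queue ID."""
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        m = QUEUE_LINE.search(line)
        if not m:
            continue
        qid, prog, rest = m.group("qid"), m.group("prog"), m.group("rest")
        if prog == "smtpd":
            s = SASL_USER.search(rest)
            if s:
                sessions[qid]["login"] = s.group("login").lower()
        elif prog == "qmgr":
            f = ENV_FROM.search(rest)
            if f:
                sessions[qid]["sender"] = f.group("sender").lower()
    return dict(sessions)


def sender_allowed(login, sender, allowed=ALLOWED_SENDERS):
    """The login may use its own address or any address its map entry grants.
    Any other MAIL FROM is what reject_authenticated_sender_login_mismatch
    rejects. The null sender (bounces) is left alone in this example."""
    if sender == "":
        return True
    return sender == login or sender in allowed.get(login, set())


def find_mismatches(log_text, allowed=ALLOWED_SENDERS):
    """List (queue_id, login, sender) for every authenticated message whose
    envelope sender the login was not entitled to use."""
    hits = []
    for qid, info in sorted(parse_sessions(log_text).items()):
        if "login" in info and "sender" in info:
            if not sender_allowed(info["login"], info["sender"], allowed):
                hits.append((qid, info["login"], info["sender"]))
    return hits


if __name__ == "__main__":
    for qid, login, sender in find_mismatches(SAMPLE_LOG):
        print(f"{qid}: {login} authenticated but sent as {sender}")
```

Run it against a real /var/log/zimbra.log or mail.log by passing the file contents to find_mismatches(); a compromised account shows up as one login paired with many foreign senders. Once the restriction from the answer is in place, the same pattern appears instead as "Sender address rejected: not owned by user" rejections in the smtpd lines, and the qmgr line never follows.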