SASL domain and From header different domains

6ames
Posts: 1
Joined: Wed May 24, 2023 9:05 am

Post by 6ames »

Hello,
We are using Zimbra 8.8.15 for our clients.
We have noticed that if an account is hacked (getting passwords in any Outlook), hackers can send email through the hacked SASL account, but with their own "From" in the email, trying to phish third-party accounts:

sasl_method=LOGIN, sasl_username=user@domain1.com
postfix/qmgr: 5B0944CD70: from=<info@phissingdomain>, size=23046, nrcpt=2 (queue active)
postfix/smtp: 5B0944CD70: to=<info@targetdomain> status=sent (250 OK id=)

We have checked this issue with simple SMTP software that makes SMTP connections and shows the log. You can log in over SMTP with the correct user and password, and afterwards "MAIL FROM" any domain you want.

Does anyone know a way to avoid this?
The main problem is that if the FROM domain is not an internal domain, then cbpolicy doesn't work and we can't stop the attack (thousands of emails) with ratelimit.

Thank you for your help
zimbra900
Posts: 27
Joined: Wed May 24, 2023 11:05 am
ZCS/ZD Version: 10.0.4 FOSS

Re: SASL domain and From header different domains

Post by zimbra900 »

You can try without exception db from here:

https://wiki.zimbra.com/wiki/Enforcing_ ... ername_8.5
L. Mark Stone
Ambassador
Posts: 2799
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.7 Network Edition

Re: SASL domain and From header different domains

Post by L. Mark Stone »

Easiest way to change the behavior is to execute:

zmprov mcf +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch && zmcontrol restart
This does NOT block separately configured "SendAs" permissions that you have configured.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
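
To see which accounts have already been used this way, the smtpd and qmgr log lines quoted in the first post can be joined on the queue ID. This is an added example, not part of the thread or of Zimbra: the sample log is constructed, the `allowed` map of extra permitted senders (aliases, SendAs) is a hypothetical parameter, and it assumes the SASL login is the full e-mail address.

```python
import re
from collections import defaultdict

# Constructed sample in Postfix syslog style (documentation IPs and domains).
SAMPLE_LOG = """\
May 24 09:01:02 mail postfix/smtpd[2101]: 5B0944CD70: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=user@domain1.com
May 24 09:01:02 mail postfix/qmgr[1500]: 5B0944CD70: from=<info@phish.example>, size=23046, nrcpt=2 (queue active)
May 24 09:01:05 mail postfix/submission/smtpd[2102]: 6C1055DE81: client=unknown[198.51.100.4], sasl_method=PLAIN, sasl_username=alice@domain1.com
May 24 09:01:05 mail postfix/qmgr[1500]: 6C1055DE81: from=<alice@domain1.com>, size=1200, nrcpt=1 (queue active)
May 24 09:01:09 mail postfix/smtpd[2103]: 7D2166EF92: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=user@domain1.com
May 24 09:01:09 mail postfix/qmgr[1500]: 7D2166EF92: from=<billing@phish.example>, size=9000, nrcpt=40 (queue active)
May 24 09:01:12 mail postfix/qmgr[1500]: 8E3277F0A3: from=<>, size=3100, nrcpt=1 (queue active)
"""

# Optional service prefix (e.g. submission/) and [pid]; the queue ID is the join key.
SASL_RE = re.compile(r"postfix/(?:\w+/)?smtpd(?:\[\d+\])?: (\w+): .*sasl_username=([^\s,]+)")
FROM_RE = re.compile(r"postfix/qmgr(?:\[\d+\])?: (\w+): from=<([^>]*)>, size=\d+, nrcpt=(\d+)")

def find_mismatches(log_text, allowed=None):
    """Return {sasl_user: [(queue_id, envelope_sender, nrcpt), ...]} where they differ."""
    allowed = allowed or {}          # hypothetical: {login: {extra permitted senders}}
    sasl_by_qid, seen, hits = {}, set(), defaultdict(list)
    for line in log_text.splitlines():
        m = SASL_RE.search(line)
        if m:
            sasl_by_qid[m.group(1)] = m.group(2).lower()
            continue
        m = FROM_RE.search(line)
        if not m:
            continue
        qid, sender, nrcpt = m.group(1), m.group(2).lower(), int(m.group(3))
        user = sasl_by_qid.get(qid)
        # Skip unauthenticated mail, bounces (from=<>), and requeued messages.
        if user is None or not sender or qid in seen:
            continue
        seen.add(qid)
        if sender != user and sender not in allowed.get(user, ()):
            hits[user].append((qid, sender, nrcpt))
    return dict(hits)

def summarize(hits):
    """One row per login: (login, messages, total recipients), worst first."""
    rows = [(u, len(v), sum(n for _, _, n in v)) for u, v in hits.items()]
    return sorted(rows, key=lambda r: -r[2])

if __name__ == "__main__":
    for row in summarize(find_mismatches(SAMPLE_LOG)):
        print("%s: %d messages, %d recipients" % row)
```
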