As a powerful mail server, Zimbra has some system security features applied by default. We can also apply additional security policies to increase mail server protection, such as PolicyD and Fail2Ban.
All of the above security rules may be sufficient, but there are some additional security tips that should be considered, especially in the case of SMTP authorization.
Look at the following mail delivery flows, sent from or into Zimbra:
From: External User, To: External User. Result: Relay Access Denied
telnet mail.mycompanydomain.co.id 25
Trying 103.XXX.XXX.XXX...
Connected to mail.mycompanydomain.co.id.
Escape character is '^]'.
220 mail.mycompanydomain.co.id ESMTP Postfix
ehlo mail
250-mail.mycompanydomain.co.id
250-PIPELINING
250-SIZE 51200000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:vivianchow@yahoo.com
250 2.1.0 Ok
rcpt to:zezevavai@gmail.com
554 5.7.1 <zezevavai@gmail.com>: Relay access denied
From: External User, To: Zimbra User. Result: Accepted, with prior scanning for spam and viruses
telnet mail.mycompanydomain.co.id 25
Trying 103.XXX.XXX.XXX...
Connected to mail.mycompanydomain.co.id.
Escape character is '^]'.
220 mail.mycompanydomain.co.id ESMTP Postfix
ehlo mail
250-mail.mycompanydomain.co.id
250-PIPELINING
250-SIZE 51200000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:vivianchow@yahoo.com
250 2.1.0 Ok
rcpt to:myemail@mycompanydomain.co.id
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Hello Vavai
.
250 2.0.0 Ok: queued as C78EDB6E001
quit
221 2.0.0 Bye
From: Zimbra User, To: External User. Result: Accepted, with prior SMTP authorization check
Zimbra should respond to our request with "Relay access denied" when we try to send email without prior authorization:
telnet mail.mycompanydomain.co.id 25
Trying 103.XXX.XXX.XXX...
Connected to mail.mycompanydomain.co.id.
Escape character is '^]'.
220 mail.mycompanydomain.co.id ESMTP Postfix
ehlo mail
250-mail.mycompanydomain.co.id
250-PIPELINING
250-SIZE 6144000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:vivianchow@mycompanydomain.co.id
250 2.1.0 Ok
rcpt to:myemail@gmail.com
554 5.7.1 <myemail@vavai.com>: Relay access denied
From: Zimbra User, To: Zimbra User. Result: Accepted WITHOUT prior SMTP authorization check
telnet mail.mycompanydomain.co.id 25
Trying 103.XXX.XXX.XXX...
Connected to mail.mycompanydomain.co.id.
Escape character is '^]'.
220 mail.mycompanydomain.co.id ESMTP Postfix
ehlo mail
250-mail.mycompanydomain.co.id
250-PIPELINING
250-SIZE 6144000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:vivianchow@mycompanydomain.co.id
250 2.1.0 Ok
rcpt to:vivianchow@mycompanydomain.co.id
250 2.1.5 Ok
Look at the last example. I am trying to send email from vivianchow@mycompanydomain.co.id to vivianchow@mycompanydomain.co.id without prior authorization, and Zimbra accepted the email even though it should not. What if I try to send a fake email, let's say from my boss's address to my colleagues?
To close the above security hole, below are some modifications that can be applied on Zimbra 8. They force the user to authenticate and log in before sending an email to internal users.
- Back up all configuration. Incorrect settings while applying the "sender must login" policy would interfere with Zimbra services and would stop your email communication.
- Log in as the zimbra user and edit /opt/zimbra/conf/zmconfigd.cf
Add the following line right under POSTCONF smtpd_recipient_restrictions FILE zmconfigd/postfix_recipient_restrictions.cf:
POSTCONF proxy_read_maps FILE zmconfigd/proxy_read_maps.cf
and add the following line right under POSTCONF smtpd_sender_restrictions FILE zmconfigd/smtpd_sender_restrictions.cf:
POSTCONF smtpd_sender_login_maps proxy:ldap:/opt/zimbra/conf/ldap-slm.cf
- Save your changes, then navigate to the /opt/zimbra/conf/zmconfigd/ folder and edit smtpd_sender_restrictions.cf
cd /opt/zimbra/conf/zmconfigd/
vi smtpd_sender_restrictions.cf
- Put the following at the top of the file:
permit_mynetworks, reject_sender_login_mismatch
- Save your changes
- Check your read maps setting with the following command:
postconf | grep proxy_read_maps
- On my Zimbra 8, the result is shown below:
$local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps $alias_maps
- Create a proxy_read_maps.cf file
vi proxy_read_maps.cf
and paste the postconf result with proxy:ldap:/opt/zimbra/conf/ldap-slm.cf appended at the end, so the content looks like this:
$local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps $alias_maps, proxy:ldap:/opt/zimbra/conf/ldap-slm.cf
- Navigate to /opt/zimbra/conf and create the ldap-slm.cf file
cd /opt/zimbra/conf
grep server_host /opt/zimbra/conf/ldap-vam.cf
grep bind_pw /opt/zimbra/conf/ldap-vam.cf
vi ldap-slm.cf
- Content of the ldap-slm.cf file:
server_host = ldap://HOST:389
server_port = 389
search_base =
query_filter = (&(|(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)(zimbraMailCatchAllAddress=%s)(mail=%s))(zimbraMailStatus=enabled))
result_attribute = zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailCatchAllForwardingAddress,uid
version = 3
start_tls = yes
tls_ca_cert_dir = /opt/zimbra/conf/ca
bind = yes
bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra
bind_pw = PASSWORD
timeout = 30
- Replace the server_host and bind_pw values with the results of the grep commands
- Save all changes, fix the file ownership, and run postfix reload to apply the changes
chown zimbra:postfix ldap-slm.cf
postfix reload
- Test the policy by connecting to your Zimbra server with telnet and sending an email from an internal user to an internal user without prior authorization:
telnet mail.mycompanydomain.co.id 25
Trying XXX.XXX.XXX.XXX...
Connected to mail.mycompanydomain.co.id.
Escape character is '^]'.
220 mail.mycompanydomain.co.id ESMTP Postfix
ehlo mail
250-mail.mycompanydomain.co.id
250-PIPELINING
250-SIZE 51200000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:vivianchow@mycompanydomain.co.id
250 2.1.0 Ok
rcpt to:vivianchow@mycompanydomain.co.id
553 5.7.1 vivianchow@mycompanydomain.co.id: Sender address rejected: not logged in
Note: please back up all configuration before trying to set the "Sender must login" policy, to prevent unexpected things 🙂
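To make the four telnet scenarios above and the effect of the zmconfigd changes concrete, here is an added example that models the sender check Postfix performs once smtpd_sender_restrictions reads "permit_mynetworks, reject_sender_login_mismatch" and smtpd_sender_login_maps points at ldap-slm.cf. This is illustration code written for this page, not Zimbra's or Postfix's own implementation. The LDAP query is replaced by constructed directory entries that carry the same attributes ldap-slm.cf matches on and returns; the trusted networks, client IPs and account names are assumptions, and the "not owned by user" reply is the second rejection Postfix's sender-login check produces alongside the "not logged in" reply shown in the transcript above. The model covers only the sender check, not the relay access control seen in the first scenario.

```python
# Added example (not Zimbra's or Postfix's own code): a model of the
# "permit_mynetworks, reject_sender_login_mismatch" sender check, with the
# ldap-slm.cf lookup replaced by constructed directory entries.
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the Zimbra LDAP objects that ldap-slm.cf queries.
DIRECTORY = [
    {"uid": "vivianchow",
     "zimbraMailDeliveryAddress": "vivianchow@mycompanydomain.co.id",
     "zimbraMailAlias": ["vivian@mycompanydomain.co.id"],
     "zimbraMailStatus": "enabled"},
    {"uid": "boss",
     "zimbraMailDeliveryAddress": "boss@mycompanydomain.co.id",
     "zimbraMailAlias": [],
     "zimbraMailStatus": "enabled"},
    {"uid": "olduser",
     "zimbraMailDeliveryAddress": "olduser@mycompanydomain.co.id",
     "zimbraMailAlias": [],
     "zimbraMailStatus": "closed"},
]

# Attributes that the query_filter in ldap-slm.cf matches the sender against.
MATCH_ATTRIBUTES = ("zimbraMailDeliveryAddress", "zimbraMailAlias",
                    "zimbraMailCatchAllAddress", "mail")
# result_attribute from ldap-slm.cf: the logins allowed to use the address.
RESULT_ATTRIBUTES = ("zimbraMailDeliveryAddress", "zimbraMailForwardingAddress",
                     "zimbraPrefMailForwardingAddress",
                     "zimbraMailCatchAllForwardingAddress", "uid")

# Assumed trusted networks (zimbraMtaMyNetworks); clients here skip the check.
MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("10.10.200.25/32")]


def _values(entry, attr):
    """Return an entry's attribute values as a list (LDAP attributes are multi-valued)."""
    value = entry.get(attr, [])
    return value if isinstance(value, list) else [value]


def sender_login_map(sender):
    """Emulate the ldap-slm.cf lookup: the sender must equal one of the match
    attributes of an account whose zimbraMailStatus is enabled; return the
    result attributes, i.e. the logins that own the address."""
    owners = []
    wanted = sender.lower()
    for entry in DIRECTORY:
        if entry.get("zimbraMailStatus") != "enabled":
            continue  # the filter's (zimbraMailStatus=enabled) clause
        matches = {v.lower() for attr in MATCH_ATTRIBUTES for v in _values(entry, attr)}
        if wanted in matches:
            for attr in RESULT_ATTRIBUTES:
                owners.extend(_values(entry, attr))
    return owners


def check_sender(client_ip, sender, sasl_username=None):
    """Evaluate 'permit_mynetworks, reject_sender_login_mismatch' for one
    MAIL FROM address. Returns (accepted, reply_text)."""
    if any(ip_address(client_ip) in net for net in MYNETWORKS):
        # permit_mynetworks is listed first, so trusted clients never reach the login check.
        return True, "250 2.1.0 Ok (permit_mynetworks)"
    owners = [o.lower() for o in sender_login_map(sender)]
    if sasl_username is None:
        if owners:
            return False, f"553 5.7.1 {sender}: Sender address rejected: not logged in"
        return True, "250 2.1.0 Ok"  # nobody owns the address: no decision here
    if sasl_username.lower() not in owners:
        return False, (f"553 5.7.1 {sender}: Sender address rejected: "
                       f"not owned by user {sasl_username}")
    return True, "250 2.1.0 Ok"


if __name__ == "__main__":
    cases = [
        ("203.0.113.10", "vivianchow@yahoo.com", None),              # external sender
        ("203.0.113.10", "vivianchow@mycompanydomain.co.id", None),  # internal, not logged in
        ("203.0.113.10", "vivianchow@mycompanydomain.co.id", "vivianchow@mycompanydomain.co.id"),
        ("203.0.113.10", "vivian@mycompanydomain.co.id", "vivianchow"),  # alias, login by uid
        ("203.0.113.10", "boss@mycompanydomain.co.id", "vivianchow@mycompanydomain.co.id"),
        ("127.0.0.1", "boss@mycompanydomain.co.id", None),           # trusted network
        ("203.0.113.10", "olduser@mycompanydomain.co.id", None),     # closed account
    ]
    for ip, sender, login in cases:
        print(ip, sender, login, "->", check_sender(ip, sender, login))
```

Three points worth checking against the model: a client inside the trusted networks is permitted before the login check runs, which is why the comments below report the policy "not working" when the test machine sits in zimbraMtaMyNetworks; the uid result attribute is what lets a user who authenticates with a short login name, not the full address, pass the check for their own address and aliases; and because the query_filter only returns accounts whose zimbraMailStatus is enabled, a closed account's address has no owner in the map and an unauthenticated MAIL FROM using it is not rejected by this restriction. The real server reports the rejection at RCPT TO rather than MAIL FROM, as in the transcript above, because Postfix's smtpd_delay_reject defaults to yes.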
21 Comments
Hi,
I did the steps above one by one, but it is not denied. I am using Zimbra 8.0.6.
Thanks,
Me too. I use 8.0.7.
Hi,
I also followed all the steps and still have the problem: not denied.
Any other tips?
Me too, using Zimbra 8.0.6.
Thanks
I have configured it successfully.
Sending mail using telnet on port 25 from a non-trusted network gives the warning "Sender address rejected: not logged in".
Thanks a lot.
Hi, the above configuration is not working for me. I am using Zimbra 8.0.3 and also Zimbra 8.0.6, but I need this very much. Please, if anyone has the steps that work, share them.
@ManhCT, which version of Zimbra are you using, please?
Finally, I made it work. OK, here are the steps:
After doing all the steps of this tutorial, just apply the command below
zmprov modifyServer zimbra.example.com zimbraMtaMyNetworks '127.0.0.0/8 10.10.200.25/32'
postfix reload
Note: replace zimbra.example.com with your Zimbra server hostname
and the IP address with your Zimbra server IP address.
If you use a range of IP addresses in zimbraMtaMyNetworks, like 10.10.10.0/8, then the above solution does not work.
@Arif: I’m using Zimbra 8.0.5
When I send mail from a non-Zimbra user to a Zimbra user -> the email is sent successfully
non-Zimbra user: abc123@zimbra.local
Zimbra user: abc@zimbra.local
???
Hi ManhCT,
Have you modified the Zimbra MTA Trusted Network to 127.0.0.0/8 IPZIMBRA/32?
If you test with telnet or another tool and the IP you test from is trusted on the Zimbra MTA, this guidance will not work.
Thanks to Mr. Vavai.
How to do the same for 7.2?
Just read this
http://wiki.zimbra.com/wiki/Rejecting_false_%22mail_from%22_addresses
Hi,
It's not working for Zimbra 8.6.0.
Any suggestions for 8.6.0?
Best Regards.
Dear Sir,
Thank you, your article is very nice. Can you tell me how I can set exceptions (hash:/opt/zimbra/conf/exceptions-db) to bypass some email addresses, as shown in the link below?
https://wiki.zimbra.com/wiki/Enforcing_a_match_between_the_FROM_address_and_the_sasl_username
I am using Zimbra 8.0.5 open source edition. I did all the steps but it's not working. We are still able to telnet from outside.
I am using Zimbra 8.6.
It works well, but it is necessary to change one thing.
When you say:
and add the following lines right under POSTCONF smtpd_sender_restrictions FILE zmconfigd/smtpd_sender_restrictions.cf
POSTCONF smtpd_sender_login_maps proxy:ldap:/opt/zimbra/conf/ldap-slm.cf
Right under POSTCONF smtpd_sender_restrictions FILE zmconfigd/smtpd_sender_restrictions.cf, it is necessary to replace the line POSTCONF smtpd_sender_login_maps FILE zmconfigd/smtpd_sender_login_maps.cf with
POSTCONF smtpd_sender_login_maps proxy:ldap:/opt/zimbra/conf/ldap-slm.cf
Hi Vavai,
sorry for using Bahasa, okay :).
I want to ask two things:
step 1: POSTCONF smtpd_recipient_restrictions FILE zmconfigd/postfix_recipient_restrictions.cf
In the configuration on my Zimbra 8.6 there is no line "POSTCONF smtpd_recipient_restrictions FILE zmconfigd/postfix_recipient_restrictions.cf",
there is only:
"POSTCONF smtpd_recipient_restrictions FILE zmconfigd/smtpd_recipient_restrictions.cf"
Is it the same?
step 8: create the proxy_read_maps.cf file
Is it inside the /opt/zimbra/conf/zmconfigd/ folder, or where?
Those are my only questions.
You are great and you are the Zimbra expert :).
Thank you very much.
Hi Pak @Egar,
1. Correct, Pak
2. Correct
Before changing the configuration, first back up the files that will be changed. BTW, Zimbra 8.6 is already EOL, Pak; it would be good to prepare an upgrade to version 8.8.11.
If it is installed on a VM, you can back up or clone the VM and then prepare for the upgrade.
Hello Pak Vavai,
awesome..
Understood, Pak. It already happened to me, Pak. Luckily I had a backup. Hahaha.
I run it on a hyperconverged server, so I had made a snapshot first; when the error occurred, I restored the snapshot.
OK, Pak, thank you for the information.
My problem is that I have Zimbra NE but did not buy the SNS for the second year. So if I want to upgrade, can I still go to 8.8.11, Pak?
Thank you very much, Pak Vavai...
Hi,
I am not able to send email to Gmail since I installed Zimbra 8.8.12 ZCS.
Any help??
Hi! I have 2 Zimbra 8.8.15 servers. I followed this guide on both servers. On the first it's successfully blocking non-authorized senders, and on the second not! Any ideas?
Found the answer for myself:
zmprov mcf zimbraMtaSmtpdSenderLoginMaps proxy:ldap:/opt/zimbra/conf/ldap-slm.cf +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch