Zimbra Improvement : Restricted Sender/Sender Must Login on Zimbra 8

February 18, 2014

emailAs a powerful mail server, Zimbra has some system security features applied by default. We can also applying some additional security policy to increase mail server protection, such as applying PolicyD and Fail2Ban

All the above security rule may be sufficient, but there are some additional security tips should be considered, especially in the case of SMTP authorization.

Look at the following mail flow delivery, sent from or into Zimbra :

From : External User   To : External User, Result : Relay Access Denied

telnet mail.mycompanydomain.co.id 25
Trying 103.XXX.XXX.XXX...
Connected to mail.mycompanydomain.co.id.
Escape character is '^]'.
220 mail.mycompanydomain.co.id ESMTP Postfix
ehlo mail
250-mail.mycompanydomain.co.id
250-PIPELINING
250-SIZE 51200000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:vivianchow@yahoo.com
250 2.1.0 Ok
rcpt to:zezevavai@gmail.com
554 5.7.1 <zezevavai@gmail.com>: Relay access denied

From : External User   To : Zimbra User, Result : Accepted with prior Scanning for Spam and Viruses

telnet mail.mycompanydomain.co.id 25
Trying 103.XXX.XXX.XXX...
Connected to mail.mycompanydomain.co.id.
Escape character is '^]'.
220 mail.mycompanydomain.co.id ESMTP Postfix
ehlo mail
250-mail.mycompanydomain.co.id
250-PIPELINING
250-SIZE 51200000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:vivianchow@yahoo.com
250 2.1.0 Ok
rcpt to:myemail@mycompanydomain.co.id
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Hello Vavai
.
250 2.0.0 Ok: queued as C78EDB6E001
quit
221 2.0.0 Bye

From : Zimbra User  To : External User, Result : Accepted with prior SMTP Authorization check

Zimbra should be respond our request  with “Relay Access Denied when trying to send emails without prior authorization

telnet mail.mycompanydomain.co.id 25
Trying 103.XXX.XXX.XXX...
Connected to mail.mycompanydomain.co.id.
Escape character is '^]'.
220 mail.mycompanydomain.co.id ESMTP Postfix
ehlo mail
250-mail.mycompanydomain.co.id
250-PIPELINING
250-SIZE 6144000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:vivianchow@mycompanydomain.co.id
250 2.1.0 Ok
rcpt to:myemail@gmail.com
554 5.7.1 <myemail@vavai.com>: Relay access denied

From : Zimbra User  To : Zimbra User, Result : Accepted WITHOUT prior SMTP Authorization check

telnet mail.mycompanydomain.co.id 25
Trying 103.XXX.XXX.XXX...
Connected to mail.mycompanydomain.co.id.
Escape character is '^]'.
220 mail.mycompanydomain.co.id ESMTP Postfix
ehlo mail
250-mail.mycompanydomain.co.id
250-PIPELINING
250-SIZE 6144000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:vivianchow@mycompanydomain.co.id
250 2.1.0 Ok
rcpt to:vivianchow@mycompanydomain.co.id
250 2.1.5 Ok

zimbra-logoLook at the last example. I’m trying to send email from vivianchow@mycompanydomain.co.id to vivianchow@mycompanydomain.co.id without prior authorization and Zimbra accepted this email whereas should not. How if I’m trying to send fake email, let’s say from my boss email into my colleagues?

To prevent the above security hole, below are some modification which are able to be applied on Zimbra 8. This modification will force the user to authenticate and login before sending an email to an internal users.

  1. Backup all configuration. Incorrect settings while applying “sender must login” policy would interfere Zimbra services and would stop your email communication
  2. Log in as Zimbra user and edit /opt/zimbra/conf/zmconfigd.cf
    Add the following lines right under POSTCONF smtpd_recipient_restrictions FILE zmconfigd/postfix_recipient_restrictions.cf

    POSTCONF proxy_read_maps FILE zmconfigd/proxy_read_maps.cf

    and add the following lines right under POSTCONF smtpd_sender_restrictions FILE zmconfigd/smtpd_sender_restrictions.cf

    POSTCONF smtpd_sender_login_maps proxy:ldap:/opt/zimbra/conf/ldap-slm.cf
  3. Save your changes and then navigate to /opt/zimbra/conf/zmconfigd/ folder and edit smtpd_sender_restriction.cf 
    cd /opt/zimbra/conf/zmconfigd/
vi smtpd_sender_restrictions.cf
  4. Put the following code on the top of the lines 
    permit_mynetworks, reject_sender_login_mismatch
  5. Save your change
  6. Check your read maps settings with the following command : 
    postconf | grep proxy_read_maps
  7. On my Zimbra 8, the result would shown as below

    $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps $alias_maps
  8. Create a proxy_read_maps.cf file

    vi proxy_read_maps.cf

    and add proxy:ldap:/opt/zimbra/conf/ldap-slm.cf on the last line of postconf result, so the result is supposedly like this:

    $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps $alias_maps, proxy:ldap:/opt/zimbra/conf/ldap-slm.cf
  9. Navigate to /opt/zimbra/conf and create ldap-slm.cf file

    cd /opt/zimbra/conf
grep server_host /opt/zimbra/conf/ldap-vam.cf
grep bind_pw /opt/zimbra/conf/ldap-vam.cf
vi ldap-slm.cf
  10. Content of ldap-slm.cf file

    server_host = ldap://HOST:389
server_port = 389
search_base =
query_filter = (&(|(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)(zimbraMailCatchAllAddress=%s)(mail=%s))(zimbraMailStatus=enabled))
result_attribute = zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailCatchAllForwardingAddress,uid
version = 3
start_tls = yes
tls_ca_cert_dir = /opt/zimbra/conf/ca
bind = yes
bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra
bind_pw = PASSWORD
timeout = 30
  11. Replace server_host  and bind_pw with the result of grep command
  12. Save all changes and then run the postfix reload to apply the changes

    chown zimbra:postfix ldap-slm.cf
postfix reload
  13. Test the policy by telnet to your Zimbra server and send an email from internal to internal users without prior authorization 
    telnet mail.mycompanydomain.co.id 25
Trying XXX.XXX.XXX.XXX...
Connected to mail.mycompanydomain.co.id.
Escape character is '^]'.
220 mail.mycompanydomain.co.id ESMTP Postfix
ehlo mail
250-mail.mycompanydomain.co.id
250-PIPELINING
250-SIZE 51200000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:vivianchow@mycompanydomain.co.id
250 2.1.0 Ok
rcpt to:vivianchow@mycompanydomain.co.id
553 5.7.1 vivianchow@mycompanydomain.co.id: Sender address rejected: not logged in

Notes : Please backup all configuration before trying to set the “Sender must login” policy to prevent  unexpected things 🙂


Share

Linux

Masim "Vavai" Sugianto
Traveller, Open Source Enthusiast & Book Lover. Works as Independent Worker & Self-Employer.

19 Comments


tuan
March 20, 2014 at 15:14
Reply

Hi,
I done step to step on above, but not denied. i am using zimbra 8.0.6.

thanks,


    Hai
    May 6, 2014 at 11:02
    Reply

    me too. I use 8.0.7

Carlos
April 9, 2014 at 10:12
Reply

Hi,

I also followed all the steps and continue with problem. not denied.

Any other tips?

Me too using zimbra 8.0.6.

tks


ManhCT
May 24, 2014 at 22:26
Reply

I’m have config successful.
Send mail using telnet port 25 from non trust network warning “Sender address rejected: not logged in”
thanks alot.


Arif
June 2, 2014 at 11:45
Reply

Hi, the above configuration not working for me, i am using Zimbra 8.0.3 and also Zimbra 8.0.6. But i need this very much. Pls if anyone has the steps which is working then share it.

@ManhCT, which version of Zimbra you are using please?


Arif
June 2, 2014 at 14:44
Reply

Finally, i made it worked. Ok, here is the steps,
After doing all the steps of this tutorial just apply below command

zmprov modifyServer zimbra.example.com zimbraMtaMyNetworks ‘127.0.0.0/8 10.10.200.25/32’

postfix reload

Note: replace zimbra.example.com, with your zimbra server hostname
and ip address with your zimbra server ip address.

If you use a range of ip address in zimbraMtaMyNetworks like 10.10.10.0/8 then the above solution not work.


ManhCT
June 11, 2014 at 09:24
Reply

@Arif: I’m using Zimbra 8.0.5
When I send mail from non zimbra user to zimbra user -> Successfully sent email
non zimbra user: abc123@zimbra.local
zimbra user: abc@zimbra.local
???


    Ahmad Imanudin
    September 1, 2014 at 14:28
    Reply

    Hi ManhCT,

    Are you have been modify Zimbra MTA Trusted Network to 127.0.0.0/8 IPZIMBRA/32?

    if you test with telnet or other and your IP to test trusted on MTA Zimbra, this guidance will not work

Riyoxti
August 29, 2014 at 00:32
Reply

thanks for mr vavai.


SAM
November 18, 2014 at 21:55
Reply

how to do the same for 7.2


whyme?
December 4, 2014 at 03:36
Reply

Just read this
http://wiki.zimbra.com/wiki/Rejecting_false_%22mail_from%22_addresses


KT
April 13, 2015 at 19:51
Reply

Hi,

its not working for zimbra 8.6.0

Any suggestions for 8.6.0 ?

Best Regards.


prabhat Kumar
December 22, 2015 at 18:08
Reply

Dear Sir,

Thank you, your artical is very nice. Can you tell me how i can set exceptions (hash:/opt/zimbra/conf/exceptions-db). to by pass some email. as it was shown on below link.
https://wiki.zimbra.com/wiki/Enforcing_a_match_between_the_FROM_address_and_the_sasl_username


Prasanth
March 19, 2016 at 12:49
Reply

I am using Zimbra 8.0.5 opensourse edition . I done all steps but its not working . we can able to telnet from outside.


Sebastian
April 13, 2016 at 03:01
Reply

I am using zimbra 8.6.
It work well, but it is necesary change one thing.
When you say:

and add the following lines right under POSTCONF smtpd_sender_restrictions FILE zmconfigd/smtpd_sender_restrictions.cf

POSTCONF smtpd_sender_login_maps proxy:ldap:/opt/zimbra/conf/ldap-slm.cf

Right under POSTCONF smtpd_sender_restrictions FILE zmconfigd/smtpd_sender_restrictions.cf, it is neccesary replace the line POSTCONF smtpd_sender_login_maps FILE zmconfigd/smtpd_sender_login_maps.cf, by

POSTCONF smtpd_sender_login_maps proxy:ldap:/opt/zimbra/conf/ldap-slm.cf


Egar
March 13, 2019 at 08:46
Reply

hii vavai,

sorry for using bahasa ya, okay :).
saya mau tanya dua hal :

step 1 : POSTCONF smtpd_recipient_restrictions FILE zmconfigd/postfix_recipient_restrictions.cf
pada konfigurasi di zimbra 8.6 saya, tidak ada tulisan ” POSTCONF smtpd_recipient_restrictions FILE zmconfigd/postfix_recipient_restrictions.cf “,
adanya :
“POSTCONF smtpd_recipient_restrictions FILE zmconfigd/smtpd_recipient_restrictions.cf”
apakah sama ?

step 8 : create file proxy_read_maps.cf
apakah di dalam folder /opt/zimbra/conf/zmconfigd/ atau dimana ?

itu saja pertanyaan saya.
anda hebat dan anda ahlinya ZIMBRA :).

Terimakasih banyak.,.


Masim "Vavai" Sugianto
March 13, 2019 at 08:51
Reply

Hi pak @Egar,

1. Benar pak
2. Benar

sebelum melakukan pengubahan konfigurasi, lakukan backup dulu pada file yang akan diubah. BTW Zimbra 8.6 sudah EOL pak, ada baiknya disiapkan untuk diupgrade ke versi 8.8.11.

Kalau install diatas VM, bisa backup VM atau cloning VM kemudian disiapkan untuk upgrade.


Egar
March 13, 2019 at 10:17
Reply

halo pak Vavai,

mantabss..

siap pak. sudah kejadian pak. untung sudah saya backup. hahaha.
saya running di Server Hyperconverged jadinya saya sudah buat snapshotnya dulu, jadi ketika error, snapshotnya saya restore.

baik pak terimakasih infonya.
yang jadi masalah saya punya yang Zimbra NE tapi tidak beli SNS-nya pak untuk tahun ke dua. jadinya kalau mau upgrade apa tetap bisa pak ke 8.8.11 ?

terimakasih banyak ya pak vavai…


Ngoug
September 5, 2019 at 23:51
Reply

HI,

I am not able to send email to gmail since i install zimbra 8.8.12 ZCS.

Any help??


Leave a Reply

Your email address will not be published. Required fields are marked *