Zimbra Improvement : Restricted Sender/Sender Must Login on Zimbra 8

As a powerful mail server, Zimbra ships with a number of security features enabled by default. We can also apply additional security policies to harden the mail server, such as PolicyD and Fail2Ban.
The rules above may be sufficient for most deployments, but there are some additional points worth considering, especially around SMTP authentication: who is allowed to submit mail, and as whom.
Look at the following mail delivery flows, sent from or into Zimbra:
From : External User   To : External User, Result : Relay Access Denied

telnet mail.mycompanydomain.co.id 25
Trying 103.XXX.XXX.XXX...
Connected to mail.mycompanydomain.co.id.
Escape character is '^]'.
220 mail.mycompanydomain.co.id ESMTP Postfix
ehlo mail
250-mail.mycompanydomain.co.id
250-PIPELINING
250-SIZE 51200000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:vivianchow@yahoo.com
250 2.1.0 Ok
rcpt to:zezevavai@gmail.com
554 5.7.1 <zezevavai@gmail.com>: Relay access denied

From : External User   To : Zimbra User, Result : Accepted with prior Scanning for Spam and Viruses

telnet mail.mycompanydomain.co.id 25
Trying 103.XXX.XXX.XXX...
Connected to mail.mycompanydomain.co.id.
Escape character is '^]'.
220 mail.mycompanydomain.co.id ESMTP Postfix
ehlo mail
250-mail.mycompanydomain.co.id
250-PIPELINING
250-SIZE 51200000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:vivianchow@yahoo.com
250 2.1.0 Ok
rcpt to:myemail@mycompanydomain.co.id
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Hello Vavai
.
250 2.0.0 Ok: queued as C78EDB6E001
quit
221 2.0.0 Bye

From : Zimbra User  To : External User, Result : Accepted only after SMTP Authentication
Zimbra responds with “Relay access denied” when a client tries to send mail to an external address without authenticating first; once the client has logged in with SMTP AUTH, the relay is permitted.

telnet mail.mycompanydomain.co.id 25
Trying 103.XXX.XXX.XXX...
Connected to mail.mycompanydomain.co.id.
Escape character is '^]'.
220 mail.mycompanydomain.co.id ESMTP Postfix
ehlo mail
250-mail.mycompanydomain.co.id
250-PIPELINING
250-SIZE 6144000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:vivianchow@mycompanydomain.co.id
250 2.1.0 Ok
rcpt to:myemail@gmail.com
554 5.7.1 <myemail@gmail.com>: Relay access denied

From : Zimbra User  To : Zimbra User, Result : Accepted WITHOUT prior SMTP Authorization check

telnet mail.mycompanydomain.co.id 25
Trying 103.XXX.XXX.XXX...
Connected to mail.mycompanydomain.co.id.
Escape character is '^]'.
220 mail.mycompanydomain.co.id ESMTP Postfix
ehlo mail
250-mail.mycompanydomain.co.id
250-PIPELINING
250-SIZE 6144000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:vivianchow@mycompanydomain.co.id
250 2.1.0 Ok
rcpt to:vivianchow@mycompanydomain.co.id
250 2.1.5 Ok

Look at the last example. I sent a message from vivianchow@mycompanydomain.co.id to vivianchow@mycompanydomain.co.id without authenticating, and Zimbra accepted it although it should not have. The reason is that the default restrictions only decide whether to relay: mail for a local recipient is accepted from anyone (that is how external mail arrives at all), and nothing checks that the envelope sender actually belongs to the client submitting it. What if I used that to send a forged message, say from my boss’s address to my colleagues?
To close this hole, the following changes can be applied on Zimbra 8. They force a client that uses a local sender address to authenticate (SMTP AUTH) as the owner of that address before the message is accepted, including mail addressed to internal users.

  1. Back up all configuration. Incorrect settings while applying the “sender must login” policy will interfere with Zimbra services and stop your email communication
  2. Log in as the zimbra user and edit /opt/zimbra/conf/zmconfigd.cf
    Add the following line right under POSTCONF smtpd_recipient_restrictions FILE zmconfigd/postfix_recipient_restrictions.cf

    POSTCONF proxy_read_maps FILE zmconfigd/proxy_read_maps.cf

    and add the following line right under POSTCONF smtpd_sender_restrictions FILE zmconfigd/smtpd_sender_restrictions.cf

    POSTCONF smtpd_sender_login_maps proxy:ldap:/opt/zimbra/conf/ldap-slm.cf
  3. Save your changes, then go to the /opt/zimbra/conf/zmconfigd/ folder and edit smtpd_sender_restrictions.cf
    cd /opt/zimbra/conf/zmconfigd/
    vi smtpd_sender_restrictions.cf
  4. Put the following at the top of the file. Order matters: permit_mynetworks lets every client in $mynetworks skip the login check, so keep zimbraMtaMyNetworks as narrow as your setup allows
    permit_mynetworks, reject_sender_login_mismatch
  5. Save your change
  6. Check the current proxy_read_maps setting with the following command:
    postconf | grep proxy_read_maps
  7. On my Zimbra 8 the value looks like this

    $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps $alias_maps
  8. Create a proxy_read_maps.cf file

    vi proxy_read_maps.cf

    and paste the value part of the postconf output with proxy:ldap:/opt/zimbra/conf/ldap-slm.cf appended at the end (proxymap only serves tables listed here), so the file contains:

    $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps $alias_maps, proxy:ldap:/opt/zimbra/conf/ldap-slm.cf
  9. Navigate to /opt/zimbra/conf and create ldap-slm.cf file

    cd /opt/zimbra/conf
    grep server_host /opt/zimbra/conf/ldap-vam.cf
    grep bind_pw /opt/zimbra/conf/ldap-vam.cf
    vi ldap-slm.cf
  10. Content of ldap-slm.cf file

    server_host = ldap://HOST:389
    server_port = 389
    search_base =
    query_filter = (&(|(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)(zimbraMailCatchAllAddress=%s)(mail=%s))(zimbraMailStatus=enabled))
    result_attribute = zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailCatchAllForwardingAddress,uid
    version = 3
    start_tls = yes
    tls_ca_cert_dir = /opt/zimbra/conf/ca
    bind = yes
    bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra
    bind_pw = PASSWORD
    timeout = 30
  11. Replace server_host and bind_pw with the values returned by the grep commands
  12. Save all changes, give the file to the zimbra and postfix users (it holds the LDAP bind password, so make sure it is not world-readable), then reload Postfix to apply the changes

    chown zimbra:postfix ldap-slm.cf
    postfix reload
  13. Test the policy by telnetting to your Zimbra server and sending from an internal to an internal address without authenticating. The sender is now rejected; Postfix reports sender rejections at RCPT TO because smtpd_delay_reject is on by default
    telnet mail.mycompanydomain.co.id 25
    Trying XXX.XXX.XXX.XXX...
    Connected to mail.mycompanydomain.co.id.
    Escape character is '^]'.
    220 mail.mycompanydomain.co.id ESMTP Postfix
    ehlo mail
    250-mail.mycompanydomain.co.id
    250-PIPELINING
    250-SIZE 51200000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    mail from:vivianchow@mycompanydomain.co.id
    250 2.1.0 Ok
    rcpt to:vivianchow@mycompanydomain.co.id
    553 5.7.1 vivianchow@mycompanydomain.co.id: Sender address rejected: not logged in
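
How Postfix decides under the new restriction list, as an added example that is not part of the original post or of Zimbra itself: the script below models the ldap-slm.cf owner lookup and the list “permit_mynetworks, reject_sender_login_mismatch” against a constructed directory, runs the scenarios from the telnet sessions above (external and internal senders, with and without SMTP AUTH), and includes a small smtplib probe that reproduces step 13 against a real server. The directory entries, the 203.0.113.10 client address and the loopback-only $mynetworks are assumptions made for the example.

```python
"""Offline model of Postfix evaluating
    permit_mynetworks, reject_sender_login_mismatch
with the owner lookup that ldap-slm.cf performs.  Added example: the
directory entries, client IPs and $mynetworks value are constructed here
for illustration and are not taken from a real Zimbra server."""
import smtplib
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed stand-in for the Zimbra LDAP directory, limited to the
# attributes that the ldap-slm.cf query_filter / result_attribute use.
# zimbraMailCatchAllAddress is not modelled.
DIRECTORY = [
    {"uid": "vivianchow",
     "zimbraMailDeliveryAddress": "vivianchow@mycompanydomain.co.id",
     "zimbraMailAlias": ["vivian@mycompanydomain.co.id"],
     "zimbraMailStatus": "enabled"},
    {"uid": "boss",
     "zimbraMailDeliveryAddress": "boss@mycompanydomain.co.id",
     "zimbraMailAlias": [],
     "zimbraMailStatus": "enabled"},
    {"uid": "olduser",
     "zimbraMailDeliveryAddress": "olduser@mycompanydomain.co.id",
     "zimbraMailAlias": [],
     "zimbraMailStatus": "closed"},
]

# Assumed $mynetworks: loopback only.  Zimbra's zimbraMtaMyNetworks often
# lists the whole office LAN, and every host in it skips the check below.
MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("::1/128")]


def sender_login_map(sender: str) -> set:
    """Emulate the ldap-slm.cf lookup: the login names that own `sender`.

    query_filter: (&(|(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)
                      (zimbraMailCatchAllAddress=%s)(mail=%s))
                    (zimbraMailStatus=enabled))
    """
    key = sender.lower()
    owners = set()
    for entry in DIRECTORY:
        if entry.get("zimbraMailStatus") != "enabled":
            continue        # AND clause: closed/locked accounts never match
        addresses = {entry["zimbraMailDeliveryAddress"].lower()}
        addresses.update(a.lower() for a in entry.get("zimbraMailAlias", []))
        addresses.update(a.lower() for a in entry.get("mail", []))
        if key in addresses:
            # result_attribute returns both the delivery address and the bare
            # uid, so the client may have logged in as "user" or "user@domain".
            owners.add(entry["zimbraMailDeliveryAddress"].lower())
            owners.add(entry["uid"].lower())
    return owners


def check_sender(sender: str, client_ip: str,
                 sasl_username: Optional[str] = None) -> str:
    """Decision for one MAIL FROM under
    `permit_mynetworks, reject_sender_login_mismatch`.

    "DUNNO" means this list did not decide; Postfix continues with the
    remaining restrictions (relay checks etc.), which is what still happens
    for external senders.
    """
    if any(ip_address(client_ip) in net for net in MYNETWORKS):
        return "PERMIT (permit_mynetworks)"
    owners = sender_login_map(sender)
    if owners and sasl_username is None:
        return f"553 5.7.1 {sender}: Sender address rejected: not logged in"
    if sasl_username is not None and sasl_username.lower() not in owners:
        return (f"553 5.7.1 {sender}: Sender address rejected: "
                f"not owned by user {sasl_username}")
    return "DUNNO"


def probe(host: str, sender: str, recipient: str, port: int = 25) -> int:
    """Reproduce step 13 against a live server: return the RCPT TO reply code.
    Postfix delays sender rejections until RCPT TO (smtpd_delay_reject = yes
    by default), so that is where the 553 shows up."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo("probe")
        smtp.mail(sender)
        code, _ = smtp.rcpt(recipient)
        return code


if __name__ == "__main__":
    ip = "203.0.113.10"   # constructed external client address
    for sender, user in [
        ("vivianchow@mycompanydomain.co.id", None),
        ("vivian@mycompanydomain.co.id", None),
        ("vivianchow@mycompanydomain.co.id", "vivianchow"),
        ("boss@mycompanydomain.co.id", "vivianchow@mycompanydomain.co.id"),
        ("vivianchow@yahoo.com", None),
        ("vivianchow@yahoo.com", "vivianchow"),
        ("olduser@mycompanydomain.co.id", None),
    ]:
        print(f"{sender:34} auth={user!s:34} -> {check_sender(sender, ip, user)}")
    print("from 127.0.0.1 ->", check_sender("boss@mycompanydomain.co.id", "127.0.0.1"))
```

Two things the run makes visible that the transcript alone does not. First, an authenticated user is also held to the map: logging in as vivianchow and using vivianchow@yahoo.com as the envelope sender is rejected with “not owned by user”, so the policy stops forged external senders from inside as well. Second, because the query_filter requires zimbraMailStatus=enabled, the address of a closed account (olduser in the model) has no owner at all, and the check stays silent for it; whether to keep that clause is worth deciding consciously. Any client inside $mynetworks bypasses the whole list, which is why zimbraMtaMyNetworks should be kept small.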

Notes : Please back up all configuration before applying the “Sender must login” policy to prevent unexpected things 🙂 Re-check the settings after a Zimbra upgrade, since the installer may rewrite zmconfigd.cf, and remember that clients in $mynetworks are not subject to the check.
