As a mature mail server, Zimbra ships with a number of security features enabled by default, and additional policy such as PolicyD and Fail2Ban can be layered on top of them to harden the MTA further.
Those measures may be sufficient for most deployments, but there is one more point that deserves attention: SMTP authorization, that is, who is allowed to submit mail with which sender address.
Look at the following delivery flows, sent from and to Zimbra, each tried by hand over telnet:
From: External User, To: External User. Result: Relay access denied
telnet mail.mycompanydomain.co.id 25
Trying 103.XXX.XXX.XXX...
Connected to mail.mycompanydomain.co.id.
Escape character is '^]'.
220 mail.mycompanydomain.co.id ESMTP Postfix
ehlo mail
250-mail.mycompanydomain.co.id
250-PIPELINING
250-SIZE 51200000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:vivianchow@yahoo.com
250 2.1.0 Ok
rcpt to:zezevavai@gmail.com
554 5.7.1 <zezevavai@gmail.com>: Relay access denied
From: External User, To: Zimbra User. Result: Accepted, after scanning for spam and viruses
telnet mail.mycompanydomain.co.id 25
Trying 103.XXX.XXX.XXX...
Connected to mail.mycompanydomain.co.id.
Escape character is '^]'.
220 mail.mycompanydomain.co.id ESMTP Postfix
ehlo mail
250-mail.mycompanydomain.co.id
250-PIPELINING
250-SIZE 51200000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:vivianchow@yahoo.com
250 2.1.0 Ok
rcpt to:myemail@mycompanydomain.co.id
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Hello Vavai
.
250 2.0.0 Ok: queued as C78EDB6E001
quit
221 2.0.0 Bye
From: Zimbra User, To: External User. Result: Accepted only after SMTP authentication
Zimbra responds with "Relay access denied" when the client tries to send to an external recipient without authenticating first:
telnet mail.mycompanydomain.co.id 25
Trying 103.XXX.XXX.XXX...
Connected to mail.mycompanydomain.co.id.
Escape character is '^]'.
220 mail.mycompanydomain.co.id ESMTP Postfix
ehlo mail
250-mail.mycompanydomain.co.id
250-PIPELINING
250-SIZE 6144000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:vivianchow@mycompanydomain.co.id
250 2.1.0 Ok
rcpt to:myemail@gmail.com
554 5.7.1 <myemail@gmail.com>: Relay access denied
From: Zimbra User, To: Zimbra User. Result: Accepted WITHOUT any SMTP authentication
telnet mail.mycompanydomain.co.id 25
Trying 103.XXX.XXX.XXX...
Connected to mail.mycompanydomain.co.id.
Escape character is '^]'.
220 mail.mycompanydomain.co.id ESMTP Postfix
ehlo mail
250-mail.mycompanydomain.co.id
250-PIPELINING
250-SIZE 6144000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:vivianchow@mycompanydomain.co.id
250 2.1.0 Ok
rcpt to:vivianchow@mycompanydomain.co.id
250 2.1.5 Ok
Look at the last example. I am sending mail from vivianchow@mycompanydomain.co.id to vivianchow@mycompanydomain.co.id without authenticating, and Zimbra accepts it, which it should not. The reason is that the stock recipient restrictions only decide whether the server will relay: because the recipient is in a local domain the message is accepted, and nothing checks whether the client is entitled to use the address it gave in MAIL FROM. So what stops anyone on the internet from submitting a forged message, say from my boss's address to my colleagues? Nothing; it would be delivered like any other internal mail.
To close this hole, the changes below, applied on Zimbra 8, make Postfix require that a client using an internal sender address has authenticated as the account that owns that address (Postfix's reject_sender_login_mismatch), so nobody can send mail as an internal user without logging in first.
- Back up all configuration first. A mistake while applying the "sender must login" policy will break the Zimbra MTA and stop your mail flow.
- Log in as the zimbra user and edit /opt/zimbra/conf/zmconfigd.cf.
Add the following line directly under the existing line POSTCONF smtpd_recipient_restrictions FILE zmconfigd/postfix_recipient_restrictions.cf:
POSTCONF proxy_read_maps FILE zmconfigd/proxy_read_maps.cf
and add the following line directly under POSTCONF smtpd_sender_restrictions FILE zmconfigd/smtpd_sender_restrictions.cf:
POSTCONF smtpd_sender_login_maps proxy:ldap:/opt/zimbra/conf/ldap-slm.cf
- Save your changes, then go to the /opt/zimbra/conf/zmconfigd/ folder and edit smtpd_sender_restrictions.cf
cd /opt/zimbra/conf/zmconfigd/
vi smtpd_sender_restrictions.cf
- Put the following at the top of the file, ahead of the existing entries
permit_mynetworks, reject_sender_login_mismatch
- Save your change. The order matters: permit_mynetworks comes first so that hosts listed in mynetworks (application servers, scanners and similar devices that cannot authenticate) are exempt, which also means anything in that list can still send with any internal address, so keep mynetworks as small as possible. reject_sender_login_mismatch then rejects a MAIL FROM address that the login map attributes to an account unless the client has authenticated as that account: an unauthenticated client is refused with "not logged in", and an authenticated client using someone else's address with "not owned by user".
- Check the current proxy_read_maps setting with the following command:
postconf | grep proxy_read_maps
- On my Zimbra 8 the value is:
$local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps $alias_maps
- Create the proxy_read_maps.cf file in the same folder
vi proxy_read_maps.cf
and paste in the value reported by postconf with proxy:ldap:/opt/zimbra/conf/ldap-slm.cf appended at the end, so the file contains:
$local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps $alias_maps, proxy:ldap:/opt/zimbra/conf/ldap-slm.cf
The default list already contains $smtpd_sender_login_maps, which Postfix expands to the new LDAP map once the parameter above is set, so the explicit entry is belt and braces; it is harmless and makes the intent obvious to the next administrator.
- Go to /opt/zimbra/conf and create the ldap-slm.cf file. The LDAP server address and the zmpostfix bind password are already present in ldap-vam.cf, the map Zimbra uses for virtual aliases, so read them from there:
cd /opt/zimbra/conf
grep server_host /opt/zimbra/conf/ldap-vam.cf
grep bind_pw /opt/zimbra/conf/ldap-vam.cf
vi ldap-slm.cf
- Content of the ldap-slm.cf file
server_host = ldap://HOST:389
server_port = 389
search_base =
query_filter = (&(|(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)(zimbraMailCatchAllAddress=%s)(mail=%s))(zimbraMailStatus=enabled))
result_attribute = zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailCatchAllForwardingAddress,uid
version = 3
start_tls = yes
tls_ca_cert_dir = /opt/zimbra/conf/ca
bind = yes
bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra
bind_pw = PASSWORD
timeout = 30
- Replace HOST and PASSWORD with the values returned by the grep commands. The query_filter looks the sender address up against the delivery address, aliases and catch-all addresses of enabled accounts; result_attribute returns the addresses and uid of the matching account, and these are the login names Postfix will accept for that sender. Because the file holds the LDAP bind password, give it the same ownership and mode as the existing ldap-vam.cf.
- Save all changes, fix the ownership of the new file and reload Postfix to apply them
chown zimbra:postfix ldap-slm.cf
postfix reload
- Test the policy: connect to your Zimbra server with telnet and send from an internal address to an internal address without authenticating. The RCPT TO is now refused:
telnet mail.mycompanydomain.co.id 25
Trying XXX.XXX.XXX.XXX...
Connected to mail.mycompanydomain.co.id.
Escape character is '^]'.
220 mail.mycompanydomain.co.id ESMTP Postfix
ehlo mail
250-mail.mycompanydomain.co.id
250-PIPELINING
250-SIZE 51200000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:vivianchow@mycompanydomain.co.id
250 2.1.0 Ok
rcpt to:vivianchow@mycompanydomain.co.id
553 5.7.1 vivianchow@mycompanydomain.co.id: Sender address rejected: not logged in
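The four telnet sessions at the top of this post and the closing test, replayed with smtplib against a small in-process model of the MTA. This is an added example, not code from the original post and not Zimbra or Postfix code: the server is a toy stand-in that reproduces the accept/reject outcomes of permit_mynetworks, reject_sender_login_mismatch and of the stock relay check, and its local domain, mynetworks, credentials and login map are constructed stand-ins for what ldap-slm.cf would return. It goes a little beyond the post by also showing the two cases the telnet sessions do not: an authenticated user spoofing a colleague ("not owned by user") and a mynetworks host bypassing the check. probe() can be pointed at a real Zimbra host to verify a live server.

```python
"""Model of the Zimbra MTA before and after the "sender must login" change, plus an
smtplib probe that replays the post's telnet sessions. Added example: the server is a
toy stand-in for Postfix, not Zimbra code; domains, networks, credentials and the
login map below are constructed for the demonstration."""
import base64
import smtplib
import socketserver
import threading

LOCAL_DOMAINS = {"mycompanydomain.co.id"}           # $mydestination / hosted domains (assumed)
MYNETWORKS = {"127.0.0.1", "192.168.1.10"}          # $mynetworks (assumed; plain hosts, not CIDRs)
# Stand-in for the ldap-slm.cf lookup: sender address -> login names that own it.
LOGIN_MAP = {
    "vivianchow@mycompanydomain.co.id": {"vivianchow", "vivianchow@mycompanydomain.co.id"},
    "boss@mycompanydomain.co.id": {"boss", "boss@mycompanydomain.co.id"},
}


def sender_restriction(client_ip, sasl_user, mail_from, enforce):
    """permit_mynetworks, reject_sender_login_mismatch. Returns an SMTP reply line when the
    sender is rejected, or None when this list does not reject (Postfix then goes on to
    smtpd_recipient_restrictions). enforce=False models stock Zimbra 8, which never checks."""
    if not enforce or client_ip in MYNETWORKS:
        return None
    owners = LOGIN_MAP.get(mail_from)
    if owners is None:                       # sender not in the map: nothing to enforce
        return None
    if sasl_user is None:
        return f"553 5.7.1 <{mail_from}>: Sender address rejected: not logged in"
    if sasl_user not in owners:
        return f"553 5.7.1 <{mail_from}>: Sender address rejected: not owned by user {sasl_user}"
    return None


def recipient_restriction(client_ip, sasl_user, rcpt_to):
    """Stock relay check: local domains always accepted; relaying elsewhere needs
    mynetworks or SASL authentication."""
    if rcpt_to.rsplit("@", 1)[-1] in LOCAL_DOMAINS or client_ip in MYNETWORKS or sasl_user:
        return None
    return f"554 5.7.1 <{rcpt_to}>: Relay access denied"


def _addr(arg):
    """'FROM:<a@b>' or 'TO:<a@b>' -> 'a@b'."""
    return arg.split(":", 1)[1].strip().strip("<>").lower()


class ModelMta(socketserver.StreamRequestHandler):
    """Just enough ESMTP for smtplib: EHLO, AUTH PLAIN (any password), MAIL, RCPT, QUIT.
    The real peer is loopback, so the simulated client address comes from server.cfg."""

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode())

    def handle(self):
        cfg, sasl_user, mail_from = self.server.cfg, None, None
        self.reply("220 mail.mycompanydomain.co.id ESMTP Postfix (model)")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            verb, _, arg = line.decode().rstrip("\r\n").partition(" ")
            verb = verb.upper()
            if verb == "EHLO":
                self.reply("250-mail.mycompanydomain.co.id\r\n250 AUTH PLAIN")
            elif verb == "AUTH":             # arg = 'PLAIN base64(\0user\0password)'
                sasl_user = base64.b64decode(arg.split()[1]).split(b"\0")[1].decode()
                self.reply("235 2.7.0 Authentication successful")
            elif verb == "MAIL":
                mail_from = _addr(arg)
                self.reply("250 2.1.0 Ok")
            elif verb == "RCPT":
                # smtpd_delay_reject=yes (Postfix default): sender restrictions are evaluated
                # at RCPT TO, ahead of recipient restrictions, which is why the post's
                # telnet sessions only see the 553 after RCPT TO.
                verdict = sender_restriction(cfg["client_ip"], sasl_user, mail_from, cfg["enforce"])
                verdict = verdict or recipient_restriction(cfg["client_ip"], sasl_user, _addr(arg))
                self.reply(verdict or "250 2.1.5 Ok")
            elif verb == "QUIT":
                self.reply("221 2.0.0 Bye")
                return
            else:
                self.reply("502 5.5.2 Error: command not recognized")


def probe(host, port, mail_from, rcpt_to, login=None):
    """Replay one telnet session with smtplib; returns the reply code for RCPT TO
    (or for MAIL FROM if that already failed). Works against a real Zimbra host too."""
    with smtplib.SMTP(host, port, local_hostname="mail", timeout=5) as smtp:
        smtp.ehlo()
        if login:
            smtp.login(*login)
        code, _ = smtp.mail(mail_from)
        if code != 250:
            return code
        code, _ = smtp.rcpt(rcpt_to)
        return code


def replay_post_flows(enforce, client_ip="203.0.113.7"):
    """Run the model MTA on an ephemeral loopback port; returns {flow: RCPT reply code}."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), ModelMta)
    srv.daemon_threads, srv.cfg = True, {"enforce": enforce, "client_ip": client_ip}
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port, me, boss = srv.server_address[1], "vivianchow@mycompanydomain.co.id", "boss@mycompanydomain.co.id"
    try:
        return {
            "external->external": probe("127.0.0.1", port, "vivianchow@yahoo.com", "zezevavai@gmail.com"),
            "external->internal": probe("127.0.0.1", port, "vivianchow@yahoo.com", "myemail@mycompanydomain.co.id"),
            "internal->external, no auth": probe("127.0.0.1", port, me, "myemail@gmail.com"),
            "internal->internal, no auth": probe("127.0.0.1", port, me, me),
            "boss spoofed by authenticated vivianchow": probe("127.0.0.1", port, boss, me, login=("vivianchow", "pw")),
            "own address, authenticated": probe("127.0.0.1", port, me, "myemail@gmail.com", login=("vivianchow", "pw")),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for state in (False, True):
        print("enforce =", state, replay_post_flows(state))
```

With enforce=False the internal-to-internal session and the spoofed-boss session both come back 250, exactly the hole described above; with enforce=True both are refused with 553, external senders are untouched, and an authenticated user can still relay outwards with their own address. Running the replay with client_ip set to a mynetworks host shows the unauthenticated internal-to-internal message accepted again, which is why the mynetworks list must stay short.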
Notes: please back up all configuration before applying the "sender must login" policy, so you can roll back if something unexpected happens 🙂 Zimbra upgrades replace zmconfigd.cf, so keep a copy of the changes above and reapply them after upgrading.