Zimbra :: Forums > Zimbra Collaboration Suite > Administrators

How to enforce sasl_username=FROM ADDRESS

#1 | raj (Moderator) | 04-20-2009, 09:17 AM

Hi, I need help.

Quote:
Apr 20 11:42:55 zimbra1 postfix/smtpd[29431]: B28914D5978: client=209-159-58-74.static.networktel.net[209.159.58.74], sasl_method=LOGIN, sasl_username=jobs
Apr 20 11:42:56 zimbra1 postfix/cleanup[5522]: B28914D5978: message-id=<20090420154255.B28914D5978@zimbraserver.com>
Apr 20 11:42:56 zimbra1 postfix/qmgr[20690]: B28914D5978: from=<alerts@citibank.com>, size=6026, nrcpt=10 (queue active)
Apr 20 11:42:57 zimbra1 postfix/cleanup[3983]: 2BA56465D28: message-id=<20090420154255.B28914D5978@zimbraserver.com>
In the above case the PASSWORD for user jobs was compromised and a SPAMMER was able to relay emails using from=<alerts@citibank.com>.

Is there a way to ENFORCE that from=<user@domain.com> is the SAME as sasl_username=user?

* I know the SPAMMER can still relay, but then the FROM address will not be "alerts@citibank.com", for example, and just by looking at the abuse report we can tell which actual address was compromised.

Any ideas?

Raj
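The abuse-report check described in the post, written out as an added example that is not part of the original thread: it pairs each smtpd record's sasl_username with the qmgr record's from= for the same queue ID and reports envelope senders that are not the login's own address. The first three log lines are the ones quoted above; the second message (queue ID 0A1B2C3D4E5, alice@example.com) and the default domain are constructed assumptions.

```python
import re

# Constructed log excerpt: the first three lines are the ones quoted in post #1,
# the last two are a made-up, legitimate message so there is a negative case.
SAMPLE_LOG = """\
Apr 20 11:42:55 zimbra1 postfix/smtpd[29431]: B28914D5978: client=209-159-58-74.static.networktel.net[209.159.58.74], sasl_method=LOGIN, sasl_username=jobs
Apr 20 11:42:56 zimbra1 postfix/cleanup[5522]: B28914D5978: message-id=<20090420154255.B28914D5978@zimbraserver.com>
Apr 20 11:42:56 zimbra1 postfix/qmgr[20690]: B28914D5978: from=<alerts@citibank.com>, size=6026, nrcpt=10 (queue active)
Apr 20 11:43:10 zimbra1 postfix/smtpd[29431]: 0A1B2C3D4E5: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=alice
Apr 20 11:43:11 zimbra1 postfix/qmgr[20690]: 0A1B2C3D4E5: from=<alice@example.com>, size=1200, nrcpt=1 (queue active)
"""

# smtpd logs the authenticated login, qmgr logs the envelope sender; the queue
# ID (the hex token after the process name) ties the two records together.
SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): .*sasl_username=(?P<login>\S+)")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")

def find_login_mismatches(log_text, default_domain):
    """Return (queue_id, sasl_username, sender) for every authenticated message
    whose envelope sender is not the login's own address.

    default_domain (an assumption) qualifies bare logins such as the 'jobs'
    in the quoted log, so they can be compared with a full sender address.
    """
    logins, senders = {}, {}
    for line in log_text.splitlines():
        smtpd = SMTPD_RE.search(line)
        if smtpd:
            logins[smtpd.group("qid")] = smtpd.group("login")
            continue
        qmgr = QMGR_RE.search(line)
        if qmgr:
            senders[qmgr.group("qid")] = qmgr.group("sender")
    mismatches = []
    for qid, login in logins.items():
        sender = senders.get(qid)
        if sender is None:          # session never reached the queue manager
            continue
        expected = login if "@" in login else f"{login}@{default_domain}"
        if sender.lower() != expected.lower():
            mismatches.append((qid, login, sender))
    return mismatches

if __name__ == "__main__":
    for qid, login, sender in find_login_mismatches(SAMPLE_LOG, "example.com"):
        print(f"{qid}: login {login} sent as {sender}")
```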
#2 | Moderator | 04-20-2009, 12:49 PM

I seem to remember that being handled by:
Code:
postconf -e smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch
postfix reload
Might have to set smtpd_sender_login_maps = proxy:ldap:/opt/zimbra/conf/ldap-vam.cf or something.

There's also reject_sender_login_mismatch & reject_unauthenticated_sender_login_mismatch. (Check if you have any current values for sender restrictions first / add it to them rather than wiping them out.)
#4 | raj (Moderator) | 04-20-2009, 12:57 PM

I searched all over the internet and I see the following info.
One person mentioned using these 3; I don't know the correct order or if I need all 3. I will test and post the results.
Quote:
- reject_sender_login_mismatch
- reject_authenticated_sender_login_mismatch
- reject_unauthenticated_sender_login_mismatch
Other guys posted that the following worked:

Quote:
/etc/postfix/main.cf:
smtpd_recipient_restrictions =
permit_mynetworks
reject_authenticated_sender_login_mismatch
permit_sasl_authenticated
reject_unauth_destination
(etc)

smtpd_sender_login_maps = mysql:/etc/postfix/mysql_sender_login_maps.cf

/etc/postfix/mysql_sender_login_maps.cf:
user = <mysqluser>
password = <mysqlpass>
hosts = 127.0.0.1
dbname = postfix
table = mailbox
select_field = username
where_field = username
So it looks like smtpd_sender_login_maps needs to be fixed too.

I will make a new server and test these settings; I don't want to stop the live servers or create any issue.

Thanks
Raj
#5 | Nic (Intermediate Member) | 08-11-2009, 12:07 AM

Hello all,

I have the same issue on my Zimbra server, so I'm testing this:

Quote:
/opt/zimbra/conf/ldap-slm.cf:

server_host = ldap://server.domain.com:389
server_port = 389
search_base =
query_filter = (|(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s))
result_attribute = zimbraAllowFromAddress,zimbraMailAlias,zimbraMailDeliveryAddress
version = 3
bind = no
timeout = 30

- Make zimbraAllowFromAddress readable by anonymous

- smtpd_sender_login_maps = /opt/zimbra/conf/ldap-slm.cf

- smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
But how could I modify zimbraAllowFromAddress to be readable by anonymous?

Thanks in advance for your help.
#6 | Elite Member | 04-22-2010, 02:05 AM

Hi Raj,
Quote:
Originally Posted by raj
I searched all over the internet and I see the following info. One person mentioned using these 3; I don't know the correct order or if I need all 3. I will test and post the results.
Other guys posted that the following worked.
So it looks like smtpd_sender_login_maps needs to be fixed too.
I will make a new server and test these settings; I don't want to stop the live servers or create any issue.
Thanks
Raj
I know it's an old thread but I'm thinking of applying the same rule on my Zimbra server. Could you please tell me whether you have successfully implemented this rule or not?
__________________
Best Regards
---
Masim "Vavai" Sugianto
Vavai Personal Blog
Personal Blog [ID]

Release 7.1.3_GA_3346.SLES11_64_20110930001521 SLES11_64 FOSS edition.
#7 | raj (Moderator) | 04-22-2010, 04:29 AM

Nope, not by the settings mentioned in the post, but by POLICYD. I had to edit the code to make it behave like we needed.

Raj
__________________
i2k2 Networks
Dedicated & Shared Zimbra Hosting Provider
#8 | Junior Member | 07-25-2010, 11:00 PM

Instead of querying LDAP in smtpd_sender_login_maps, you can make a simple one-to-one map:
Code:
/opt/zimbra/postfix/conf/sender_map:

/^(.*)$/	$1
Code:
/opt/zimbra/postfix/conf/main.cf:

smtpd_sender_login_maps = regexp:/opt/zimbra/postfix/conf/sender_map
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
It enforces a strict relationship between MAIL FROM and sasl_username and does not allow sending on behalf of your aliases, like the LDAP map does.
That may not be appropriate for everybody, but it works fine for me.
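A model of how reject_authenticated_sender_login_mismatch consults smtpd_sender_login_maps, added here as an example and not code from the thread or from Postfix: it compares the one-to-one regexp map from post #8 with an alias-aware owner map in the style of the LDAP map from post #5 (the example.com mailboxes, alias and allow-from entries are constructed). It also shows the consequence of the identity map that the post hints at: the login must equal the MAIL FROM string exactly, so a bare login like the "jobs" in post #1 would be rejected even for its own address.

```python
import re

# Constructed owner table standing in for an LDAP smtpd_sender_login_maps source
# like the ldap-slm.cf in post #5: keys are MAIL FROM addresses, values are the
# logins allowed to use them (the mailbox itself, alias owners, allow-from grants).
LDAP_OWNERS = {
    "jobs@example.com": {"jobs@example.com"},
    "careers@example.com": {"jobs@example.com"},                    # alias of jobs
    "sales@example.com": {"sales@example.com", "bob@example.com"},  # bob may send as sales
}

def ldap_login_map(mail_from):
    """Owners of mail_from as an LDAP map would return them (empty set = no owner)."""
    return LDAP_OWNERS.get(mail_from.lower(), set())

# The one-to-one map from post #8, a regexp table holding  /^(.*)$/  $1
def regexp_login_map(mail_from):
    """Every sender address owns itself and nothing else; aliases get no owner."""
    match = re.match(r"^(.*)$", mail_from)
    return {match.group(1)} if match else set()

def authenticated_sender_login_mismatch(sasl_username, mail_from, login_map):
    """Model of reject_authenticated_sender_login_mismatch.

    Postfix rejects when the client is SASL-authenticated and its login name is
    not among the owners smtpd_sender_login_maps returns for the MAIL FROM
    address (no owner at all also counts as a mismatch). Unauthenticated
    clients are left to the other restrictions. Returns "REJECT" or "DUNNO".
    """
    if not sasl_username:
        return "DUNNO"
    owners = {owner.lower() for owner in login_map(mail_from)}
    return "DUNNO" if sasl_username.lower() in owners else "REJECT"

if __name__ == "__main__":
    # The case from post #1: login "jobs" sending as alerts@citibank.com.
    for name, login_map in (("ldap", ldap_login_map), ("regexp", regexp_login_map)):
        print(name, authenticated_sender_login_mismatch("jobs", "alerts@citibank.com", login_map))
```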