same domain SMTP authentication

[g_kos]

Hi guys,

my first post.

The problem I am experiencing is that I received quite a lot of SPAM from the domain pretending to be my own.

so if the email is user@example.com, this account receives the email from administrator@example.com


is there any way to make sure that all the email coming from example.com domains would have to be authenticated.

In exim, the MTA I've moved to zimbra from, it was rather simple

# Deny from local domains if sender is not authenticated
deny sender_domains = example.com
!authenticated = *
message = Please authenticate in order to send mail from your domain

is there similar functionality in zimbra/postfix?

thanks

[phoenix]

If your Zimbra server has an internet facing port 25 then you can't enforce Authentication for other mail servers, it doesn't make sense and you never receive any email - think about it, how would other mail server know what the account/password is?

You need to improve you ant-spam system: Improving Anti-spam system - Zimbra :: Wiki Simply enforcing Discarding Emails Sent to Invalid Addresses will get rid of a lot of spam as will using a good RBL such as zen.spamhaus,org - search the forums for some tips on reducing the spam load.

[g_kos]

thanks for the promt reply. I guess I might have not expressed myself clear
enough, since what I want to achieve makes perfect sense.

let's assume that I control the @example.com domain. So I want to enforce that
every message that originates from @example.com domain has to be authenticated.

It doesn't matter whether the RCPT TO: would be someotherdomain.com or
example.com domain, if it has MAIL FROM: @example.com it has to be
authenticated, otherwise reject.
So I want to enforce authentication for all the MTA/MUA's that send mail from
example.com domain. as at the moment, the acl that says, if the RCPT TO has @example.com accept no matter whether the authentication is turned on or not.

Since at the moment, some spammers set their FROM address in @example.com to
send the messages to @example.com. This is annoying. I can enforce SPF policy,
but that's not the point. I have addedd extra RBLs, pyzor, razor2 etc.
in the SA.

I hope its clearer now

[adeelarifbhatti]

well, I have an very good under standing of this issue.You can achieve this very easily.
Only MUAs will be sending mails with mail from xyz@example.com, isn't???
No MTA will be sending mails from *@example.com. All you have to do is to make a rule for example.com in your SA i.e. any mail coming from example.com should be mark as SPAM, and all the SPAMMER's MTA will abusively send email on port 25. Now enable the SMTPS authentication on port 465, and ask the user to have the configuration i.e. authenticate before sending email on port 465.

NOTE>> (I am not using default SA comes with zimbra, so I am not sure but have a strong feeling that the SA will not mark any email as spam which comes after authentication i.e on port 465).

Regards
Adeel

[phoenix]

Quote:

Originally Posted by g_kos

thanks for the promt reply. I guess I might have not expressed myself clear
enough, since what I want to achieve makes perfect sense.

let's assume that I control the @example.com domain. So I want to enforce that
every message that originates from @example.com domain has to be authenticated.

It doesn't matter whether the RCPT TO: would be someotherdomain.com or
example.com domain, if it has MAIL FROM: @example.com it has to be
authenticated, otherwise reject.
So I want to enforce authentication for all the MTA/MUA's that send mail from
example.com domain. as at the moment, the acl that says, if the RCPT TO has @example.com accept no matter whether the authentication is turned on or not.

Since at the moment, some spammers set their FROM address in @example.com to
send the messages to @example.com. This is annoying. I can enforce SPF policy,
but that's not the point. I have addedd extra RBLs, pyzor, razor2 etc.
in the SA.

I hope its clearer now

It was clear the first time I read it.

What you're experiencing is know as NDR or Backscatter spam (and several other names), there are several threads in the forums that describe what you can do to alleviate the problem. Have you also implemented the option to Discard Email Sent to Invalid Addresses?

[adeelarifbhatti]

you can never get away from this problem, unless to make the *@example.com blacklist when coming from 25 port. No matter what you implement, stuff like RBLs etc but this issue will not be solved unless you do what I am telling you.



Regards
Adeel

[g_kos]

thanks guys, have set up reject_unknown_recipient_domain

let's see if that helps.

also, guess would have to go through the postfix mauals and do more RTFM

2adeelarifbhatti,

as i posted previously in exim it is very easy to solve, by using
deny sender_domains = example.com
!authenticated = *

i was hoping that something similar would be avilable in the postfix

[adeelarifbhatti]

thanks guys, have set up reject_unknown_recipient_domain >> will never solve the issue?

All u have to do is ask SA to blacklist mails from *@example.com and ask users to send email on 465 with authentication. This is the only, best and perfect solution.

Regards
Adeel

[g_kos]

the logic of the best and perfect solution would be a single ACL

1. if the sender_domain = example.com then the message has to come through authenticated session in order to be processed, otherwise reject message.


I miss the flexibility of exim, and wish zimbra team would have chosen it instead of postfix. ( sorry for moaning

TBH, opening tcp:465 for SMTP/S, and reconfiguring all the users is just too much effort.


I wonder if this cone be achieved with "reject_authenticated_sender_login_mismatch" and setting the "smtpd_sender_login_maps" ?

[hispa]

Is it possible to do?

Did you achieve what you were looking for?

I have the same problem