#1
05-06-2011, 09:31 PM
New Member
Posts: 3
[SOLVED] How to force user auth for sending mail

I have checked several threads with issues similar to the following, but I don't find a clear answer.

My server has TLS auth enabled but also permits sending mail to my domain users without any auth. That condition could permit any user from my domain to send mail supplanting any other user of my domain (e.g. using SMTP commands).

That is, for example, userA sends a mail to userB as if it came from userC.
To avoid this situation I want to force auth before a user sends mail.

Is it possible?

(I know about POP before SMTP, but I don't want to install an additional tool to do that)

#2
05-08-2011, 02:04 PM
Advanced Member
Posts: 222

If I understand correctly, you might have been confused about mail relay and mail receiving. If you have TLS auth enabled, then authentication must also be forced, so no one can send (relay) mail using your server without authenticating first.
Then, regarding user1 sending mail on behalf of user2, I don't think it would work if authentication is enabled, except in the situation where user1 has an ALIAS named user2.
But it might be that I am also wrong - I haven't tested it.

#3
05-09-2011, 12:17 AM
Intermediate Member
Posts: 18

Hi,
yes, it is indeed possible that ANYONE can hand an e-mail message over to your server if it is addressed to one of your users and can fill in the "From" field with anything, including others of your e-mail addresses. The sender field of an e-mail should by no means be trusted. If your users require some certainty as to who the mail is really from, they should use S/MIME or another cryptographic solution. Support for S/MIME in Zimbra is on the way (for some time now), you can see progress and vote for it here:

https://bugzilla.zimbra.com/show_bug.cgi?id=9046

Best regards.

Edit: And this is not a problem of Zimbra but e-mail in general.

#4
05-30-2011, 08:57 AM
New Member
Posts: 3

Thanks for the reply.
I found a solution for my issue.

I checked my main.cf and under smtpd_recipient_restrictions were the parameters "permit_mynetworks", "permit_sasl_authenticated" and other checks and rejects. In fact, on my server users could send mail with (permitted by "permit_sasl_authenticated") and without (permitted by "permit_mynetworks") SMTP authentication. I removed the users' network from mynetworks and added the parameter "reject" at the end of smtpd_recipient_restrictions.

Now the users must enable SMTP authentication in their mail clients (Outlook, Thunderbird, etc.) in order to send mail. If users don't use SMTP authentication (or try to send mail using SMTP commands directly) the server rejects the message with the error "Recipient address rejected: Access denied".

Maybe it is not the most elegant solution but it works. I think smtpd_client_restrictions may be used to do that in a better manner.

Last edited by mablux; 07-05-2011 at 06:34 AM..
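
The effect of the change described in post #4, as an added example that is not part of the thread or of Zimbra's own tooling: a small shell model of how Postfix walks smtpd_recipient_restrictions until one entry decides. The two lists are constructed from the post's description; reject_non_fqdn_recipient and reject_unauth_destination stand in for the "other checks and rejects" it mentions (an assumption).

```shell
#!/bin/sh
# Added example: simplified walk of a Postfix smtpd_recipient_restrictions list.
# Only five restrictions are modelled; any other entry is assumed to give no
# decision for the request being checked.

# Constructed lists modelled on the post: same checks, different final entry.
BEFORE='reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, permit'
AFTER='reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject'

# decide LIST SASL_AUTH IN_MYNETWORKS RCPT_LOCAL   (last three: yes|no)
# Prints the first decisive result, "permit" or "reject".
decide() {
    for r in $(printf '%s' "$1" | tr ',' ' '); do
        case "$r" in
            permit_sasl_authenticated)
                if [ "$2" = yes ]; then echo permit; return 0; fi ;;
            permit_mynetworks)
                if [ "$3" = yes ]; then echo permit; return 0; fi ;;
            reject_unauth_destination)
                if [ "$4" = no ]; then echo reject; return 0; fi ;;
            permit) echo permit; return 0 ;;
            reject) echo reject; return 0 ;;
        esac
    done
    echo permit   # a list that ends without a decision accepts the recipient
}

# report LIST: one line per client type for a recipient in a local domain,
# plus a last line for a recipient elsewhere (a relay attempt).
report() {
    printf 'authenticated client            -> %s\n' "$(decide "$1" yes no yes)"
    printf 'unauthenticated, in mynetworks  -> %s\n' "$(decide "$1" no yes yes)"
    printf 'unauthenticated, outside        -> %s\n' "$(decide "$1" no no yes)"
    printf 'unauthenticated relay attempt   -> %s\n' "$(decide "$1" no no no)"
}

echo "final permit:"; report "$BEFORE"
echo "final reject:"; report "$AFTER"
```

With the final reject, the "in mynetworks" row still prints permit, which is why the post also removes the users' network from mynetworks. The list treats a remote mail server delivering inbound mail the same as any other unauthenticated client outside mynetworks, so inbound delivery is worth testing after the change.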

#5
06-07-2011, 01:25 AM
Elite Member
Posts: 338

It's a good idea. But did you check if outgoing and ingoing mails are good?

#6
06-09-2011, 03:53 AM
Elite Member
Posts: 338

I can't add the "reject" parameter to the smtpd_recipient_restrictions, Zimbra always resets that value.

#7
07-04-2011, 05:08 AM
New Member
Posts: 3

dalmate:

The ingoing and outgoing mails are good, already tested.

You must add "reject" (or change the last "permit" to "reject") in /opt/zimbra/conf/postfix_recipient_restrictions.cf

Good luck!!

#8
05-08-2012, 12:26 AM
Member
Posts: 14

Hello Mablux,
In this situation I have a problem sending mail via webmail. Do you have a solution for this?

Best Regards

#9
05-08-2012, 12:33 AM
Member
Posts: 14

My question is how to make the mail server an open relay (zmprov modifyServer mail.example.com zimbraMtaMyNetworks '0.0.0.0/0' ) and force everybody to use SMTP authentication and also use webmail?

Best Regards

#10
05-08-2012, 12:41 AM
Zimbra Consultant & Moderator
Posts: 20,313

Quote:
Originally Posted by shoneo
In this situation I have a problem sending mail via webmail. Do you have a solution for this?

What exactly is the problem and what errors do you see in the log files?

Quote:
Originally Posted by shoneo
My question is how to make the mail server an open relay (zmprov modifyServer mail.example.com zimbraMtaMyNetworks '0.0.0.0/0' ) and force everybody to use SMTP authentication and also use webmail?

You do not, under any circumstances, want to make your server an open relay. If you want your users to authenticate then they should use port 587 as the submission port.

What are you trying to achieve by making these changes?
__________________
Regards


Bill