Zimbra 8 Restrict Posfix Senders?

[davidah]

What is the best way to restrict postfix senders in Zimbra 8 so that users cannot send using a FROM address other than their own?

I've tried modifying the instruction here:
RestrictPostfixSenders - Zimbra :: Wiki

By using zmlocalconfig -e postfix_<variable_name>=<value>

To set the values (since main.cf) doesn't exist in Zimbra 8. When I look at the posfix configuration, it appears correct, but testing has proven that it is not blocking faked FROM addresses.

Any help is appreciated.

[gibz85]

Did you find any solution for this ?

[Himanshu]

There is a minor change in file locations . Check and you should be through .you can find the same in other post.

[gibz85]

I have added This on zmconfigd.cf

Code:

POSTCONF smtpd_sender_restrictions FILE zmconfigd/smtpd_sender_restrictions.cf
POSTCONF smtpd_sender_login_maps FILE zmconfigd/postfix_sender_login_maps.cf

I already had rest of file from previous installation(before upgrade)

Code:

zimbra@mail:~/conf$ cat zmconfigd/postfix_sender_login_maps.cf
hash:/opt/zimbra/conf/exceptions-db
ldap:/opt/zimbra/conf/ldap-restricrelay.cf

Code:

zimbra@mail:~/conf$ cat /opt/zimbra/conf/ldap-restricrelay.cf
server_host = ldap://mail.mycompany.com:389 >----- Doman Hidden i have place the actual domain here
server_port = 389
search_base =
query_filter = (&(|(uid=%s)(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)(zimbraMailCatchAllAddress=%s))(zimbraMailStatus=enabled))
result_attribute = uid,zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailCatchAllForwardingAddress
version = 3
start_tls = yes
tls_ca_cert_dir = /opt/zimbra/conf/ca
bind = yes
bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra
bind_pw = <password> >--- Password hidden, I have place the right one
timeout = 30

Used Swaks to sent mail and the authenticated user was able to sent email out with spoofed domain part..

Now i am lost why isn't it working.. If you could explain what i did wrong it would be really helpfull. This small config has kept my server clean for 8 months. Upgraded yesterday already spam attack has happened...


Main.cf entry

Code:

smtpd_sender_login_maps = hash:/opt/zimbra/conf/exceptions-db, ldap:/opt/zimbra/conf/ldap-restricrelay.cf

[c1nco]

Having the same exact issue, everything configured properly as far as I can tell, but will not restrict sending from unauthorized email/domain addresses.

Has anyone been successful in restricting, can you offer any additional advice?

Thank You.

[gibz85]

No one knows how to enable this ?

[c1nco]

Got it, for those trying to restrict please view this thread ZIMBRA SMTP AUTH problem

Here is a breakdown on whats need to be done to use with Ubuntu 12.04 and Zimbra 8.

Here we go.

First off :
su - zimbra

Next vi /opt/zimbra/conf/zmconfigd.cf file (will need to change permission in order to edit ... chmod 644 - dont forget to change back to 444 after)

Add below -- POSTCONF smtpd_recipient_restrictions FILE zmconfigd/postfix_recipient_restrictions.cf

Code:

POSTCONF proxy_read_maps FILE zmconfigd/proxy_read_maps.cf

Add below -- POSTCONF smtpd_sender_restrictions FILE zmconfigd/smtpd_sender_restrictions.cf

Code:

POSTCONF smtpd_sender_login_maps proxy:ldap:/opt/zimbra/conf/ldap-slm.cf

Save exit.

Next enter directory /opt/zimbra/conf/zmconfigd/

vi smtpd_sender_restrictions.cf (again you will need to change permissions to 644, then change back after editing)

Input --

Code:

permit_mynetworks, reject_sender_login_mismatch

Above Lines --
%%contains VAR:zimbraServiceEnabled antivirus, check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_originating.re%%
%%contains VAR:zimbraServiceEnabled antivirus, permit_mynetworks%%
%%contains VAR:zimbraServiceEnabled antivirus, permit_sasl_authenticated%%
%%contains VAR:zimbraServiceEnabled antivirus, permit_tls_clientcerts%%
%%contains VAR:zimbraServiceEnabled antivirus, check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re%%

Save exit.

Next we need to create a file in this same directory:

In this file you will need to include your read maps. Issue the following command :

Code:

postconf | grep proxy_read_maps

For me on zimbra 8, I got the following read maps:
$local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps $alias_maps, proxy:ldap:/opt/zimbra/conf/ldap-slm.cf

Then with your read maps --

Code:

vi proxy_read_maps.cf

and input your maps an include , proxy:ldap:/opt/zimbra/conf/ldap-slm.cf at the end (like my maps read out above^ ) -- then save exit.

Next back to /opt/zimbra/conf directory to create the ldap-slm.cf

issue the following commands and make note of results (host and password) --

Code:

grep server_host /opt/zimbra/conf/ldap-vam.cf

grep bind_pw /opt/zimbra/conf/ldap-vam.cf

vi ldap-slm.cf, and input the following for LDAP(S)

Code:

server_host = ldaps://HOST:636
server_port = 636
search_base =
query_filter = (&(|(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)(zimbraMailCatchAllAddress=%s)(mail=%s))(zimbraMailStatus=enabled))
result_attribute = zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailCatchAllForwardingAddress,uid
version = 3
start_tls = no
tls_ca_cert_dir = /opt/zimbra/conf/ca
bind = yes
bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra
bind_pw =  PASSWORD
timeout = 30

or for LDAP

Code:

server_host = ldap://HOST:389
server_port = 389
search_base =
query_filter = (&(|(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)(zimbraMailCatchAllAddress=%s)(mail=%s))(zimbraMailStatus=enabled))
result_attribute = zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailCatchAllForwardingAddress,uid
version = 3
start_tls = yes
tls_ca_cert_dir = /opt/zimbra/conf/ca
bind = yes
bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra
bind_pw =  PASSWORD
timeout = 30

Save exit, then --

Code:

chown zimbra:postfix ldap-slm.cf

Then a simple postfix reload and your viola your ready to go.


A couple notes:
I had an issue when trying to bind the ldap-slm.cf with LDAPS, the solution was to change start_tls = yes to start_tls = no, fixed my issue.
Another note, if you are sending from within your trusted networks you will need to make changes, this is for external network users/clients who try to send from faked alias/personas/FROM addresses through zimbra.

Hope this helps those who experienced this same issue.

Lets hope this will be integrated into the web gui at some point or have "send from any email" checkbox control both the web clients and external clients the same.

Happy Halloween and Happy Zimbraing!

[gibz85]

Thank you, I will check on demo.

[qu4tro]

Hi C1nco, i followed your steps but when i run "postconf | grep proxy_read_maps" i just get this :
"proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps $alias_maps"

Any tip?

Zimbra - Release 8.0.2.GA.5569.UBUNTU12.64 UBUNTU12_64 FOSS edition.

Thanks.

[Yves Pires]

made it work on 8.0.3.GA.5664.UBUNTU12.64 UBUNTU12_64 FOSS edition

ZCS 8.0 - POSTCONF smtpd_recipient_restrictions FILE zmconfigd/postfix_recipient_restrictions.cf
ZCS 8.0.3 - POSTCONF smtpd_recipient_restrictions FILE zmconfigd/smtpd_recipient_restrictions.cf


e.g

POSTCONF smtpd_recipient_restrictions FILE zmconfigd/smtpd_recipient_restrictions.cf
POSTCONF proxy_read_maps FILE zmconfigd/proxy_read_maps.cf
POSTCONF smtpd_relay_restrictions FILE zmconfigd/smtpd_relay_restrictions.cf
POSTCONF smtpd_sender_restrictions FILE zmconfigd/smtpd_sender_restrictions.cf


zmprov modifyServer zimbra.example.com zimbraMtaMyNetworks '127.0.0.0/8 10.10.200.25/32'

postfix reload



thanks