
Thread: Rejecting false "mail from" addresses

  1. #1
    exomic is offline New Member

    Hi,

    I'm currently testing vulnerabilities in my new Zimbra installation and found that anybody can ask my smtp server to send email from my localdomain to my localdomain without using authentication.

    I followed the Rejecting false "mail from" addresses tutorial in Zimbra's Wiki to only allow local network or authenticated users to send on behalf of my localdomain, but with Zimbra 8.0.5 I'm unable to get it working. I'm not sure how to figure out what my localnetwork is set to in my Zimbra config, so I would prefer to always require authentication when sending on behalf of my localdomain.

    Any ideas?

  2. #2
    phoenix is online now Zimbra Consultant & Moderator

    Quote, originally posted by exomic:
    I'm currently testing vulnerabilities in my new Zimbra installation and found that anybody can ask my smtp server to send email from my localdomain to my localdomain without using authentication.

    That's not 'anybody', it's just the users in your Trusted Networks, and it's by design and not a vulnerability. This has been discussed many times in the forums and if you want to restrict it then modify the Trusted Networks to only allow the loopback IP & your ZCS server IP - search the forums or wiki for details.
    Regards

    Bill

  3. #3
    exomic is offline New Member

    Quote, originally posted by phoenix:
    That's not 'anybody', it's just the users in your Trusted Networks, and it's by design and not a vulnerability. This has been discussed many times in the forums and if you want to restrict it then modify the Trusted Networks to only allow the loopback IP & your ZCS server IP - search the forums or wiki for details.

    OK, I have done what you said; in my trusted network I only have my loopback IP. I also followed the wiki as I said previously and still I'm able to send a message without auth with a from email of my domain. I just want to deny all mail from my domain that is not using a valid user auth.

    Any help!

  4. #4
    phoenix is online now Zimbra Consultant & Moderator

    Quote, originally posted by exomic:
    Ok I have done what you said, in my trusted network I only have my loopback IP.

    That wasn't what I said and it's not what the wiki article says; you need to put the correct entries in there.

    Quote, originally posted by exomic:
    I also followed the wiki as I said previously and still I'm able to send message without auth with a from email of my domain. I just want to deny all mail from my domain that is not using a valid user auth

    This isn't a vulnerability, this is what mail servers do - they send mail to your domain. Of course you can send mail from your domain to your domain; it wouldn't make sense to require authentication, otherwise nobody would be able to send you email.
    Regards

    Bill

  5. #5
    exomic is offline New Member

    Quote, originally posted by phoenix:
    That wasn't what I said and it's not what the wiki article says; you need to put the correct entries in there.

    This isn't a vulnerability, this is what mail servers do - they send mail to your domain. Of course you can send mail from your domain to your domain; it wouldn't make sense to require authentication, otherwise nobody would be able to send you email.

    But anybody can send mail from a false email from my domain to my domain. Is there a way to block that? That's the issue, and don't say it's normal, because you did a Wiki tutorial on how to block that, but for my case that doesn't seem to work.

  6. #6
    Raunaq is offline Zimbra Employee

    When you say it's not working for you, it would be great if you can give us some error or something so that people can help you here. About the wiki, are you referring to
    Enforcing a match between the FROM address and the sasl username - Zimbra :: Wiki
    Cheers,
    Raun
    Always ready to help.
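
Added example, not part of the thread or of the Zimbra wiki: a small Python model of the decision the posts above argue about, showing why restricting Trusted Networks alone does not stop an unauthenticated outside client from using a local-domain sender, and what an extra sender check changes. The domain, IP addresses and function names are constructed assumptions; the ordering mirrors the Postfix restrictions `permit_mynetworks`, `permit_sasl_authenticated`, then a `check_sender_access`-style rejection.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
LOCAL_DOMAINS = {"example.com"}
TRUSTED_NETWORKS = ["127.0.0.0/8", "192.0.2.10/32"]  # loopback + server IP


def in_trusted_networks(client_ip, networks=TRUSTED_NETWORKS):
    """True if the connecting client falls inside a trusted network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def sender_domain(mail_from):
    """Domain part of the envelope sender; "" for the null sender <>."""
    addr = mail_from.strip().strip("<>")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def decide(client_ip, sasl_user, mail_from, enforce_local_sender=True):
    """Evaluate an ordered sender-restriction list, first match wins.

    enforce_local_sender=False models a server with no sender check:
    mail claiming a local sender is treated like any other inbound mail.
    """
    if in_trusted_networks(client_ip):
        return "permit (trusted network)"
    if sasl_user:
        return "permit (authenticated)"
    if enforce_local_sender and sender_domain(mail_from) in LOCAL_DOMAINS:
        return "reject (local sender, no auth)"
    return "continue (normal inbound mail)"


if __name__ == "__main__":
    cases = [
        ("203.0.113.5", None, "ceo@example.com"),      # forged local sender
        ("203.0.113.5", None, "bob@example.org"),      # ordinary inbound mail
        ("203.0.113.5", "alice", "alice@example.com"), # authenticated user
        ("127.0.0.1", None, "ceo@example.com"),        # local process
    ]
    for ip, user, sender in cases:
        print(ip, user, sender, "->", decide(ip, user, sender))
```

The model does not check that an authenticated user's login matches the sender address; that is the separate control covered by the wiki page Raunaq links.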
