Relay domain allowed

[saresca]

I recently install Zimbra server on a lab server. I'm testing the security and the spamassin and clamav. The first security hole that i found was:

The smtp ssl authenticated user are allowed to send mail from any domain.

If there any way to stop it, please let me know.

postconf -d | grep smtp

smtp_always_send_ehlo = yes
smtp_bind_address =
smtp_bind_address6 =
smtp_cname_overrides_servername = yes
smtp_connect_timeout = 30s
smtp_connection_cache_destinations =
smtp_connection_cache_on_demand = yes
smtp_connection_cache_reuse_limit = 10
smtp_connection_cache_time_limit = 2s
smtp_data_done_timeout = 600s
smtp_data_init_timeout = 120s
smtp_data_xfer_timeout = 180s
smtp_defer_if_no_mx_address_found = no
smtp_destination_concurrency_limit = $default_destination_concurrency_limit
smtp_destination_recipient_limit = $default_destination_recipient_limit
smtp_discard_ehlo_keyword_address_maps =
smtp_discard_ehlo_keywords =
smtp_enforce_tls = no
smtp_generic_maps =
smtp_helo_name = $myhostname
smtp_helo_timeout = 300s
smtp_host_lookup = dns
smtp_line_length_limit = 990
smtp_mail_timeout = 300s
smtp_mx_address_limit = 0
smtp_mx_session_limit = 2
smtp_never_send_ehlo = no
smtp_pix_workaround_delay_time = 10s
smtp_pix_workaround_threshold_time = 500s
smtp_quit_timeout = 300s
smtp_quote_rfc821_envelope = yes
smtp_randomize_addresses = yes
smtp_rcpt_timeout = 300s
smtp_rset_timeout = 20s
smtp_sasl_auth_enable = no
smtp_sasl_mechanism_filter =
smtp_sasl_password_maps =
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = $var_smtp_sasl_opts
smtp_send_xforward_command = no
smtp_skip_5xx_greeting = yes
smtp_skip_quit_response = yes
smtp_starttls_timeout = 300s
smtp_tls_CAfile =
smtp_tls_CApath =
smtp_tls_cert_file =
smtp_tls_cipherlist =
smtp_tls_dcert_file =
smtp_tls_dkey_file = $smtp_tls_dcert_file
smtp_tls_enforce_peername = yes
smtp_tls_key_file = $smtp_tls_cert_file
smtp_tls_loglevel = 0
smtp_tls_note_starttls_offer = no
smtp_tls_per_site =
smtp_tls_scert_verifydepth = 5
smtp_tls_session_cache_database =
smtp_tls_session_cache_timeout = 3600s
smtp_use_tls = no
smtp_xforward_timeout = 300s
smtpd_authorized_verp_clients = $authorized_verp_clients
smtpd_authorized_xclient_hosts =
smtpd_authorized_xforward_hosts =
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_connection_count_limit = 50
smtpd_client_connection_rate_limit = 0
smtpd_client_event_limit_exceptions = ${smtpd_client_connection_limit_exceptions:$mynetw orks}
smtpd_client_message_rate_limit = 0
smtpd_client_recipient_rate_limit = 0
smtpd_client_restrictions =
smtpd_data_restrictions =
smtpd_delay_reject = yes
smtpd_discard_ehlo_keyword_address_maps =
smtpd_discard_ehlo_keywords =
smtpd_end_of_data_restrictions =
smtpd_enforce_tls = no
smtpd_error_sleep_time = 1s
smtpd_etrn_restrictions =
smtpd_expansion_filter =
smtpd_forbidden_commands = CONNECT GET POST
smtpd_hard_error_limit = 20
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_history_flush_threshold = 100
smtpd_junk_command_limit = 100
smtpd_noop_commands =
smtpd_null_access_lookup_key = <>
smtpd_policy_service_max_idle = 300s
smtpd_policy_service_max_ttl = 1000s
smtpd_policy_service_timeout = 100s
smtpd_proxy_ehlo = $myhostname
smtpd_proxy_filter =
smtpd_proxy_timeout = 100s
smtpd_recipient_limit = 1000
smtpd_recipient_overshoot_limit = 1000
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = no
smtpd_restriction_classes =
smtpd_sasl_application_name = smtpd
smtpd_sasl_auth_enable = no
smtpd_sasl_exceptions_networks =
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sender_login_maps =
smtpd_sender_restrictions =
smtpd_soft_error_limit = 10
smtpd_starttls_timeout = 300s
smtpd_timeout = 300s
smtpd_tls_CAfile =
smtpd_tls_CApath =
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = no
smtpd_tls_ccert_verifydepth = 5
smtpd_tls_cert_file =
smtpd_tls_cipherlist =
smtpd_tls_dcert_file =
smtpd_tls_dh1024_param_file =
smtpd_tls_dh512_param_file =
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_loglevel = 0
smtpd_tls_received_header = no
smtpd_tls_req_ccert = no
smtpd_tls_session_cache_database =
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_wrappermode = no
smtpd_use_tls = no

[jholder]

Hi and welcome to the Zimbra Forums!

I've forwarded this issue on to one of the developers for review. You should here from someone shortly.

Thanks
john

[saresca]

Thanks John.

I found how to block unknown users, but still didn't find how to block no-local domains.

To block unknown users, just add reject_unlisted_sender, before permit_sasl_authenticated:

/opt/zimbra/conf/postfix_recipient_restrictions.cf

reject_non_fqdn_recipient
reject_unlisted_recipient
reject_unlisted_sender
permit_mynetworks
permit_sasl_authenticated
%%contains VAR:zimbraMtaRestriction reject_invalid_hostname%%
%%contains VAR:zimbraMtaRestriction reject_non_fqdn_hostname%%
%%contains VAR:zimbraMtaRestriction reject_non_fqdn_sender%%
%%contains VAR:zimbraMtaRestriction reject_unknown_client%%
%%contains VAR:zimbraMtaRestriction reject_unknown_hostname%%
%%contains VAR:zimbraMtaRestriction reject_unknown_sender_domain%%
%%contains VAR:zimbraMtaRestriction reject_rbl_client dnsbl.njabl.org%%
%%contains VAR:zimbraMtaRestriction reject_rbl_client relays.ordb.org%%
%%contains VAR:zimbraMtaRestriction reject_rbl_client cbl.abuseat.org%%
%%contains VAR:zimbraMtaRestriction reject_rbl_client bl.spamcop.net%%
%%contains VAR:zimbraMtaRestriction reject_rbl_client dnsbl.sorbs.net%%
%%contains VAR:zimbraMtaRestriction reject_rbl_client sbl.spamhaus.org%%
%%contains VAR:zimbraMtaRestriction reject_rbl_client xbl.spamhaus.org%%
%%contains VAR:zimbraMtaRestriction reject_rbl_client sbl-xbl.spamhaus.org%%
%%contains VAR:zimbraMtaRestriction reject_rbl_client relays.mail-abuse.org%%
reject_unauth_destination
permit

[anand]

http://bugzilla.zimbra.com/show_bug.cgi?id=11258

[jholder]

Hi,
As anand pointed out, there is a bugzilla bug for this as an enhancement.

The reason we are calling this an enhancement now, is because you should be able to send what ever you want, since you're authed.

We're looking to add support for smtpd_sender_login_maps. Please go there and VOTE for it!

[cmargena]

This post is an old one but I wanted to know if there have been any news regarding this issue, the bugzilla is in assigned status but there is no answer.

[phoenix]

This post is an old one but I wanted to know if there have been any news regarding this issue, the bugzilla is in assigned status but there is no answer.

Any specific answer would be in the bug report and, as you can see, it's still open. If you're interested in seeing it implemented then you should vote on it.

[cmargena]

I understand what you say but I have been researching after posting and please let me say that there is another thread that is related How to enforce sasl_username=FROM ADDRESS and bugzilla 15808 and really, perhaps it's just me, but is not clear if it has been solved or not.

[phoenix]

I understand what you say but I have been researching after posting and please let me say that there is another thread that is related How to enforce sasl_username=FROM ADDRESS and bugzilla 15808 and really, perhaps it's just me, but is not clear if it has been solved or not.

They are two different RFEs, one has been 'fixed' i.e. it has been fixed in is in a version of Zimbra but has not been through QA and the other is still unresolved. It should be self explanatory in the bug report but..... the status of the bugs is mentioned in their bug report and the version that the are targeted for is in the Product Portal when it's been set for release. If you don't know what any of the 'status' fields means the click on them for an explanation.