powerful mail server, Zimbra has some system security features applied by default. We can also applying some additional security policy to increase mail server protection, such as applying PolicyD and Fail2Ban
All the above security rule may be sufficient, but there are some additional security tips should be considered, especially in the case of SMTP authorization.
Look at the following mail flow delivery, sent from or into Zimbra :
From : External User To : External User, Result : Relay Access Denied
telnet mail.rmohan.com 25
Trying 103.XXX.XXX.XXX…
Connected to mail.rmohan.com.
Escape character is ‘^]’.
220 mail.rmohan.com ESMTP Postfix
ehlo mail
250-mail.rmohan.com
250-PIPELINING
250-SIZE 51200000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:rmohan@yahoo.com
250 2.1.0 Ok
rcpt to:zezevavai@gmail.com
554 5.7.1 <zezevavai@gmail.com>: Relay access denied
From : External User To : Zimbra User, Result : Accepted with prior Scanning for Spam and Viruses
telnet mail.rmohan.com 25
Trying 103.XXX.XXX.XXX…
Connected to mail.rmohan.com.
Escape character is ‘^]’.
220 mail.rmohan.com ESMTP Postfix
ehlo mail
250-mail.rmohan.com
250-PIPELINING
250-SIZE 51200000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:rmohan@yahoo.com
250 2.1.0 Ok
rcpt to:myemail@rmohan.com
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Hello Vavai
.
250 2.0.0 Ok: queued as C78EDB6E001
quit
221 2.0.0 Bye
From : Zimbra User To : External User, Result : Accepted with prior SMTP Authorization check
Zimbra should be respond our request with “Relay Access Denied when trying to send emails without prior authorization
telnet mail.rmohan.com 25
Trying 103.XXX.XXX.XXX…
Connected to mail.rmohan.com.
Escape character is ‘^]’.
220 mail.rmohan.com ESMTP Postfix
ehlo mail
250-mail.rmohan.com
250-PIPELINING
250-SIZE 6144000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:rmohan@rmohan.com
250 2.1.0 Ok
rcpt to:myemail@gmail.com
554 5.7.1 <myemail@vavai.com>: Relay access denied
From : Zimbra User To : Zimbra User, Result : Accepted WITHOUT prior SMTP Authorization check
telnet mail.rmohan.com 25
Trying 103.XXX.XXX.XXX…
Connected to mail.rmohan.com.
Escape character is ‘^]’.
220 mail.rmohan.com ESMTP Postfix
ehlo mail
250-mail.rmohan.com
250-PIPELINING
250-SIZE 6144000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:rmohan@rmohan.com
250 2.1.0 Ok
rcpt to:rmohan@rmohan.com
250 2.1.5 Ok
zimbra-logoLook at the last example. I’m trying to send email from rmohan@rmohan.com to rmohan@rmohan.com without prior authorization and Zimbra accepted this email whereas should not. How if I’m trying to send fake email, let’s say from my boss email into my colleagues?
To prevent the above security hole, below are some modification which are able to be applied on Zimbra 8. This modification will force the user to authenticate and login before sending an email to an internal users.
1.Backup all configuration. Incorrect settings while applying “sender must login” policy would interfere Zimbra services and would stop your email communication
2.Log in as Zimbra user and edit /opt/zimbra/conf/zmconfigd.cf
Add the following lines right under POSTCONF smtpd_recipient_restrictions FILE zmconfigd/postfix_recipient_restrictions.cfPOSTCONF proxy_read_maps FILE zmconfigd/proxy_read_maps.cf
and add the following lines right under POSTCONF smtpd_sender_restrictions FILE zmconfigd/smtpd_sender_restrictions.cf
POSTCONF smtpd_sender_login_maps proxy:ldap:/opt/zimbra/conf/ldap-slm.cf
3.Save your changes and then navigate to /opt/zimbra/conf/zmconfigd/ folder and edit smtpd_sender_restriction.cfcd /opt/zimbra/conf/zmconfigd/
vi smtpd_sender_restrictions.cf
4.Put the following code on the top of the linespermit_mynetworks, reject_sender_login_mismatch
5.Save your change
6.Check your read maps settings with the following command :postconf | grep proxy_read_maps
7.On my Zimbra 8, the result would shown as below
$local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps $alias_maps
8.Create a proxy_read_maps.cf file
vi proxy_read_maps.cf
and add proxy:ldap:/opt/zimbra/conf/ldap-slm.cf on the last line of postconf result, so the result is supposedly like this:
$local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps $alias_maps, proxy:ldap:/opt/zimbra/conf/ldap-slm.cf
9.Navigate to /opt/zimbra/conf and create ldap-slm.cf file
cd /opt/zimbra/conf
grep server_host /opt/zimbra/conf/ldap-vam.cf
grep bind_pw /opt/zimbra/conf/ldap-vam.cf
vi ldap-slm.cf
10.Content of ldap-slm.cf file
server_host = ldap://HOST:389
server_port = 389
search_base =
query_filter = (&(|(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)(zimbraMailCatchAllAddress=%s)(mail=%s))(zimbraMailStatus=enabled))
result_attribute = zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailCatchAllForwardingAddress,uid
version = 3
start_tls = yes
tls_ca_cert_dir = /opt/zimbra/conf/ca
bind = yes
bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra
bind_pw = PASSWORD
timeout = 30
11.Replace server_host and bind_pw with the result of grep command
12.Save all changes and then run the postfix reload to apply the changes
chown zimbra:postfix ldap-slm.cf
postfix reload
13.Test the policy by telnet to your Zimbra server and send an email from internal to internal users without prior authorizationtelnet mail.rmohan.com 25
Trying XXX.XXX.XXX.XXX…
Connected to mail.rmohan.com.
Escape character is ‘^]’.
220 mail.rmohan.com ESMTP Postfix
ehlo mail
250-mail.rmohan.com
250-PIPELINING
250-SIZE 51200000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:rmohan@rmohan.com
250 2.1.0 Ok
rcpt to:rmohan@rmohan.com
553 5.7.1 rmohan@rmohan.com: Sender address rejected: not logged in
Notes : Please backup all configuration before trying to set the “Sender must login” policy to prevent unexpected things 🙂
Recent Comments