{"id":3628,"date":"2014-10-09T10:12:13","date_gmt":"2014-10-09T02:12:13","guid":{"rendered":"http:\/\/rmohan.com\/?p=3628"},"modified":"2014-10-09T10:12:13","modified_gmt":"2014-10-09T02:12:13","slug":"zimbra-improvement-restricted-sendersender-must-login-on-zimbra-8","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=3628","title":{"rendered":"ZIMBRA IMPROVEMENT : RESTRICTED SENDER\/SENDER MUST LOGIN ON ZIMBRA 8"},"content":{"rendered":"

powerful mail server, Zimbra has some system security features applied by default. We can also applying some additional security policy to increase mail server protection, such as applying PolicyD and Fail2Ban<\/p>\n

All the above security rule may be sufficient, but there are some additional security tips should be considered, especially in the case of SMTP authorization.<\/p>\n

Look at the following mail flow delivery, sent from or into Zimbra :<\/p>\n

From : External User\u00a0\u00a0 To : External User, Result : Relay Access Denied
\ntelnet mail.rmohan.com 25
\nTrying 103.XXX.XXX.XXX…
\nConnected to mail.rmohan.com.
\nEscape character is ‘^]’.
\n220 mail.rmohan.com ESMTP Postfix
\nehlo mail
\n250-mail.rmohan.com
\n250-PIPELINING
\n250-SIZE 51200000
\n250-VRFY
\n250-ETRN
\n250-STARTTLS
\n250-ENHANCEDSTATUSCODES
\n250-8BITMIME
\n250 DSN
\nmail from:rmohan@yahoo.com
\n250 2.1.0 Ok
\nrcpt to:zezevavai@gmail.com
\n554 5.7.1 <zezevavai@gmail.com>: Relay access denied<\/p>\n

From : External User\u00a0\u00a0 To : Zimbra User, Result : Accepted with prior Scanning for Spam and Viruses
\ntelnet mail.rmohan.com 25
\nTrying 103.XXX.XXX.XXX…
\nConnected to mail.rmohan.com.
\nEscape character is ‘^]’.
\n220 mail.rmohan.com ESMTP Postfix
\nehlo mail
\n250-mail.rmohan.com
\n250-PIPELINING
\n250-SIZE 51200000
\n250-VRFY
\n250-ETRN
\n250-STARTTLS
\n250-ENHANCEDSTATUSCODES
\n250-8BITMIME
\n250 DSN
\nmail from:rmohan@yahoo.com
\n250 2.1.0 Ok
\nrcpt to:myemail@rmohan.com
\n250 2.1.5 Ok
\ndata
\n354 End data with <CR><LF>.<CR><LF>
\nHello Vavai
\n.
\n250 2.0.0 Ok: queued as C78EDB6E001
\nquit
\n221 2.0.0 Bye<\/p>\n

From : Zimbra User\u00a0 To : External User, Result : Accepted with prior SMTP Authorization check<\/p>\n

Zimbra should be respond our request\u00a0 with \u201cRelay Access Denied when trying to send emails without prior authorization
\ntelnet mail.rmohan.com 25
\nTrying 103.XXX.XXX.XXX…
\nConnected to mail.rmohan.com.
\nEscape character is ‘^]’.
\n220 mail.rmohan.com ESMTP Postfix
\nehlo mail
\n250-mail.rmohan.com
\n250-PIPELINING
\n250-SIZE 6144000
\n250-VRFY
\n250-ETRN
\n250-ENHANCEDSTATUSCODES
\n250-8BITMIME
\n250 DSN
\nmail from:rmohan@rmohan.com
\n250 2.1.0 Ok
\nrcpt to:myemail@gmail.com
\n554 5.7.1 <myemail@vavai.com>: Relay access denied<\/p>\n

From : Zimbra User\u00a0 To : Zimbra User, Result : Accepted WITHOUT prior SMTP Authorization check
\ntelnet mail.rmohan.com 25
\nTrying 103.XXX.XXX.XXX…
\nConnected to mail.rmohan.com.
\nEscape character is ‘^]’.
\n220 mail.rmohan.com ESMTP Postfix
\nehlo mail
\n250-mail.rmohan.com
\n250-PIPELINING
\n250-SIZE 6144000
\n250-VRFY
\n250-ETRN
\n250-ENHANCEDSTATUSCODES
\n250-8BITMIME
\n250 DSN
\nmail from:rmohan@rmohan.com
\n250 2.1.0 Ok
\nrcpt to:rmohan@rmohan.com
\n250 2.1.5 Ok<\/p>\n

zimbra-logoLook at the last example. I\u2019m trying to send email from rmohan@rmohan.com to rmohan@rmohan.com without prior authorization and Zimbra accepted this email whereas should not. How if I\u2019m trying to send fake email, let\u2019s say from my boss email into my colleagues?<\/p>\n

To prevent the above security hole, below are some modification which are able to be applied on Zimbra 8. This modification will force the user to authenticate and login before sending an email to an internal users.
\n1.Backup all configuration. Incorrect settings while applying \u201csender must login\u201d policy would interfere Zimbra services and would stop your email communication
\n2.Log in as Zimbra user and edit \/opt\/zimbra\/conf\/zmconfigd.cf
\nAdd the following lines right under POSTCONF smtpd_recipient_restrictions FILE zmconfigd\/postfix_recipient_restrictions.cfPOSTCONF proxy_read_maps FILE zmconfigd\/proxy_read_maps.cf<\/p>\n

and add the following lines right under POSTCONF smtpd_sender_restrictions FILE zmconfigd\/smtpd_sender_restrictions.cf
\nPOSTCONF smtpd_sender_login_maps proxy:ldap:\/opt\/zimbra\/conf\/ldap-slm.cf<\/p>\n

3.Save your changes and then navigate to \/opt\/zimbra\/conf\/zmconfigd\/ folder and edit smtpd_sender_restriction.cfcd \/opt\/zimbra\/conf\/zmconfigd\/
\nvi smtpd_sender_restrictions.cf<\/p>\n

4.Put the following code on the top of the linespermit_mynetworks, reject_sender_login_mismatch<\/p>\n

5.Save your change
\n6.Check your read maps settings with the following command :postconf | grep proxy_read_maps<\/p>\n

7.On my Zimbra 8, the result would shown as below
\n$local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps $alias_maps<\/p>\n

8.Create a proxy_read_maps.cf file
\nvi proxy_read_maps.cf<\/p>\n

and add proxy:ldap:\/opt\/zimbra\/conf\/ldap-slm.cf on the last line of postconf result, so the result is supposedly like this:<\/p>\n

$local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps $alias_maps, proxy:ldap:\/opt\/zimbra\/conf\/ldap-slm.cf<\/p>\n

9.Navigate to \/opt\/zimbra\/conf and create ldap-slm.cf file
\ncd \/opt\/zimbra\/conf
\ngrep server_host \/opt\/zimbra\/conf\/ldap-vam.cf
\ngrep bind_pw \/opt\/zimbra\/conf\/ldap-vam.cf
\nvi ldap-slm.cf<\/p>\n

10.Content of ldap-slm.cf file
\nserver_host = ldap:\/\/HOST:389
\nserver_port = 389
\nsearch_base =
\nquery_filter = (&(|(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)(zimbraMailCatchAllAddress=%s)(mail=%s))(zimbraMailStatus=enabled))
\nresult_attribute = zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailCatchAllForwardingAddress,uid
\nversion = 3
\nstart_tls = yes
\ntls_ca_cert_dir = \/opt\/zimbra\/conf\/ca
\nbind = yes
\nbind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra
\nbind_pw = PASSWORD
\ntimeout = 30<\/p>\n

11.Replace server_host\u00a0 and bind_pw with the result of grep command
\n12.Save all changes and then run the postfix reload to apply the changes
\nchown zimbra:postfix ldap-slm.cf
\npostfix reload<\/p>\n

13.Test the policy by telnet to your Zimbra server and send an email from internal to internal users without prior authorizationtelnet mail.rmohan.com 25
\nTrying XXX.XXX.XXX.XXX…
\nConnected to mail.rmohan.com.
\nEscape character is ‘^]’.
\n220 mail.rmohan.com ESMTP Postfix
\nehlo mail
\n250-mail.rmohan.com
\n250-PIPELINING
\n250-SIZE 51200000
\n250-VRFY
\n250-ETRN
\n250-STARTTLS
\n250-ENHANCEDSTATUSCODES
\n250-8BITMIME
\n250 DSN
\nmail from:rmohan@rmohan.com
\n250 2.1.0 Ok
\nrcpt to:rmohan@rmohan.com
\n553 5.7.1 rmohan@rmohan.com: Sender address rejected: not logged in
\nNotes : Please backup all configuration before trying to set the \u201cSender must login\u201d policy to prevent\u00a0 unexpected things \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"

powerful mail server, Zimbra has some system security features applied by default. We can also applying some additional security policy to increase mail server protection, such as applying PolicyD and Fail2Ban<\/p>\n

All the above security rule may be sufficient, but there are some additional security tips should be considered, especially in the case of SMTP […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,45],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/3628"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3628"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/3628\/revisions"}],"predecessor-version":[{"id":3629,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/3628\/revisions\/3629"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3628"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3628"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3628"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}