
Thread: How to enforce sasl_username=FROM ADDRESS

  1. #1

    How to enforce sasl_username=FROM ADDRESS

    Hi, I need help.

    Apr 20 11:42:55 zimbra1 postfix/smtpd[29431]: B28914D5978: client=209-159-58-74.static.networktel.net[209.159.58.74], sasl_method=LOGIN, sasl_username=jobs
    Apr 20 11:42:56 zimbra1 postfix/cleanup[5522]: B28914D5978: message-id=<20090420154255.B28914D5978@zimbraserver.com>
    Apr 20 11:42:56 zimbra1 postfix/qmgr[20690]: B28914D5978: from=<alerts@citibank.com>, size=6026, nrcpt=10 (queue active)
    Apr 20 11:42:57 zimbra1 postfix/cleanup[3983]: 2BA56465D28: message-id=<20090420154255.B28914D5978@zimbraserver.com>
    In the above case the PASSWORD for user jobs was compromised and the SPAMMER was able to relay emails using from=<alerts@citibank.com>.

    Is there a way to ENFORCE that from=<user@domain.com> is the SAME as sasl_username=user?

    * I know the SPAMMER can still relay, but then the FROM address will not be "alerts@citibank.com", for example, and just by looking at the abuse report we can tell which address was actually compromised.

    Any ideas?

    Raj
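The kind of check the abuse report above calls for, as an added example that is not part of the original post: correlate the postfix/smtpd record (which carries sasl_username and the client) with the postfix/qmgr record (which carries the envelope from=<...>) on the queue ID, and flag every authenticated submission whose MAIL FROM is not owned by the login that sent it. The sample log is constructed: it contains the three lines quoted in the post plus one legitimate submission whose queue ID, host and address are invented.

```python
import re

# Constructed sample log: the three lines quoted in the post above, plus one
# legitimate submission (queue ID 0A1B2C3D4E5, host and addresses invented).
SAMPLE_LOG = """\
Apr 20 11:42:55 zimbra1 postfix/smtpd[29431]: B28914D5978: client=209-159-58-74.static.networktel.net[209.159.58.74], sasl_method=LOGIN, sasl_username=jobs
Apr 20 11:42:56 zimbra1 postfix/cleanup[5522]: B28914D5978: message-id=<20090420154255.B28914D5978@zimbraserver.com>
Apr 20 11:42:56 zimbra1 postfix/qmgr[20690]: B28914D5978: from=<alerts@citibank.com>, size=6026, nrcpt=10 (queue active)
Apr 20 11:50:01 zimbra1 postfix/smtpd[29431]: 0A1B2C3D4E5: client=mail.example.net[192.0.2.10], sasl_method=LOGIN, sasl_username=jobs
Apr 20 11:50:02 zimbra1 postfix/qmgr[20690]: 0A1B2C3D4E5: from=<jobs@example.com>, size=1200, nrcpt=1 (queue active)
"""

# smtpd logs the client and, for authenticated sessions, the SASL login name.
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-Za-z]+): client=(?P<client>[^,]+),"
    r".*\bsasl_username=(?P<user>\S+)"
)
# qmgr logs the envelope sender once the message is accepted into the queue.
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-Za-z]+): from=<(?P<sender>[^>]*)>"
)


def login_owns_sender(sasl_username, sender):
    """Accept the sender if the SASL login equals the full address or its
    local part. Comparison is case-insensitive, as Postfix compares logins."""
    user = sasl_username.lower()
    sender = sender.lower()
    return user in (sender, sender.split("@", 1)[0])


def find_sender_login_mismatches(log_text):
    """Join smtpd and qmgr records on the queue ID and return one record per
    authenticated submission whose MAIL FROM is not owned by its login."""
    logins = {}   # queue ID -> (sasl_username, client)
    senders = {}  # queue ID -> MAIL FROM address
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            logins[m["qid"]] = (m["user"], m["client"])
            continue
        m = QMGR_RE.search(line)
        if m:
            senders[m["qid"]] = m["sender"]

    mismatches = []
    for qid, (user, client) in logins.items():
        sender = senders.get(qid)
        if sender is not None and not login_owns_sender(user, sender):
            mismatches.append({"queue_id": qid, "sasl_username": user,
                               "client": client, "sender": sender})
    return mismatches


if __name__ == "__main__":
    for hit in find_sender_login_mismatches(SAMPLE_LOG):
        print("{queue_id}: login {sasl_username!r} from {client} "
              "sent as <{sender}>".format(**hit))
```

Run it against a real mail.log to get the list of compromised logins directly, instead of reading the from= address in the abuse report and guessing. Unauthenticated sessions have no sasl_username and are skipped, so the report only covers relay through stolen credentials.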

  2. #2

    I seem to remember that being handled by:
    Code:
    postconf -e smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch
    postfix reload
    Might have to set smtpd_sender_login_maps = proxy:ldap:/opt/zimbra/conf/ldap-vam.cf or something.

    There's also reject_sender_login_mismatch & reject_unauthenticated_sender_login_mismatch. (Check if you have any current values for sender restrictions first / add it to them rather than wiping out.)

  4. #4

    I searched all over the internet and I see the following info.
    One person mentioned using these 3; I don't know the correct order or if I need all 3. I will test and post the results:
    - reject_sender_login_mismatch
    - reject_authenticated_sender_login_mismatch
    - reject_unauthenticated_sender_login_mismatch
    Other guys posted that the following worked:
    Code:

    /etc/postfix/main.cf:
    smtpd_recipient_restrictions =
    permit_mynetworks
    reject_authenticated_sender_login_mismatch
    permit_sasl_authenticated
    reject_unauth_destination
    (etc)

    smtpd_sender_login_maps = mysql:/etc/postfix/mysql_sender_login_maps.cf

    /etc/postfix/mysql_sender_login_maps.cf:
    user = <mysqluser>
    password = <mysqlpass>
    hosts = 127.0.0.1
    dbname = postfix
    table = mailbox
    select_field = username
    where_field = username
    So it looks like smtpd_sender_login_maps needs to be fixed too.

    I will make a new server and test these settings; I don't want to stop the live servers or create any issue.

    Thanks
    Raj

  5. #5

    Hello all,

    I have the same issue on my Zimbra server, so I'm testing this:

    Code:
    /opt/zimbra/conf/ldap-slm.cf:

    server_host = ldap://server.domain.com:389
    server_port = 389
    search_base =
    query_filter = (|(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s))
    result_attribute = zimbraAllowFromAddress,zimbraMailAlias,zimbraMailDeliveryAddress
    version = 3
    bind = no
    timeout = 30

    - Make zimbraAllowFromAddress readable by anonymous

    - smtpd_sender_login_maps = /opt/zimbra/conf/ldap-slm.cf

    - smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
    But how could I modify zimbraAllowFromAddress to be readable by anonymous?

    Thanks in advance for your help.

  6. #6

    Nope, not by the settings mentioned in the post, but by POLICYD. I had to edit the code to make it behave like we needed.

    Raj
    i2k2 Networks
    Dedicated & Shared Zimbra Hosting Provider

  7. #7

    Instead of querying LDAP in smtpd_sender_login_maps, you can make a simple one-to-one map:
    Code:
    /opt/zimbra/postfix/conf/sender_map:
    
    /^(.*)$/	$1
    Code:
    /opt/zimbra/postfix/conf/main.cf:
    
    smtpd_sender_login_maps = regexp:/opt/zimbra/postfix/conf/sender_map
    smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
    It enforces a strict relationship between MAIL FROM and sasl_username and does not allow sending on behalf of your aliases, like the LDAP map does.
    That may not be appropriate for everybody, but works fine for me.
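An added example, not from the thread and not Postfix's own code: a small Python model of how reject_sender_login_mismatch and its authenticated/unauthenticated variants decide, following the behaviour the Postfix postconf(5) documentation describes (an authenticated client is rejected when its login does not own the MAIL FROM address, or when the address has no owner at all; an unauthenticated client is rejected when the address has an owner). It is run against the strict one-to-one map from post #7 and against a constructed alias-aware map that stands in for the LDAP query in post #5. The example.com addresses and the ALIAS_MAP contents are invented; the @domain key illustrates the user@domain, user, @domain lookup order Postfix uses for indexed tables, which regexp tables do not get.

```python
# Constructed alias-aware sender-login map, standing in for the LDAP result
# (zimbraMailDeliveryAddress / zimbraMailAlias / zimbraAllowFromAddress).
# Key: MAIL FROM address (or @domain); value: logins that may use it.
ALIAS_MAP = {
    "jobs@example.com": ["jobs@example.com"],
    "careers@example.com": ["jobs@example.com"],       # alias of the jobs mailbox
    "@example.com": ["postmaster@example.com"],        # domain-wide owner
}


def lookup_owners(sender_login_map, sender):
    """Indexed-table lookup in Postfix order: user@domain, then user, then
    @domain. Returns the owning logins, or None when the address is unlisted."""
    sender = sender.lower()
    local, _, domain = sender.partition("@")
    for key in (sender, local, "@" + domain):
        if key in sender_login_map:
            return [owner.lower() for owner in sender_login_map[key]]
    return None


def alias_owner(sender):
    return lookup_owners(ALIAS_MAP, sender)


def strict_owner(sender):
    """The one-to-one regexp map from post #7 (/^(.*)$/ $1): every address
    is owned only by the login spelled exactly like it."""
    return [sender.lower()]


def sender_login_mismatch(restriction, sasl_username, sender, owners_of):
    """Return True when Postfix would REJECT the MAIL FROM under `restriction`.

    sasl_username is None for unauthenticated clients. owners_of(sender)
    returns the list of owning logins or None (no owner). Login comparison is
    case-insensitive, as in Postfix.
    """
    authenticated = sasl_username is not None
    if restriction == "reject_authenticated_sender_login_mismatch" and not authenticated:
        return False  # only enforced for SASL-authenticated clients
    if restriction == "reject_unauthenticated_sender_login_mismatch" and authenticated:
        return False  # only enforced for clients that did not log in
    owners = owners_of(sender)
    if authenticated:
        # Logged in, but the login does not own the address (or nobody does).
        return owners is None or sasl_username.lower() not in owners
    # Not logged in, but the address belongs to somebody.
    return owners is not None


if __name__ == "__main__":
    cases = [
        ("jobs", "alerts@citibank.com"),              # the compromised account in post #1
        ("jobs@example.com", "careers@example.com"),  # sending as one's own alias
        (None, "jobs@example.com"),                   # unauthenticated client
    ]
    for login, sender in cases:
        for name, owners_of in (("strict", strict_owner), ("alias", alias_owner)):
            verdict = sender_login_mismatch(
                "reject_authenticated_sender_login_mismatch", login, sender, owners_of)
            print(f"{name:6} login={login!s:18} from=<{sender}> "
                  f"-> {'REJECT' if verdict else 'pass'}")
```

Both maps reject the compromised jobs login sending as alerts@citibank.com; only the alias-aware map lets jobs@example.com send as its own alias, which is the trade-off post #7 describes. Whatever map you choose, place the restriction before permit_sasl_authenticated (as in post #4), because a permit_* that matches first ends the evaluation and the mismatch check is never reached.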
