Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: same domain SMTP authentication

Hybrid View

  1. #1
    Join Date
    Nov 2009
    Posts
    8
    Rep Power
    5

    Default same domain SMTP authentication

    Hi guys,

    my first post.

    The problem I am experiencing is that I received quite a lot of SPAM from the domain pretending to be my own.

    so if the email is user@example.com, this account receives the email from administrator@example.com


    is there any way to make sure that all the email coming from example.com domains would have to be authenticated.

    In exim, the MTA I've moved to zimbra from, it was rather simple

    # Deny from local domains if sender is not authenticated
    deny sender_domains = example.com
    !authenticated = *
    message = Please authenticate in order to send mail from your domain

    is there similar functionality in zimbra/postfix?

    thanks

  2. #2
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58

    Default

    If your Zimbra server has an internet facing port 25 then you can't enforce Authentication for other mail servers, it doesn't make sense and you never receive any email - think about it, how would other mail server know what the account/password is?

    You need to improve you ant-spam system: Improving Anti-spam system - Zimbra :: Wiki Simply enforcing Discarding Emails Sent to Invalid Addresses will get rid of a lot of spam as will using a good RBL such as zen.spamhaus,org - search the forums for some tips on reducing the spam load.
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  3. #3
    Join Date
    Nov 2009
    Posts
    8
    Rep Power
    5

    Default

    thanks for the promt reply. I guess I might have not expressed myself clear
    enough, since what I want to achieve makes perfect sense.

    let's assume that I control the @example.com domain. So I want to enforce that
    every message that originates from @example.com domain has to be authenticated.

    It doesn't matter whether the RCPT TO: would be someotherdomain.com or
    example.com domain, if it has MAIL FROM: @example.com it has to be
    authenticated, otherwise reject.
    So I want to enforce authentication for all the MTA/MUA's that send mail from
    example.com domain. as at the moment, the acl that says, if the RCPT TO has @example.com accept no matter whether the authentication is turned on or not.

    Since at the moment, some spammers set their FROM address in @example.com to
    send the messages to @example.com. This is annoying. I can enforce SPF policy,
    but that's not the point. I have addedd extra RBLs, pyzor, razor2 etc.
    in the SA.

    I hope its clearer now

  4. #4
    phoenix is offline Zimbra Consultant & Moderator
    Join Date
    Sep 2005
    Location
    Vannes, France
    Posts
    23,587
    Rep Power
    58

    Default

    Quote Originally Posted by g_kos View Post
    thanks for the promt reply. I guess I might have not expressed myself clear
    enough, since what I want to achieve makes perfect sense.

    let's assume that I control the @example.com domain. So I want to enforce that
    every message that originates from @example.com domain has to be authenticated.

    It doesn't matter whether the RCPT TO: would be someotherdomain.com or
    example.com domain, if it has MAIL FROM: @example.com it has to be
    authenticated, otherwise reject.
    So I want to enforce authentication for all the MTA/MUA's that send mail from
    example.com domain. as at the moment, the acl that says, if the RCPT TO has @example.com accept no matter whether the authentication is turned on or not.

    Since at the moment, some spammers set their FROM address in @example.com to
    send the messages to @example.com. This is annoying. I can enforce SPF policy,
    but that's not the point. I have addedd extra RBLs, pyzor, razor2 etc.
    in the SA.

    I hope its clearer now
    It was clear the first time I read it.

    What you're experiencing is know as NDR or Backscatter spam (and several other names), there are several threads in the forums that describe what you can do to alleviate the problem. Have you also implemented the option to Discard Email Sent to Invalid Addresses?
    Regards


    Bill


    Acompli: A new adventure for Co-Founder KevinH.

  5. #5
    Join Date
    Feb 2009
    Posts
    188
    Rep Power
    6

    Thumbs up

    well, I have an very good under standing of this issue.You can achieve this very easily.
    Only MUAs will be sending mails with mail from xyz@example.com, isn't???
    No MTA will be sending mails from *@example.com. All you have to do is to make a rule for example.com in your SA i.e. any mail coming from example.com should be mark as SPAM, and all the SPAMMER's MTA will abusively send email on port 25. Now enable the SMTPS authentication on port 465, and ask the user to have the configuration i.e. authenticate before sending email on port 465.

    NOTE>> (I am not using default SA comes with zimbra, so I am not sure but have a strong feeling that the SA will not mark any email as spam which comes after authentication i.e on port 465).

    Regards
    Adeel

  6. #6
    Join Date
    Feb 2009
    Posts
    188
    Rep Power
    6

    Lightbulb

    you can never get away from this problem, unless to make the *@example.com blacklist when coming from 25 port. No matter what you implement, stuff like RBLs etc but this issue will not be solved unless you do what I am telling you.



    Regards
    Adeel

  7. #7
    Join Date
    Nov 2009
    Posts
    8
    Rep Power
    5

    Default

    thanks guys, have set up reject_unknown_recipient_domain

    let's see if that helps.

    also, guess would have to go through the postfix mauals and do more RTFM

    2adeelarifbhatti,

    as i posted previously in exim it is very easy to solve, by using
    deny sender_domains = example.com
    !authenticated = *

    i was hoping that something similar would be avilable in the postfix

  8. #8
    Join Date
    Feb 2009
    Posts
    188
    Rep Power
    6

    Thumbs up

    thanks guys, have set up reject_unknown_recipient_domain >> will never solve the issue?

    All u have to do is ask SA to blacklist mails from *@example.com and ask users to send email on 465 with authentication. This is the only, best and perfect solution.

    Regards
    Adeel

  9. #9
    Join Date
    Nov 2009
    Posts
    8
    Rep Power
    5

    Default

    the logic of the best and perfect solution would be a single ACL

    1. if the sender_domain = example.com then the message has to come through authenticated session in order to be processed, otherwise reject message.


    I miss the flexibility of exim, and wish zimbra team would have chosen it instead of postfix. ( sorry for moaning

    TBH, opening tcp:465 for SMTP/S, and reconfiguring all the users is just too much effort.


    I wonder if this cone be achieved with "reject_authenticated_sender_login_mismatch" and setting the "smtpd_sender_login_maps" ?

  10. #10
    Join Date
    Oct 2008
    Posts
    35
    Rep Power
    7

    Default

    Is it possible to do?

    Did you achieve what you were looking for?

    I have the same problem

Similar Threads

  1. SMTP authentication failed, curl problem ?
    By iX in forum Installation
    Replies: 4
    Last Post: 10-23-2009, 02:24 AM
  2. Replies: 20
    Last Post: 03-18-2008, 05:37 AM
  3. SMTP authentication problems continue
    By EdMartin in forum Installation
    Replies: 2
    Last Post: 01-11-2008, 02:23 AM
  4. need advice on configuring zimbra to work with fax server
    By pheonix1t in forum Administrators
    Replies: 0
    Last Post: 07-11-2007, 07:46 PM
  5. SMTP SASL authentication failure
    By igeorg in forum Developers
    Replies: 5
    Last Post: 10-10-2005, 01:23 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •