Thread: Zimbra 8 Restrict Postfix Senders?

  1. #1

    Zimbra 8 Restrict Postfix Senders?

    What is the best way to restrict postfix senders in Zimbra 8 so that users cannot send using a FROM address other than their own?

    I've tried modifying the instruction here:
    RestrictPostfixSenders - Zimbra :: Wiki

    By using zmlocalconfig -e postfix_<variable_name>=<value>

    To set the values (since main.cf doesn't exist in Zimbra 8). When I look at the Postfix configuration, it appears correct, but testing has proven that it is not blocking faked FROM addresses.

    Any help is appreciated.

  2. #2

    Did you find any solution for this?

  3. #3

    There is a minor change in file locations. Check and you should be through. You can find the same in other post.

  4. #4

    What am I doing wrong here

    I have added this to zmconfigd.cf:

    Code:
    POSTCONF smtpd_sender_restrictions FILE zmconfigd/smtpd_sender_restrictions.cf
    POSTCONF smtpd_sender_login_maps FILE zmconfigd/postfix_sender_login_maps.cf

    I already had the rest of the file from the previous installation (before the upgrade).

    Code:
    zimbra@mail:~/conf$ cat zmconfigd/postfix_sender_login_maps.cf
    hash:/opt/zimbra/conf/exceptions-db
    ldap:/opt/zimbra/conf/ldap-restricrelay.cf

    Code:
    zimbra@mail:~/conf$ cat /opt/zimbra/conf/ldap-restricrelay.cf
    server_host = ldap://mail.mycompany.com:389 >----- Domain hidden; I have placed the actual domain here
    server_port = 389
    search_base =
    query_filter = (&(|(uid=%s)(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)(zimbraMailCatchAllAddress=%s))(zimbraMailStatus=enabled))
    result_attribute = uid,zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailCatchAllForwardingAddress
    version = 3
    start_tls = yes
    tls_ca_cert_dir = /opt/zimbra/conf/ca
    bind = yes
    bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra
    bind_pw = <password> >--- Password hidden; I have placed the right one
    timeout = 30

    I used Swaks to send mail, and the authenticated user was able to send email out with a spoofed domain part.

    Now I am lost as to why it isn't working. If you could explain what I did wrong, it would be really helpful. This small config has kept my server clean for 8 months. I upgraded yesterday and a spam attack has already happened...


    Main.cf entry

    Code:
    smtpd_sender_login_maps = hash:/opt/zimbra/conf/exceptions-db, ldap:/opt/zimbra/conf/ldap-restricrelay.cf

  5. #5

    Having the same exact issue, everything configured properly as far as I can tell, but will not restrict sending from unauthorized email/domain addresses.

    Has anyone been successful in restricting, can you offer any additional advice?

    Thank You.

  6. #6

    No one knows how to enable this?

  7. #7

    A Solution

    Got it. For those trying to restrict, please view this thread: http://www.zimbra.com/forums/adminis...problem-8.html

    Here is a breakdown of what needs to be done to use this with Ubuntu 12.04 and Zimbra 8.

    Here we go.

    First off:
    su - zimbra

    Next, vi the /opt/zimbra/conf/zmconfigd.cf file (you will need to change permissions in order to edit ... chmod 644 - don't forget to change back to 444 after)

    Add below -- POSTCONF smtpd_recipient_restrictions FILE zmconfigd/postfix_recipient_restrictions.cf

    Code:
    POSTCONF proxy_read_maps FILE zmconfigd/proxy_read_maps.cf

    Add below -- POSTCONF smtpd_sender_restrictions FILE zmconfigd/smtpd_sender_restrictions.cf

    Code:
    POSTCONF smtpd_sender_login_maps proxy:ldap:/opt/zimbra/conf/ldap-slm.cf

    Save and exit.

    Next, enter the directory /opt/zimbra/conf/zmconfigd/

    vi smtpd_sender_restrictions.cf (again, you will need to change permissions to 644, then change back after editing)

    Input --

    Code:
    permit_mynetworks, reject_sender_login_mismatch

    Above lines --

    %%contains VAR:zimbraServiceEnabled antivirus, check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_originating.re%%
    %%contains VAR:zimbraServiceEnabled antivirus, permit_mynetworks%%
    %%contains VAR:zimbraServiceEnabled antivirus, permit_sasl_authenticated%%
    %%contains VAR:zimbraServiceEnabled antivirus, permit_tls_clientcerts%%
    %%contains VAR:zimbraServiceEnabled antivirus, check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re%%

    Save and exit.

    Next we need to create a file in this same directory:

    In this file you will need to include your read maps. Issue the following command :
    Code:
    postconf | grep proxy_read_maps

    For me on Zimbra 8, I got the following read maps:
    $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps $alias_maps, proxy:ldap:/opt/zimbra/conf/ldap-slm.cf

    Then with your read maps --
    Code:
    vi proxy_read_maps.cf

    and input your maps and include , proxy:ldap:/opt/zimbra/conf/ldap-slm.cf at the end (like my maps readout above) -- then save and exit.

    Next, go back to the /opt/zimbra/conf directory to create ldap-slm.cf.

    Issue the following commands and make a note of the results (host and password) --

    Code:
    grep server_host /opt/zimbra/conf/ldap-vam.cf
    grep bind_pw /opt/zimbra/conf/ldap-vam.cf

    vi ldap-slm.cf, and input the following for LDAP(S)

    Code:
    server_host = ldaps://HOST:636
    server_port = 636
    search_base =
    query_filter = (&(|(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)(zimbraMailCatchAllAddress=%s)(mail=%s))(zimbraMailStatus=enabled))
    result_attribute = zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailCatchAllForwardingAddress,uid
    version = 3
    start_tls = no
    tls_ca_cert_dir = /opt/zimbra/conf/ca
    bind = yes
    bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra
    bind_pw =  PASSWORD
    timeout = 30

    or for LDAP

    Code:
    server_host = ldap://HOST:389
    server_port = 389
    search_base =
    query_filter = (&(|(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)(zimbraMailCatchAllAddress=%s)(mail=%s))(zimbraMailStatus=enabled))
    result_attribute = zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailCatchAllForwardingAddress,uid
    version = 3
    start_tls = yes
    tls_ca_cert_dir = /opt/zimbra/conf/ca
    bind = yes
    bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra
    bind_pw =  PASSWORD
    timeout = 30

    Save and exit, then --

    Code:
    chown zimbra:postfix ldap-slm.cf

    Then a simple postfix reload and voilà, you're ready to go.


    A couple of notes:
    I had an issue when trying to bind the ldap-slm.cf with LDAPS; the solution was to change start_tls = yes to start_tls = no, which fixed my issue.
    Another note: if you are sending from within your trusted networks you will need to make changes; this is for external network users/clients who try to send from faked alias/personas/FROM addresses through Zimbra.

    Hope this helps those who experienced this same issue.

    Let's hope this will be integrated into the web GUI at some point, or have the "send from any email" checkbox control both the web clients and external clients the same.

    Happy Halloween and Happy Zimbraing!
    Last edited by c1nco; 11-01-2012 at 10:00 AM. Reason: added a bit

  8. #8

    Thank you, I will check on demo.

  9. #9

    Hi C1nco, I followed your steps, but when I run "postconf | grep proxy_read_maps" I just get this:
    "proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps $alias_maps"

    Any tip?

    Zimbra - Release 8.0.2.GA.5569.UBUNTU12.64 UBUNTU12_64 FOSS edition.

    Thanks.

  10. #10

    Made it work on 8.0.3.GA.5664.UBUNTU12.64 UBUNTU12_64 FOSS edition.

    ZCS 8.0 - POSTCONF smtpd_recipient_restrictions FILE zmconfigd/postfix_recipient_restrictions.cf
    ZCS 8.0.3 - POSTCONF smtpd_recipient_restrictions FILE zmconfigd/smtpd_recipient_restrictions.cf


    e.g.

    POSTCONF smtpd_recipient_restrictions FILE zmconfigd/smtpd_recipient_restrictions.cf
    POSTCONF proxy_read_maps FILE zmconfigd/proxy_read_maps.cf
    POSTCONF smtpd_relay_restrictions FILE zmconfigd/smtpd_relay_restrictions.cf
    POSTCONF smtpd_sender_restrictions FILE zmconfigd/smtpd_sender_restrictions.cf


    zmprov modifyServer zimbra.example.com zimbraMtaMyNetworks '127.0.0.0/8 10.10.200.25/32'

    postfix reload



    thanks
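
Added example (not code from the thread or from Zimbra): a POSIX shell audit of the three settings the procedure in post #7 changes, run over `postconf` output. Postfix stops evaluating a restriction list at the first permit or reject, so the audit fails when `permit_sasl_authenticated` is reached before `reject_sender_login_mismatch`, when `smtpd_sender_login_maps` is empty, or when a `proxy:` login map is not covered by `proxy_read_maps` (the setting post #9 asks about). The function names and the `SAMPLE` text are constructed for illustration.

```sh
# Added example. Feed audit() the output of:
#   postconf smtpd_sender_restrictions smtpd_sender_login_maps proxy_read_maps

# Constructed sample: the state post #7's steps aim for (lists shortened).
SAMPLE='smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated
smtpd_sender_login_maps = proxy:ldap:/opt/zimbra/conf/ldap-slm.cf
proxy_read_maps = $mynetworks $smtpd_sender_login_maps $alias_maps'

# Print the value of one "name = value" line of postconf output.
param() { printf '%s\n' "$1" | sed -n "s/^$2 *= *//p" | head -n 1; }

# Print the permit_* actions evaluated before reject_sender_login_mismatch
# (clients matching them skip the ownership check), or "missing".
bypasses_before_reject() (
  set -f; out=""
  for item in $(printf '%s' "$1" | tr ',' ' '); do
    case $item in
      reject_sender_login_mismatch) printf '%s\n' "${out# }"; return 0 ;;
      permit_*) out="$out $item" ;;
    esac
  done
  echo missing
)

# Succeed if each proxy: table in $1 (login maps) is covered by $2
# (proxy_read_maps), literally or via the $smtpd_sender_login_maps reference.
proxy_maps_allowed() (
  set -f; allowed=" $(printf '%s' "$2" | tr ',' ' ') "
  case $allowed in *' $smtpd_sender_login_maps '*) return 0 ;; esac
  for m in $(printf '%s' "$1" | tr ',' ' '); do
    case $m in proxy:*) ;; *) continue ;; esac
    case $allowed in *" $m "*) ;; *) return 1 ;; esac
  done
  return 0
)

# Print findings; return non-zero if spoofed senders would get through.
audit() (
  maps=$(param "$1" smtpd_sender_login_maps); rc=0
  byp=$(bypasses_before_reject "$(param "$1" smtpd_sender_restrictions)")
  [ -n "$maps" ] || { echo "FAIL: smtpd_sender_login_maps is empty"; rc=1; }
  case " $byp " in
    *" missing "*) echo "FAIL: reject_sender_login_mismatch is not set"; rc=1 ;;
    *" permit_sasl_authenticated "*)
      echo "FAIL: permit_sasl_authenticated runs before the reject"; rc=1 ;;
    *" permit_"*) echo "NOTE: not checked for clients matching: $byp" ;;
  esac
  proxy_maps_allowed "$maps" "$(param "$1" proxy_read_maps)" ||
    { echo "FAIL: login map missing from proxy_read_maps"; rc=1; }
  return "$rc"
)
```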
