ZIMBRA SMTP AUTH problem

siomon.liu
Advanced member
Posts: 68
Joined: Sat Sep 13, 2014 12:22 am
ZCS/ZD Version: Release 8.7.3_GA_1750.RHEL7_64_2017

Postby siomon.liu » Mon Aug 17, 2009 8:30 pm

[solved]
1. modify zimbraMtaMyNetworks (local interface and loopback interface)
2. add reject_authenticated_sender_login_mismatch to smtpd_recipient_restrictions (after permit mynetworks, reject last)
3. add smtpd_sender_login_maps = ldap:/opt/zimbra/conf/hms-user-map.cf
(hms-user-map.cf is customized from ldap-vmd.cf.)

Now mail can only be sent with auth.


thks all!:D:D:D


oranggil
Posts: 4
Joined: Sat Sep 13, 2014 12:42 am

Postby oranggil » Sun Dec 06, 2009 1:38 am

Hi siomon,
I'm having the same problem too, and followed your directions, but it still didn't auth.

Could you please explain your steps in more detail?

And what does hm-user-map.cf look like?
Thx very much!
siomon.liu
Advanced member
Posts: 68
Joined: Sat Sep 13, 2014 12:22 am
ZCS/ZD Version: Release 8.7.3_GA_1750.RHEL7_64_2017

Postby siomon.liu » Sun Dec 06, 2009 7:23 pm

hi oranggil
You may add this file for auth in
/opt/zimbra/postfix/conf/
Create local_domain for the auth domain (your domain).

#Content
test.com local_domain

As the zimbra user, run (creates the db file):
postmap local_domain

Modify main.cf, at the end:
smtpd_restriction_classes = local_domain
local_domain = permit_mynetworks, reject_authenticated_sender_login_mismatch, permit_sasl_authenticated, reject

Modify postfix_recipient_restrictions.cf

###first line
check_sender_access hash:/opt/zimbra/postfix/conf/local_domain

zmmtactl restart


pls try ag
j.eason
Posts: 8
Joined: Sat Sep 13, 2014 12:31 am

Postby j.eason » Mon Dec 07, 2009 4:43 pm

We have an external spam appliance as the listed mx, and external mail should go to that, not directly to the mail server. Therefore we'd like anything not in mynetworks to have to authenticate.
On my test server, I got SMTP AUTH working when I test it by telnetting to port 25, but now plaintext imap logins are broken. I get an error from the mail client about how I may need to connect via SSL or TLS.
These are the postfix settings I changed:

smtp_sasl_security_options=

smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

smtpd_sasl_auth_enable=yes

smtpd_tls_auth_only=no
I also changed this zimbra setting: zimbraMtaTlsAuthOnly FALSE
This zimbra setting looks ok: zimbraImapCleartextLoginEnabled TRUE
Any suggestions?
feris
Posts: 3
Joined: Sat Sep 13, 2014 12:54 am

Postby feris » Tue Dec 08, 2009 6:08 am

Hello
Basically we can protect addresses in our domain with the use of "smtpd_recipient_restrictions = reject_sender_login_mismatch".

This will force the need for auth for emails sent from our domain to other addresses in our domain and on to external domains. It also prevents auth users from spoofing mail, because with "smtpd_sender_login_maps" we can define proper address owners, so joedoe can only send from mail address joedoe@example.com, not from janedoe@example.com.
Now the question is how to integrate this with Zimbra. The best way is to use an LDAP query, but I don't have any idea how to write a proper one. Any ideas?
oranggil
Posts: 4
Joined: Sat Sep 13, 2014 12:42 am

Postby oranggil » Fri Dec 11, 2009 9:33 am

Hi all,
I actually followed siomon's previous steps, basically by adding these lines in

/opt/zimbra/postfix-2.6.5.2z/conf/main.cf

proxy_read_maps = [all_maps], proxy:ldap:/opt/zimbra/conf/ldap-slm.cf
smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch
smtpd_sender_login_maps = proxy:ldap:/opt/zimbra/conf/ldap-slm.cf

and creating /opt/zimbra/conf/ldap-slm.cf, which contains

server_host = ldap://[your_ldap_host]:389
server_port = 389
search_base =
query_filter = (mail=%s)
result_attribute = uid
version = 3
start_tls = yes
tls_ca_cert_dir = /opt/zimbra/conf/ca
bind = yes
bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra
bind_pw = zimbra
timeout = 30

and it worked! SMTP will auth first, which met our requirement.

Actual use may vary depending on your version.
Thx all!
sh444man
Posts: 3
Joined: Sat Sep 13, 2014 1:11 am

Postby sh444man » Tue May 04, 2010 3:36 pm

First you need to check what you have in proxy_read_maps ( for example postconf | grep proxy_read_maps ) then mod it like this:
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps proxy:ldap:/opt/zimbra/conf/ldap-slm.cf
I also changed ldap-slm.cf to:

server_host = ldap://[your_ldap_host]:389
server_port = 389
search_base =
query_filter = (&(|(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)(zimbraMailCatchAllAddress=%s)(mail=%s))(zimbraMailStatus=enabled))
result_attribute = zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailCatchAllForwardingAddress,uid
version = 3
start_tls = yes
tls_ca_cert_dir = /opt/zimbra/conf/ca
bind = yes
bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra
bind_pw = zimbra
timeout = 30

It's because it didn't work with multiple domains served by Zimbra (in the previous version only the main domain worked for me). I think (and hope) it should be OK now.
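
Added example, not part of any post in this thread and not Postfix or Zimbra code: a small Python model of the sender/login ownership checks feris describes, fed by a map like the ldap-slm.cf files above, showing how the reject_*_sender_login_mismatch variants differ and why the login names a map returns matter. It models only the full-address lookup; the accounts and both maps are constructed.

```python
import re

def owners_of(sender, login_maps):
    """Login names listed for `sender` (full-address lookup only, a simplification)."""
    value = login_maps.get(sender.lower())
    return [o.lower() for o in re.split(r"[,\s]+", value) if o] if value else []

def check(restriction, sender, sasl_login, login_maps):
    """Return 'REJECT: <reason>' or 'DUNNO' (continue with the next restriction)."""
    owners = owners_of(sender, login_maps)
    on_auth = restriction in ("reject_sender_login_mismatch",
                              "reject_authenticated_sender_login_mismatch")
    on_unauth = restriction in ("reject_sender_login_mismatch",
                                "reject_unauthenticated_sender_login_mismatch")
    if sasl_login is not None and on_auth and sasl_login.lower() not in owners:
        # Logged in, but the login is not listed as an owner of MAIL FROM.
        return f"REJECT: not owned by user {sasl_login}"
    if sasl_login is None and on_unauth and owners:
        # Not logged in, but MAIL FROM is an address that has an owner.
        return "REJECT: not logged in"
    return "DUNNO"

# Constructed maps for hypothetical accounts: one returns only the uid, the
# other also returns the delivery address (as a multi-attribute result would).
UID_ONLY = {"joedoe@example.com": "joedoe", "ann@second.example": "ann"}
ADDR_AND_UID = {"joedoe@example.com": "joedoe@example.com,joedoe",
                "janedoe@example.com": "janedoe@example.com,janedoe",
                "ann@second.example": "ann@second.example,ann"}

def demo():
    r = "reject_sender_login_mismatch"
    auth_only = "reject_authenticated_sender_login_mismatch"
    ann = "ann@second.example"
    return {
        "own_address": check(r, "joedoe@example.com", "joedoe", ADDR_AND_UID),
        "spoof_colleague": check(r, "janedoe@example.com", "joedoe", ADDR_AND_UID),
        "unauth_local_sender": check(r, "joedoe@example.com", None, ADDR_AND_UID),
        "unauth_external_sender": check(r, "x@elsewhere.example", None, ADDR_AND_UID),
        "auth_only_variant_unauth": check(auth_only, "joedoe@example.com", None, ADDR_AND_UID),
        "full_login_uid_only_map": check(r, ann, ann, UID_ONLY),
        "full_login_addr_uid_map": check(r, ann, ann, ADDR_AND_UID),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26} {verdict}")
```

With reject_authenticated_sender_login_mismatch an unauthenticated client gets DUNNO from this check, so what happens to it depends on the restrictions that follow in the list.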
thiagocpv
Posts: 4
Joined: Sat Sep 13, 2014 2:26 am

Postby thiagocpv » Thu Feb 02, 2012 7:30 pm

[quote user="siomon.liu"]hi oranggil
you may add this file for auth
/opt/zimbra/postfix/conf/
create local_domain for auth domain(your domain)

#Content

test.com local_domain
as zimbra run(create db file)

postmap local_domain


modify main.cf at last
smtpd_restriction_classes = local_domain

local_domain=permit_mynetworks,reject_authenticated_sender_login_mismatch, permit_sasl_authenticated,reject

modify postfix_recipient_restrictions.cf

###first line

check_sender_access hash:/opt/zimbra/postfix/conf/local_domain


zmmtactl restart


pls try ag[/QUOTE]

Hi Guys - Hi Siomon.liu
I followed the procedure and it's working fine.

At this moment I do not receive, for example, e-mail such as me@domain.com to myself@domain.com from another host without smtp auth. However I receive the error below when me@domain.com tries to send email to myself@domain.com without smtp auth:
Transcript of session follows.
Out: 220 Mavex Email Secure Server
In: EHLO mx.systemcred.com.br
Out: 250-smtp.mavex.com.br
Out: 250-PIPELINING
Out: 250-SIZE 10240000
Out: 250-VRFY
Out: 250-ETRN
Out: 250-STARTTLS
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In: STARTTLS
Out: 220 2.0.0 Ready to start TLS
In: EHLO mx.systemcred.com.br
Out: 250-smtp.mavex.com.br
Out: 250-PIPELINING
Out: 250-SIZE 10240000
Out: 250-VRFY
Out: 250-ETRN
Out: 250-AUTH LOGIN PLAIN
Out: 250-AUTH=LOGIN PLAIN
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In: MAIL FROM:
Out: 250 2.1.0 Ok
In: RCPT TO:
Out: 451 4.3.5 Server configuration error
In: QUIT
Out: 221 2.0.0 Bye
For other details, see the local mail logfile
Can someone help me?
Thanks!
c1nco
Posts: 4
Joined: Sat Sep 13, 2014 2:26 am

Postby c1nco » Sat Feb 04, 2012 9:10 pm

The below --
[quote user="oranggil"]

I actually followed siomon's previous steps, basically by adding these line in

/opt/zimbra/postfix-2.6.5.2z/conf/main.cf

proxy_read_maps = [all_maps], proxy:ldap:/opt/zimbra/conf/ldap-slm.cf

smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch

smtpd_sender_login_maps = proxy:ldap:/opt/zimbra/conf/ldap-slm.cf

[/QUOTE]
In combination with the below --
[quote user="sh444man"]First you need to check what you have in proxy_read_maps ( for example postconf | grep proxy_read_maps ) then mod it like this:
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps proxy:ldap:/opt/zimbra/conf/ldap-slm.cf
I also change ldap-slm.cf to :
server_host = ldap://[your_ldap_host]:389

server_port = 389

search_base =

query_filter = (&(|(zimbraMailDeliveryAddress=%s)(zimbraMailAlias=%s)(zimbraMailCatchAllAddress=%s)(mail=%s))(zimbraMailStatus=enabled))

result_attribute = zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailCatchAllForwardingAddress,uid

version = 3

start_tls = yes

tls_ca_cert_dir = /opt/zimbra/conf/ca

bind = yes

bind_dn = uid=zmpostfix,cn=appaccts,cn=zimbra

bind_pw = zimbra

timeout = 30

[/QUOTE]
I can confirm WORKS!
I have been trying different solutions for a couple days to try and limit users from sending from any domain/persona/identity using external client (in my case thunderbird 10) -- this solution is working great!
Only minor change I made was to comment out the following line in /opt/zimbra/conf/zmmta.cf --
#POSTCONF smtpd_sender_restrictions LOCAL postfix_smtpd_sender_restrictions
(it was overwriting smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch in main.cf)


Thank you!
First post woo!
thiagocpv
Posts: 4
Joined: Sat Sep 13, 2014 2:26 am

Postby thiagocpv » Mon Feb 06, 2012 11:07 am

[quote user="c1nco"]The below --

In combination with the below --

I can confirm WORKS!
I have been trying different solutions for a couple days to try and limit users from sending from any domain/persona/identity using external client (in my case thunderbird 10) -- this solution is working great!
Only minor change I made was to comment out the following line in /opt/zimbra/conf/zmmta.cf --
#POSTCONF smtpd_sender_restrictions LOCAL postfix_smtpd_sender_restrictions
(it was overwriting smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch in main.cf)


Thank you!
First post woo![/QUOTE]

Hi c1nco,
I will try again with your tips and I will report here.
Thanks Man!
