
[SOLVED] Fake "From" Header by Authenticated User

Posted: Wed Sep 06, 2017 12:56 pm
by iomarmochtar
Hello all,


In the Zimbra SMTP service (Postfix), an authenticated user can easily send email using customized headers, one of them being From, which can be replaced with anything.

I've tried following this wiki https://wiki.zimbra.com/wiki/Enforcing_ ... ername_8.5 but it did not solve the issue.

You can test/reproduce this issue by using "Customize From Address" in Thunderbird or by using this Python script (adjust the variables to your environment).

Code:

import smtplib

# Credentials of an ordinary, authenticated account
username = 'user_test@mail.lab'
password = 'test123'

# The From: header that will be shown to the recipient
fake_from  = 'admin@mail.lab'
# The envelope sender (MAIL FROM) stays the real, authenticated user
orig_from = username
to_addr = 'omar@mail.lab'

server = '192.168.113.75'

subject = "Testing fake from"
mail_content = "This email originally from %s"%orig_from

# Full RFC 822 message: headers, blank line, body
mail_header = """Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: %s
From: %s
To: %s

%s
"""%(subject, fake_from, to_addr, mail_content)

# Submit on port 587 with STARTTLS and SASL authentication
server = smtplib.SMTP('%s:587'%server)
server.starttls()
server.login(username,password)
# Envelope sender is orig_from; only the header inside the message is spoofed
server.sendmail(orig_from, to_addr, mail_header)
server.quit()


Copy and paste the above script to a file, then run it:
python reproduce.py

After searching in Zimbra Bugzilla, there has been no update for several months: https://bugzilla.zimbra.com/show_bug.cgi?id=108036

If you have any solution to this bug (?), it would be really appreciated.
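The script above passes Postfix's envelope-sender check because MAIL FROM is the real login; only the From: header inside the message body is forged. The following is an added example, not the poster's script or the workaround from the linked blog, of the header-level check a submission-time filter (a milter or policy hook, not shown here) would have to apply: parse the From: header properly, and compare every address in it against the authenticated SASL username plus an optional allow-list of aliases. The message bytes, the username and the alias map are constructed for the demonstration.

```python
import email
from email.utils import getaddresses
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the same shape as the spoofed message submitted by an
# authenticated client. The login (user_test@mail.lab) is what Postfix saw in
# SASL; the From: header claims to be admin@mail.lab.
SASL_USERNAME = "user_test@mail.lab"
SPOOFED_MESSAGE = b"""Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Subject: Testing fake from
From: admin@mail.lab
To: omar@mail.lab

This email originally from user_test@mail.lab
"""


def header_from_addresses(raw_message: bytes) -> List[str]:
    """Return every mailbox address found in the From: header(s), lower-cased.

    getaddresses() handles display names ('Admin <admin@mail.lab>'),
    comma-separated lists and folded headers, so the check cannot be
    bypassed by cosmetic variations that a naive substring match would miss.
    """
    msg = email.message_from_bytes(raw_message)
    froms = msg.get_all("From", [])
    return [addr.lower() for _, addr in getaddresses(froms) if addr]


def check_from_matches_login(
    raw_message: bytes,
    sasl_username: str,
    allowed: Optional[Dict[str, Set[str]]] = None,
) -> Tuple[bool, str]:
    """Decide whether the From: header is permitted for the authenticated user.

    `allowed` (hypothetical alias map) maps a login to extra addresses it may
    use, e.g. aliases or shared mailboxes. Without it, the login itself is the
    only permitted From: address. Returns (accept, reason).
    """
    login = sasl_username.lower()
    permitted = {login} | {a.lower() for a in (allowed or {}).get(login, set())}
    addresses = header_from_addresses(raw_message)
    if not addresses:
        # Missing From: is rejected too; otherwise it could be added later.
        return False, "missing or unparsable From: header"
    bad = [a for a in addresses if a not in permitted]
    if bad:
        return False, "From: %s not permitted for %s" % (", ".join(bad), login)
    return True, "From: matches authenticated user"


if __name__ == "__main__":
    accept, reason = check_from_matches_login(SPOOFED_MESSAGE, SASL_USERNAME)
    print("ACCEPT" if accept else "REJECT", "-", reason)
```

Run stand-alone, the script reports REJECT for the constructed message. Comparing the header against the SASL login rather than against MAIL FROM is the point: the envelope already matched, so a check on it alone (as the wiki's sender-login mismatch setting does) will never catch this case.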

Re: Fake "From" Header by Authenticated User

Posted: Thu Sep 07, 2017 10:15 am
by iomarmochtar
Can somebody help me with this issue?

Re: [SOLVED] Fake "From" Header by Authenticated User

Posted: Wed Sep 13, 2017 7:07 am
by iomarmochtar
See my blog for the workaround for this issue:

https://iomarmochtar.wordpress.com/2017 ... om-header/

Re: [SOLVED] Fake "From" Header by Authenticated User

Posted: Thu Sep 14, 2017 7:54 am
by rioprayoga
Cool. I have the same issue with my customers. Thanks for your workaround.