Force smtp auth for domain alias

Posted: Mon Oct 14, 2019 9:19 am
by yeeP6rai
I followed this manual https://wiki.zimbra.com/wiki/Enforcing_ ... ername_8.5

Zimbra 8.8.15_GA_3869 (build 20190917004220)

My config

Code:

[zimbra@mail ~]$ zmprov gcf zimbraMtaSmtpdRejectUnlistedRecipient                                   
zimbraMtaSmtpdRejectUnlistedRecipient: yes

[zimbra@mail ~]$ zmprov gcf zimbraMtaSmtpdRejectUnlistedSender   
zimbraMtaSmtpdRejectUnlistedSender: yes

[zimbra@mail ~]$ zmprov gcf zimbraMtaSmtpdSenderLoginMaps     
zimbraMtaSmtpdSenderLoginMaps: proxy:ldap:/opt/zimbra/conf/ldap-slm.cf

[zimbra@mail ~]$ zmprov gcf zimbraMtaSmtpdSenderRestrictions
zimbraMtaSmtpdSenderRestrictions: reject_authenticated_sender_login_mismatch


Code:

[zimbra@mail ~]$ cat /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf
%%exact VAR:zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch%%
%%contains VAR:zimbraMtaSmtpdSenderRestrictions check_sender_access lmdb:/opt/zimbra/conf/postfix_reject_sender%%
%%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:%%zimbraCBPolicydBindPort%%%%
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re%%
permit_mynetworks,reject_sender_login_mismatch
permit_sasl_authenticated
permit_tls_clientcerts
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re%%


Code:

[zimbra@mail ~]$ zmprov gs `zmhostname` zimbraMtaMyNetworks
# name mail.example.com
zimbraMtaMyNetworks: !10.1.62.4 127.0.0.0/8 10.1.62.0/24 10.1.63.0/24 172.16.0.0/12 192.168.0.0/16


When I tried to send a fake email from my master domain example.com (not a domain alias), this email was blocked with "Sender address rejected: not logged in".
But I can connect from the internet to the Zimbra mail server on port 25 and send a fake email from my alias domain user@example-alias.com (an alias of example.com) without SMTP auth, for example:
1. from admin@example.com to user@example.com - Rejected with "Sender address rejected: not logged in"
2. from admin@example-alias.com to user@example-alias.com - OK
3. from admin@example-alias.com to user@example.com - OK

As a result my users receive messages like this viewtopic.php?p=293648#p293648

How to force smtp auth for domain aliases too?
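As an added example (not from the post and not Zimbra's or Postfix's own code), here is a small Python model of how Postfix walks the sender restrictions shown above, run over the three cases from the post. The sender-login table is constructed: the example assumes the LDAP-backed map (proxy:ldap:/opt/zimbra/conf/ldap-slm.cf) returns an owner for primary-domain addresses but none for alias-domain addresses. Under that assumption the observed results follow directly from the documented Postfix semantics, because the unauthenticated half of `reject_sender_login_mismatch` only rejects a MAIL FROM for which the map names an owner. Whether that is really where the gap lies on a given server is an assumption to verify, for instance with `postmap -q <address> ldap:/opt/zimbra/conf/ldap-slm.cf` for a primary and an alias address. The `with_alias_entries` helper goes beyond the post: it shows what a corrected map must contain, not how to make Zimbra's LDAP query produce it.

```python
from typing import Dict, List, Optional

# Constructed smtpd_sender_login_maps table: MAIL FROM address -> login names
# that own it. Assumption for this example: the LDAP map returns owners for
# primary-domain addresses only, so alias-domain addresses have no entry.
SENDER_LOGIN_MAP: Dict[str, List[str]] = {
    "admin@example.com": ["admin@example.com"],
    "user@example.com": ["user@example.com"],
}


def owners(sender: str, table: Dict[str, List[str]]) -> Optional[List[str]]:
    """Map lookup; None means Postfix knows no owner for this address."""
    return table.get(sender.lower())


def reject_authenticated_sender_login_mismatch(sender, login, table) -> bool:
    """A logged-in client must be listed as an owner of MAIL FROM."""
    if login is None:
        return False
    found = [o.lower() for o in (owners(sender, table) or [])]
    return login.lower() not in found


def reject_unauthenticated_sender_login_mismatch(sender, login, table) -> bool:
    """Client not logged in, but the map names an owner -> reject.
    An address with no owner entry passes this check untouched."""
    return login is None and owners(sender, table) is not None


def decide(sender: str, login: Optional[str], table=SENDER_LOGIN_MAP,
           client_in_mynetworks: bool = False) -> str:
    """Evaluate the restrictions in the order of the post's
    smtpd_sender_restrictions.cf: reject_authenticated_sender_login_mismatch,
    permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated,
    then the implicit permit at the end of the list. Returns 'REJECT' or 'OK'."""
    if reject_authenticated_sender_login_mismatch(sender, login, table):
        return "REJECT"
    if client_in_mynetworks:
        return "OK"
    # reject_sender_login_mismatch is both halves; the authenticated half was
    # already evaluated above, so only the unauthenticated half can still fire.
    if reject_unauthenticated_sender_login_mismatch(sender, login, table):
        return "REJECT"
    return "OK"


def unprotected_senders(expected: List[str], table=SENDER_LOGIN_MAP) -> List[str]:
    """Addresses an unauthenticated client could still use as MAIL FROM because
    the map records no owner for them. On a real server the per-address
    equivalent is `postmap -q <address> ldap:/opt/zimbra/conf/ldap-slm.cf`."""
    return [s for s in expected if decide(s, None, table) == "OK"]


def with_alias_entries(table: Dict[str, List[str]],
                       aliases: Dict[str, str]) -> Dict[str, List[str]]:
    """Copy of the map in which every alias-domain address carries the same
    owners as its primary-domain counterpart (aliases: alias -> primary).
    This is the content a corrected map needs; producing it from LDAP is
    outside this example."""
    fixed = dict(table)
    for addr, who in table.items():
        local, _, domain = addr.partition("@")
        for alias, primary in aliases.items():
            if domain == primary:
                fixed[f"{local}@{alias}"] = list(who)
    return fixed


if __name__ == "__main__":
    cases = [("admin@example.com", None),            # case 1 in the post
             ("admin@example-alias.com", None),      # cases 2 and 3
             ("admin@example-alias.com", "admin@example.com")]
    for sender, login in cases:
        print(f"{sender:26} login={login!s:18} -> {decide(sender, login)}")
    watch = ["admin@example.com", "admin@example-alias.com"]
    fixed = with_alias_entries(SENDER_LOGIN_MAP, {"example-alias.com": "example.com"})
    print("unprotected before:", unprotected_senders(watch))
    print("unprotected after: ", unprotected_senders(watch, fixed))
```

Note the third case: with no owner entry for the alias address, even a correctly authenticated admin@example.com is rejected when sending as admin@example-alias.com, so a map that covers alias domains is needed both to stop unauthenticated use of those addresses and to let their real owners use them.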

Re: Force smtp auth for domain alias

Posted: Thu Nov 21, 2019 7:23 am
by yeeP6rai
Anyone who has domain aliases, can you check this behavior with your data?
This is the script to send a test message:

Code:

#!/bin/bash -x
# Check whether the MTA accepts an unauthenticated MAIL FROM for an alias-domain
# address. The subshell feeds one SMTP command per second into an interactive
# telnet session so each server reply arrives before the next command is sent.
(echo open zimbra.myrealdomain.com 25
sleep 1
echo "ehlo mail.somedomain.com"
sleep 1
echo "mail from:admin@myaliasdomain.com"
sleep 1
echo "rcpt to:user@myaliasdomain.com"
sleep 1
echo "data"
sleep 1
echo "From: Admin <admin@myaliasdomain.com>"
echo "To: user@myaliasdomain.com"
echo ""        # blank line separates the headers from the body
echo "Fake text"
sleep 1
echo "."       # end of DATA; a 250 reply here means the message was queued
sleep 1
echo "quit"    # close the session cleanly instead of letting telnet hang
sleep 1
) | telnet


This is my successful result, with a fake FROM admin@myaliasdomain.com to my user.

Code:

+ echo open zimbra.myrealdomain.com 25
+ telnet
+ sleep 1
telnet> Trying 10.1.1.1...
Connected to zimbra.myrealdomain.com.
Escape character is '^]'.
220-zimbra.myrealdomain.com ESMTP Postfix
+ echo 'ehlo mail.somedomain.com'
+ sleep 1
220 zimbra.myrealdomain.com ESMTP Postfix
250-zimbra.myrealdomain.com
250-PIPELINING
250-SIZE 52428800
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
+ echo 'mail from:admin@myaliasdomain.com'
+ sleep 1
250 2.1.0 Ok
+ echo 'rcpt to:admin@myaliasdomain.com'
+ sleep 1
250 2.1.5 Ok
+ echo data
+ sleep 1
354 End data with <CR><LF>.<CR><LF>
+ echo 'From: Admin <admin@myaliasdomain.com>'
+ sleep 1
+ echo 'To: user@myaliasdomain.com'
+ sleep 1
+ echo 'Fake text'
+ sleep 1
+ echo .
+ sleep 1
250 2.0.0 Ok: queued as 7F3A211877A3