[SOLVED] Fake "From" Header by Authenticated User


Postby iomarmochtar » Wed Sep 06, 2017 12:56 pm

Hello all,


In the Zimbra SMTP service (Postfix), an authenticated user can easily send email using customized headers; one of them is From, which can be replaced with anything.

I've tried following this wiki https://wiki.zimbra.com/wiki/Enforcing_ ... ername_8.5 but it did not solve the issue.

You can test/reproduce this issue by using "Customize From Address" in Thunderbird or by using this Python script (adjust the variables for your environment).

Code:

import smtplib

# Credentials of the authenticated (real) sender
username = 'user_test@mail.lab'
password = 'test123'

fake_from  = 'admin@mail.lab'  # address placed in the From header
orig_from = username           # envelope sender (MAIL FROM)
to_addr = 'omar@mail.lab'

server = '192.168.113.75'

subject = "Testing fake from"
mail_content = "This email originally from %s"%orig_from

# Full message: headers, a blank line, then the body
mail_header = """Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: %s
From: %s
To: %s

%s
"""%(subject, fake_from, to_addr, mail_content)

# Submit on port 587 with STARTTLS as the authenticated user
smtp = smtplib.SMTP(server, 587)
smtp.starttls()
smtp.login(username,password)
smtp.sendmail(orig_from, to_addr, mail_header)
smtp.quit()


Copy and paste the above script to a file, then run it.
python reproduce.py

After searching the Zimbra Bugzilla, there has been no update for several months: https://bugzilla.zimbra.com/show_bug.cgi?id=108036

If you have any solution for this bug (?), I would really appreciate it.
Last edited by iomarmochtar on Wed Sep 13, 2017 7:06 am, edited 2 times in total.
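
A defender-side check for the behaviour described in the post above, as an added example (not part of the original post and not the workaround from the linked blog): it compares the From header of a submitted message with the authenticated login. The function name, the `allowed_aliases` parameter and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses


def check_from_header(raw_message, auth_user, allowed_aliases=()):
    """Return (ok, reason) for a message submitted by SASL login auth_user.

    allowed_aliases is a hypothetical per-account list of extra addresses
    the login may send as (aliases, delegated identities).
    """
    permitted = {auth_user.lower()} | {a.lower() for a in allowed_aliases}
    msg = message_from_string(raw_message)
    from_headers = msg.get_all("From", [])
    # A duplicated From header lets different clients display different senders.
    if len(from_headers) != 1:
        return False, "expected exactly one From header, got %d" % len(from_headers)
    addresses = [addr.lower() for _name, addr in getaddresses(from_headers) if addr]
    if len(addresses) != 1:
        return False, "From must contain exactly one address"
    if addresses[0] not in permitted:
        return False, "From %s is not permitted for login %s" % (addresses[0], auth_user)
    return True, "ok"


# Constructed sample: same message shape as the reproduction script above.
SPOOFED = (
    'Content-Type: text/plain; charset="utf-8"\n'
    "MIME-Version: 1.0\n"
    "Subject: Testing fake from\n"
    "From: admin@mail.lab\n"
    "To: omar@mail.lab\n"
    "\n"
    "This email originally from user_test@mail.lab\n"
)
# Constructed sample: the same message with a From header matching the login.
HONEST = SPOOFED.replace("From: admin@mail.lab",
                         "From: Test User <user_test@mail.lab>")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("honest", HONEST)):
        print(label, check_from_header(raw, "user_test@mail.lab"))
```

The check only compares the address part of From, so a display name that looks like another address still passes and needs separate handling.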



Re: Fake "From" Header by Authenticated User

Postby iomarmochtar » Thu Sep 07, 2017 10:15 am

Can somebody help me with this issue?

Re: [SOLVED] Fake "From" Header by Authenticated User

Postby iomarmochtar » Wed Sep 13, 2017 7:07 am

See my blog for a workaround for this issue:

https://iomarmochtar.wordpress.com/2017 ... om-header/

Re: [SOLVED] Fake "From" Header by Authenticated User

Postby rioprayoga » Thu Sep 14, 2017 7:54 am

Cool. I have the same issue with my customers. Thanks for your workaround.
