Zimbra has released Zimbra Collaboration Suite version 8.5.0, which brings some changes, especially to enforcing a match between the FROM address and the SASL username (Sender Must Login). The default Zimbra configuration allows a user to relay email using an email address different from the one used to authenticate with SMTP. The following is an example configuration in Thunderbird:
If your password is compromised, a spammer can authenticate to SMTP with the email address and its compromised password, while the identity email in Thunderbird is changed to another address. In addition, if you test with telnet, Zimbra allows sending from and to the same domain without authentication. This is very dangerous and can be used by spammers to send fake mail. The following is an example test using telnet:
mail:~ # telnet mail.myemailserver.net 25
Trying 103.xxx.xxx.xxx
Connected to mail.myemailserver.net.
Escape character is '^]'.
220 mail.myemailserver.net ESMTP Postfix
ehlo mail
250-mail.myemailserver.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:admin@myemailserver.net
250 2.1.0 Ok
rcpt to:admin@myemailserver.net
250 2.1.5 Ok
The result: sending email from admin@myemailserver.net to admin@myemailserver.net is accepted. With a good configuration, the email server will ask for the password of admin@myemailserver.net. If a password is used and it matches, the email can be sent to the destination; if no password is used, the email server will deny it.
What if I try to send fake mail using my boss's email address, emailing the accountant and telling them to send money to my card? If the email server is not improved with sender must login/anti fake mail, Zimbra will accept email from and to the same domain without authentication/password.
How do you improve Zimbra with sender must login/anti fake mail?
If you are using Zimbra 7.0, you can use this guide (in Bahasa Indonesia): http://imanudin.com/2013/05/05/improvement-anti-spam-zimbra-restricted-sendersender-must-login-pada-zimbra-7/. If you are using Zimbra 8.0, you can use this guide, also in Bahasa Indonesia 😀: http://imanudin.com/2013/10/29/improvement-anti-spam-zimbra-restricted-sendersender-must-login-pada-zimbra-8-dengan-exceptionpengecualian/. If you are using Zimbra 8.5, follow these instructions:
su - zimbra
zmprov mcf zimbraMtaSmtpdSenderLoginMaps proxy:ldap:/opt/zimbra/conf/ldap-slm.cf +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch
The above configuration will not allow a user to relay email using an email address different from the one used to authenticate with SMTP.
Open the file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and add reject_sender_login_mismatch after permit_mynetworks:
permit_mynetworks, reject_sender_login_mismatch
The above configuration will not accept mail if the user does not use authentication/password. After a minute, zmconfigd will update the Postfix configuration automatically and apply the new rules. The following is an example test using telnet after applying the sender must login/anti fake mail configuration:
ahmad:~ # telnet mail.myemailserver.net 25
Trying 103.xxx.xxx.xxx
Connected to mail.myemailserver.net.
Escape character is '^]'.
220 mail.myemailserver.net ESMTP Postfix
ehlo mail
250-mail.myemailserver.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:admin@myemailserver.net
250 2.1.0 Ok
rcpt to:admin@myemailserver.net
553 5.7.1 <admin@myemailserver.net> Sender address rejected: not logged in
The test above is rejected with the message "not logged in".
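The decision order behind the two telnet results above, as an added example that is not part of the original post or of Zimbra's code: a small Python model of how Postfix walks the sender restriction list and stops at the first restriction that decides. The login map, the network list, the client IPs and the simplified BEFORE list are constructed assumptions; the restriction names and reject texts are the ones shown on this page.

```python
import ipaddress

# Constructed stand-in for the lookup behind zimbraMtaSmtpdSenderLoginMaps:
# envelope sender address -> SASL logins that own it.
LOGIN_MAPS = {
    "admin@myemailserver.net": {"admin", "admin@myemailserver.net"},
    "user1@myemailserver.net": {"user1", "user1@myemailserver.net"},
}
# Constructed trusted networks: localhost plus the server's own address.
MYNETWORKS = ["127.0.0.0/8", "192.0.2.10/32"]

# Simplified list without the mismatch checks (assumption, for contrast).
BEFORE = ["permit_mynetworks", "permit_sasl_authenticated"]
# Order after the two changes described in the article.
AFTER = [
    "reject_authenticated_sender_login_mismatch",
    "permit_mynetworks",
    "reject_sender_login_mismatch",
    "permit_sasl_authenticated",
]


def in_mynetworks(client_ip, networks=MYNETWORKS):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net) for net in networks)


def auth_mismatch(sender, sasl_user, maps):
    """Logged-in client using a sender address its login does not own."""
    if sasl_user is not None and sasl_user not in maps.get(sender, ()):
        return (f"553 5.7.1 <{sender}>: Sender address rejected: "
                f"not owned by user {sasl_user}")
    return None


def unauth_mismatch(sender, sasl_user, maps):
    """Client without a login using a sender address that has an owner."""
    if sasl_user is None and sender in maps:
        return f"553 5.7.1 <{sender}>: Sender address rejected: not logged in"
    return None


def evaluate(restrictions, client_ip, sasl_user, sender, maps=LOGIN_MAPS):
    """Walk the list in order; the first restriction that decides wins.

    Returns (decision, deciding_restriction, smtp_reply). NO_DECISION means
    the sender stage raised no objection and later stages still apply.
    """
    sender = sender.lower()
    for name in restrictions:
        reply = None
        if name == "permit_mynetworks":
            if in_mynetworks(client_ip):
                return ("PERMIT", name, None)
        elif name == "permit_sasl_authenticated":
            if sasl_user is not None:
                return ("PERMIT", name, None)
        elif name == "reject_authenticated_sender_login_mismatch":
            reply = auth_mismatch(sender, sasl_user, maps)
        elif name == "reject_sender_login_mismatch":
            reply = (auth_mismatch(sender, sasl_user, maps)
                     or unauth_mismatch(sender, sasl_user, maps))
        else:
            raise ValueError(f"restriction not modelled: {name}")
        if reply:
            return ("REJECT", name, reply)
    return ("NO_DECISION", None, None)


if __name__ == "__main__":
    outside, server = "203.0.113.7", "192.0.2.10"  # constructed client IPs
    admin = "admin@myemailserver.net"
    cases = [
        ("before, outside, no login", BEFORE, outside, None, admin),
        ("after, outside, no login", AFTER, outside, None, admin),
        ("after, trusted IP, no login", AFTER, server, None, admin),
        ("after, login user1 as admin", AFTER, outside, "user1", admin),
        ("after, login user1 as itself", AFTER, outside, "user1",
         "user1@myemailserver.net"),
        # Address with no owner in the map: the login checks have nothing
        # to compare against, so this stage does not object.
        ("after, unknown sender", AFTER, outside, None, "xyz@myemailserver.net"),
    ]
    for label, rules, ip, user, sender in cases:
        print(f"{label:30} -> {evaluate(rules, ip, user, sender)}")
```

These checks look only at the envelope sender given in MAIL FROM, not at the From: header typed in a mail client. A client inside the trusted networks is permitted before the unauthenticated check runs, which is why the test has to come from an address outside them.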
Let’s see the video on Youtube
Good luck and hopefully useful 😀
Hi ,
I am using Zimbra 8.6 and I couldn't find check_sender_access lmdb:/opt/zimbra/conf/ldap-restricrelay.cf that you showed at the last step. Can you share the configuration of that file?
Thanks
Hi,
Which article did you mean?
This article: How To Improvement Sender Must Login/Enforcing a Match Between From Address and sasl username On Zimbra 8.5
I found out where I went wrong. Thanks for your help and for responding as well.
Best Regards.
Hi,
I have version 8.5. I did just that, but it is not working.
zmprov mcf zimbraMtaSmtpdSenderLoginMaps proxy:ldap:/opt/zimbra/conf/ldap-slm.cf +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch
any idea?
Hi,
Ensure the IP address used for testing is not in the Zimbra Trusted Network
I did all the steps multiple times but with no effect. I am also sure that my IP is not in the trusted network.
I am using Zimbra 8.6.0.
Any idea?!!
Hi,
Please post the result from the following command for debug :
Mas Iman, I have run the commands above, but why does it still have no effect? This is the telnet result:
mail from:imron@xxx.xxx
250 2.1.0 Ok
rcpt to:imron@xxx.xxx
250 2.1.5 Ok
Here is the command
cat /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf, and its result:
%%exact VAR:zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch%%
%%contains VAR:zimbraMtaSmtpdSenderRestrictions check_sender_access lmdb:/opt/zimbra/conf/postfix_reject_sender%%
%%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:%%zimbraCBPolicydBindPort%%%%
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re%%
permit_mynetworks, reject_sender_login_mismatch
permit_sasl_authenticated
permit_tls_clientcerts
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re%%
Thank you
Hi mas Imron,
Make sure the telnet test is run from outside the network. Do not run it from the server itself.
Mas Iman, thank you for replying to my post.
I have already run it from outside my email server, and it still has no effect.
Before I upgraded to Zimbra 8.15 it worked, mas, but after the upgrade this policy stopped working. Then I updated to Zimbra 9 Zextras, and it still has no effect.
Hi mas Imron,
I happen to use that version too and it works, mas. Make sure the test is run from outside the trusted network.
Bro,
why does it come out like this?
Jun 24 01:58:35 zimbra postfix/amavisd/smtpd[2178]: error: open database /opt/zimbra/conf/slm-exceptions-db.lmdb: No such file or directory
Sure bro,
Please paste the output of the following command:
Hi, thank you for your excellent post. It’s not clear to me how to add exceptions in version 8.6.
In the past I was using 8.0.7 with exceptions managed in a file and everything was working fine. But now I do not know how to manage it in 8.6. Could you please be so kind as to make a short and simple step-by-step video or file?
Thank you in advance
Hi Nino,
Please try this guide: https://wiki.zimbra.com/wiki/Enforcing_a_match_between_FROM_address_and_sasl_username_8.5. I also use that guide.
If you can, please help me with how to publish a mail server with Zimbra on CentOS 7 to the internet and add an SSL cert.
Hi Abumahmoud,
Yes with pleasure 😀
I ran these commands, but it does not seem to have any effect. How can I reverse these changes and do a fresh run? I tried zmprov mcf -zimbraMtaSmtpdSenderRestrictions but it did not work.
Hi Srini,
Please make sure you do not run/test from a trusted IP. If you want to reverse, please run the following command
Hi!
I have two problems with the MTA configuration; maybe you can help me. After doing the following:
zmprov mcf zimbraMtaSmtpdSenderLoginMaps proxy:ldap:/opt/zimbra/conf/ldap-slm.cf +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch
vi /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf
permit_mynetworks, reject_sender_login_mismatch
zmprov mcf zimbraMtaSmtpdRejectUnlistedRecipient yes
zmprov mcf zimbraMtaSmtpdRejectUnlistedSender yes
zmmtactl restart
zmconfigdctl restart
I’m unable to send mails using webmail. Using imap/smtp works perfectly
And using telnet the smtp server allows me to use a fake “from” to send mails to the domain configured in zimbra.
Thanks in advance
Finally I reconfigured and now everything works fine, but I can still send with a fake from to the domain configured in Zimbra
Hi,
Are you testing telnet on the Zimbra server directly, or from another server?
Hi Iman, could you please help me with the message “Error in service network” when a user tries to log in to the Zimbra web client? Thanks in advance
Hi,
Are you getting “error in service network” after configuring this improvement? If yes, please revert the configuration to default
Is it possible to create an exception for a specific domain?
For example;
We have done:
“open file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and add reject_sender_login_mismatch after permit_mynetworks”
..and it rejects all SASL users with mismatched email addresses
We would like domainA.com to not be rejected when the SASL user does not match the email address
Is this possible?
Hi RichV,
Please take a look at this guide: https://wiki.zimbra.com/wiki/Enforcing_a_match_between_FROM_address_and_sasl_username_8.5, especially the exception section
I ran the following command:
su - zimbra
zmprov mcf zimbraMtaSmtpdSenderLoginMaps "" -zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch
And now logging is not working for our Zimbra server.
Hello,
If you want to disable the improvement, please try performing the command twice
Thanks for the quick reply!
I thought that command was related to the issue I’m having with not getting any logs and all of the services being in red status on the admin gui, but it seems like the sqlite db got erased somehow. Would you happen to know of a way to recreate it on zimbra 8.6?
I tried the steps in this article under “Reinitializing Logger Database From Scratch”, but it didn’t work: https://wiki.zimbra.com/wiki/Ajcody-Server-Topics
Thank you so much for your help, I really appreciate it.
Hello Aldo,
Please try this command and restart your syslog/rsyslog :
Hi Iman,
Unfortunately, that doesn’t fix the problem on my system.
If I run zmsyslogsetup and zmloggerinit, a db folder gets created under the /op/zimbra/logger/ directory, but the logger.sqlitedb file has no tables in it. I believe my logs stopped working after I tried to remove the improvement in this thread using: zmprov mcf zimbraMtaSmtpdSenderLoginMaps proxy:ldap:/opt/zimbra/conf/ldap-slm.cf -zimbraMtaSmtpdSenderRestrictions. It could also just be a coincidence that the logs stopped working around the same time, I’m not sure what’s wrong.
Hello Aldo,
I think removing the improvement is not related to the logger 😀
Hello, thanks for the tutorial. When I use the telnet method, it’s rejected as you’ve shown. However, when I use the mail command and set the From field accordingly, the emails are sent!!
echo "Test message" | mail -s "Testing" -a "From:test@example.com" -t test@example.com
What is the sure way to ensure that emails which have the same to/from fields are rejected by the server?
Hello David,
Are you using that command from Zimbra itself?
By the way, what OS is that you’re using?
Hello David,
If you mean the OS on my laptop, I am using ElementaryOS. If you mean the OS on my server, I am using CentOS or Ubuntu and especially SUSE 🙂
Hi Iman,
I tested successfully following your instructions. But I have one problem to discuss: when using Thunderbird, I don’t change the email address in the account settings; besides that, when I write a new email, I choose to customize the From address and change it to anything, and the email is sent successfully anyway. How can we prevent that?
Hi Iman,
Thanks for your post.
Do you know how to authorize a user so that it can send mail on behalf of all domain accounts?
Thanks again
Hi Luis,
You can use an exception. Please try the exception as mentioned at this link: https://wiki.zimbra.com/wiki/Enforcing_a_match_between_FROM_address_and_sasl_username_8.5#Optional.2C_use_an_exception_DB
Hi Iman,
What I want to do is something like this:
@domain.com user@domain.com
And not to have to be adding a line for every user.
Is it possible to do this?
Sorry for my English and thank you for your answer
Hello Luis,
You can use exceptions as mentioned on the Wiki: https://wiki.zimbra.com/wiki/Enforcing_a_match_between_FROM_address_and_sasl_username_8.5#Optional.2C_use_an_exception_DB
Boss, is there one for Zimbra 7?
Please visit here, mas: https://imanudin.com/2013/05/05/improvement-anti-spam-zimbra-restricted-sendersender-must-login-pada-zimbra-7/
Hi Iman,
In the old version, Zimbra 8.6, the advice from this article is OK, but after updating to version 8.7.1 this functionality does not work
Test on the new version, Zimbra 8.7.1:
exist user: user1.lab.com, user2.lab.com
the user does not exist: xyz@lab.com
—————————————————————-
telnet mail.lab.com 25
mail from: user1@lab.com
rcpt to: user2@lab.com
553 5.7.1 : Sender address rejected: not logged in
—————————————————————-
This is OK !!
but
—————————————————————-
telnet mail.lab.com 25
mail from: xyz@lab.com
rcpt to: user2@lab.com
data
354 End data with .
test
.
250 2.0.0 Ok: queued as 1234GG8F49
email sent from a non-existent user in my domain
—————————————————————-
IT IS NOT OK !!!!!!
I checked parameters:
zimbraMtaSmtpdSenderRestrictions: reject_authenticated_sender_login_mismatch
zimbraMtaSmtpdRejectUnlistedRecipient: yes
zimbraMtaSmtpdRejectUnlistedSender: yes
zimbraMtaSmtpdSenderLoginMaps: proxy:ldap:/opt/zimbra/conf/ldap-slm.cf
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch, check_sender_access
regexp:/opt/zimbra/postfix/conf/tag_as_originating.re,
permit_mynetworks,
reject_sender_login_mismatch,
permit_sasl_authenticated, permit_tls_clientcerts,
check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re
Everything is fine but it is not working properly.
Can you test it on the new version, Zimbra 8.7.1?
Hi,
I will try on ZCS 8.7
So will it work on 8.7?
Hi Ronald,
Yes, it still works on 8.7. A few days ago, I tried and tested it again 😉
Hello Iman,
I checked the setting on version 8.7.0 on another production Zimbra and it is the same problem. A user who does not exist in the domain can send mail.
The setting is OK if the user that sends exists in the domain
Best Regards
Hi Tom,
Please make sure your MTA trusted network has been configured like this
Please also try to perform this
Insert reject_unlisted_sender above reject_unlisted_recipient
Thank you for your answer.
Today I checked your recommendations.
I set:
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_sender,reject_unlisted_recipient, reject_non_fqdn_sender, reject_rbl_client 1.antyspam.com, reject_rbl_client 2.antyspam.com, reject_rhsbl_client reject_rhsbl_sender, permit
mynetworks = 127.0.0.0/8 [mail server IP adres]/32
Unfortunately, the effect is still the same:
mail from: user1exist@example.com
rcpt to: user2exist@example.com
553 5.7.1 : Sender address rejected: not logged in
but
mail from: user_not_exist@example.com
rcpt to: user2exist@example.com
250 2.1.5 Ok
data
354 End data with .
test
.
250 2.0.0 Ok: queued as 123456
Best Regards
Hi Tom,
Please make sure Postfix has been reloaded or zmcontrol restart 😉
Hi Iman,
Yes, I restarted Zimbra (zmcontrol stop && zmcontrol start) and restarted the physical machine, without result.
I did a test. I changed:
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_sender,reject_unlisted_recipient, reject_non_fqdn_sender, reject_rbl_client 1.antyspam.com, reject_rbl_client 2.antyspam.com, reject_rhsbl_client reject_rhsbl_sender, permit
to
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_sender,reject_unlisted_recipient, reject_non_fqdn_sender, reject_rbl_client 1.antyspam.com, reject_rbl_client 2.antyspam.com, reject_rhsbl_client reject_rhsbl_sender, permit
the last “permit” changed to “reject”
After the change it works OK.
I have to check the impact on Zimbra
Best Regards
I had to write:
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_sender,reject_unlisted_recipient, reject_non_fqdn_sender, reject_rbl_client 1.antyspam.com, reject_rbl_client 2.antyspam.com, reject_rhsbl_client reject_rhsbl_sender, reject
I’m sorry for my mistake
Hi Tom,
This is my configuration and it works. You can see reject_unlisted_sender above reject_unlisted_recipient
I have the same problem here 🙁
Hi all,
Thank you, Iman, for such a good public resource! Many articles are great and useful!
But not so long ago I found a bug that allows skipping all these restrictions via Thunderbird…
The version of my Zimbra is 8.6. I’ve done all the steps from this article and from this manual – https://wiki.zimbra.com/wiki/Rejecting_false_%22mail_from%22_addresses
After that the telnet check was OK, but if an attacker has stolen the password of only one user then he will be able to send messages with any value in the field FROM and Zimbra will display these fake DisplayName and fake address of the mailbox!!!
Zimbra requires the correct username only in the Thunderbird ACCOUNT settings, but it allows you to substitute any email address in FROM when you are composing a letter.. ((
Most likely this is a bug on the postfix side.
Maybe someone has an idea how to fix this behavior??
I described this situation in detail on the Zimbra forum (http://forums.zimbra.org/viewtopic.php?f=15&t=60813&sid=707f349619d3f3dc7e694f0d4f049079), but it is unanswered yet..
Thanks a lot!
Hello Ivan,
Maybe you can try this one : https://imanudin.net/2014/09/11/improving-anti-spam-reject-unlisted-domain-on-zimbra-8-5/
Thanks for the quick reply,
I previously forbade relay connections; when I try to send from a domain that is not mine I receive “Relay access denied”. This is OK.
In my case the problem is a little different. I can send a letter with a FAKE mail address in the field FROM through SMTP on my Zimbra server, authenticated as another user on it..
Also, an interesting fact is that the parameter zimbraSmtpRestrictEnvelopeFrom is TRUE, which means “the address for MAIL FROM in the SMTP session will always be set to the email address of the account…”
But it doesn’t work correctly..
zimbraMtaMyNetworks has the values 127.0.0.0/8 and the public IP address of this server.
Maybe I should delete the public IP from there?
Thank You very much!
Hi Ivan,
In zimbraMtaMyNetworks, you only need to list 127.0.0.0/8 yourzimbraserver/32
Example:
127.0.0.0/8 192.168.80.11/32
Hi Iman,
I have followed your instructions on my Zimbra, but it didn’t work.
Could you tell me, is there anything wrong with my Zimbra?
Here is the config:
[zimbra@xxxx ~]$ zmprov gcf zimbraMtaSmtpdSenderLoginMaps
zimbraMtaSmtpdSenderLoginMaps: proxy:ldap:/opt/zimbra/conf/ldap-slm.cf
[zimbra@xxxx ~]$ zmprov gcf zimbraMtaSmtpdSenderRestrictions
zimbraMtaSmtpdSenderRestrictions: reject_authenticated_sender_login_mismatch
[zimbra@xxxx ~]$
Hi Iman,
Could you please help me? I’m using Zimbra 8.0.7 free version. Please advise whether the above setup works with Zimbra 8.0.7 free version.
Thanks
M. Ramesh
Hi Ramesh,
You can try this guide in Bahasa 😀 : https://ahmad.imanudin.com/2013/05/06/improvement-anti-spam-zimbra-restricted-sendersender-must-login-pada-zimbra-8/
Hi Iman,
After I changed my MTA as shown below, I am able to send mail to other domains, but for receiving it shows an error
cannot find your reverse hostname, [172.16.16.16]; from= to= proto=ESMTP helo=
My MTA setting:
127.0.0.0/8 serverip/32
Can you please tell me how to resolve this issue?
Hi Amit,
Your problem is
This error is caused because you have a PTR/Reverse DNS check. Please check your configuration again
Hi, what would be an equivalent solution for Zimbra 7.x?
Thanks
Hi Mauricio Leon,
You can use this one :
Please adjust it for your relay server
Dear Iman,
I’ve tried your tips on my Zimbra 8.7.1 free edition but an error appears:
ERROR: account.INVALID_ATTR_VALUE (invalid attr value: invalid attr value – unable to modify attributes: ldap host=mail.mydomain.com:389: attribute ‘zimbraMtaSmtpdSenderRestrictions’ cannot have multiple values)
Can these tips run on Zimbra 8.7.1?
Many thanks.
Hi Addo,
I think your configuration is already there. Please check the value with the zmprov gs command
Hi Iman,
It looks like the script was running.
But a new error appears when I test sending an email via Outlook to any destination address, like this:
“553 5.7.1 : Sender address rejected: not owned by user ;”
How can I solve this matter?
Many thanks.
Hi Addo,
Please make sure your email client uses SSL or TLS 465/587 in the SMTP configuration.
Hi Iman,
After I ran the zmprov gs command, there is no ‘zimbraMtaSmtpdSenderRestrictions’ in my server’s list of attributes.
Is there a missing symbol ‘+’ before ‘zimbraMtaSmtpdSenderRestrictions’ in your script?
Or is there any mistake that I have made?
Many thanks.
Hi Addo,
The script is correct. Please try again with that script
Does this work for CentOS 7 with Zimbra 8.7.7? If not, please guide me on how to do it..
Yes, it does. I’ve also already tried it on Zimbra 8.8
Hello Iman, how are you?
Can you help me?
What can I do to revert this configuration on Zimbra 8.7 (Ubuntu 16.04)?
Hello Wendelms,
I am fine. How about you?
You can run the commands from this comment: https://imanudin.net/2014/09/07/how-to-improvement-sender-must-loginenforcing-a-match-between-from-address-and-sasl-username-on-zimbra-8-5/#comment-10546
Hi Iman, I did this in a brand new server with 8.7 and if I add “reject_sender_login_mismatch” to the sender restriction file the users can’t send mails to the same domain from webmail. Thanks in advance
Hi,
Please make sure the IP of your Zimbra server is listed in the trusted network
Hi, thank you very much, however I detected a problem. When I write a new mail, at that moment I can change the FROM address to “boss” and it works.
Hi Jolubaro,
Please make sure the IP of the PC/laptop used to send email from the email client is not included in the trusted network. By default, Zimbra will trust the whole network of the IP that is used on the Zimbra server
Hello Iman,
how would you implement the rule “reject_sender_login_mismatch” using the web user interface for PolicyD Web Administration? I mean, do you have any hint on how to do that?
Thx in advance,
Paola
Hi Paola,
You should use the CLI. That improvement is not available in the Policyd WebUI
Hi Iman,
Do you mean that it hasn’t been done until now or that it’s impossible?
Hi Paola,
Yes. You should configure it from the CLI
Okay, so you track SASLUsername instead of user@domain on the Web Administration Interface and, in doing so, you can implement a policy that rejects mails from user@domain in case the user didn’t login with his SASLUsername. It works.
Very useful. Thanks a lot for sharing.
Can you kindly write a tutorial on how to migrate zimbra in case we want to change server and need to keep all mails, contacts, passwords etc.
Hi Omi Azad,
You can use ZeXtras Migration Tools to migrate from Zimbra to Zimbra. I usually use ZeXtras to do that
ZeXtras Migration Tool is for export only and then have to use their paid tool for import. That is a bit problematic. Their selling price model is also not friendly.
The command is
permit_mynetworks, reject_sender_login_mismatch
or
permit_mynetworks, reject_authenticated_sender_login_mismatch
Cause seems like this is not working.
Hi Omi Azad,
The first is the proper configuration. If it does not work, please make sure your trusted network has been configured properly. Only localhost and the IP of your server should be listed in the Trusted Network
Thanks.
Not sure where this “trusted network” can be configured. But I think I can send mail to anyone in the same subnet. Zimbra perhaps considers the same subnet as trusted? Can you suggest what I should do?
Hi Omi Azad,
You can configure in Zimbra Admin | Configure | Servers | Edit Servers | MTA | Trusted Network. You should configure like this 127.0.0.0/8 your-Zimbra-ip/32
Hello
Does this work in Zimbra 8.8.8?
Hi Mario,
Yes, it works. I’ve tested on Zimbra 8.8.8 patch 4
Hi Iman,
How do I block mail if Return-Path: and From: are not the same?
I am using the Zimbra version below.
Release 8.8.8_GA_2009.RHEL7_64_20180322150747 RHEL7_64 FOSS edition, Patch 8.8.8_P6
Hi Ketan Adiyal,
Can you share an example where the Return-Path and From are not the same?
Assalamualaikum Wr Wb bro,
I tried the procedure above and it is OK:
Situation 1: user1@domain1.com must log in and the user user1 must exist; status: success.
Situation 2: when the domain is changed to domain2.com, the process is treated as successful, even though there is no domain2.com on my server
I sent the mail using a VB.NET 2008-based application
It seems my server does not restrict or check for valid domains.
Wassalamualaikum Wr Wb.
Thanks
Edi
Waalaikumussalam,
Please also try combining it with this one, pak: https://imanudin.net/2014/09/11/improving-anti-spam-reject-unlisted-domain-on-zimbra-8-5/
Hi Iman
Could you please help me? I’m using Zimbra
Release 8.8.9.GA.3019.UBUNTU16.64 UBUNTU16_64 FOSS edition, Patch 8.8.9_P4.
Using telnet, the SMTP server allows me to use a fake “from” to send mails to the domain configured in Zimbra.
Maybe someone has an idea how to fix this behavior?
Thanks
telnet mail.example.com 25
Trying XX.XX.XX.XX…
Connected to mail.example.com.
Escape character is ‘^]’.
220 ******************************
helo mail
250 mail.example.com
mail from:test@exampleNO.com
250 2.1.0 Ok
rcpt to:test@example.com
250 2.1.5 Ok
data
354 End data with .
.
250 2.0.0 Ok: queued as BE7816695E2
mynetworks = 127.0.0.0/8 10.200.4.4/32 for nat
zmprov gacf zimbraMtaSmtpdSenderRestrictions
zimbraMtaSmtpdSenderRestrictions: reject_authenticated_sender_login_mismatch
zmprov gacf zimbraMtaSmtpdRejectUnlistedRecipient
zimbraMtaSmtpdRejectUnlistedRecipient: yes
zmprov gacf zimbraMtaSmtpdRejectUnlistedSender
zimbraMtaSmtpdRejectUnlistedSender: yes
zmprov gcf zimbraMtaSmtpdSenderLoginMaps
zimbraMtaSmtpdSenderLoginMaps: proxy:ldap:/opt/zimbra/conf/ldap-slm.cf
smtp_sender_restrictions.cf
%%exact VAR:zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch%%
%%contains VAR:zimbraMtaSmtpdSenderRestrictions check_sender_access lmdb:/opt/zimbra/conf/postfix_reject_sender%%
%%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:%%zimbraCBPolicydBindPort%%%%
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re%%
permit_mynetworks
reject_sender_login_mismatch
permit_sasl_authenticated
reject_unlisted_sender
reject_authenticated_sender_login_mismatch
permit_tls_clientcerts
%%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re%%
Hello,
I think this, “mail from:test@exampleNO.com”, is not your domain but another domain, so that email can be received by your server
Thanks a lot… my problem was solved by your guide… I need one more bit of help.. how to restrict mail relay….. anyone can send mail by relaying through my domain…. your help would be appreciated.
Hello,
You can try this one : https://imanudin.net/2014/09/11/improving-anti-spam-reject-unlisted-domain-on-zimbra-8-5/
Hi Iman,
Could you help, please? I’ve described my case in https://forums.zimbra.org/viewtopic.php?f=15&t=67124 and in short, I can’t send email from my domain without login, and it’s OK, but I can send any fake emails from my alias domains. Any solutions?
Thanks!
Hello Alex,
You can try this one : https://imanudin.net/2019/05/23/zimbra-tips-how-to-block-email-from-and-return-path-did-not-match/
Hi,
How can we disable this enforcement or allow some users to send emails even if the authentication user is different?
Hi,
If you want to make an exception, please do the following
The above configuration means jhon.doe@example.com / jhon.doe can use jhon.doe@gmail.com in the from header. Postmap the exception
Modify the configuration to use the exception