70 thoughts on - How To Improvement Sender Must Login/Enforcing a Match Between From Address and sasl username On Zimbra 8.5

  • Hi ,

    I am using Zimbra 8.6 and I couldn't find check_sender_access lmdb:/opt/zimbra/conf/ldap-restricrelay.cf that you showed at the last step. Can you share the configuration of that file?

    Thanks

  • This article: "How To Improvement Sender Must Login/Enforcing a Match Between From Address and sasl username On Zimbra 8.5"
    I found out where I went wrong. Thanks for your help and for responding as well.

    Best Regards.

  • Hi,

    I have version 8.5, I did just that but it is not working.
    zmprov mcf zimbraMtaSmtpdSenderLoginMaps proxy:ldap:/opt/zimbra/conf/ldap-slm.cf +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch

    any idea?

      • I did all the steps multiple times but with no effect. I am also sure that my IP is not in the trusted network.
        I am using Zimbra 8.6.0.
        Any idea?!

        • Hi,

          Please post the result of the following commands for debugging:

          su - zimbra
          zmprov gs `zmhostname` | grep -i mynetwork
          zmprov gcf zimbraMtaSmtpdSenderLoginMaps
          zmprov gcf zimbraMtaSmtpdSenderRestrictions
          cat /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf
          
  • bro

    Why does it happen like this?
    Jun 24 01:58:35 zimbra postfix/amavisd/smtpd[2178]: error: open database /opt/zimbra/conf/slm-exceptions-db.lmdb: No such file or directory

  • If you please, can you help me with how to publish a mail server with Zimbra on CentOS 7 to the internet and add an SSL cert?

  • I ran these commands, but they do not seem to have any effect. How can I reverse these changes and do a fresh run? I tried zmprov mcf -zimbraMtaSmtpdSenderRestrictions but it did not work.

    • Hi Srini,

      Please make sure you are not running/testing from a trusted IP. If you want to reverse it, please run the following commands:

      su - zimbra
      zmprov mcf zimbraMtaSmtpdSenderLoginMaps "" -zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch
      
  • Hi!
    I have two problems with the MTA configuration, maybe you can help me. After doing the following:

    zmprov mcf zimbraMtaSmtpdSenderLoginMaps proxy:ldap:/opt/zimbra/conf/ldap-slm.cf +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch

    vi /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf
    permit_mynetworks, reject_sender_login_mismatch

    zmprov mcf zimbraMtaSmtpdRejectUnlistedRecipient yes
    zmprov mcf zimbraMtaSmtpdRejectUnlistedSender yes
    zmmtactl restart
    zmconfigdctl restart

    I'm unable to send mail using webmail. Using IMAP/SMTP works perfectly.

    And using telnet, the SMTP server allows me to use a fake "from" to send mail to the domain configured in Zimbra.

    Thanks in advance

  • Hi Iman, could you please help me with the message "Error in service network" when a user tries to log in at the Zimbra web client? Thanks in advance

  • Is it possible to create an exception for a specific domain?

    For example;
    We have done:
    “open file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and add reject_sender_login_mismatch after permit_mynetworks”
    ...and it rejects all SASL users with mismatched email addresses.

    We would like domainA.com to not be rejected when the SASL user does not match the email address.

    Is this possible?

  • I ran the following command:

    su - zimbra
    zmprov mcf zimbraMtaSmtpdSenderLoginMaps "" -zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch

    And now logging is not working for our zimbra server.

    • Hello,

      If you want to disable the improvement, please try to perform the command twice:

      zmprov mcf zimbraMtaSmtpdSenderLoginMaps ""
      zmprov mcf -zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch
      
  • Thanks for the quick reply!

    I thought that command was related to the issue I’m having with not getting any logs and all of the services being in red status on the admin gui, but it seems like the sqlite db got erased somehow. Would you happen to know of a way to recreate it on zimbra 8.6?

    I tried the steps in this article under “Reinitializing Logger Database From Scratch”, but it didn’t work: https://wiki.zimbra.com/wiki/Ajcody-Server-Topics

    Thank you so much for your help, I really appreciate it.

  • Hi Iman,

    Unfortunately, that doesn’t fix the problem on my system.
    If I run zmsyslogsetup and zmloggerinit, a db folder gets created under the /opt/zimbra/logger/ directory, but the logger.sqlitedb file has no tables in it. I believe my logs stopped working after I tried to remove the improvement in this thread using: zmprov mcf zimbraMtaSmtpdSenderLoginMaps proxy:ldap:/opt/zimbra/conf/ldap-slm.cf -zimbraMtaSmtpdSenderRestrictions. It could also just be a coincidence that the logs stopped working around the same time; I'm not sure what's wrong.

  • Hello, thanks for the tutorial. When I use the telnet method, it's rejected as you've shown. However, when I use the mail command and set the From field accordingly, the emails are sent!!

    echo "Test message" | mail -s "Testing" -a "From:test@example.com" -t test@example.com

    What is the sure way to ensure that emails which have the same to/from fields are rejected by the server?

    • Hello David,

      If you mean the OS on my laptop, I am using ElementaryOS. If you mean the OS on my server, I am using CentOS or Ubuntu and especially SUSE 🙂

  • Hi Iman,
    I tested successfully from your instructions. But I have one problem to discuss: when using Thunderbird, I don't change the email address in the account settings, but when I write a new email, I choose to customize the From address and change it to anything, and the email is sent successfully anyway. How can we prevent that?

  • Hi Iman,

    Thanks for your post.
    Do you know how to authorize a user so that it can send mail on behalf of all domain accounts?

    Thanks again

  • Hi Iman,
    In the old version, Zimbra 8.6, the advice from this article is OK, but after updating to version 8.7.1 this functionality does not work.

    Test on the new version Zimbra 8.7.1:
    existing users: user1@lab.com, user2@lab.com
    non-existent user: xyz@lab.com
    —————————————————————-
    telnet mail.lab.com 25
    mail from: user1@lab.com
    rcpt to: user2@lab.com
    553 5.7.1 : Sender address rejected: not logged in
    —————————————————————-
    This is OK !!

    but
    —————————————————————-
    telnet mail.lab.com 25
    mail from: xyz@lab.com
    rcpt to: user2@lab.com
    data
    354 End data with .
    test
    .
    250 2.0.0 Ok: queued as 1234GG8F49

    email sent from a non-existent user in my domain
    —————————————————————-
    IT IS NOT OK !!!!!!

    I checked parameters:
    zimbraMtaSmtpdSenderRestrictions: reject_authenticated_sender_login_mismatch
    zimbraMtaSmtpdRejectUnlistedRecipient: yes
    zimbraMtaSmtpdRejectUnlistedSender: yes
    zimbraMtaSmtpdSenderLoginMaps: proxy:ldap:/opt/zimbra/conf/ldap-slm.cf
    smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch, check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_originating.re, permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re

    Everything is fine but it is not working properly.
    Can you test it on the new version of Zimbra, 8.7.1?

          • Hello Iman,
            I checked the setting on version 8.7.0 on another production Zimbra and it is the same problem. A user who does not exist in the domain can send mail.
            The setting is OK if the sending user exists in the domain.

            Best Regards

          • Hi Tom,

            Please make sure your MTA trusted network has been configured like this:

            127.0.0.0/8 IP-OF-Server/32

            Please also try to perform this

            su - zimbra
            vi /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf
            

            insert reject_unlisted_sender above reject_unlisted_recipient

          • Thank you for your answer.
            Today I checked your recommendations.

            I set:

            smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_sender,reject_unlisted_recipient, reject_non_fqdn_sender, reject_rbl_client 1.antyspam.com, reject_rbl_client 2.antyspam.com, reject_rhsbl_client reject_rhsbl_sender, permit

            mynetworks = 127.0.0.0/8 [mail server IP address]/32

            Unfortunately, the effect is still the same:

            mail from: user1exist@example.com
            rcpt to: user2exist@example.com
            553 5.7.1 : Sender address rejected: not logged in

            but

            mail from: user_not_exist@example.com
            rcpt to: user2exist@example.com
            250 2.1.5 Ok
            data
            354 End data with .
            test
            .
            250 2.0.0 Ok: queued as 123456

            Best Regards

          • Hi Iman,
            Yes, I restarted Zimbra (zmcontrol stop && zmcontrol start) and restarted the physical machine, without result.
            I did a test, I changed:

            smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_sender,reject_unlisted_recipient, reject_non_fqdn_sender, reject_rbl_client 1.antyspam.com, reject_rbl_client 2.antyspam.com, reject_rhsbl_client reject_rhsbl_sender, permit

            to

            smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_sender,reject_unlisted_recipient, reject_non_fqdn_sender, reject_rbl_client 1.antyspam.com, reject_rbl_client 2.antyspam.com, reject_rhsbl_client reject_rhsbl_sender, permit

            the last "permit" changed to "reject"
            After the change it works OK.

            I have to check the impact on Zimbra.

            Best Regards

        • I had to write:

          smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_sender,reject_unlisted_recipient, reject_non_fqdn_sender, reject_rbl_client 1.antyspam.com, reject_rbl_client 2.antyspam.com, reject_rhsbl_client reject_rhsbl_sender, reject

          I’m sorry for my mistake

          • Hi Tom,

            This is my configuration and it works. You can see reject_unlisted_sender above reject_unlisted_recipient:

            [zimbra@mta1 ~]$ cat /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf
            %%contains VAR:zimbraMtaRestriction check_client_access lmdb:/opt/zimbra/conf/postfix_blacklist%%
            %%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:%%zimbraCBPolicydBindPort%%%%
            reject_non_fqdn_recipient
            permit_sasl_authenticated
            permit_mynetworks
            reject_unlisted_sender
            reject_unlisted_recipient
            %%exact VAR:zimbraMtaRestriction reject_invalid_helo_hostname%%
            %%exact VAR:zimbraMtaRestriction reject_non_fqdn_helo_hostname%%
            %%exact VAR:zimbraMtaRestriction reject_non_fqdn_sender%%
            %%exact VAR:zimbraMtaRestriction reject_unknown_client_hostname%%
            %%exact VAR:zimbraMtaRestriction reject_unknown_reverse_client_hostname%%
            %%exact VAR:zimbraMtaRestriction reject_unknown_helo_hostname%%
            %%exact VAR:zimbraMtaRestriction reject_unknown_sender_domain%%
            %%exact VAR:zimbraMtaRestriction reject_unverified_recipient%%
            %%contains VAR:zimbraMtaRestriction check_recipient_access lmdb:/opt/zimbra/conf/postfix_recipient_access%%
            %%contains VAR:zimbraMtaRestriction check_client_access lmdb:/opt/zimbra/conf/postfix_rbl_override%%
            %%contains VAR:zimbraMtaRestriction check_reverse_client_hostname_access pcre:/opt/zimbra/conf/fqrdns.pcre%%
            %%explode reject_rbl_client VAR:zimbraMtaRestrictionRBLs%%
            %%explode reject_rhsbl_client VAR:zimbraMtaRestrictionRHSBLCs%%
            %%explode reject_rhsbl_reverse_client VAR:zimbraMtaRestrictionRHSBLRCs%%
            %%explode reject_rhsbl_sender VAR:zimbraMtaRestrictionRHSBLSs%%
            %%contains VAR:zimbraMtaRestriction check_policy_service unix:private/policy%%
            %%contains VAR:zimbraMtaRestriction check_recipient_access ldap:/opt/zimbra/conf/ldap-splitdomain.cf%%
            %%exact VAR:zimbraMtaRestriction reject%%
            permit
            
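The ordering problems debugged in this thread (reject_sender_login_mismatch after permit_mynetworks, reject_unlisted_sender above reject_unlisted_recipient, trusted networks limited to loopback and the server's own /32) can be checked with a small script before restarting the MTA. This is an added example, not code from the article or from Zimbra; the function names are my own and the list strings at the bottom are constructed samples in the same shape as the files quoted in the comments.

```shell
#!/bin/sh
# Added example: checker for the Postfix restriction lists discussed above.
# Each check takes the list as a string (comma- or newline-separated), so it can be
# fed from `postconf -h smtpd_sender_restrictions` or from the zmconfigd .cf files.

# 1-based position of restriction $2 in list $1, ignoring arguments such as the
# server name after reject_rbl_client; prints 0 when the restriction is absent.
restriction_pos() {
    printf '%s\n' "$1" | tr ',' '\n' |
        awk -v want="$2" '$1 == want && !pos { pos = NR } END { print pos + 0 }'
}

# smtpd_sender_restrictions: the mismatch check must exist, sit after
# permit_mynetworks (trusted hosts keep relaying) and before any
# permit_sasl_authenticated (which would permit authenticated users first).
check_sender_restrictions() {
    myn=$(restriction_pos "$1" permit_mynetworks)
    mis=$(restriction_pos "$1" reject_sender_login_mismatch)
    sasl=$(restriction_pos "$1" permit_sasl_authenticated)
    [ "$mis" -gt 0 ] || { echo "sender: reject_sender_login_mismatch missing"; return 1; }
    [ "$myn" -eq 0 ] || [ "$myn" -lt "$mis" ] ||
        { echo "sender: permit_mynetworks must come before the mismatch check"; return 1; }
    [ "$sasl" -eq 0 ] || [ "$mis" -lt "$sasl" ] ||
        { echo "sender: permit_sasl_authenticated bypasses the mismatch check"; return 1; }
}

# smtpd_recipient_restrictions: reject_unlisted_sender must be present and listed
# above reject_unlisted_recipient, as in the working configuration quoted above.
check_recipient_restrictions() {
    us=$(restriction_pos "$1" reject_unlisted_sender)
    ur=$(restriction_pos "$1" reject_unlisted_recipient)
    [ "$us" -gt 0 ] || { echo "recipient: reject_unlisted_sender missing"; return 1; }
    [ "$ur" -eq 0 ] || [ "$us" -lt "$ur" ] ||
        { echo "recipient: reject_unlisted_sender must precede reject_unlisted_recipient"; return 1; }
}

# mynetworks: anything other than loopback or a single /32 host is a trusted
# range whose clients reach permit_mynetworks before the sender checks run.
check_mynetworks() {
    for net in $1; do
        case "$net" in
            127.0.0.0/8|*/32) ;;
            *) echo "mynetworks: broad trusted range $net skips the sender checks"; return 1 ;;
        esac
    done
}

# Constructed samples (not taken from a real server).
SENDER_OK="permit_mynetworks, reject_sender_login_mismatch"
RECIP_BAD="reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_recipient, reject_unlisted_sender, permit"
check_sender_restrictions "$SENDER_OK" && echo "sender list OK"
check_recipient_restrictions "$RECIP_BAD" || echo "recipient list needs fixing"
check_mynetworks "127.0.0.0/8 203.0.113.10/32" && echo "mynetworks OK"
```

On a live server the same functions can be run on `postconf -h mynetworks` and the two restriction parameters; a non-zero exit and the printed reason tell you which ordering to fix.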
  • Hi all,

    Thank you, Iman, for such a good public resource! Many articles are great and useful!

    But not so long ago I found a bug that allows skipping all these restrictions via Thunderbird...

    Version of my Zimbra is 8.6, I’ve done all steps from this article and from this manual – https://wiki.zimbra.com/wiki/Rejecting_false_%22mail_from%22_addresses

    After that the telnet check was OK, but if an attacker has stolen the password of only one user, then he will be able to send messages with any value in the FROM field, and Zimbra will display this fake DisplayName and fake mailbox address!!!

    Zimbra requires the correct username only in the Thunderbird ACCOUNT settings, but it allows you to substitute any email address in FROM when you are composing a letter.. ((
    Most likely this is a bug on the Postfix side.

    Maybe someone has an idea how to fix this behavior??

    I described this situation in detail on the Zimbra forum (http://forums.zimbra.org/viewtopic.php?f=15&t=60813&sid=707f349619d3f3dc7e694f0d4f049079), but it is unanswered yet..

    Thanks a lot!

  • Thanks for quick reply,

    I previously forbade relay connections; when trying to send from a domain that is not mine I received "Relay access denied". This is OK.

    In my case there is a slightly different problem. I can send a letter with a FAKE mail address in the FROM field through SMTP on my Zimbra server, authenticated as another user on it..

    Also an interesting fact: the parameter zimbraSmtpRestrictEnvelopeFrom is TRUE, which means "the address for MAIL FROM in the SMTP session will always be set to the email address of the account..."
    But it doesn't work correctly..

    zimbraMtaMyNetworks has the values: 127.0.0.0/8 and the public IP address of this server.

    Maybe I should delete the public IP from there?

    Thank You very much!

  • Hi Iman,

    I have followed your instructions on my Zimbra, but it didn't work.
    Could you tell me, is there anything wrong with my Zimbra?
    Here is the config:
    [zimbra@xxxx ~]$ zmprov gcf zimbraMtaSmtpdSenderLoginMaps
    zimbraMtaSmtpdSenderLoginMaps: proxy:ldap:/opt/zimbra/conf/ldap-slm.cf

    [zimbra@xxxx ~]$ zmprov gcf zimbraMtaSmtpdSenderRestrictions
    zimbraMtaSmtpdSenderRestrictions: reject_authenticated_sender_login_mismatch

    [zimbra@xxxx ~]$

  • Hi Iman,
    Could you please help me? I'm using Zimbra 8.0.7 free version. Please advise: does the above setup work with Zimbra 8.0.7 free version?

    Thanks
    M. Ramesh

  • Hi Iman,
    after I changed my MTA just like below, I am able to send mail to other domains, but for receiving it shows an error:

    cannot find your reverse hostname, [172.16.16.16]; from= to= proto=ESMTP helo=

    My MTA setting:
    127.0.0.0/8 serverip/32

    Can you please tell me how to resolve this issue?

    • Hi Amit,

      your problem is

      cannot find your reverse hostname, [172.16.16.16]; from= to= proto=ESMTP helo=
      

      This error is caused by your PTR/Reverse DNS check. Please check your configuration again.

    • Hi Mauricio Leon,

      You can use this one :

      su - zimbra
      echo relay.imanudin.net emailrelay:passwordemailrelay > /opt/zimbra/conf/relay_password
      postmap /opt/zimbra/conf/relay_password
      postmap -q relay.imanudin.net /opt/zimbra/conf/relay_password
      postconf -e smtp_sasl_password_maps=hash:/opt/zimbra/conf/relay_password
      postconf -e smtp_sasl_auth_enable=yes
      postconf -e smtp_sasl_security_options=noanonymous
      postconf -e smtp_tls_security_level=may
      zmprov ms `zmhostname` zimbraMtaRelayHost relay.imanudin.net:587
      postfix reload
      

      Please adjust this for your relay server.

  • Dear Iman,

    I've tried your tips on my Zimbra 8.7.1 free edition but an error appears:
    ERROR: account.INVALID_ATTR_VALUE (invalid attr value: invalid attr value – unable to modify attributes: ldap host=mail.mydomain.com:389: attribute 'zimbraMtaSmtpdSenderRestrictions' cannot have multiple values)
    Can these tips run on Zimbra 8.7.1?
    Many thanks.

      • Hi Iman,
        It looks like the script was running.
        But a new error appears when I test sending an email via Outlook to every destination address, like this:
        “553 5.7.1 : Sender address rejected: not owned by user ;”
        How to solve this matter?
        Many thanks.

  • Hi Iman,

    After I run the zmprov gs command, there is no 'zimbraMtaSmtpdSenderRestrictions' in my server's attribute list.
    Is there a missing '+' symbol before 'zimbraMtaSmtpdSenderRestrictions' in your script?
    Or is there any mistake that I have made?
    Many thanks.
