1. Hi ,

    I am using Zimbra 8.6 and i couldnt find check_sender_access lmdb:/opt/zimbra/conf/ldap-restricrelay.cf that you showed up at the last step, Can you share the configuration of that file?


  2. This article ;How To Improvement Sender Must Login/Enforcing a Match Between From Address and sasl username On Zimbra 8.5
    I found out where I went wrong.Thanks for your helping and responding as well.

    Best Regards.

  3. Hi,

    I have versión 8.5, I did just that but not working.
    zmprov mcf zimbraMtaSmtpdSenderLoginMaps proxy:ldap:/opt/zimbra/conf/ldap-slm.cf +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch

    any idea?

      1. i do all the steps multiple time but no effect , i also sure that my ip is not in trusted network .
        i am using zimbra 8.6.0.
        any idea?!!

        1. Hi,

          Please post the result from the following command for debug :

          su - zimbra
          zmprov gs `zmhostname` | grep -i mynetwork
          zmprov gcf zimbraMtaSmtpdSenderLoginMaps
          zmprov gcf zimbraMtaSmtpdSenderRestrictions
          cat /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf
  4. bro

    kalau kek gini kenapa ya
    Jun 24 01:58:35 zimbra postfix/amavisd/smtpd[2178]: error: open database /opt/zimbra/conf/slm-exceptions-db.lmdb: No such file or directory

      1. Hi Thank you for your excellent post. It’s not clear for me how to add exceprions in version 8.6
        In the past I was using 8.0.7 with excepions managed into a file and everything was working fine. But now I do not know hot to manage it in 8.6. Could you please be so kind to make a short and simple step by step video or file ?
        Thank you in advance

  5. if you please can help me how to publish mail server with zimbra on centos 7 to the internet and adding ssl cert

  6. I ran these commands, but it does not seem to have any effect. How can reverse these changes and do a fresh run. I tried zmprov mcf -zimbraMtaSmtpdSenderRestrictions but it did not work.

    1. Hi Srini,

      Please make sure you not run/test from trusted IP. If you want to reverse, please run the following command

      su - zimbra
      zmprov mcf zimbraMtaSmtpdSenderLoginMaps "" -zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch
  7. Hi!
    I have two problems with the mta configuration maybe you can help me. After did the following:

    zmprov mcf zimbraMtaSmtpdSenderLoginMaps proxy:ldap:/opt/zimbra/conf/ldap-slm.cf +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch

    vi /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf
    permit_mynetworks, reject_sender_login_mismatch

    zmprov mcf zimbraMtaSmtpdRejectUnlistedRecipient yes
    zmprov mcf zimbraMtaSmtpdRejectUnlistedSender yes
    zmmtactl restart
    zmconfigdctl restart

    I’m unable to send mails using webmail. Using imap/smtp works perfectly

    And using telnet the smtp server allows me to use a fake “from” to send mails to the domain configured in zimbra.

    Thanks in advance

  8. Finally I reconfigured and now works all fine but still can send with fake from to the domain configured in zimbra

  9. Hi Iman, could you please help me with the message “Error in service network” when a user try to login at zimbra web client? Thanks in advance

    1. Hi,

      Are you getting “error in service network” after configure this improvement? if yes, please revert the configuration to default

  10. Is it possible to create an exception for a specific domain?

    For example;
    We have done:
    “open file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and add reject_sender_login_mismatch after permit_mynetworks”
    ..and it rejects all SASL users with mismatched email addresses

    We would for domainA.com to not be rejected when SASL user does not match email address

    Is this possible?

  11. I ran the following command:

    su – zimbra
    zmprov mcf zimbraMtaSmtpdSenderLoginMaps “” -zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch

    And now logging is not working for our zimbra server.

    1. Hello,

      If you want to disable improvement, please try perform command twice

      zmprov mcf zimbraMtaSmtpdSenderLoginMaps ""
      zmprov mcf -zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch
  12. Thanks for the quick reply!

    I thought that command was related to the issue I’m having with not getting any logs and all of the services being in red status on the admin gui, but it seems like the sqlite db got erased somehow. Would you happen to know of a way to recreate it on zimbra 8.6?

    I tried the steps in this article under “Reinitializing Logger Database From Scratch”, but it didn’t work: https://wiki.zimbra.com/wiki/Ajcody-Server-Topics

    Thank you so much for your help, I really appreciate it.

  13. Hi Iman,

    Unfortunately, that doesn’t fix the problem on my system.
    If I run zmsyslogsetup and zmloggerinit, a db folder gets created under the /op/zimbra/logger/ directory, but the logger.sqlitedb file has no tables in it. I believe my logs stopped working after I tried to remove the improvement in this thread using: zmprov mcf zimbraMtaSmtpdSenderLoginMaps proxy:ldap:/opt/zimbra/conf/ldap-slm.cf -zimbraMtaSmtpdSenderRestrictions. It could also just be a coincidence that the logs stopped working around the same time, I’m not sure what’s wrong.

  14. Hello thanks for the tutorial. When I use the telnet method, it’s rejected as you’ve showed. However, when I use the mail command and set the From field accordingly, the emails are sent!!

    echo “Test message” | mail -s “Testing” -a “From:test@example.com” -t test@example.com

    What is the sure way to ensure that emails which have the same to/from fields are rejected by the server?

    1. Hello David,

      If you mean OS on my laptop, i am using ElementaryOS. If you mean OS on my server, i am using CentOS or Ubuntu and especially SUSE 🙂

  15. Hi Iman,
    I’m test successful from your instruction. But I have 1 problem to discuss: When using thunderbird, I don’t change email address in account settings, beside that when I write new email, I choose customize From address and change to anything, the email send successful anyway. How can we prevent that?

  16. Hi Iman,

    Thank for your post.
    Do you know how to authorize a user so that it can send mail on behalf of all domain accounts ?.

    Thanks again

      1. Hi Iman,

        What I want to do is something as this:

        @domain.com user@domain.com

        And not to have to be adding a line for every user.
        Is it possible to do this?

        Sorry for my english and thank you for your answer

  17. Hi Iman,
    in the old version of Zimbra 8.6 advice from this article are OK but after updating to version 8.7.1, this functionality does not work

    Test on new version Zimbar 8.7.1:
    exist user: user1.lab.com, user2.lab.com
    the user does not exist: xyz@lab.com
    telnet mail.lab.com 25
    mail from: user1@lab.com
    rcpt to: user2@lab.com
    553 5.7.1 : Sender address rejected: not logged in
    This is OK !!

    telnet mail.lab.com 25
    mail from: xyz@lab.com
    rcpt to: user2@lab.com
    354 End data with .
    250 2.0.0 Ok: queued as 1234GG8F49

    email send from non-existent user in my domain
    IT IS NOT OK !!!!!!

    I checked parameters:
    zimbraMtaSmtpdSenderRestrictions: reject_authenticated_sender_login_mismatch
    zimbraMtaSmtpdRejectUnlistedRecipient: yes
    zimbraMtaSmtpdRejectUnlistedSender: yes
    zimbraMtaSmtpdSenderLoginMaps: proxy:ldap:/opt/zimbra/conf/ldap-slm.cf
    smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch, check_sender_access

    permit_sasl_authenticated, permit_tls_clientcerts,
    check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re

    everything is fine but it is not working properly.
    Can you tested it on a new version of Zimbra 8.7.1 ?

          1. Hello iman
            I checked the setting to version 8.7.0 on another production Zimbra and it is the same problem. A user who does not exist in domain can send mail.
            The setting is OK if the user that sends exist in domain

            Best Regards

          2. Hi Tom,

            Please make sure in your MTA trusted network had been configured like this


            Please also try to perform this

            su - zimbra
            vi /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf

            insert reject_unlisted_sender above reject_unlisted_recipient

          3. Thank you for your answer.
            Today I checked your recommendations.

            I set:

            smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_sender,reject_unlisted_recipient, reject_non_fqdn_sender, reject_rbl_client 1.antyspam.com, reject_rbl_client 2.antyspam.com, reject_rhsbl_client reject_rhsbl_sender, permit

            mynetworks = [mail server IP adres]/32

            Unfortunately, the effect is the same continuous:

            mail from: user1exist@example.com
            rcpt to: user2exist@example.com
            553 5.7.1 : Sender address rejected: not logged in


            mail from: user_not_exist@example.com
            rcpt to: user2exist@example.com
            250 2.1.5 Ok
            354 End data with .
            250 2.0.0 Ok: queued as 123456

            Best Regards

          4. Hi Iman,
            yes I restart Zimbra (zmcontrol stop && zmcontrol start) and restart phisical machine without result.
            I did a test, I changed:

            smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_sender,reject_unlisted_recipient, reject_non_fqdn_sender, reject_rbl_client 1.antyspam.com, reject_rbl_client 2.antyspam.com, reject_rhsbl_client reject_rhsbl_sender, permit


            smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_sender,reject_unlisted_recipient, reject_non_fqdn_sender, reject_rbl_client 1.antyspam.com, reject_rbl_client 2.antyspam.com, reject_rhsbl_client reject_rhsbl_sender, permit

            latest “permit” changed on “reject”
            After the change works OK.

            I have to check the impact of the Zimbra

            Best Regards

        1. I had to write:

          smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_sender,reject_unlisted_recipient, reject_non_fqdn_sender, reject_rbl_client 1.antyspam.com, reject_rbl_client 2.antyspam.com, reject_rhsbl_client reject_rhsbl_sender, reject

          I’m sorry for my mistake

          1. Hi Tom,

            These is my configuration and it works. You can see reject_unlisted_sender above reject_unlisted_recipient

            zimbra@mta1 ~]$ cat /opt/zimbra/conf/zmconfigd/smtpd_recipient_restrictions.cf 
            %%contains VAR:zimbraMtaRestriction check_client_access lmdb:/opt/zimbra/conf/postfix_blacklist%%
            %%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:%%zimbraCBPolicydBindPort%%%%
            %%exact VAR:zimbraMtaRestriction reject_invalid_helo_hostname%%
            %%exact VAR:zimbraMtaRestriction reject_non_fqdn_helo_hostname%%
            %%exact VAR:zimbraMtaRestriction reject_non_fqdn_sender%%
            %%exact VAR:zimbraMtaRestriction reject_unknown_client_hostname%%
            %%exact VAR:zimbraMtaRestriction reject_unknown_reverse_client_hostname%%
            %%exact VAR:zimbraMtaRestriction reject_unknown_helo_hostname%%
            %%exact VAR:zimbraMtaRestriction reject_unknown_sender_domain%%
            %%exact VAR:zimbraMtaRestriction reject_unverified_recipient%%
            %%contains VAR:zimbraMtaRestriction check_recipient_access lmdb:/opt/zimbra/conf/postfix_recipient_access%%
            %%contains VAR:zimbraMtaRestriction check_client_access lmdb:/opt/zimbra/conf/postfix_rbl_override%%
            %%contains VAR:zimbraMtaRestriction check_reverse_client_hostname_access pcre:/opt/zimbra/conf/fqrdns.pcre%%
            %%explode reject_rbl_client VAR:zimbraMtaRestrictionRBLs%%
            %%explode reject_rhsbl_client VAR:zimbraMtaRestrictionRHSBLCs%%
            %%explode reject_rhsbl_reverse_client VAR:zimbraMtaRestrictionRHSBLRCs%%
            %%explode reject_rhsbl_sender VAR:zimbraMtaRestrictionRHSBLSs%%
            %%contains VAR:zimbraMtaRestriction check_policy_service unix:private/policy%%
            %%contains VAR:zimbraMtaRestriction check_recipient_access ldap:/opt/zimbra/conf/ldap-splitdomain.cf%%
            %%exact VAR:zimbraMtaRestriction reject%%
  18. Hi all,

    Thank You, Iman, for so good public resource! Many articles are great and useful!

    But not so long ago I’ve found a bug that allow to skip all these restrictions via Thunderbird…

    Version of my Zimbra is 8.6, I’ve done all steps from this article and from this manual – https://wiki.zimbra.com/wiki/Rejecting_false_%22mail_from%22_addresses

    After that telnet check was OK, but if an attacker has stolen password of only one user then he will be able to send messages with any value in the field FROM and Zimbra will display these fake DisplayName and fake address of the mailbox!!!

    Zimbra require the correct username only in Thunderbird ACCOUNT settings, but it allows You substitute any email address in FROM when You composing a letter.. ((
    Most likely this is a bug on the postfix side.

    Maybe someone have an idea how to fix this behavior??

    I described in detail this situation on the zimbra forum (http://forums.zimbra.org/viewtopic.php?f=15&t=60813&sid=707f349619d3f3dc7e694f0d4f049079), but it unanswered yet..

    Thanks a lot!

  19. Thanks for quick reply,

    I previously forbidden Relay connections, when try to send from not my domain I received “Relay access denied”. This is OK.

    In my case there a little different problem. I can send a letter with FAKE mail address in field FROM through smtp on my Zimbra server, authenticated with another user on it..

    Also interesting fact that parameter zimbraSmtpRestrictEnvelopeFrom TRUE. Which means “the address for MAIL FROM in the SMTP session will always be set to the email address of the account…”
    But it doesn’t work correctly..

    In zimbraMtaMyNetworks has values: and public IP address of this server.

    Maybe I should delete public ip from there?

    Thank You very much!

  20. Hi Iman,

    I have followed your instruction in My Zimbra, but it didn’t work.
    Could you tell me, is there any wrong with my Zimbra ?
    Hereby the config :
    [zimbra@xxxx ~]$ zmprov gcf zimbraMtaSmtpdSenderLoginMaps
    zimbraMtaSmtpdSenderLoginMaps: proxy:ldap:/opt/zimbra/conf/ldap-slm.cf

    [zimbra@xxxx ~]$ zmprov gcf zimbraMtaSmtpdSenderRestrictions
    zimbraMtaSmtpdSenderRestrictions: reject_authenticated_sender_login_mismatch

    [zimbra@xxxx ~]$

  21. Hi Iman,
    could you please help me i’m using zimbra 8.0.7 free version. Please advice this above setup work with zimbra 8.0.7 free version ?

    M. Ramesh

  22. HI iman ,
    after i change my mta just like below i am able to send mail to other domain but for receiving its show error

    cannot find your reverse hostname, []; from= to= proto=ESMTP helo=

    my mta setting serverip/32

    can you please tel me how to resolve this issue

    1. Hi Amit,

      your problem are

      cannot find your reverse hostname, []; from= to= proto=ESMTP helo=

      This error caused you have PTR/Reverse DNS check. Please check again your configuration

    1. Hi Mauricio Leon,

      You can use this one :

      su - zimbra
      echo relay.imanudin.net emailrelay:passwordemailrelay > /opt/zimbra/conf/relay_password
      postmap /opt/zimbra/conf/relay_password
      postmap -q relay.imanudin.net /opt/zimbra/conf/relay_password
      postconf -e smtp_sasl_password_maps=hash:/opt/zimbra/conf/relay_password
      postconf -e smtp_sasl_auth_enable=yes
      postconf -e smtp_sasl_security_options=noanonymous
      postconf -e smtp_tls_security_level=may
      zmprov ms `zmhostname` zimbraMtaRelayHost relay.imanudin.net:587
      postfix reload

      Please adjust with your relay server

  23. Dear Iman,

    I’ve tried your tips on my Zimbra 8.7.1 free edition but there is an error appear:
    ERROR: account.INVALID_ATTR_VALUE (invalid attr value: invalid attr value – unable to modify attributes: ldap host=mail.mydomain.com:389: attribute ‘zimbraMtaSmtpdSenderRestrictions’ cannot have multiple values)
    Wheter this tips can run at Zimbra 8.7.1 ?
    Many thanks.

      1. Hi Iman,
        Look like the script was running.
        But appears a new error when i test to send an email via Outlook to every destination address, like this:
        “553 5.7.1 : Sender address rejected: not owned by user ;”
        How to solve this matter?
        Many thanks.

  24. Hi Iman,

    After i run the zmprov gs command, there is no ‘zimbraMtaSmtpdSenderRestrictions’ in my server’s list attributes.
    Is there any missing symbol ‘+’ before ‘zimbraMtaSmtpdSenderRestrictions’ in your script ?
    Or there is any mistake that i have ?
    Many thanks.

  25. Hi Iman, I did this in a brand new server with 8.7 and if I add “reject_sender_login_mismatch” to the sender restriction file the users can’t send mails to the same domain from webmail. Thanks in advance

  26. Hi, thank you very much, however I detected a problem. When I write a new mail, in this moment i can change the FROM address to “boss” and it works.

    1. Hi Jolubaro,
      Please make sure your IP of pc/laptop that use to sending email from email client did not insert into the trusted network. By default, Zimbra will trust all network from IP that used on Zimbra server

  27. Hello Iman,
    how would you implement the rule “reject_sender_login_mismatch” using the web user interface for PolicyD Web Administration? I mean, do you have any hint on how to do that?
    Thx in advance,

  28. Okay, so you track SASLUsername instead of user@domain on the Web Administration Interface and, in doing so, you can implement a policy that rejects mails from user@domain in case the user didn’t login with his SASLUsername. It works.

  29. Very useful. Thanks a lot for sharing.

    Can you kindly write a tutorial on how to migrate zimbra in case we want to change server and need to keep all mails, contacts, passwords etc.

      1. ZeXtras Migration Tool is for export only and then have to use their paid tool for import. That is a bit problematic. Their selling price model is also not friendly.

  30. The command is

    permit_mynetworks, reject_sender_login_mismatch


    permit_mynetworks, reject_authenticated_sender_login_mismatch

    Cause seems like this is not working.

    1. Hi Omi Azad,
      The first is proper configuration. If did not work, please make sure your trusted network has been configured properly. Only localhost and IP of your server that listed on Trusted Network

      1. Thanks.
        Not sure where this “trusted network” can be configured. But I think I can send mail to anyone in the same subnet. Zimbra perhaps considers the same subnet as trusted? Can you suggest what I should do?

        1. Hi Omi Azad,
          You can configure in Zimbra Admin | Configure | Servers | Edit Servers | MTA | Trusted Network. You should configure like this your-Zimbra-ip/32

  31. Hi Iman,

    How to block mail if Return-Path: and From: are not same.

    I am using zimbra below version.
    Release 8.8.8_GA_2009.RHEL7_64_20180322150747 RHEL7_64 FOSS edition, Patch 8.8.8_P6

  32. Assalamualaikum Wr Wb bro,
    saya coba prosedur di atas dan sudah ok :
    situasi 1 : user1@domain1.com harus login dan harus ada user user1 status berhasil.
    situasi2 : saat domain dirubah menjadi domain2.com, maka proses dianggap berhasil, padahal tidak ada domain2.com dalam server saya

    saya lakukan pengiriman menggunakan aplikasi berbasis VB.NET 2008
    Sepertinya server saya tidak membatasi atau menguji domain yang valid ya.

    Wassalamualaikum Wr Wb.


  33. Hi Iman
    could you please help me i’m using Zimbra
    Release 8.8.9.GA.3019.UBUNTU16.64 UBUNTU16_64 FOSS edition, Patch 8.8.9_P4.

    using telnet the smtp server allows me to use a fake “from” to send mails to the domain configured in zimbra.

    Maybe someone have an idea how to fix this behavior?


    telnet mail.example.com 25
    Trying XX.XX.XX.XX…
    Connected to mail.example.com.
    Escape character is ‘^]’.
    220 ******************************
    helo mail
    250 mail.example.com
    mail from:test@exampleNO.com
    250 2.1.0 Ok
    rcpt to:test@example.com
    250 2.1.5 Ok
    354 End data with .
    250 2.0.0 Ok: queued as BE7816695E2

    mynetworks = for nat

    zmprov gacf zimbraMtaSmtpdSenderRestrictions
    zimbraMtaSmtpdSenderRestrictions: reject_authenticated_sender_login_mismatch

    zmprov gacf zimbraMtaSmtpdRejectUnlistedRecipient
    zimbraMtaSmtpdRejectUnlistedRecipient: yes

    zmprov gacf zimbraMtaSmtpdRejectUnlistedSender
    zimbraMtaSmtpdRejectUnlistedSender: yes

    zmprov gcf zimbraMtaSmtpdSenderLoginMaps
    zimbraMtaSmtpdSenderLoginMaps: proxy:ldap:/opt/zimbra/conf/ldap-slm.cf

    %%exact VAR:zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch%%
    %%contains VAR:zimbraMtaSmtpdSenderRestrictions check_sender_access lmdb:/opt/zimbra/conf/postfix_reject_sender%%
    %%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:%%zimbraCBPolicydBindPort%%%%
    %%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/common/conf/tag_as_originating.re%%
    %%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zimbra/common/conf/tag_as_foreign.re%%

    1. Hello,

      I think this is not your domain “mail from:test@exampleNO.com”. But another domain. So that email can receive by your server

  34. Thanks a lot… may problem solved by your guide… i need one more help.. how to restrict mail relay….. anyone can send mail by relaying may domain…. your help would be appreciated.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.