Zimbra have functions to enable access to IMAP/POP on all users. Admin can perform check/uncheck to enable/disable that function on users. But, Zimbra did not have functions to enable/disable access to SMTP SASL. However, Postfix can do that. And you can make some modification in your Postfix to achieve.
I’ve tried to restrict SASL Login on my Zimbra and it works properly. I usually use this tips to restrict SASL login when my user’s password is leaked.
# Open smtpd_sender_restrictions.cf
su - zimbra vi /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf
Add check_sasl_access lmdb:/opt/zimbra/conf/sasl_access above permit_sasl_authenticated. Please see example below
permit_mynetworks check_sasl_access lmdb:/opt/zimbra/conf/sasl_access permit_sasl_authenticated
# Save and create sasl_access
please fill it as follows
user1 REJECT Sorry, you cannot use SMTP for now email@example.com REJECT Sorry, you cannot use SMTP for now
Note : You can change REJECT with HOLD or DISCARD. If using REJECT, all email from that user will be rejected and user getting error “Sorry, you cannot use SMTP for now”
# Save and postmap
Below is an example when users getting restricted SASL access
saslauthd: auth_zimbra: firstname.lastname@example.org auth OK mail postfix/smtps/smtpd: NOQUEUE: filter: RCPT from subs30-116-206-xx-xx.three.co.id[116.206.xx.xx]: <email@example.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<firstname.lastname@example.org> to=<email@example.com> proto=ESMTP helo= mail postfix/smtps/smtpd: NOQUEUE: reject: RCPT from subs30-116-206-xx-xx.three.co.id[116.206.xx.xx]: 554 5.7.1 <firstname.lastname@example.org>: SASL login name rejected: Sorry, you cannot use SMTP for now; from=<email@example.com> to=<firstname.lastname@example.org> proto=ESMTP
I hope Zimbra will be adding a button to automatic restrict SASL Login/Access 😉
Good luck and hopefully useful 🙂
Hi!, thanks for your info.
This solution its for a single user?? it means, that i Need to add all user (emails) in the file: /opt/zimbra/conf/sasl_access ???
Yes, you need to add some/all users
Hi, it is possible to enter IP addresses in sasl_access ? Because i have a lot of sasl authentication failed messages on /var/log/mail.log like “postfix/submission/smtpd: warning: unknown[126.96.36.199]: SASL LOGIN authentication failed: authentication failure” but there is no email address, just the ip address…
Thanks in advance!
You can try to use fail2ban 🙂
I try this solution but all the legitimate users also reject from the server please advice
Could you give me a log when your legitimate users getting rejected?
I role back the settings. but you can see the log file
Apr 24 10:47:09 mail saslauthd: auth_zimbra: email@example.com auth OK
Apr 24 10:47:10 mail postfix/submission/smtpd: NOQUEUE: filter: RCPT from unknown[192.168.1.18]: : Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from= to= proto=ESMTP helo=
Apr 24 10:47:10 mail postfix/submission/smtpd: NOQUEUE: reject: RCPT from unknown[192.168.1.18]: 451 4.3.5 Server configuration error; from= to= proto=ESMTP helo=
Server configuration error
Server configuration error means your configuration is not properly. Please try to revert your configuration and make sure your Zimbra work properly. Then, you can try again.
is there any way allow legitimate user reject others
is there any way allow legitimate user?????
Thank you very much Iman,
If I enable “Restrict SASL Login/Access” and someone try to authenticate with my user, Zimbra will authenticate first or Zimbra will prevent the authentication processes?
Ps: We use SASL authentication with Active Directory and Password Policy.
I think user will authenticate first
Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026″ anyone knows about this issue how to fix, from Zimbra send mail to Gmail
It’s mean there problem with amavis scanning. You can try to disable amavis to make sure email work properly