Rejecting false «mail from» addresses

Rejecting false «mail from» addresses

Note: To increase the Security, please combine this Article with the next one about Enforcing a match between FROM address and sasl username, for Zimbra Collaboration 8.5 and above.

By default any connection made to ZCS postfix and declares «mail from: local sender» (even if it is not) — the connection/email is accepted for local delivery. This wiki provides steps to block such connections. Once following is configured, postfix will accept «mail from: local sender» only if the connection made from a hosts in «mynetworks» OR the sender is sasl authenticated.

Modify «smtpd_sender_restrictions». We are adding a check before allowing a normal smtp connection. Allowing hosts in mynetwork, then allowing sasl authenticated too. Then a check for local domain address. If its true — the connection will be rejected.

Zimbra Collaboration 8.5 and above
For Zimbra Collaboration 8.5 and above, please use the next commands to increase the security and reject the logins for users that doesn’t exist in the LDAP:

zmprov mcf zimbraMtaSmtpdRejectUnlistedRecipient yes
zmprov mcf zimbraMtaSmtpdRejectUnlistedSender yes
zmmtactl restart
zmconfigdctl restart

rlufe

Добавить комментарий