Zimbra, a leading collaboration platform, is a popular choice for email communications. One of its standout features, often overlooked, is the ability to enforce a match between the From address and the SASL (Simple Authentication and Security Layer) username.
Enforcing a match between the From address and the SASL username in Zimbra is a critical step toward hardening your email system. It helps prevent phishing and abuse of compromised accounts by ensuring that an authenticated sender can only use From addresses that belong to it.
Follow these steps to implement this security measure.
Step 1: Use an exceptions DB (optional)
If you want an exceptions DB so that selected users can send with alternate From addresses, create it as follows.
su - zimbra
cd /opt/zimbra/conf
vim slm-exceptions-db
Add the alternate ID addresses.
[email protected] [email protected],sarah.doe
This means that the user sarah.doe or [email protected] is allowed to use [email protected] as the sender address in the From header.
Run postmap slm-exceptions-db to generate the database.
postmap slm-exceptions-db
List the files with ls -al; you will see the new .lmdb file.
[zimbra@mail conf]$ ls -al slm-exceptions-db*
-rw-r----- 1 zimbra zimbra 106 Dec 4 13:18 slm-exceptions-db
-rw-r----- 1 zimbra zimbra 20480 Dec 4 13:18 slm-exceptions-db.lmdb
Step 2: Update zimbraMtaSmtpdRejectUnlistedRecipient & zimbraMtaSmtpdRejectUnlistedSender
zmprov mcf zimbraMtaSmtpdRejectUnlistedRecipient yes
zmprov mcf zimbraMtaSmtpdRejectUnlistedSender yes
zmmtactl restart
zmconfigdctl restart
Set zimbraMtaSmtpdSenderLoginMaps
If the exceptions DB is used:
zmprov mcf zimbraMtaSmtpdSenderLoginMaps 'lmdb:/opt/zimbra/conf/slm-exceptions-db, proxy:ldap:/opt/zimbra/conf/ldap-slm.cf' +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch
If the exceptions DB is not used:
zmprov mcf zimbraMtaSmtpdSenderLoginMaps proxy:ldap:/opt/zimbra/conf/ldap-slm.cf +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch
Edit the file smtpd_sender_restrictions.cf
Edit /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and add reject_sender_login_mismatch after permit_mynetworks.
vim /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf
It should look like this:
permit_mynetworks, reject_sender_login_mismatch
After a minute, zmconfigd updates the Postfix configuration automatically and applies the new rules. Once this is in place, a compromised account can no longer send mail with a different From address.
Test using Telnet SMTP
Important: test from an external subnet outside of zimbraMtaMyNetworks, because permit_mynetworks is evaluated first and would allow the sender. Note that the 553 rejection below is returned in reply to RCPT TO rather than MAIL FROM, because Postfix by default (smtpd_delay_reject = yes) evaluates sender restrictions only once the recipient is known.
user$ telnet mail.example.com 25
Trying mail.example.com...
Connected to mail.example.com.
Escape character is '^]'.
220 mail.example.com ESMTP Postfix
ehlo mail.example.com
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: [email protected]
250 2.1.0 Ok
rcpt to: [email protected]
553 5.7.1 <[email protected]m>: Sender address rejected: not logged in
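To make the decision behind the 553 reply above concrete, the following is an added example (not Zimbra or Postfix code) that models the reject_sender_login_mismatch check Postfix performs with smtpd_sender_login_maps as configured on this page. It parses a constructed slm-exceptions-db in the format from Step 1, uses a constructed dictionary as a stand-in for the LDAP lookup in ldap-slm.cf, and evaluates the telnet scenario above (unauthenticated client, local From address) alongside the compromised-account case the previous section describes. Exact-match lookups only; Postfix also tries the user@ and @domain forms, which are left out here.

```python
"""Model of Postfix's sender-login-mismatch decision (added example)."""
import re

# Constructed sample in the slm-exceptions-db format from Step 1:
# key = From address, value = comma-separated SASL logins allowed to use it.
EXCEPTIONS_DB = """\
# alias address        logins that may send as it
sales@example.com      sarah.doe@example.com,sarah.doe
"""

# Constructed stand-in for the LDAP lookup (ldap-slm.cf): each user's own
# primary address resolves to the login name(s) that own it.
LDAP_MAP = {
    "sarah.doe@example.com": {"sarah.doe@example.com", "sarah.doe"},
    "john.roe@example.com": {"john.roe@example.com", "john.roe"},
}


def parse_exceptions_db(text):
    """Parse postmap input: one 'key value' pair per line, '#' comments.

    Raises ValueError on a line without a value, which postmap would
    otherwise silently turn into an address with no owners.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed exceptions-db line: {raw!r}")
        key, value = parts
        owners = {o for o in re.split(r"[,\s]+", value) if o}
        table[key.lower()] = owners
    return table


# Same order as zimbraMtaSmtpdSenderLoginMaps: exceptions DB first, then LDAP.
TABLES = [parse_exceptions_db(EXCEPTIONS_DB), LDAP_MAP]


def lookup_owners(sender, tables):
    """First table that knows the sender wins; None means 'no owner'."""
    for table in tables:
        owners = table.get(sender.lower())
        if owners is not None:
            return owners
    return None


def check_sender(sender, sasl_login, in_mynetworks, tables=TABLES, scope="all"):
    """Return the SMTP reply the modelled restriction list produces.

    scope: "all" (reject_sender_login_mismatch), "authenticated" or
    "unauthenticated" for the two narrower Postfix variants.
    """
    if in_mynetworks:  # permit_mynetworks is listed first and short-circuits
        return "250 2.1.0 Ok"
    owners = lookup_owners(sender, tables)
    if sasl_login is None:
        # Unauthenticated client claiming an address that has an owner.
        if scope in ("all", "unauthenticated") and owners is not None:
            return f"553 5.7.1 <{sender}>: Sender address rejected: not logged in"
        return "250 2.1.0 Ok"  # e.g. inbound mail from another domain
    if scope in ("all", "authenticated"):
        # Postfix compares the login against each owner case-insensitively.
        if owners is None or not any(sasl_login.lower() == o.lower() for o in owners):
            return (f"553 5.7.1 <{sender}>: Sender address rejected: "
                    f"not owned by user {sasl_login}")
    return "250 2.1.0 Ok"


def demo():
    """Evaluate the scenarios discussed on this page; returns name -> reply."""
    return {
        "telnet test: unauthenticated, local From":
            check_sender("john.roe@example.com", None, False),
        "compromised john.roe sends as sarah.doe":
            check_sender("sarah.doe@example.com", "john.roe@example.com", False),
        "sarah.doe sends as the sales alias (exceptions DB)":
            check_sender("sales@example.com", "sarah.doe", False),
        "john.roe sends as the sales alias":
            check_sender("sales@example.com", "john.roe", False),
        "inbound mail from a foreign domain":
            check_sender("someone@other.example", None, False),
        "relay from inside zimbraMtaMyNetworks":
            check_sender("sarah.doe@example.com", None, True),
    }


if __name__ == "__main__":
    for name, reply in demo().items():
        print(f"{name}: {reply}")
```

The third scenario shows why both the full address and the bare login appear in the exceptions DB value: Zimbra may present either form as the SASL username, and only an exact (case-insensitive) match against one of the listed owners is accepted.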
Reverse or Roll Back the Configuration
If you get errors or the conditions do not suit your environment, roll the configuration back:
su - zimbra
zmprov mcf zimbraMtaSmtpdSenderLoginMaps "" -zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch
By following these steps, you can effectively enforce a match between the From address and SASL username in Zimbra, strengthening the security of your email communication.
Please feel free to comment. I hope it is useful.
Credit to Wiki Zimbra. Modified based on the author’s implementation.
This feature is not working for me and I am on Zimbra 8.8.15.
Where I may be wrong, please let me know.