0

I have set up Zimbra to reject emails originating from users that are not logged in (spoofed emails).

I have this setup in /opt/zimbra/conf/domainrestrict

This has been working great for a long while.

I now have a need to "whitelist" a single email address that will always get caught by this configuration. The email originates from our website hosting system, but is sent on this email address' behalf. So to Zimbra, it appears to be a spoofed email address in the from field.

I tried adding this email address to /opt/zimbra/conf/postfix_recipient_access and setting it to OK, but it seems to still get caught up and rejected.

I also tried adding the hosting service's IP addresses to zimbraMtaMyNetworks (postfix's myNetworks), but there's well over 70 IP addresses today, and this could change over time. This configuration seemed to not agree with Zimbra, and postfix started rejecting everything as having `451 4.3.0 Temporary lookup error. Session aborted, reason: lost connection`. It seems the IP address list was too big and some timeout is occurring on the DNS server?

What can I do to keep rejecting spoofed emails, but allow ones for a specific email address to come through?

SnakeDoc
  • Please try adding the email address in the same file `domainrestrict` with OK instead of REJECT and see if it works. – Diamond Sep 01 '16 at 13:56
  • @bangal I plan to try this today and will report back my findings. – SnakeDoc Sep 02 '16 at 18:01
  • @bangal Unfortunately that had no effect. – SnakeDoc Sep 02 '16 at 21:06
  • Can you please post the relevant postfix configuration to see how exactly you are doing the filtering? – Diamond Sep 05 '16 at 06:47
  • You really do not want to use the zimbraMtaMyNetworks with such a large list. These IP numbers are probably not only used for your website, so any server/site that accidentally ends up on those IP numbers is able to use your server as an open relay and could be misused for sending spam (or worse). – Micha Kersloot Sep 05 '16 at 09:53
  • @bangal Do you have a suggestion on what parts you need? Zimbra manages the underlying Postfix configuration, so things might not be straight forward. – SnakeDoc Sep 06 '16 at 17:58
  • @MichaKersloot Turns out I have both configurations from your linked page: https://wiki.zimbra.com/wiki/Rejecting_false_%22mail_from%22_addresses One probably legacy, and the other newer 8.5 and above config probably set later at some time. What are your recommendations? Disable the `/opt/zimbra/conf/domainrestrict` settings? How to go about white-listing this email address then is still the question I guess. And yes, I did think that many IPs did not belong in that configuration file, and you're right about the sending servers being shared/random from the hosting provider. – SnakeDoc Sep 06 '16 at 18:00
  • I don't want to offend you but what exactly is the problem to have your website hosting system properly authenticate itself in zimbra (aka send mail via smtp)? I use a similar approach for all our servers and it works just fine. Fiddling with whitelisting/blacklisting just makes the configuration pretty intransparent and requires a lot of fine tuning (if you just whitelist the mail, everyone could use the server with the spoofed mail, so you have to implement IP restrictions and then change them when the server moves etc...). – Broco Sep 07 '16 at 13:03
  • @Broco In a perfect world, they'd do custom setups for every client. But it's not a perfect world, and those are unfortunately the constraints. – SnakeDoc Sep 07 '16 at 17:56
  • @SnakeDoc Can't you set up another small e-Mail server which forwards incoming mail to Zimbra? The scenery you describe is an administrative nightmare, good luck to the guy trying to figure it out if you hit a tree :D – Broco Sep 08 '16 at 07:35
  • @Broco Not if it's documented well. Yet another email server to manage doesn't sound appetizing. There's enough maintenance headaches with one already! lol – SnakeDoc Sep 08 '16 at 14:49
  • @Broco Found the solution ;-P – SnakeDoc Sep 11 '16 at 22:08
  • @SnakeDoc Nice, would you mind posting it for future reference and for other users? – Broco Sep 12 '16 at 09:12

3 Answers

0

Have you tried using SPF, focusing on the IP address from which the email in question originates? SPF is essentially, for all practical purposes, a white list of allowed IP addresses and hosts. Maybe see if you can go the email auth route?

Neil Anuskiewicz
  • Unfortunately this won't work, since the `myNetworks` list is checking if a user is logged into the server (via SMTP) before it allows a message to be delivered. So it rejects anything that is from the email server's domain but isn't logged in, and unfortunately our web host sends unauthenticated emails that appear to be one of our addresses. SPF checks out, but they get rejected due to this "spoofing" rule. – SnakeDoc Sep 02 '16 at 18:00
0

Maybe you can use authenticated SMTP on your webserver. That way the mail will be treated as from a local user instead of a remote mail system.

Micha Kersloot
  • Although this would certainly solve the problem, unfortunately this isn't a possibility. Our hosting company will not modify their platform to facilitate authenticated SMTP. – SnakeDoc Sep 02 '16 at 18:01
  • Not sure which version of Zimbra you are using, but according to https://wiki.zimbra.com/wiki/Rejecting_false_%22mail_from%22_addresses in 8.5 and above there is a different way to get similar functionality. – Micha Kersloot Sep 05 '16 at 09:57
0

OK, the solution is not that difficult after all:

For Zimbra 8.5 and 8.6 (guide from: https://wiki.zimbra.com/wiki/Domain_level_blocking_of_users)

1) Create the postmap database as defined below. Modify `/opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf`, by adding this as the second line of the file:

```
%%contains VAR:zimbraMtaSmtpdSenderRestrictions check_sender_access lmdb:/opt/zimbra/postfix/conf/postfix_reject_sender%%
```

2) Then execute:

```
zmprov ms <zmhostname> +zimbraMtaSmtpdSenderRestrictions "check_sender_access lmdb:/opt/zimbra/postfix/conf/postfix_reject_sender"
```

3) Create file `/opt/zimbra/postfix/conf/postfix_reject_sender` with the list of email addresses and domains to be rejected in the below format:

```
vendor@domain.com OK
```

4) postmap it and restart postfix

```
/opt/zimbra/postfix/sbin/postmap /opt/zimbra/postfix/conf/postfix_reject_sender
zmmtactl stop && zmmtactl start
```

SnakeDoc
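
An `OK` result from `check_sender_access` ends evaluation of the sender restrictions for that envelope sender, so every `OK` key in this table is an exemption from the spoofing check, which is the concern raised in the comments under the question. As an added example (not part of the original answer or of Zimbra), the shell function below audits the table's text source and lists exempt, duplicate and malformed entries; the function name, the finding labels and the sample entries are made up here.

```shell
#!/bin/sh
# Audit the text source of a Postfix access(5) sender table, e.g.
# /opt/zimbra/postfix/conf/postfix_reject_sender (not the postmapped .lmdb).
# Prints one finding per line:
#   EXEMPT-ADDRESS  full address with action OK (narrow exemption)
#   EXEMPT-BROAD    domain or "localpart@" key with action OK (wide exemption)
#   DUPLICATE       key appears more than once
#   MALFORMED       key without an action
audit_sender_access() {
    awk '
        /^[ \t]*#/ { next }     # comment line
        /^[ \t]*$/ { next }     # blank line
        /^[ \t]/   { next }     # leading whitespace continues the previous entry
        {
            key = tolower($1); action = toupper($2)
            if (action == "") { print "MALFORMED line " NR ": " key; next }
            if (seen[key]++)  { print "DUPLICATE line " NR ": " key }
            if (action != "OK") next
            if (key ~ /^[^@]+@[^@]+$/) print "EXEMPT-ADDRESS line " NR ": " key
            else                       print "EXEMPT-BROAD line " NR ": " key
        }
    ' "$1"
}

# Constructed sample table; the addresses are placeholders.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# sender              action
vendor@domain.com     OK
domain.com            OK
blocked@example.net   REJECT
vendor@domain.com     OK
noaction@example.org
EOF
audit_sender_access "$sample"
rm -f "$sample"
```

Run it against the text file before each `postmap`; an `EXEMPT-BROAD` finding for one of your own domains means the spoofing check no longer applies to that domain at all.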