zimbra 开启smtp认证,防止伪造本域发件人发送垃圾邮件
新装好的 zimbra 默认是没有开启smtp认证的,这就意味着别人只要知道你的主机地址就可以轻松地使用 telnet 利用你的主机发送垃圾邮件、病毒邮件、欺诈邮件、勒索邮件等,信息安全问题非常严重,岂能让这种事发生,如何解决这一问题?
系统环境:CentOS7.7 64位
Zimbra版本:Zimbra-8.8.15
本文所涉及到的邮件账户说明:
ceo@chenxie.net (不存在)
zhangsan@chenxie.net (存在)
lisi@chenxie.net (存在)
首先来看看我是如何伪造邮件的(这只是很基础的方式,真正的黑客工具先进的多)
系统中并没有 ceo@chenxie.net 这个用户,现在我要使用 ceo@chenxie.net 发送邮件给 zhangsan@qooco.com ,如下 通过 telnet即可实现:
[root@localhost ~]# telnet mail.chenxie.net 25
Trying 47.52.194.54...
Connected to mail.chenxie.net.
Escape character is '^]'.
220 mail.chenxie.net ESMTP Postfix
ehlo hello
250-mail.chenxie.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:ceo@chenxie.net
250 2.1.0 Ok
rcpt to:zhangsan@chenxie.net
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Please transfer 10000 RMB to my account, your boss.
.
250 2.0.0 Ok: queued as 4D66563FFF
quit
221 2.0.0 Bye
Connection closed by foreign host.邮件服务器日志如下:
Dec 2 12:12:10 mail postfix/postscreen[13270]: CONNECT from [171.217.163.251]:21365 to [172.16.12.249]:25 Dec 2 12:12:10 mail postfix/postscreen[13270]: PASS OLD [171.217.163.251]:21365 Dec 2 12:12:10 mail postfix/smtpd[13271]: connect from unknown[171.217.163.251] Dec 2 12:12:22 mail postfix/smtpd[13271]: NOQUEUE: filter: RCPT from unknown[171.217.163.251]: <ceo@chenxie.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<ceo@chenxie.net> to=<zhangsan@chenxie.net> proto=ESMTP helo=<hello> Dec 2 12:12:22 mail postfix/smtpd[13271]: NOQUEUE: filter: RCPT from unknown[171.217.163.251]: <ceo@chenxie.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<ceo@chenxie.net> to=<zhangsan@chenxie.net> proto=ESMTP helo=<hello> Dec 2 12:12:22 mail postfix/smtpd[13271]: 4D66563FFF: client=unknown[171.217.163.251] Dec 2 12:12:29 mail postfix/cleanup[10971]: 4D66563FFF: message-id=<20191202041222.4D66563FFF@mail.chenxie.net> Dec 2 12:12:29 mail postfix/qmgr[8182]: 4D66563FFF: from=<ceo@chenxie.net>, size=356, nrcpt=1 (queue active) Dec 2 12:12:30 mail postfix/amavisd/smtpd[11336]: connect from localhost[127.0.0.1] Dec 2 12:12:30 mail postfix/amavisd/smtpd[11336]: 4F5C264003: client=localhost[127.0.0.1] Dec 2 12:12:30 mail postfix/cleanup[10971]: 4F5C264003: message-id=<20191202041222.4D66563FFF@mail.chenxie.net> Dec 2 12:12:30 mail postfix/qmgr[8182]: 4F5C264003: from=<ceo@chenxie.net>, size=1079, nrcpt=1 (queue active) Dec 2 12:12:30 mail postfix/smtp[13275]: 4D66563FFF: to=<zhangsan@chenxie.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=12, delays=11/0/0.01/0.36, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4F5C264003) Dec 2 12:12:30 mail postfix/qmgr[8182]: 4D66563FFF: removed Dec 2 12:12:30 mail postfix/lmtp[11337]: 4F5C264003: to=<zhangsan@chenxie.net>, relay=mail.chenxie.net[47.52.194.54]:7025, delay=0.19, delays=0.02/0/0.11/0.07, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK) Dec 2 12:12:30 mail postfix/qmgr[8182]: 4F5C264003: removed Dec 2 12:12:34 mail postfix/smtpd[13271]: disconnect from unknown[171.217.163.251] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
zhangsan@chenxie.net 收到的邮件:
如上我们通过一个简单的 telnet 示例就实现了从 ceo@chenxie.net 给 zhangsan@chenxie.net 发送邮件,让张三转10000元到他的银行账户,很显然这种情况是绝对不能发生的,ceo@chenxie.net这个账户根本不存在,而当张三看到这封邮件的时候,他也不知道究竟有没有ceo@chenxie.net这个账户很可能就认为是他的老板,直接将钱转了过去,最后发现竟然是骗局,造成了公司以及个人的财产、隐私等损失,所以绝对不允许这种情况的发生。
解决办法:开启smtp认证,强制要求发件人地址与系统用户相匹配才可发送
该解决办法适用于 zimbra 8.5 以上版本
1. 修改 zimbraMtaSmtpdRejectUnlistedRecipient 和 zimbraMtaSmtpdRejectUnlistedSender 的值(su - zimbra 到zimbra用户下执行)
zmprov mcf zimbraMtaSmtpdRejectUnlistedRecipient yes
zmprov mcf zimbraMtaSmtpdRejectUnlistedSender yes
zmmtactl restart
zmconfigdctl restart2. 设置 zimbraMtaSmtpdSenderLoginMaps
zmprov mcf zimbraMtaSmtpdSenderLoginMaps proxy:ldap:/opt/zimbra/conf/ldap-slm.cf +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch3. 编辑 /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf 文件
vim /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf在 permit_mynetworks 的那一行加上 reject_sender_login_mismatch 用逗号隔开,如下:
permit_mynetworks, reject_sender_login_mismatch稍等一两分钟,等待配置文件重新加载生效再进行测试。
4. 再次测试
注意:telnet 时请不要在zimbra服务器以及和zimbra服务器同网段的服务器上测试,因为zimbra默认已将本机和所在网段加入信任,看不到效果。
关于如果查看Zimbra已经信任的网络可以登录后台,然后依次点击 配置-服务器-mail.chenxie.net-MTA-MTA信任的网络 即可看到。
当不存在的 ceo@chenxie.net 向存在的 zhangsan@chenxie.net 发送邮件时:
提示: 550 5.1.0 <ceo@chenxie.net>: Sender address rejected: chenxie.net
[root@localhost ~]# telnet mail.chenxie.net 25
Trying 47.52.194.54...
Connected to mail.chenxie.net.
Escape character is '^]'.
220 mail.chenxie.net ESMTP Postfix
ehlo hello
250-mail.chenxie.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:ceo@chenxie.net
250 2.1.0 Ok
rcpt to:zhangsan@chenxie.net
550 5.1.0 <ceo@chenxie.net>: Sender address rejected: chenxie.net
quit
221 2.0.0 Bye
Connection closed by foreign host.日志如下:
Dec 2 12:40:27 mail postfix/smtpd[7633]: connect from unknown[171.217.163.251] Dec 2 12:40:47 mail /postfix-script[7927]: the Postfix mail system is running: PID: 8180 Dec 2 12:40:47 mail postfix/smtpd[7633]: NOQUEUE: filter: RCPT from unknown[171.217.163.251]: <ceo@chenxie.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<ceo@chenxie.net> to=<zhangsan@chenxie.net> proto=ESMTP helo=<hello> Dec 2 12:40:47 mail postfix/smtpd[7633]: NOQUEUE: filter: RCPT from unknown[171.217.163.251]: <ceo@chenxie.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<ceo@chenxie.net> to=<zhangsan@chenxie.net> proto=ESMTP helo=<hello> Dec 2 12:40:47 mail postfix/smtpd[7633]: NOQUEUE: reject: RCPT from unknown[171.217.163.251]: 550 5.1.0 <ceo@chenxie.net>: Sender address rejected: chenxie.net; from=<ceo@chenxie.net> to=<zhangsan@chenxie.net> proto=ESMTP helo=<hello> Dec 2 12:40:51 mail postfix/smtpd[7633]: disconnect from unknown[171.217.163.251] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
当存在的 lisi@chenxie.net 向存在的 zhangsan@chenxie.net 发送邮件时:
提示: 553 5.7.1 <lisi@chenxie.net>: Sender address rejected: not logged in
[root@localhost ~]# telnet mail.chenxie.net 25
Trying 47.52.194.54...
Connected to mail.chenxie.net.
Escape character is '^]'.
220 mail.chenxie.net ESMTP Postfix
ehlo hello
250-mail.chenxie.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:lisi@chenxie.net
250 2.1.0 Ok
rcpt to:zhangsan@chenxie.net
553 5.7.1 <lisi@chenxie.net>: Sender address rejected: not logged in
quit
221 2.0.0 Bye
Connection closed by foreign host.日志如下:
Dec 2 12:44:17 mail postfix/postscreen[11651]: CONNECT from [171.217.163.251]:23425 to [172.16.12.249]:25 Dec 2 12:44:17 mail postfix/postscreen[11651]: PASS OLD [171.217.163.251]:23425 Dec 2 12:44:17 mail postfix/smtpd[11652]: connect from unknown[171.217.163.251] Dec 2 12:44:45 mail postfix/smtpd[11652]: NOQUEUE: filter: RCPT from unknown[171.217.163.251]: <lisi@chenxie.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<lisi@chenxie.net> to=<zhangsan@chenxie.net> proto=ESMTP helo=<hello> Dec 2 12:44:45 mail postfix/smtpd[11652]: NOQUEUE: filter: RCPT from unknown[171.217.163.251]: <lisi@chenxie.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<lisi@chenxie.net> to=<zhangsan@chenxie.net> proto=ESMTP helo=<hello> Dec 2 12:44:45 mail postfix/smtpd[11652]: NOQUEUE: reject: RCPT from unknown[171.217.163.251]: 553 5.7.1 <lisi@chenxie.net>: Sender address rejected: not logged in; from=<lisi@chenxie.net> to=<zhangsan@chenxie.net> proto=ESMTP helo=<hello> Dec 2 12:44:47 mail postfix/smtpd[11652]: disconnect from unknown[171.217.163.251] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
如上可以看到,开启smtp认证之后,无论是本域存在的用户或者是本域不存在的用户,在没有登录的情况下都是不能发送的,保证了账户安全性。
本文参考自 Zimbra 官方 wiki,并结合我的实际情况总结得出,更多细节可参考原文介绍,文中还包含了如何设置例外的账户,也就是指定不用进行smtp认证的用户,但是我并不推荐,所以本文就没有写,谢谢。
原文地址:https://wiki.zimbra.com/wiki/Enforcing_a_match_between_FROM_address_and_sasl_username_8.5
hi
我配置后,本域不管匿名还是真实用户,都需要认证,但伪造其他域像fsdjkd@qq.com就可以发送邮件
匿名
1
hello
请问一下 ,怎样配置使 telnet mail 25端口,需要登录认证,但发件人可以是伪造的情况
额 这个需求合理吗 😛