Environment: Zimbra 8.8.12

A freshly installed Zimbra does not enable SMTP authentication. That means anyone who knows your host can simply telnet to it and use your server to send spam, virus or ransomware mail, which is a serious information-security problem. How do we fix it?


First, the problem to be solved here: preventing others from forging the sender address to send spam.

It shows up like this: say your domain is chenxie.net and the user ceo@chenxie.net does not exist in your system, but an attacker forges this address and sends mail to the whole company or to other people; someone may well be fooled. It can be done with nothing more than telnet, as follows:

[root@localhost ~]# telnet mail.chenxie.net 25
Trying 47.52.58.180...
Connected to mail.chenxie.net.
Escape character is '^]'.
220 mail.chenxie.net ESMTP Postfix
ehlo hello
250-mail.chenxie.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:ceo@chenxie.net
250 2.1.0 Ok
rcpt to:zhangsan@chenxie.net
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Please transfer 10000 RMB to my back account, your boss.   
.
250 2.0.0 Ok: queued as B5F44162462

The mail server log looks like this:

May 26 22:41:03 mail postfix/postscreen[28845]: CONNECT from [110.188.57.78]:4868 to [172.16.12.245]:25
May 26 22:41:03 mail postfix/postscreen[28845]: PASS OLD [110.188.57.78]:4868
May 26 22:41:03 mail postfix/smtpd[19102]: connect from unknown[110.188.57.78]
May 26 22:41:23 mail postfix/smtpd[19102]: NOQUEUE: filter: RCPT from unknown[110.188.57.78]: <ceo@chenxie.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<ceo@chenxie.net> to=<zhangsan@chenxie.net> proto=ESMTP helo=<hello>
May 26 22:41:23 mail postfix/smtpd[19102]: NOQUEUE: filter: RCPT from unknown[110.188.57.78]: <ceo@chenxie.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<ceo@chenxie.net> to=<zhangsan@chenxie.net> proto=ESMTP helo=<hello>
May 26 22:41:23 mail postfix/smtpd[19102]: D6A45162578: client=unknown[110.188.57.78]
May 26 22:41:26 mail postfix/cleanup[29000]: D6A45162578: message-id=<20190526144123.D6A45162578@mail.chenxie.net>
May 26 22:41:26 mail postfix/qmgr[5138]: D6A45162578: from=<ceo@chenxie.net>, size=311, nrcpt=1 (queue active)
May 26 22:41:27 mail postfix/amavisd/smtpd[29267]: connect from localhost[127.0.0.1]
May 26 22:41:27 mail postfix/amavisd/smtpd[29267]: 4AD1D16257A: client=localhost[127.0.0.1]
May 26 22:41:27 mail postfix/cleanup[29000]: 4AD1D16257A: message-id=<20190526144123.D6A45162578@mail.chenxie.net>
May 26 22:41:27 mail postfix/qmgr[5138]: 4AD1D16257A: from=<ceo@chenxie.net>, size=1008, nrcpt=1 (queue active)
May 26 22:41:27 mail postfix/amavisd/smtpd[29267]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
May 26 22:41:27 mail postfix/smtp[29265]: D6A45162578: to=<zhangsan@chenxie.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=13, delays=12/0.01/0/0.64, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4AD1D16257A)
May 26 22:41:27 mail postfix/qmgr[5138]: D6A45162578: removed
May 26 22:41:27 mail postfix/lmtp[29268]: 4AD1D16257A: to=<zhangsan@chenxie.net>, relay=mail.chenxie.net[47.52.58.180]:7025, delay=0.17, delays=0.01/0.01/0.1/0.05, dsn=2.1.5, status=sent (250 2.1.5 Delivery OK)
May 26 22:41:27 mail postfix/qmgr[5138]: 4AD1D16257A: removed
May 26 22:41:32 mail postfix/smtpd[19102]: disconnect from unknown[110.188.57.78] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5

As shown above, with a simple telnet session we sent a message from ceo@chenxie.net to zhangsan@chenxie.net asking Zhang San to transfer 10,000 yuan to his bank account. Obviously this must never be allowed to happen: the account ceo@chenxie.net does not exist at all, yet when Zhang San sees this message he will assume it comes from his boss and may comply without question, only to discover it was a scam that cost the company and individuals money, privacy and more. This situation absolutely must not be allowed to occur.


Solution: enable SMTP authentication and require the sender address to match the system user before mail can be sent.

This solution applies to Zimbra 8.5 and later.

1. Change the values of zimbraMtaSmtpdRejectUnlistedRecipient and zimbraMtaSmtpdRejectUnlistedSender (run as the zimbra user: su - zimbra)

zmprov mcf zimbraMtaSmtpdRejectUnlistedRecipient yes
zmprov mcf zimbraMtaSmtpdRejectUnlistedSender yes
zmmtactl restart
zmconfigdctl restart

2. Set zimbraMtaSmtpdSenderLoginMaps

zmprov mcf zimbraMtaSmtpdSenderLoginMaps proxy:ldap:/opt/zimbra/conf/ldap-slm.cf +zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch

3. Edit the file /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf and append reject_sender_login_mismatch, separated by a comma, to the line containing permit_mynetworks

vim /opt/zimbra/conf/zmconfigd/smtpd_sender_restrictions.cf

As follows:

permit_mynetworks, reject_sender_login_mismatch

Wait a minute or two for the configuration to be reloaded and take effect before testing.


4. Test again

  • When the sender address does not exist, the response is: 550 5.1.0 <ceo@chenxie.net>: Sender address rejected: chenxie.net
[root@localhost ~]# telnet mail.chenxie.net 25
Trying 47.52.58.180...
Connected to mail.chenxie.net.
Escape character is '^]'.
220 mail.chenxie.net ESMTP Postfix
ehlo hello
250-mail.chenxie.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:ceo@chenxie.net
250 2.1.0 Ok
rcpt to:zhangsan@chenxie.net
550 5.1.0 <ceo@chenxie.net>: Sender address rejected: chenxie.net

The log:

May 26 22:53:42 mail postfix/smtpd[9498]: connect from unknown[110.188.57.78]
May 26 22:54:31 mail postfix/smtpd[9498]: NOQUEUE: filter: RCPT from unknown[110.188.57.78]: <ceo@chenxie.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<ceo@chenxie.net> to=<zhangsan@chenxie.net> proto=ESMTP helo=<hello>
May 26 22:54:31 mail postfix/smtpd[9498]: NOQUEUE: filter: RCPT from unknown[110.188.57.78]: <ceo@chenxie.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10024; from=<ceo@chenxie.net> to=<zhangsan@chenxie.net> proto=ESMTP helo=<hello>
May 26 22:54:31 mail postfix/smtpd[9498]: NOQUEUE: reject: RCPT from unknown[110.188.57.78]: 550 5.1.0 <ceo@chenxie.net>: Sender address rejected: chenxie.net; from=<ceo@chenxie.net> to=<zhangsan@chenxie.net> proto=ESMTP helo=<hello>
  • When the sender address exists, the response is: 553 5.7.1 <lisi@chenxie.net>: Sender address rejected: not logged in
[root@localhost ~]# telnet mail.chenxie.net 25
Trying 47.52.58.180...
Connected to mail.chenxie.net.
Escape character is '^]'.
220 mail.chenxie.net ESMTP Postfix
ehlo hello
250-mail.chenxie.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:lisi@chenxie.net
250 2.1.0 Ok
rcpt to:zhangsan@chenxie.net
553 5.7.1 <lisi@chenxie.net>: Sender address rejected: not logged in

The log:

May 26 22:56:36 mail postfix/postscreen[11788]: CONNECT from [110.188.57.78]:7815 to [172.16.12.245]:25
May 26 22:56:36 mail postfix/postscreen[11788]: PASS OLD [110.188.57.78]:7815
May 26 22:56:36 mail postfix/smtpd[9498]: connect from unknown[110.188.57.78]
May 26 22:57:04 mail postfix/smtpd[9498]: NOQUEUE: filter: RCPT from unknown[110.188.57.78]: <lisi@chenxie.net>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<lisi@chenxie.net> to=<zhangsan@chenxie.net> proto=ESMTP helo=<hello>
May 26 22:57:04 mail postfix/smtpd[9498]: NOQUEUE: reject: RCPT from unknown[110.188.57.78]: 553 5.7.1 <lisi@chenxie.net>: Sender address rejected: not logged in; from=<lisi@chenxie.net> to=<zhangsan@chenxie.net> proto=ESMTP helo=<hello>


As you can see above, once SMTP authentication is enforced, neither an existing local-domain user nor a nonexistent one can send without logging in, which protects the accounts.
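As an added example (not from the original post or from Zimbra), a small Python audit over constructed log lines in the Postfix format shown above: it separates spoof attempts that smtpd rejected from local-domain senders that were accepted from an untrusted, unauthenticated client, which is exactly the gap the change closes. The local domain and the trusted network prefixes are assumptions taken from the page's example addresses.

```python
import re
from collections import Counter
LOCAL_DOMAIN = "chenxie.net"             # the page's example domain (assumption)
TRUSTED_PREFIXES = ("127.", "172.16.")   # assumed mynetworks: loopback + the server's LAN

# Constructed sample in the shape of the page's log excerpts: one spoofed
# message accepted before the change, two rejected after it.
SAMPLE_LOG = """\
May 26 22:41:23 mail postfix/smtpd[19102]: D6A45162578: client=unknown[110.188.57.78]
May 26 22:41:26 mail postfix/qmgr[5138]: D6A45162578: from=<ceo@chenxie.net>, size=311, nrcpt=1 (queue active)
May 26 22:41:27 mail postfix/amavisd/smtpd[29267]: 4AD1D16257A: client=localhost[127.0.0.1]
May 26 22:41:27 mail postfix/qmgr[5138]: 4AD1D16257A: from=<ceo@chenxie.net>, size=1008, nrcpt=1 (queue active)
May 26 22:54:31 mail postfix/smtpd[9498]: NOQUEUE: reject: RCPT from unknown[110.188.57.78]: 550 5.1.0 <ceo@chenxie.net>: Sender address rejected: chenxie.net; from=<ceo@chenxie.net> to=<zhangsan@chenxie.net> proto=ESMTP helo=<hello>
May 26 22:57:04 mail postfix/smtpd[9498]: NOQUEUE: reject: RCPT from unknown[110.188.57.78]: 553 5.7.1 <lisi@chenxie.net>: Sender address rejected: not logged in; from=<lisi@chenxie.net> to=<zhangsan@chenxie.net> proto=ESMTP helo=<hello>
"""

REJECT_RE = re.compile(  # smtpd rejecting at RCPT time: what the fix produces
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[(?P<ip>[\d.]+)\]: "
    r"(?P<code>\d{3} \d\.\d\.\d) <[^>]*>: (?P<reason>[^;]*); from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)>")
CLIENT_RE = re.compile(  # smtpd assigning a queue id: the message was accepted
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S+\[(?P<ip>[\d.]+)\]")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<from>[^>]*)>")

def is_local(addr):
    return addr.lower().endswith("@" + LOCAL_DOMAIN)

def audit(lines):
    """Split log lines into spoof attempts that were rejected and those that got
    through: a local-domain sender accepted from an untrusted, unauthenticated client."""
    rejected, accepted = [], []
    client_of = {}  # queue id -> untrusted client IP that submitted it
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            if is_local(m["from"]):
                rejected.append((m["ip"], m["from"], m["to"], m["code"], m["reason"]))
            continue
        m = CLIENT_RE.search(line)  # skip SASL-authenticated submissions: those are legitimate
        if m and "sasl_username=" not in line and not m["ip"].startswith(TRUSTED_PREFIXES):
            client_of[m["qid"]] = m["ip"]
            continue
        m = QMGR_RE.search(line)
        if m and m["qid"] in client_of and is_local(m["from"]):
            accepted.append((client_of[m["qid"]], m["from"]))
    return rejected, accepted

def attempts_per_client(rejected, accepted):
    """Count spoof attempts per client IP, accepted or not, for alerting."""
    return Counter(rec[0] for rec in rejected + accepted)
```

A non-empty accepted list after the change means the restriction is not in effect yet (or the client sits inside mynetworks), so it is the value worth alerting on.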


This article is based on https://wiki.zimbra.com/wiki/Enforcing_a_match_between_FROM_address_and_sasl_username_8.5 combined with my own situation. See that page for more details; it also describes how to configure exception accounts, i.e. users who are exempt from SMTP authentication, but I do not recommend that, so it is not covered here. Thanks.