It is kind of a split domain situation. Only modifying SPF and DKIM will not help us here.
Did you take a look at this:
Regards,
Sharif
I will have a look at it. But let me ask a general question. I am not completely convinced that split domain is the problem. Maybe my explanation was too difficult.
Same problem. Our accountant has a system where we send invoices from. The sender address is an email address that originally resided on our mail server. We send invoices to our clients with that email address as the sender, straight from our online bookkeeping software. The bookkeeping mail server is in our SPF record. Mails from the bookkeeping software to clients not hosted on our Carbonio server are received.
Mails to an email address residing on our Carbonio are not accepted because the from address is rejected with user not logged in.
But shouldn't this be possible?
Hi @anahuac, do you have any ideas?
Hello!
I could manage this problem with this:
    # workaround for error Sender address rejected: not logged in
    zextras@mail:~$ zmprov mcf zimbraMtaSmtpdSenderLoginMaps ""
    zextras@mail:~$ zmprov mcf -zimbraMtaSmtpdSenderRestrictions reject_sender_login_mismatch
but it is a huge security breach, as far as I know.
My situation is one where an application uses a real existing account on the mail server and tries to send to the server without authentication,
e.g. Application -> MAIL FROM: alias1@domain.com RCPT TO: acc1@domain.com -> carbonioserver
I want to return the SLM tuning back, but couldn't manage to whitelist particular senders by IP or account or whatever. Any help appreciated.
    zextras@mail:~$ zmcontrol -v
    Carbonio Release 24.7.1
Did some research on the problem...
@Max_S OP, you could add your host from SPF to mynetworks in Carbonio, but it is dangerous and I would not recommend that.
Since you have SASL enabled and you try to send mail from an existing account, you reasonably got
"<account@domain.com>: Sender address rejected: not logged in;",
because this user is not logged in. This is handled by reject_sender_login_mismatch in the smtpd_sender_restrictions in Postfix. So you could remove this restriction, but from that moment the mail sender in your domain could be forged even by your own users. Or (this is how I solved my problem, recommended solution) you may use blacklists (don't worry about the name, it could be used as a whitelist too):
    zextras@mail:~$ vim /opt/zextras/conf/postfix_reject_sender
    user1@yourdomain.com OK
    zextras@mail:~$ postmap /opt/zextras/conf/postfix_reject_sender
    zextras@mail:~$ zmprov ms $(zmhostname) +zimbraMtaSmtpdSenderRestrictions "check_sender_access lmdb:/opt/zextras/conf/postfix_reject_sender"
    zextras@mail:~$ zmmtactl restart && zmconfigdctl restart
From now on user1@yourdomain.com will skip login checks.
    zextras@mail:~$ postconf smtpd_sender_restrictions
    smtpd_sender_restrictions = check_sender_access lmdb:/opt/zextras/conf/postfix_reject_sender, check_sender_access regexp:/opt/zextras/common/conf/tag_as_originating.re, permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zextras/common/conf/tag_as_foreign.re
Checks are executed from left to right and the blacklist comes first; it then jumps to the recipient restrictions list if it finds the MAIL FROM email in the blacklist and it is followed by OK.
Let me know if it helps. Maybe I am missing something, I am not a Postfix guru whatsoever, but this works for me.
During my research I found something that I think should be addressed to the dev team:
I found some misconfiguration in the default Carbonio installation, version printed above.
    zextras@mail:~$ zmprov gcf zimbraMtaSmtpdSenderRestrictions
    zimbraMtaSmtpdSenderRestrictions: reject_sender_login_mismatch
    zextras@mail:~$ cat /opt/zextras/conf/zmconfigd/smtpd_sender_restrictions.cf
    %%exact VAR:zimbraMtaSmtpdSenderRestrictions reject_authenticated_sender_login_mismatch%%
    %%contains VAR:zimbraMtaSmtpdSenderRestrictions check_sender_access lmdb:/opt/zextras/conf/postfix_reject_sender%%
    %%contains VAR:zimbraServiceEnabled cbpolicyd^ check_policy_service inet:localhost:%%zimbraCBPolicydBindPort%%%%
    %%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zextras/common/conf/tag_as_originating.re%%
    permit_mynetworks, reject_sender_login_mismatch
    permit_sasl_authenticated
    permit_tls_clientcerts
    %%contains VAR:zimbraServiceEnabled amavis^ check_sender_access regexp:/opt/zextras/common/conf/tag_as_foreign.re%%
reject_sender_login_mismatch is just hardcoded in the template file for sender_restrictions; manipulating the variable value does not do anything.
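
A defensive check for the setup described in the post above, as an added example that is not part of the thread or of Carbonio: it lists every sender address that an access table answers with OK before reject_sender_login_mismatch is reached, meaning the addresses exempted from the login check regardless of which client connects. The function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which senders bypass reject_sender_login_mismatch.

# tables_before_mismatch "<smtpd_sender_restrictions value>"
# Prints the file path of each check_sender_access table that is evaluated
# before reject_sender_login_mismatch (restrictions run left to right).
tables_before_mismatch() {
    printf '%s\n' "$1" | awk '{
        gsub(/,/, " ")                      # commas and spaces both separate
        for (i = 1; i <= NF; i++) {
            if ($i == "reject_sender_login_mismatch") exit
            if ($i == "check_sender_access") {
                t = $(i + 1); sub(/^[a-z]+:/, "", t)   # drop lmdb:, regexp:, ...
                print t; i++
            }
        }
    }'
}

# ok_entries FILE
# Prints lookup keys whose action is OK (an all-numeric result counts as OK).
ok_entries() {
    [ -r "$1" ] || return 0
    awk '!/^[ \t]*(#|$)/ && (toupper($2) == "OK" || $2 ~ /^[0-9]+$/) { print $1 }' "$1"
}

# exempt_senders "<smtpd_sender_restrictions value>"
# Sender patterns that skip the login-mismatch check.
exempt_senders() {
    tables_before_mismatch "$1" | while IFS= read -r table; do
        ok_entries "$table"
    done
}

# Constructed sample: a table like the one in the post, in a temp directory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/postfix_reject_sender" <<'EOF'
# constructed sample entries
user1@yourdomain.com    OK
blocked@yourdomain.com  REJECT
EOF
demo_restrictions="smtpd_sender_restrictions = check_sender_access lmdb:$demo_dir/postfix_reject_sender, permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated"

exempt_senders "$demo_restrictions"
```

On a live server, run `exempt_senders "$(postconf smtpd_sender_restrictions)"` as the zextras user and review each address it prints.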