Zimbra’s Distribution Lists are widely deployed on account of their powerful productivity-enhancing features, but in a default Zimbra installation, anyone anywhere can send email to any of your distribution lists — lists like “firstname.lastname@example.org” are particularly ripe for exploitation by bad actors. This post will show you how to secure your Zimbra Distribution Lists.
Key Zimbra Distribution List features include:
- Nesting. Distribution Lists can be members of other Distribution Lists, so for example email@example.com, firstname.lastname@example.org, email@example.com and firstname.lastname@example.org can be members of email@example.com.
- Ownership and Management. Different users can be made owners of different lists, effectively blocking other users from making unauthorized changes to one or more Distribution Lists.
- Dynamic Distribution Lists. Membership in these kinds of lists is automatic, based on LDAP filters. These are great for call centers or other environments where there are frequent staff changes; these lists update themselves automatically with members being added and removed essentially in real time based on each user’s LDAP attributes and the LDAP filters configured for specifying list membership.
- Highly Granular Rights and Permissions. This is where this blog post focuses; we will use rights to enhance the security of your Distribution Lists.
From a functional standpoint, Zimbra Distribution Lists are nothing more than an email address expansion mechanism. Our process for securing your Distribution Lists therefore works at the Zimbra MTA level.
Fortunately, we can lock down who can send emails to any Zimbra Distribution List, while leaving other useful Distribution Lists (like “firstname.lastname@example.org”) open to anyone. So let’s go through the lock down process step-by-step:
Step One: Enable The Milter
First, we need to enable Zimbra’s milter on the MTA servers. The milter ships with Zimbra but due to an accident of history (I was once told it wasn’t very stable when first introduced) the milter is not enabled by default. It’s the milter that manages and checks rights at the MTA level to allow or deny a sender from sending an email to a Distribution List.
As the Zimbra user from the commandline on every one of your MTA servers just run:
zmprov ms `zmhostname` zimbraMilterServerEnabled TRUE zmmilterctl start zmmilterctl status
Although the milter is running now, all Distribution Lists remain open, kind of like a new firewall deployment that has default “allow all” rules configured at initial launch.
Step Two: Understanding “Rights”
The lockdown process begins with applying “rights” to a Distribution List. Here are The Rules:
- Rights can be positive (allow) or negative (deny).
- If no rights are explicitly applied to a Distribution List, anyone anywhere can send an email to the list.
- Rights can be granted on a specific Distribution List to a user, a domain, another distribution list, every account on the Zimbra system, the public (everyone everywhere), or any combination thereof.
- Rights can also be granted on a Domain, in which case ALL Distribution Lists in the domain inherit those rights.
- Multiple Rights can be granted for each Distribution List.
- There are four commonly used rights:
- The ability to send TO a Distribution List.
- The ability to send AS a Distribution List (useful for example to allow members of the Distribution List “email@example.com” to send emails AS coming from “firstname.lastname@example.org”).
- The ability to view the addresses of members in a Distribution List.
- The owner of the Distribution List.
- Negative Rights override positive rights in the event of a conflict. Here’s an example: Suppose you have a Distribution List “email@example.com” and another Distribution List called “firstname.lastname@example.org”. Normally, you’ll only want members of management to be able to send an email to email@example.com. But, suppose there is one management executive whom you don’t want to be able to send to firstname.lastname@example.org? Well, you could just grant rights individually to all of the managers, except for this one individual. But it would be much easier first to grant a positive right to send to the email@example.com Distribution List to the firstname.lastname@example.org Distribution List, and then to grant a negative right to the individual manager you need to exclude from sending to the email@example.com Distribution List. Even though that individual is a member of management, the negative right targeting the individual overrides the individual’s positive right by dint of his/her membership in the management Distribution List.
- Another example is if you have a Distribution List you want to remain public, like “firstname.lastname@example.org” (so you don’t apply any rights at all to the list), but you have some outsiders who abuse the list, e.g. an unethical recruiter. In this case, you would apply a positive right to the Public to send to the list, and then a negative right to block the unethical recruiter’s email address (or indeed the recruiter’s entire company domain if you so wished).
Step Three: Apply Rights Using the Zimbra Command Line Interface
The Zimbra Admin Guide has an excellent section on managing access to Distribution Lists. Let’s take a look at how to selectively restrict who can send to a Distribution List. You’ll find more examples in the actual Admin Guide.
Let’s presume you’ve set up a new Distribution List “email@example.com”. It’s a Dynamic Distribution List that contains all active accounts in the domain. Let’s also presume there’s another Distribution List called “firstname.lastname@example.org”, and a user “email@example.com” who is a member of “firstname.lastname@example.org”.
- To allow everyone in the management list, except Mark, to be able to send emails to “email@example.com”.
- To prevent everyone in the domain from seeing the members of any Distribution List on the domain.
So first, let’s prevent The World from sending to “firstname.lastname@example.org” and just allow the management list to send to “email@example.com”:
zmprov grr dl firstname.lastname@example.org grp email@example.com sendToDistList
Recall that, once you apply any right to a Distribution List as we have done above, the list is no longer “open”. Now let’s keep Mark from being able to send to this list:
zmprov grr dl firstname.lastname@example.org usr email@example.com -sendToDistList
Note that in the above example, we prepended a minus sign to the sendToDistList right; this means we are applying a negative (deny) right. Now all we need to need to do is prevent everyone in the domain from viewing all lists’ members:
zmprov grr domain mycompany.com dom mycompany.com -viewDistList
Step Four: Check The Rights Granted On A Distribution List
You can check that rights were applied in two different ways. First, you can use zmprov:
zimbra@mail2:~$ zmprov ckr dl firstname.lastname@example.org email@example.com sendToDistList DENIED Via: target type : dl target : firstname.lastname@example.org grantee type : usr grantee : email@example.com right : DENY sendToDistList zimbra@mail2:~$ zmprov ckr dl firstname.lastname@example.org email@example.com sendToDistList ALLOWED Via: target type : dl target : firstname.lastname@example.org grantee type : grp grantee : email@example.com right : sendToDistList zimbra@mail2:~$
zimbra@mail2:~$ zmprov gdl firstname.lastname@example.org | grep ACE zimbraACE: aee99b4b-da40-4c5d-bf28-34a11d3d391c grp sendToDistList zimbraACE: b0f16bd5-22ab-4ac5-9953-5bf83c7e7a80 usr -sendToDistList zimbraACE: cbdee8f8-xy78-6v24-gf89-68sdgg98348d usr ownDistList zimbra@mail2:~$
Next, you’ll need to find the account or Distribution List based on a human-readable attribute, using the zimbraId above, like so:
zimbra@mail2:~$ zmprov gdl aee99b4b-da40-4c5d-bf28-34a11d3d391c | grep "mail: "
zimbra@mail2:~$ zmprov ga b0f16bd5-22ab-4ac5-9953-5bf83c7e7a80 | grep "# name"
# name email@example.com
Fixing Mistakes And/Or Making Changes
Taking the time to periodically audit the positive and negative rights assigned to your Distribution Lists will help keep you secure from bad actors, and there will likely come a time when you need to modify one or more rights that have been previously assigned. This is straightforward to do, in two steps: First, revoke (i.e. delete) the no-longer-wanted right, and then second, grant the right you want to replace the revoked right. To be clear, there is no mechanism to modify an existing right. So let’s say Mark got a promotion, and is now eligible to send emails to firstname.lastname@example.org. To do that, we need to revoke his deny right that we originally granted above. Easy! Just do:
zmprov rvr dl email@example.com usr firstname.lastname@example.org -sendToDistList
In this article we learned:
- That all Zimbra Distribution Lists can be emailed to by anyone, anywhere, creating a security exposure.
- The Rules around how rights impact access to and use of Distribution Lists.
- How to lock down our Distribution Lists to prevent them from being abused by Bad Actors.
- How to document existing rights applied to Distribution Lists and how to update them periodically.
If you need help with your Zimbra Distribution Lists’ security, or any other Zimbra security matter, just get in touch!
Hope that helps,
L. Mark Stone
Mission Critical Email LLC
20 August 2021
The information provided in this blog is intended for informational and educational purposes only. The views expressed herein are those of Mr. Stone personally. The contents of this site are not intended as advice for any purpose and are subject to change without notice. Mission Critical Email makes no warranties of any kind regarding the accuracy or completeness of any information on this site, and we make no representations regarding whether such information is up-to-date or applicable to any particular situation. All copyrights are reserved by Mr. Stone. Any portion of the material on this site may be used for personal or educational purposes provided appropriate attribution is given to Mr. Stone and this blog.