Gentoo Forums
Postfix security
NathanZachary
Moderator

Joined: 30 Jan 2007
Posts: 2471
Location: /home/zach

PostPosted: Thu Jul 16, 2015 9:32 pm    Post subject: Postfix security

Hello all,

I have a question regarding Postfix smtpd security. I have it so that Postfix will reject mail relaying if the smtpd user is not authenticated, but how do I go about it when it isn't a *relayed* message, but one to the same domain. For instance, if I try:

Code:

$ telnet mail.myhost.com 587
Trying {IP ADDRESS}...
Connected to mail.myhost.com.
Escape character is '^]'.
220 mail.myhost.com ESMTP Postfix
ehlo mail.myhost.com
250-mail.myhost.com
250-PIPELINING
250-SIZE 50000000
250-VRFY
250-ETRN
250-AUTH CRAM-MD5 PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: zach@myhost.com
250 2.1.0 Ok
rcpt to: someaddress@gmail.com
554 5.7.1 <someaddress@gmail.com>: Relay access denied
quit
221 2.0.0 Bye
Connection closed by foreign host.


That's what I would expect to happen.

However, if I try:

Code:

$ telnet mail.myhost.com 587
Trying {IP ADDRESS}...
Connected to mail.myhost.com.
Escape character is '^]'.
220 mail.myhost.com ESMTP Postfix
ehlo mail.myhost.com
250-mail.myhost.com
250-PIPELINING
250-SIZE 50000000
250-VRFY
250-ETRN
250-AUTH CRAM-MD5 PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: zach@myhost.com
250 2.1.0 Ok
rcpt to: someoneelse@myhost.com
550 5.1.1 <someoneelse@myhost.com>: Recipient address rejected: User unknown in virtual mailbox table
rcpt to: abuse@myhost.com
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
test mail
.
250 2.0.0 Ok: queued as E609A100069
quit
221 2.0.0 Bye
Connection closed by foreign host.


I see that it rejects if the recipient is unknown (again, which I would expect), but it allows me to send if the recipient is known... without authenticating with a password.

Is there something obvious that I'm missing? My mail server isn't an open relay, but it allows for this type of interaction with smtpd, which I consider to be unwanted.

Thanks!

Cheers,
Nathan Zachary
_________________
“Truth, like infinity, is to be forever approached but never reached.” --Jean Ayres (1972)
---avatar cropped from =AimanStudio---
eccerr0r
Watchman

Joined: 01 Jul 2004
Posts: 7252
Location: almost Mile High in the USA

PostPosted: Thu Jul 16, 2015 10:47 pm    Post subject:

If mail.myhost.com is actually receiving mail for myhost.com, then you're really not relaying when sending to myhost.com - you are the endpoint.

What are you trying to accomplish here? I had to do the same on my mail server (sendmail) because if someone sends mail to me, they can't necessarily authenticate before sending mail to me, even if it's a legitimate email relayed from another host.

It seems that you want all mail to require authentication (which would stop you from receiving any mail unless you have another machine relaying mail to this machine that can set up an authenticated session), or am I not understanding the problem here, which may very well be the case?
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
NathanZachary
Moderator

Joined: 30 Jan 2007
Posts: 2471
Location: /home/zach

PostPosted: Fri Jul 17, 2015 1:34 am    Post subject:

I guess it just seems strange to me, because then anyone could connect to this mail server and send mail with completely spoofed headers and such. I thought that there would be a way to require authentication even if it was going to an endpoint on the same mail server (not relaying). Maybe I am the one that is misunderstanding it conceptually.
_________________
“Truth, like infinity, is to be forever approached but never reached.” --Jean Ayres (1972)
---avatar cropped from =AimanStudio---
eccerr0r
Watchman

Joined: 01 Jul 2004
Posts: 7252
Location: almost Mile High in the USA

PostPosted: Fri Jul 17, 2015 2:08 am    Post subject:

Yes, unfortunately, if someone knows an account on your endpoint server, you are stuck with that person being able to spoof headers and send mail to anyone there. You don't trust other servers anyway, they could be fabricating headers too - pretty much only the last hop - yours - you can trust, as well as the IP address of that last machine that connected to you. Pretty much the only way to prevent spoofed headers is secure mail (all servers must authenticate with each other) or a whitelist.

Having these would completely break the peer to peer mail system described in the RFC. I'm sure Google, Yahoo, Hotmail, etc. would love to kill all the small mail servers like ours by peering each other and restricting mail to our "insecure" machines, but luckily there are too many out there including businesses.

Then again they are already doing this by trying to make sure that their respective IM services beat out email. The younger population thinks "email" is old and antiquated.

Sigh.
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
papahuhn
l33t

Joined: 06 Sep 2004
Posts: 623

PostPosted: Fri Jul 17, 2015 8:51 pm    Post subject:

NathanZachary, how did you configure submission? Usually, its smtpd_client_restrictions are set to something like "permit_sasl_authenticated,reject". This way, the telnetted mail to abuse@myhost.com wouldn't have been queued.
_________________
Death by snoo-snoo!
NathanZachary
Moderator

Joined: 30 Jan 2007
Posts: 2471
Location: /home/zach

PostPosted: Thu Jul 23, 2015 9:47 pm    Post subject:

@papahuhn,

I have the smtpd_client_restrictions set to:

Code:

submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject


but for amavisd, I have:

Code:

localhost:10025 inet n  -       n       -       25      smtpd
  -o smtpd_client_restrictions=


I would think that makes sense, though.

Cheers,
Nathan Zachary
_________________
“Truth, like infinity, is to be forever approached but never reached.” --Jean Ayres (1972)
---avatar cropped from =AimanStudio---
papahuhn
l33t

Joined: 06 Sep 2004
Posts: 623

PostPosted: Fri Jul 24, 2015 10:14 am    Post subject:

Code:

submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject


I don't get it. Can you set the verbose flag for smtpd, restart, try telnet again and look for "START Client host RESTRICTIONS" in the logs?
_________________
Death by snoo-snoo!
magic919
Advocate

Joined: 17 Jun 2005
Posts: 2182
Location: Berkshire, UK

PostPosted: Tue Aug 11, 2015 8:49 am    Post subject:
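A scripted version of the telnet test from the first post, added here as an example and not part of any post or of Postfix: it records the EHLO keywords and the replies to MAIL FROM and RCPT TO before any AUTH, never sends DATA (so nothing is queued), and reports what the two transcripts above show. Host, port and addresses are assumptions taken from the post; point the live probe only at a server you are authorised to test. One thing it makes explicit: a Postfix listener running with smtpd_tls_security_level=encrypt advertises STARTTLS and answers a cleartext MAIL FROM with "530 5.7.0 Must issue a STARTTLS command first", so an EHLO reply without STARTTLS and a 250 to MAIL FROM, as in the transcript, did not come from an smtpd running with the submission overrides quoted in the reply above. That is the first thing to check, before the recipient restrictions.

```python
"""Scripted version of the manual telnet test (added example, not from the thread or Postfix)."""
import smtplib

# Constructed from the EHLO reply in the second telnet session of the first post.
TRANSCRIPT_EHLO = """\
250-mail.myhost.com
250-PIPELINING
250-SIZE 50000000
250-VRFY
250-ETRN
250-AUTH CRAM-MD5 PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""


def keywords_from_ehlo(reply_text):
    """Return the EHLO keywords from a multi-line 250 reply; line 1 is the host name."""
    keywords = []
    for line in reply_text.splitlines()[1:]:
        if line.startswith("250") and len(line) > 4:
            keywords.append(line[4:].split()[0].upper())
    return keywords


def assess(keywords, mail_code, rcpt_code, local_domain):
    """Turn what the listener said before any AUTH into findings.

    mail_code / rcpt_code are the 3-digit replies to MAIL FROM and RCPT TO.
    A submission listener that enforces TLS and authentication answers 530 to a
    cleartext MAIL FROM and 5xx to an unauthenticated RCPT TO.
    """
    kws = {k.upper() for k in keywords}
    findings = []
    if "STARTTLS" not in kws:
        findings.append("STARTTLS not advertised: smtpd_tls_security_level=encrypt "
                        "is not in effect on this listener")
    if "AUTH" in kws and "STARTTLS" not in kws:
        findings.append("AUTH offered without STARTTLS: with PLAIN or LOGIN the "
                        "password crosses the wire unencrypted")
    if 200 <= mail_code < 300 and 200 <= rcpt_code < 300:
        findings.append(f"unauthenticated RCPT TO a {local_domain} mailbox accepted: "
                        "expected 5xx from permit_sasl_authenticated, reject")
    return findings


def probe(host, port=587, sender="zach@myhost.com", recipient="abuse@myhost.com", timeout=10):
    """Live check (host and addresses are assumed). Sends no DATA, so nothing is queued."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo("probe.invalid")
        keywords = list(smtp.esmtp_features)          # lower-cased keywords from the EHLO reply
        mail_code, _ = smtp.mail(sender)
        if 200 <= mail_code < 300:
            rcpt_code, _ = smtp.rcpt(recipient)
        else:
            rcpt_code = mail_code                     # e.g. 530 before STARTTLS
        smtp.rset()
        return assess(keywords, mail_code, rcpt_code, recipient.rpartition("@")[2])


if __name__ == "__main__":
    for finding in assess(keywords_from_ehlo(TRANSCRIPT_EHLO), 250, 250, "myhost.com"):
        print("transcript:", finding)
    # probe("mail.myhost.com")   # only against a server you may test
```

Run against the transcript it reports all three findings; against a listener that really carries `smtpd_tls_security_level=encrypt` and `permit_sasl_authenticated,reject` it reports none, because MAIL FROM is already refused with 530 in clear.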

Can you not achieve this with smtpd_recipient_restrictions?

Near the top do permit_sasl_authenticated

Lower down do check_sender_access and pop your own domain(s) in there.
gordonb3
Apprentice

Joined: 01 Jul 2015
Posts: 185

PostPosted: Mon Aug 17, 2015 10:39 am    Post subject:
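The ordering magic919 describes, as an added example that is not from the thread or from Postfix itself: a small Python model of how Postfix walks a restriction list (the first OK or REJECT decides, DUNNO falls through, an exhausted list permits), run over the two exchanges from the first post plus the cases that must keep working. The restriction names, the first-match rule and the access(5) lookup order are Postfix's; the sender_access contents, the local domain, the "before" list and the session flags are assumptions, and only the handful of restrictions used here are modelled.

```python
"""Model of Postfix first-match restriction evaluation (added example, not Postfix code)."""
from dataclasses import dataclass


@dataclass
class Session:
    """What smtpd knows when it evaluates the list. With smtpd_delay_reject=yes
    (the default) every restriction is evaluated at RCPT TO time, which is why
    the transcripts show MAIL FROM accepted and only RCPT TO rejected."""
    sender: str
    recipient: str
    sasl_authenticated: bool = False
    in_mynetworks: bool = False


@dataclass
class Config:
    local_domains: set     # mydestination / virtual_mailbox_domains (assumed)
    sender_access: dict    # assumed contents of the check_sender_access table


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def parse_restrictions(value):
    """Split a main.cf 'smtpd_recipient_restrictions = a, b arg, c' value."""
    return [item.strip() for item in value.replace("\n", ",").split(",") if item.strip()]


def lookup_access(table, sender):
    """access(5) lookup order for a sender: full address, then its domain,
    then each parent domain (parent_domain_matches_subdomains default)."""
    sender = sender.lower()
    if sender in table:
        return table[sender]
    dom = domain_of(sender)
    while dom:
        if dom in table:
            return table[dom]
        dom = dom.partition(".")[2]
    return "DUNNO"


def apply_restriction(restriction, cfg, s):
    """One restriction -> OK, REJECT or DUNNO. Only the restrictions used below are modelled."""
    name = restriction.split()[0]   # "check_sender_access hash:/..." -> "check_sender_access"
    if name == "permit_mynetworks":
        return "OK" if s.in_mynetworks else "DUNNO"
    if name == "permit_sasl_authenticated":
        return "OK" if s.sasl_authenticated else "DUNNO"
    if name == "check_sender_access":
        return lookup_access(cfg.sender_access, s.sender)
    if name == "reject_unauth_destination":
        # the anti-relay rule: recipients in domains we are not final destination for are refused
        return "DUNNO" if domain_of(s.recipient) in cfg.local_domains else "REJECT"
    if name == "reject":
        return "REJECT"
    if name == "permit":
        return "OK"
    raise ValueError(f"restriction not modelled: {name}")


def evaluate(restrictions, cfg, s):
    """First OK or REJECT decides; DUNNO moves on; an exhausted list permits."""
    for r in restrictions:
        verdict = apply_restriction(r, cfg, s)
        if verdict != "DUNNO":
            return verdict, r
    return "OK", "(end of list)"


CFG = Config(local_domains={"myhost.com"},
             sender_access={"myhost.com": "REJECT"})   # /etc/postfix/sender_access, assumed

# A common "no open relay" list: stops the gmail.com relay attempt but not a forged local sender.
BEFORE = parse_restrictions("permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination")
# magic919's ordering: authenticated users are permitted first, then local sender domains are refused.
AFTER = parse_restrictions("""
    permit_mynetworks,
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_unauth_destination""")

CASES = {   # the two exchanges from the first post plus the cases that must keep working
    "forged local sender, no AUTH": Session("zach@myhost.com", "abuse@myhost.com"),
    "relay attempt, no AUTH": Session("zach@myhost.com", "someaddress@gmail.com"),
    "local sender, AUTH ok": Session("zach@myhost.com", "someaddress@gmail.com", sasl_authenticated=True),
    "outside sender to local mailbox": Session("someone@example.org", "abuse@myhost.com"),
}


def verdicts(restrictions):
    return {label: evaluate(restrictions, CFG, s)[0] for label, s in CASES.items()}


if __name__ == "__main__":
    for label, s in CASES.items():
        print(f"{label:32} before={evaluate(BEFORE, CFG, s)}  after={evaluate(AFTER, CFG, s)}")
```

Placing check_sender_access after permit_sasl_authenticated (and permit_mynetworks) is what lets authenticated users keep sending as @myhost.com while an anonymous client claiming a local sender is refused; the same table ahead of permit_sasl_authenticated would lock your own users out. The outside-sender case stays OK in both lists: an MX for myhost.com cannot demand authentication from other sites' servers, which is the point eccerr0r and gordonb3 make, so this narrows the anonymous path to senders that are not yours rather than closing it. The 550 "User unknown in virtual mailbox table" in the post comes from smtpd_reject_unlisted_recipient, which Postfix checks independently of this list. Caveat: legitimate mail with a myhost.com envelope sender arriving from outside (forwarders, lists that keep the envelope sender, your users sending through another provider) is refused too; whitelist such sources with check_client_access ahead of the sender check if you have them.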

This is not possible.

Submission is simply a mirror of port 25 to circumvent ISP blocking. Since remote MTAs do not have an account on your domain, no login method is implemented for delivery to the email domain that has been defined as local to the server. Therefore, if you want the server to only accept mail from authenticated users, it must not have any local email domain defined, i.e. it should only relay, preferably through your main MTA that does have the local email domain defined.