1 Topic by timmy

  • timmy
  • Member
  • Offline
  • Registered: 2014-01-09
  • Posts: 13

Topic: bypassed all security and checks /fake authenticated

==== Required information ====
- iRedMail version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Linux/BSD distribution name and version:
- Related log if you're reporting an issue:
======== Required information ====
- iRedMail version: 0.8.6
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  mysql pro
- Linux/BSD distribution name and version: debian
- Related log if you're reporting an issue:
====

One of our clients received a scam paypal email today, with a from email address as our mail server. This worried me because, you should need to authenticate to send emails from our mail servers domain name (its setup within iredmail).

After some digging I found in the mail log it says
cbpolicyd[4586]: module=Greylisting, action=pass, host=195.228.238.70, helo=mail.naturalmeat.hu, from=service@naturalmeat.hu, to=client@CLIENTS-DOMAIN.co.uk, reason=authenticated

So it does believe its authenticated (full log bellow). But they  have not authenticated!

I then had the email forwarded to me from the client and I see in the headers they are spoofing from Received From headers before the email is sent from them to us.. basically they make it look like it was received from localhost on our server, and then sent to their server and then back to our server. See full headers bellow.

I believe the checks are blindly using these fake headers as a sign that the email came from localhost! and therefore authenticated?

mail.log:
-------------------------------

May 28 19:42:24 mx1 postfix/smtpd[22274]: connect from mail.naturalmeat.hu[195.228.238.70]
May 28 19:42:24 mx1 cbpolicyd[4586]: module=Greylisting, action=pass, host=195.228.238.70, helo=mail.naturalmeat.hu, from=service@naturalmeat.hu, to=client@CLIENTS-DOMAIN.co.uk, reason=authenticated
May 28 19:42:24 mx1 postfix/smtpd[22274]: DF7C81AB2001: client=mail.naturalmeat.hu[195.228.238.70]
May 28 19:42:25 mx1 postfix/cleanup[23207]: DF7C81AB2001: message-id=<01cf7aa3$Blat.v3.1.1$b6fb7d91$14d86a0cd947@naturalmeat.hu>
May 28 19:42:26 mx1 postfix/qmgr[2933]: DF7C81AB2001: from=<Service@naturalmeat.hu>, size=6360, nrcpt=1 (queue active)
May 28 19:42:26 mx1 postfix/smtpd[22274]: disconnect from mail.naturalmeat.hu[195.228.238.70]
May 28 19:42:29 mx1 postfix/smtpd[23212]: connect from mx1.OUR-MAIL-SERVER.co.uk[127.0.0.1]
May 28 19:42:29 mx1 postfix/smtpd[23212]: 216861AB2005: client=mx1.OUR-MAIL-SERVER.co.uk[127.0.0.1]
May 28 19:42:29 mx1 postfix/cleanup[23207]: 216861AB2005: message-id=<01cf7aa3$Blat.v3.1.1$b6fb7d91$14d86a0cd947@naturalmeat.hu>
May 28 19:42:29 mx1 postfix/qmgr[2933]: 216861AB2005: from=<Service@naturalmeat.hu>, size=6866, nrcpt=1 (queue active)
May 28 19:42:29 mx1 postfix/smtpd[23212]: disconnect from mx1.OUR-MAIL-SERVER.co.uk[127.0.0.1]
May 28 19:42:29 mx1 amavis[22638]: (22638-04) Passed CLEAN {RelayedOutbound}, LOCAL [195.228.238.70]:59269 [84.113.77.177] <Service@naturalmeat.hu> -> <client@CLIENTS-DOMAIN.co.uk>, Queue-ID: DF7C81AB2001, Message-ID: <01cf7aa3$Bla$
May 28 19:42:29 mx1 postfix/smtp[23209]: DF7C81AB2001: to=<client@CLIENTS-DOMAIN.co.uk>, relay=127.0.0.1[127.0.0.1]:10024, delay=4.3, delays=1.2/0/0/3.1, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0$
May 28 19:42:29 mx1 postfix/qmgr[2933]: DF7C81AB2001: removed
May 28 19:42:29 mx1 postfix/pipe[23213]: 216861AB2005: to=<client@CLIENTS-DOMAIN.co.uk>, relay=dovecot, delay=0.22, delays=0/0.01/0/0.21, dsn=2.0.0, status=sent (delivered via dovecot service)
May 28 19:42:29 mx1 postfix/qmgr[2933]: 216861AB2005: removed

--------------------------------
Email headers:

Received: from mail.naturalmeat.hu (mail.naturalmeat.hu [195.228.238.70])
    by mx1.OUR-MAIL-SERVER.co.uk (Postfix) with ESMTP id DF7C81AB2001
    for <client@CLIENTS-DOMAIN.co.uk>; Wed, 28 May 2014 19:42:24 +0100 (BST)
Received: from mx1.OUR-MAIL-SERVER.co.uk ([127.0.0.1])
    by localhost (mx1.OUR-MAIL-SERVER.co.uk [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id f_XvpZhCpmAg for <client@CLIENTS-DOMAIN.co.uk>;
    Wed, 28 May 2014 19:42:26 +0100 (BST)
Received: from localhost (mx1.OUR-MAIL-SERVER.co.uk [127.0.0.1])
    by mx1.OUR-MAIL-SERVER.co.uk (Postfix) with ESMTP id 216861AB2005
    for <client@CLIENTS-DOMAIN.co.uk>; Wed, 28 May 2014 19:42:29 +0100 (BST)
Received: from n-tul-dru-4131 (84-113-77-177.dynamic.surfer.at [84.113.77.177])
    (Authenticated sender: janos.seres)
    by mail.naturalmeat.hu (Postfix) with ESMTPA id 8ADB429023
    for <client@CLIENTS-DOMAIN.co.uk>; Wed, 28 May 2014 20:36:06 +0200 (CEST)
Received: from mail.naturalmeat.hu ([127.0.0.1])
    by localhost (mail.naturalmeat.hu [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id LKxffa1OsLEI for <client@CLIENTS-DOMAIN.co.uk>;
    Wed, 28 May 2014 20:36:06 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
    by mail.naturalmeat.hu (Postfix) with ESMTP id CD43829037
    for <client@CLIENTS-DOMAIN.co.uk>; Wed, 28 May 2014 20:36:06 +0200 (CEST)
Return-Path: <Service@naturalmeat.hu>
From: "Service PayPal" <janos.seres@mx1.OUR-MAIL-SERVER.co.uk>
To: <client@CLIENTS-DOMAIN.co.uk>
Subject: View your settings online today
Date: Wed, 28 May 2014 19:36:16 +0100
Message-ID: <01cf7aa3$Blat.v3.1.1$b6fb7d91$14d86a0cd947@naturalmeat.hu>
MIME-Version: 1.0
Content-Type: multipart/alternative;
    boundary="----=_NextPart_000_007C_01CF7B42.50D24810"
X-Priority: 1 (Highest)
X-MSMail-Priority: High
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Ac96pJPN8UfGc+LgRpW4FIp36ADlbw==
Importance: High

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,094

Re: bypassed all security and checks /fake authenticated

timmy wrote:

After some digging I found in the mail log it says
cbpolicyd[4586]: module=Greylisting, action=pass, host=195.228.238.70, helo=mail.naturalmeat.hu, from=service@naturalmeat.hu, to=client@CLIENTS-DOMAIN.co.uk, reason=authenticated
So it does believe its authenticated (full log bellow). But they  have not authenticated!

It means this sender/client/sender server bypass the greylisting, not SMTP authentication.

timmy wrote:

From: "Service PayPal" <janos.seres@mx1.OUR-MAIL-SERVER.co.uk>

It forges the sender to 'user@[your_mail_server_hostname]'. Could you please show us output of command "postconf -n"?

3 Reply by timmy

  • timmy
  • Member
  • Offline
  • Registered: 2014-01-09
  • Posts: 13

Re: bypassed all security and checks /fake authenticated

Thanks for the reply, ok so if it was just greylisting that was bypassed.. then how did the mail get delivered?

Note I have the domain mx1.OUR-MAIL-SERVER.co.uk setup with email accounts so unauthenticated users should not be able to send from this address.

# postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
allow_percent_hack = no
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 4h
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
delay_warning_time = 0h
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_original_recipient = no
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = ipv4
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 60000000
maximal_backoff_time = 4000s
maximal_queue_lifetime = 4h
message_size_limit = 52428800
minimal_backoff_time = 300s
mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname
mydomain = OUR-MAIL-SERVER.co.uk
myhostname = mx1.OUR-MAIL-SERVER.co.uk
mynetworks = 127.0.0.0/8,83.x.x.0/22
mynetworks_style = host
myorigin = mx1.OUR-MAIL-SERVER.co.uk
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
queue_run_delay = 300s
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination, proxy:mysql:/etc/postfix/mysql/relay_domains.cf
relayhost =
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
smtp-amavis_destination_recipient_limit = 1
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtp_tls_CAfile = $smtpd_tls_CAfile
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain =
smtpd_sasl_path = ./dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_sender_restrictions = permit_mynetworks, reject_unauthenticated_sender_login_mismatch, permit_sasl_authenticated
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail_CA.pem
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail_CA.pem
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_tls_loglevel = 0
smtpd_tls_security_level = may
swap_bangpath = no
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf, proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/catchall_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = dovecot
virtual_uid_maps = static:2000

4 Reply by timmy

  • timmy
  • Member
  • Offline
  • Registered: 2014-01-09
  • Posts: 13

Re: bypassed all security and checks /fake authenticated

any ideas?

5 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,094

Re: bypassed all security and checks /fake authenticated

No idea yet, need more log. Maybe login to server remotely to debug is better.

timmy wrote:

smtpd_sender_restrictions = permit_mynetworks, reject_unauthenticated_sender_login_mismatch, permit_sasl_authenticated

You have "reject_unauthenticated_sender_login_mismatch", is it possible that a authenticated smtp user forged this email? Maybe some mail account was cracked (weak password)?

6 Reply by timmy

  • timmy
  • Member
  • Offline
  • Registered: 2014-01-09
  • Posts: 13

Re: bypassed all security and checks /fake authenticated

Hi,

That was my first concern. They were not logged in - you can see that in the log above there is no auth between the connect and disconnect. I have also double checked other ways.

After quite a bit of testing an recreating, I realise I think the fake "received from" headers were just throwing me off.. Its even more simple to fool the server. All you have to do is pass any (non local to my server) address in the "MAIL FROM: " SMTP command in the initial negotiations, then after the "DATA" SMTP command, in the headers, put "From: anyone@mydomain.com"

The server then doesn't seem to care that they originally said the email was from someone else and now is from a local user. It doesn't require them to authenticate and it skips SPF checks (maybe other than the original MAIL FROM domain name).

How can this be patched / fixed?

I simple PHP script to simulate this:

<?php

$subject = 'test email 1';
$body = 'This is a test mail';

$to = 'client@CLIENTS-DOMAIN.co.uk';
$from = 'server@mx1.OUR-MAIL-SERVER.co.uk'; //note this address is on our server so should require auth to send from here

$headers = 'From: '.$from;

//note this one will be rejected because I havent authenticated and trying to send from mx1.OUR-MAIL-SERVER.co.uk
mail( $to, $subject, $body, $headers , '-f '.$from );


//note this one will get through because im sending a fake from address BUT still sending the header From: server@mx1.OUR-MAIL-SERVER.co.uk so will look like from us!
$subject = 'test email 2';
$fakeFrom = 'dfsdfsd@naturalmeat.hu';

mail( $to, $subject, $body, $headers , '-f '.$fakeFrom );

7 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,094

Re: bypassed all security and checks /fake authenticated

Did you test it on server (127.0.0.1)?

8 Reply by timmy

  • timmy
  • Member
  • Offline
  • Registered: 2014-01-09
  • Posts: 13

Re: bypassed all security and checks /fake authenticated

no, from an external server.

9 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,094

Re: bypassed all security and checks /fake authenticated

With default iRedMail settings, sender is forced to perform SMTP authentication for sending email, except you list sender IP address in Postfix parameter "mynetworks".

Could you please show us FULL, original log of your testing?

10 Reply by timmy

  • timmy
  • Member
  • Offline
  • Registered: 2014-01-09
  • Posts: 13

Re: bypassed all security and checks /fake authenticated

I dont know why you dont just use the script I provided, but sure. How should I get a "FULL" log ? I thought I gave a full log of the previous one so I may have not understood what I need to do.

You do make it very hard to submit bugs. I dont think you even ever released a fix for the last one I sent, but there you go

11 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,094

Re: bypassed all security and checks /fake authenticated

timmy wrote:

I dont know why you dont just use the script I provided

Your PHP script doesn't even specify a mail server, so it will use local MTA, which means it's 127.0.0.1 (localhost), but you insist on you tested it on an external server. A local generated mail doesn't apply restriction rules like mail submitted from remote mail client application (Outlook, Thunderbird, etc). I don't think it helps.

timmy wrote:

How should I get a "FULL" log ? I thought I gave a full log of the previous one so I may have not understood what I need to do.

I need the FULL log of your new TESTING -- log generated by Postfix while you testing this issue with your PHP script.

12 Reply by srd2010

  • srd2010
  • Member
  • Offline
  • Registered: 2013-08-06
  • Posts: 37

Re: bypassed all security and checks /fake authenticated

Just wanted to drop a line and report, that we are experiencing the same problems as mentioned by timmy.
We are investigating on the topic as well, but have no real conclusion so far.

13 Reply by timmy

  • timmy
  • Member
  • Offline
  • Registered: 2014-01-09
  • Posts: 13

Re: bypassed all security and checks /fake authenticated

Zhang, I dont specify a mail server yes. Thats what you do. You dont need to specify a mail server. It will use the local MTA to send the mail yes... BUT I'm running the script on an eternal server, so yes that server sends from its local MTA, which sends the mail to the correct MX - which is my mail server.

I dont know how to do what your asking for, please explain. I have provided the log from /var/log/mail.log please let me know they steps you want me to do and ill happily oblige.

Like I said if you want to test this your self, just run my php script from any external server you have and send the mail to email which is on a iredmail email server on another machine.

The sending machine needs to be configured correctly - iredmail still performs its basic pre checks like checking the sender identifies itself with a valid domain name etc

14 Reply by samym

  • samym
  • Member
  • Offline
  • Registered: 2014-08-13
  • Posts: 1

Re: bypassed all security and checks /fake authenticated

Zhang, timmy and srd2010 - I appear to be experiencing the same problem as you reported.

I don't see any updates to this in the forum, did this get resolved?

Thanks!