1

Topic: External users/bot can perform user impersonation

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.3.2 MARIADB edition
- Deployed with iRedMail Easy or the downloadable installer? downloadable installer
- Linux/BSD distribution name and version: Debian 10 Buster
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? no
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi,

I've noticed that external users/IPs (not present in mynetworks section) can impersonate and send emails without authentication to the email addresses hosted on iRedMail.
To give you an example:

Return-Path: <user@mydomain.tld>
Delivered-To: user@mydomain.tld
Received: from mail2.mydomain.tld (localhost [127.0.0.1])
    by mail2.mydomain.tld (Postfix) with ESMTP id 4FSwc93VpJzxRF
    for <user@mydomain.tld>; Sun, 25 Apr 2021 19:53:13 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at mail2.mydomain.tld
Received: from mail2.mydomain.tld ([127.0.0.1])
    by mail2.mydomain.tld (mail2.mydomain.tld [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 6qB-P4iqHdXg for <user@mydomain.tld>;
    Sun, 25 Apr 2021 19:53:08 +0200 (CEST)
Received: from test.com (93-41-xxx-xxx.ip82.fastwebnet.it [93.41.xxx.xxx])
    by mail2.mydomain.tld (Postfix) with SMTP id 4FSwbv2jPMzxRD
    for <user@mydomain.tld>; Sun, 25 Apr 2021 19:52:48 +0200 (CEST)
Message-Id: <4FSwc93VpJzxRF@mail2.mydomain.tld>
Date: Sun, 25 Apr 2021 19:53:13 +0200 (CEST)
From: user@mydomain.tld

I know this is a postfix behavior that accepts emails from the same domain without authentication but I noticed that sometimes I receive spam or scam email by using that method.

I have resolved this problem by adding "reject_unauth_destination" under "smtpd_sender_restrictions" like this:

# Sender restrictions
smtpd_sender_restrictions =
    reject_non_fqdn_sender
    reject_unlisted_sender
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination
    check_sender_access pcre:/etc/postfix/sender_access.pcre
    reject_unknown_sender_domain

Everything seems to be working fine but I'm not sure if this option can cause any other unexpected problem

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2

Re: External users/bot can perform user impersonation

dark-vex wrote:

I have resolved this problem by adding "reject_unauth_destination" under "smtpd_sender_restrictions" like this:

Are you sure this fix the issue?

Postfix checks the sender/recipient address specified in smtp directive "MAIL FROM:" and "RCPT TO:", not the ones in mail headers.

3

Re: External users/bot can perform user impersonation

Zhang you might be right and I think somehow I'm got blind because worked in the first attempt. sad

It seems I'm getting inconsistent results during each attempt.

- After the restart of postfix

[daniele@ddl ~]$ openssl s_client -starttls smtp -connect mail2.mydomain.tld:25
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3460 bytes and written 450 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
---
250 CHUNKING

helo mail.anotherdomain.eu

250 mail2.mydomain.tld

mail from: d.test@mydomain.tld

250 2.1.0 Ok
rcpt to: d.test@mydomain.tld

554 5.7.1 <d.test@mydomain.tld>: Sender address rejected: Access denied
quit

221 2.0.0 Bye
closed

- All the other attempt

[daniele@ddl ~]$ openssl s_client -starttls smtp -connect mail2.mydomain.tld:25
---
250 CHUNKING

helo mail.anotherdomain.eu

250 mail2.mydomain.tld

mail from: d.test@mydomain.tld
250 2.1.0 Ok

rcpt to: d.test@mydomain.tld
250 2.1.5 Ok

data
354 End data with <CR><LF>.<CR><LF>
test
.

250 2.0.0 Ok: queued as 4FcBs44FTPzxTp
quit

221 2.0.0 Bye
closed

Apologies for that!

4

Re: External users/bot can perform user impersonation

Ok I've deleted that parameter and I did something different..
Since there is already "check_sender_access pcre:/etc/postfix/sender_access.pcre" I've added inside "sender_access.pcre" file:

/^(.*)@mydomain.(net|com)/ 550 Method not Allowed by a local policy

In order to fully test it and avoid unexpected delivery problems I placed temporary "warn_if_reject" in front of "check_sender_access" which will log a warning.