1

Topic: send-email-without-smtp-authentication

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.6.2 OPENLDAP edition.
- Deployed with iRedMail Easy or the downloadable installer? downloadable
- Linux/BSD distribution name and version: debian11
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): ldap
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro? yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi, I do not understand, I followed https://docs.iredmail.org/allow.send.without.smtp.auth.html#allow-some-user-to-send-email-without-smtp-authentication

I've replaced X.Y.Z.W with my public IP addresses, and domaine.com is a replacement for my own domain.


file /opt/iredapd/settings.py :
MYNETWORKS = ['10.0.0.0/9', 'X.Y.Z.W/24']
ALLOWED_FORGED_SENDERS = ['uparis1@domaine.com']

file /etc/postfix/sender_access.pcre :
/^uparis1@comaine\.com$/     OK
/^10\./       OK

Then I tested in Thunderbird.

When I try to send an email as uparis1 without auth (but with start_ssl), I get:

Jan 26 15:05:04 vm-deb64-20 postfix/submission/smtpd[2446]: connect from unknown[10.64.1.136]
Jan 26 15:05:04 vm-deb64-20 postfix/submission/smtpd[2446]: Anonymous TLS connection established from unknown[10.64.1.136]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Jan 26 15:05:04 vm-deb64-20 postfix/submission/smtpd[2446]: NOQUEUE: reject: RCPT from unknown[10.64.1.136]: 554 5.7.1 <unknown[10.64.1.136]>: Client host rejected: Access denied; from=<uparis1@domaine.com> to=<lolo@domaine.com> proto=ESMTP helo=<[10.64.1.136]>

With auth and start_ssl it works.

Where is my mistake?


2

Re: send-email-without-smtp-authentication

If you give proper config settings without changing relevant information, I will look into it, but with that much guessing (correct IP/subnet compared to login attempt? correct sender for login mismatch? correct regex?) I don't invest my time into it.

3

Re: send-email-without-smtp-authentication

Cthulhu wrote:

If you give proper config settings without changing relevant information, I will look into it, but with that much guessing (correct IP/subnet compared to login attempt? correct sender for login mismatch? correct regex?) I don't invest my time into it.

ok
more /opt/iredapd/settings.py
....
MYNETWORKS = ['10.0.0.0/9', '193.48.0.0/24']
ALLOWED_FORGED_SENDERS = ['uparis1@ipbs.fr']


more  /etc/postfix/sender_access.pcre
/^uparis1@ipbs\.fr$/     OK
/^10\./       OK

result in syslog  :
Jan 26 15:44:47 vm-deb64-20 postfix/submission/smtpd[4411]: connect from unknown[10.64.1.136]
Jan 26 15:44:47 vm-deb64-20 postfix/submission/smtpd[4411]: Anonymous TLS connection established from unknown[10.64.1.136]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Jan 26 15:44:47 vm-deb64-20 postfix/submission/smtpd[4411]: NOQUEUE: reject: RCPT from unknown[10.64.1.136]: 554 5.7.1 <unknown[10.64.1.136]>: Client host rejected: Access denied; from=<uparis1@ipbs.fr> to=<lolo@ipbs.fr> proto=ESMTP helo=<[10.64.1.136]>

4 (edited by Cthulhu 2023-01-27 00:28:38)

Re: send-email-without-smtp-authentication

Jan 26 15:44:47 vm-deb64-20 postfix/submission/smtpd[4411]: connect from unknown[10.64.1.136]

MYNETWORKS = ['10.0.0.0/9', '193.48.0.0/24']

This does not match. As well, I doubt that you run your VPS at 10.x.x.x since this is reserved for virtual networks, and it would allow ANY user under this network to send as forged, which is a very huge security issue.

Did you restart Postfix after your changes? And why is it necessary for you to send as an unauthenticated sender at all?

Edit:

/^10\./       OK

This regex makes no sense and would allow anything which starts with 10 to bypass.

5

Re: send-email-without-smtp-authentication

Cthulhu wrote:

Jan 26 15:44:47 vm-deb64-20 postfix/submission/smtpd[4411]: connect from unknown[10.64.1.136]

MYNETWORKS = ['10.0.0.0/9', '193.48.0.0/24']

This does not match. As well, I doubt that you run your VPS at 10.x.x.x since this is reserved for virtual networks, and it would allow ANY user under this network to send as forged, which is a very huge security issue.


My internal net is a subnet of A class 10., and 10.0.0.0/9 is 10.0.0.1 to 10.127.254.254 (my LAN); 193.48.0.0/24 is my C class outside network (my WAN; I use PAT/NAT from LAN to WAN), so I don't think it is a mistake, or did I misunderstand the parameters?


Did you restart Postfix after your changes? And why is it necessary for you to send as an unauthenticated sender at all?

Why not? :-} More seriously, because some machine makers use microcode to send mail, but think that we are still in 1995.

I even rebooted because I don't know how to restart iredapd.


Edit:

/^10\./       OK

This regex makes no sense and would allow anything which starts with 10 to bypass.

Yes, network addresses in 10.0.0.0/9 always begin with "10."

6

Re: send-email-without-smtp-authentication

The "submission" service is configured in /etc/postfix/master.cf to allow only authenticated users, like below:

submission inet n       -       n       -       -       smtpd
    ...
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    ...

If you want to bypass internal networks, insert the rule "permit_mynetworks" and list your trusted IP addresses/networks in the "mynetworks" parameter in /etc/postfix/main.cf:

submission inet n       -       n       -       -       smtpd
    ...
    -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
    ...
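
The two master.cf lines above, as an added example that is not part of the original thread and is not Postfix or iRedMail code: a simplified Python model of first-match evaluation of smtpd_client_restrictions, applied to the reject line from post 3, plus a count of how many addresses each mynetworks choice would let skip SMTP AUTH. The function names, the mynetworks values (the thread's ranges, assumed to be copied into main.cf) and the /32 entry are assumptions made for illustration.

```python
import ipaddress
import re

# Reject line copied from the thread (post 3).
REJECT_LINE = (
    "Jan 26 15:44:47 vm-deb64-20 postfix/submission/smtpd[4411]: NOQUEUE: "
    "reject: RCPT from unknown[10.64.1.136]: 554 5.7.1 <unknown[10.64.1.136]>: "
    "Client host rejected: Access denied; from=<uparis1@ipbs.fr> "
    "to=<lolo@ipbs.fr> proto=ESMTP helo=<[10.64.1.136]>"
)
LOG_RE = re.compile(
    r"postfix/(?P<service>[\w-]+)/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"\S*\[(?P<client>[0-9a-fA-F.:]+)\]: (?P<code>\d{3}) "
)

def parse_reject(line):
    """Return (service, client IP, SMTP code) from a NOQUEUE reject line."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not a recognised smtpd reject line")
    return m["service"], ipaddress.ip_address(m["client"]), m["code"]

def evaluate(restrictions, client_ip, mynetworks, sasl_authenticated):
    """Simplified model: the first restriction that decides wins.
    Only the three restrictions shown in the thread are modelled."""
    nets = [ipaddress.ip_network(n) for n in mynetworks]
    for rule in (r.strip() for r in restrictions.split(",")):
        if rule == "permit_mynetworks" and any(client_ip in n for n in nets):
            return "permit", rule
        if rule == "permit_sasl_authenticated" and sasl_authenticated:
            return "permit", rule
        if rule == "reject":
            return "reject", rule
    return "dunno", None

def trusted_addresses(mynetworks):
    """Number of addresses that permit_mynetworks would let skip SMTP AUTH."""
    return sum(ipaddress.ip_network(n).num_addresses for n in mynetworks)

if __name__ == "__main__":
    service, client, code = parse_reject(REJECT_LINE)
    wide = ["10.0.0.0/9", "193.48.0.0/24"]   # assumed mynetworks (thread's ranges)
    narrow = ["10.64.1.136/32"]              # constructed: only the sending device
    stock = "permit_sasl_authenticated,reject"
    changed = "permit_mynetworks,permit_sasl_authenticated,reject"
    print(service, client, code)
    print("stock  :", evaluate(stock, client, wide, False))
    print("changed:", evaluate(changed, client, wide, False))
    print("narrow :", evaluate(changed, client, narrow, False),
          trusted_addresses(wide), "vs", trusted_addresses(narrow))
```

Listing only the device that cannot authenticate keeps every other host on the LAN subject to permit_sasl_authenticated on the submission port.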