1 Topic by Dominique

  • Dominique
  • Member
  • Offline
  • Registered: 2014-01-09
  • Posts: 98

Topic: Throttling not working when sending from fake email address

======== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.8.6
- Linux/BSD distribution name and version: CentOS 6
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx):Apache
- Manage mail accounts with iRedAdmin-Pro? Yes
- Related log if you're reporting an issue:
====

A customer's email account got hacked (or he gave it to someone through phishing).  I do limit every account to only be able to send x emails per 24 hours so it shouldn't really be a problem.

But... when they (the hackers) send email through my server using the hacked account but configure their email client so the emails are sent from a non-existing address in that domain, the server just accepts the email and sends it out, while Cluebringer is not even tracking it, as not linked to an account.

The easiest solution I can think of is to only allow people to send emails using the address they connect with as the sender, but I don't know how to configure that.

Any other solution to prevent my server from potentially sending out millions of emails because one of the customers got hacked would be very welcome smile

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,165

Re: Throttling not working when sending from fake email address

*) Do you have 'reject_sender_login_mismatch' enabled in Postfix 'smtpd_sender_restrictions'?
*) Did you upgrade iRedAPD to iRedAPD-1.6.0 and enable 'reject_null_sender' plugin?

Show us output of command 'postconf -n' please.

3 Reply by Dominique

  • Dominique
  • Member
  • Offline
  • Registered: 2014-01-09
  • Posts: 98

Re: Throttling not working when sending from fake email address

I had to disable 'reject_sender_login_mismatch' because I have quite a few customers with form mailers on their website and with that restriction it was impossible to get mail delivered coming from an address hosted on that server.  The only solution there would be to change all form mailers so the originating address is something not on that server.

I will be upgrading to the latest versions of everything (on a new machine) very soon so I'll gladly wait till that is done before worrying about this any further.

This is my postconf -n:

alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
allow_percent_hack = no
biff = no
bounce_queue_lifetime = 4h
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
delay_warning_time = 0h
disable_vrfy_command = yes
enable_original_recipient = no
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailbox_command = /usr/libexec/dovecot/deliver
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_backoff_time = 4000s
maximal_queue_lifetime = 4h
message_size_limit = 26214400
minimal_backoff_time = 300s
mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname
mydomain = ip.secureserver
myhostname = xxxxxxxxxxxxxxxxxxxxxx
mynetworks = 127.0.0.0/8, xx.xx.xx.xx/24
mynetworks_style = host
myorigin = xxxxxxxxxxxxxxxxxxx
newaliases_path = /usr/bin/newaliases.postfix
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
queue_directory = /var/spool/postfix
queue_run_delay = 300s
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination, proxy:mysql:/etc/postfix/mysql/relay_domains.cf
relayhost = [n1smtpout.europe.secureserver.net]
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
sender_dependent_relayhost_maps = hash:/etc/postfix/relayhost_maps
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl-passwords
smtp_sasl_security_options = noanonymous
smtp_sender_dependent_authentication = yes
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain = 
smtpd_sasl_path = ./dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_tls_CAfile = /etc/pki/tls/certs/2015/combined.crt
smtpd_tls_cert_file = /etc/pki/tls/certs/2015/yyyyyyyyyyy.crt
smtpd_tls_key_file = /etc/pki/tls/certs/2015/yyyyyyyyyyyyy.key
smtpd_tls_loglevel = 0
smtpd_tls_security_level = may
swap_bangpath = no
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf, proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
unknown_local_recipient_reject_code = 550
virtual_alias_domains = 
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/catchall_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = dovecot
virtual_uid_maps = static:2000

4 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,165

Re: Throttling not working when sending from fake email address

This becomes mission impossible if some user's password was leaked/hacked, because you cannot avoid sender login mismatch.

The only solution is: force all your users to use a STRONG password which is not easy to be cracked. Weak password is the weakest part of a mail server.

5 Reply by Dominique

  • Dominique
  • Member
  • Offline
  • Registered: 2014-01-09
  • Posts: 98

Re: Throttling not working when sending from fake email address

I replaced 'reject_sender_login_mismatch' with 'reject_authenticated_sender_login_mismatch' as the Postfix default is too restrictive in real world situations.  It makes the use of form mailers impossible and also prevents anyone from using the mailserver using a different SMTP server than iRedMail.

Some ISPs even block port 25 to force people to use theirs; so those users would have no way of ever sending emails to a colleague (within the same domain).

ZhangHuangbin wrote:

Weak password is the weakest part of a mail server.

I think that phishing is a whole lot easier than brute-force attacking an email account, especially since you have fail2ban running by default.  Would they even still bother knowing that people are so gullible?