1 Topic by ng

  • ng
  • Member
  • Offline
  • Registered: 2015-08-31
  • Posts: 8

Topic: Postfix acting like a open relay for local domains

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.1 >> 0.9.2
- Linux/BSD distribution name and version: Debian 7.8
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? Yes
====

Hi to all!
As posted here, I'm having a problem where anyone can send mail to my virtual users acting as anyone but a mailbox user.

Anyone have an idea how to solve this?

NOTE: smtpd_helo_restrictions now is: permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname

Thank you all!

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,088

Re: Postfix acting like a open relay for local domains

With default iRedMail settings, this issue won't happen at all, you changed too many restriction rules in Postfix.

Default settings in /etc/postfix/main.cf:

smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf

smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre

smtpd_recipient_restrictions = reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

smtpd_sender_restrictions = reject_unknown_sender_domain, reject_non_fqdn_sender, reject_unlisted_sender, permit_sasl_authenticated, permit_mynetworks

3 Reply by ng (edited by ng 2015-08-31 21:56:31)

  • ng
  • Member
  • Offline
  • Registered: 2015-08-31
  • Posts: 8

Re: Postfix acting like a open relay for local domains

EDIT: Actualy with stock settings the issue still persist

This is the script i'm using for testing:

<?php
require 'PHPMailer/PHPMailerAutoload.php';

$mail = new PHPMailer;

//$mail->SMTPDebug = 3;                               // Enable verbose debug output

$mail->isSMTP();                                      // Set mailer to use SMTP
$mail->Host = 'myEmailServer.com';  // Specify main and backup SMTP servers
$mail->SMTPAuth = false;                               // Enable SMTP authentication
$mail->SMTPSecure = 'tls';                            // Enable TLS encryption, `ssl` also accepted
$mail->Port = 25;                                    // TCP port to connect to
$mail->Hostname = 'anyValidhostname.com';

$mail->From = 'aNonMailboxUser@anyExistingDomain.com';
$mail->FromName = 'Mailer';
$mail->addAddress('anyuserin@mydomain.com', 'NAME');     // Add a recipient

$mail->isHTML(true);                                  // Set email format to HTML

$mail->Subject = 'TEST SUBJECT';
$mail->Body    = 'This is the HTML message body <b>in bold!</b>';
$mail->AltBody = 'This is the body in plain text for non-HTML mail clients';

if(!$mail->send()) {
    echo 'Message could not be sent.';
    echo 'Mailer Error: ' . $mail->ErrorInfo;
} else {
    echo 'Message has been sent';
}

--------------------
Thank you, i will test stock settings.

If it's a short answer, for learning purpose can you tell me what can cause the problem i've described?

Thank you

4 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,088

Re: Postfix acting like a open relay for local domains

ng wrote:

If it's a short answer, for learning purpose can you tell me what can cause the problem i've described?

Just use iRedMail default settings.

5 Reply by ng

  • ng
  • Member
  • Offline
  • Registered: 2015-08-31
  • Posts: 8

Re: Postfix acting like a open relay for local domains

ZhangHuangbin wrote:
ng wrote:

If it's a short answer, for learning purpose can you tell me what can cause the problem i've described?

Just use iRedMail default settings.

as reported, the issue exist also with iredmail default setting. The only thing i've changed in main.cf are the rules that you have post me back (replaced with the originals and restarted postfix before re-testing)

6 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,088

Re: Postfix acting like a open relay for local domains

With below setting, your script didn't perform smtp authentication, so it actually acts like a MTA (mail server), that's why your server accepts emails from different senders:

'$mail->SMTPAuth = false;                               // Enable SMTP authentication

I suggest you compare your Postfix settings and default iRedMail settings posted above, then check Postfix manual page to under what these restriction rules are used for:
http://www.postfix.org/postconf.5.html

If you want to change some settings, please make sure you clearly understand what it impacts.

7 Reply by ng (edited by ng 2015-08-31 22:41:24)

  • ng
  • Member
  • Offline
  • Registered: 2015-08-31
  • Posts: 8

Re: Postfix acting like a open relay for local domains

ZhangHuangbin wrote:

With below setting, your script didn't perform smtp authentication, so it actually acts like a MTA (mail server), that's why your server accepts emails from different senders:

'$mail->SMTPAuth = false;                               // Enable SMTP authentication

I suggest you compare your Postfix settings and default iRedMail settings posted above, then check Postfix manual page to under what these restriction rules are used for:
http://www.postfix.org/postconf.5.html

If you want to change some settings, please make sure you clearly understand what it impacts.

Now iredmail is running on all-stock-settings, i know the AUTH is set to off, is set off on purpose.
I am receiving a lot of spam because of this problem, i can rewrite my question as:

It's possibile to block access to the relay for all unauthenticated user on postfix 2.96? So it's possibile to receive email but send only if authenticated (I can't upgrade postfix ATM because of maintenance on backup server, after the upgrade i think i can solve the problem with smtpd_relay_restrictions)

Thank you

8 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,088

Re: Postfix acting like a open relay for local domains

You didn't get my point.

If you don't perform smtp auth, you are considered as another MTA (mail server), so the communication between your  iRedMail server and your script is actually communication between 2 MTAs. In this case, your iRedMail server just verify whether recipient exists, it doesn't verify sender on localhost. This is not an open relay, it's just a normal SMTP session.

With default iRedMail settings, all local users are forced to perform smtp auth for sending emails.

9 Reply by ng (edited by ng 2015-08-31 23:13:13)

  • ng
  • Member
  • Offline
  • Registered: 2015-08-31
  • Posts: 8

Re: Postfix acting like a open relay for local domains

ZhangHuangbin wrote:

You didn't get my point.

If you don't perform smtp auth, you are considered as another MTA (mail server), so the communication between your  iRedMail server and your script is actually communication between 2 MTAs. In this case, your iRedMail server just verify whether recipient exists, it doesn't verify sender on localhost. This is not an open relay, it's just a normal SMTP session.

With default iRedMail settings, all local users are forced to perform smtp auth for sending emails.

Look, this is my main.cf 

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
smtpd_tls_key_file = /etc/ssl/private/iRedMail.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache


# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = email.mydomain.domain
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/postfix/aliases
myorigin = email.mydomain.domain
mydestination = $myhostname, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.1
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
virtual_alias_domains =
mydomain = email.mydomain.domain
allow_percent_hack = no
swap_bangpath = no
mynetworks_style = host
smtpd_data_restrictions = reject_unauth_pipelining
#smtpd_sasl_exceptions_networks = 217.220.34.18
smtpd_sasl_exceptions_networks =
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_tls_protocols = !SSLv2 !SSLv3
smtp_tls_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_security_level = may
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_loglevel = 0
smtp_tls_note_starttls_offer = yes


delay_warning_time = 0h
maximal_queue_lifetime = 4h
bounce_queue_lifetime = 4h
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtpd_helo_required = yes
# smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, check_helo_access pcre:/etc/postfix/helo_access.pcre
queue_run_delay = 300s
minimal_backoff_time = 300s
maximal_backoff_time = 4000s
enable_original_recipient = no
disable_vrfy_command = yes
home_mailbox = Maildir/
allow_min_user = no
message_size_limit = 15728640
virtual_minimum_uid = 2000
virtual_uid_maps = static:2000
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail
transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf, proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql/virtual_mailbox_maps.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_maps.cf, proxy:mysql:/etc/postfix/mysql/catchall_maps.cf, proxy:mysql:/etc/postfix/mysql/domain_alias_catchall_maps.cf
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/sender_bcc_maps_domain.cf
recipient_bcc_maps = proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_user.cf, proxy:mysql:/etc/postfix/mysql/recipient_bcc_maps_domain.cf
relay_domains = $mydestination, proxy:mysql:/etc/postfix/mysql/relay_domains.cf
#smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_sasl_tls_security_options = noanonymous

smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031,
smtpd_tls_security_level = may
smtpd_tls_loglevel = 0
smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt
tls_random_source = dev:/dev/urandom
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/dovecot-auth
content_filter = smtp-amavis:[127.0.0.1]:10024
smtp-amavis_destination_recipient_limit = 1

#smtpd_client_restrictions =  permit_sasl_authenticated, permit_mynetworks
#smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname
#smtpd_sender_restrictions = permit_sasl_authenticated, reject_sender_login_mismatch, reject_unknown_sender_domain, reject_non_fqdn_sender, reject_unlisted_sender, reject_unauth_destination, permit_mynetworks
#smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination

smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf

smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre

smtpd_recipient_restrictions = reject_unknown_recipient_domain, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

smtpd_sender_restrictions = reject_unknown_sender_domain, reject_non_fqdn_sender, reject_unlisted_sender, permit_sasl_authenticated, permit_mynetworks

I've understood that is a MTA communication, but in this case it isn't an MTA speaking to himself?

The script for sending email is run on another machine, my preoccupation is that one of my user could fall in scam.

I'm not defining my server an total open relay, but anyone could send an fake email from anything to one of my user an try to scam, is there a solution for this problem?

Thank you for your time

10 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,088

Re: Postfix acting like a open relay for local domains

The restriction rules defined in smtpd_*_restrictions are used to detect spam...

11 Reply by ng

  • ng
  • Member
  • Offline
  • Registered: 2015-08-31
  • Posts: 8

Re: Postfix acting like a open relay for local domains

ZhangHuangbin wrote:

The restriction rules defined in smtpd_*_restrictions are used to detect spam...

I'll remake my question:
It's possible to disallow people to use my MTA to send out email, unless they are authenticated?

In the actual stage i can easly fake an email claiming to be another one:
- without even authenticating on MY server
- using any email in MAIL FROM: except for mailbox (not alias) in my database
- using any of my user in RCPT TO:

...and i'm willing to forbid that.

thank you

12 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,088

Re: Postfix acting like a open relay for local domains

ng wrote:

It's possible to disallow people to use my MTA to send out email, unless they are authenticated?

Again, default iRedMail settings is ok for you.

ng wrote:

In the actual stage i can easly fake an email claiming to be another one:

You still didn't get my point.

Of course you can fake sender address (From:) with your script, but your iRedMail server only accepts emails sent to existing local recipients. I repeat, without smtp authentication, your script acts as a MTA, not a client.

13 Reply by ng

  • ng
  • Member
  • Offline
  • Registered: 2015-08-31
  • Posts: 8

Re: Postfix acting like a open relay for local domains

ZhangHuangbin wrote:
ng wrote:

It's possible to disallow people to use my MTA to send out email, unless they are authenticated?

Again, default iRedMail settings is ok for you.

ng wrote:

In the actual stage i can easly fake an email claiming to be another one:

You still didn't get my point.

Of course you can fake sender address (From:) with your script, but your iRedMail server only accepts emails sent to existing local recipients. I repeat, without smtp authentication, your script acts as a MTA, not a client.

First of all thank you for all the clarifications.

I think i've found the problem, using "proxy:" in front of mysql maps is causing the server to not verify the senders (smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf), there is a way to bugfix this?

Removing the proxy prefix the server now block all request where MAIL FROM: is one of my local address (i've edited the sender_login_maps.cf to also link the alias to the mailbox owner)

Thank you

14 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,088

Re: Postfix acting like a open relay for local domains

proxy: doesn't verify address. Reference:
http://www.postfix.org/proxymap.8.html

15 Reply by ng

  • ng
  • Member
  • Offline
  • Registered: 2015-08-31
  • Posts: 8

Re: Postfix acting like a open relay for local domains

ZhangHuangbin wrote:

proxy: doesn't verify address. Reference:
http://www.postfix.org/proxymap.8.html

First of all, thank you for the patience and for the clarifications.
I've managed to solve some problems:
- the sender_login_maps.cf has corrupted permission causing proxymap to fail
- my sender_login_maps.cf won't consider aliases, so i modified the query in:

SELECT mailbox.username FROM mailbox,domain WHERE mailbox.username=(SELECT goto FROM alias WHERE address = '%s') AND mailbox.domain='%d' AND mailbox.domain=domain.domain AND mailbox.enablesmtp=1 AND mailbox.active=1 AND domain.backupmx=0 AND domain.active=1

to map aliases into users

the only problem remaining is fake emails, i think i will implement an spf to mark the faked messages

Have a nice day