On 22 Mar 2016, at 6:07, Torsten Stauder wrote:

> Hi mailing-list,

> I'm running a webserver which provides web- as well as mailservices. To send (relay) mails, remote users have to authenticate, but currently this is not necessary for local users (PHP etc...).

Unwise choice, unless your local users are all fastidious about security.

> This would be fine, but sometimes jerks inject php-files and start spamming.

There's something badly broken if a webserver chronically permits that.

> Virtually, I have no way to block them/enforce limits. Generally, there are three ways to send mail via PHP:

> a) Using its own smtp-engine in order to send mail directly to remote hosts
>
> Blocking this was simple - just added a rule to the firewall so that only the postfix user is able to send mail to dpt=25

> b) PHP's mail() via local postfix

Which, as I understand it, simply pipes messages into /usr/sbin/sendmail.

Alternatives to mail() for a smart PHP spambot author include composing his own messages and using one of about a half-dozen direct execution mechanisms available if the PHP version and config allow for those. I would guess that yours do, or you would not have this problem.

> c) Own smtp-engine (e.g. phpmailer) via local postfix

> So I want to force postfix to only accept sasl-authenticated mails (even from localhost!) if the recipient is not a local user. For (b) I wrote a wrapper which wraps mail() in such a way that it automatically adds authentication. The script that does the wrapping checks rate-limits. Going this way, I can enforce rate-limits without changing php-code that relies on sending unauth-mails via mail().

Better to instead make sure that the user running your injection-prone webserver cannot execute sendmail, directly or indirectly. SELinux works great for this, provided you're willing to manage your local policy wisely (which has gotten much less challenging in recent years.)

> But still, one could send unauth mail using (c).

> I tried to remove "permit_mynetworks" from smtpd_recipient_restrictions, but this didn't work as expected.

Better to simply remove local addresses (IPv4 and IPv6 loopbacks and local interface addresses) from mynetworks. They are included by default, which is unwise on a mail server also running a grossly insecure webserver.

> Any suggestions?

As always: 'postconf -n' output and logs *showing* that removing permit_mynetworks didn't solve the problem would aid in diagnosis.

If you absolutely must allow PHP scripts on your webserver to send mail, make them use standard mail submission via port 587 with real SASL auth.
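As an added illustration (not part of this thread, and not Postfix's own tooling): a small Python audit over `postconf -n` style output that flags the two settings the reply above points at, namely loopback or link-local entries (plus any interface addresses you pass in) still listed in `mynetworks`, and `permit_mynetworks` still present in the restriction lists. The two dumps embedded in it are constructed samples, and the helper names are my own. Two caveats the script comments on: since Postfix 2.10 the relay decision is made by `smtpd_relay_restrictions`, whose default begins with `permit_mynetworks`, so that parameter needs the same treatment as `smtpd_recipient_restrictions` and an absent line in `postconf -n` means the default is in effect; and mail handed to `/usr/sbin/sendmail` (PHP's `mail()`) never passes through smtpd restrictions at all, which is why the reply focuses on keeping the web user from executing sendmail rather than on smtpd settings.

```python
"""Flag local-host relay trust in Postfix 'postconf -n' output.

Added example for this thread, not part of the original message or of
Postfix itself. Parses 'key = value' lines (long values are folded onto
indented continuation lines) and reports:

  * entries in 'mynetworks' that cover loopback or link-local space,
    or any interface address the caller supplies
  * 'permit_mynetworks' still listed in smtpd_relay_restrictions or
    smtpd_recipient_restrictions

Usage on a live box:   postconf -n | python3 relay_audit.py
Run with no piped input to audit the constructed sample dumps below.
"""
import ipaddress
import re
import sys

# Constructed sample: default-style trust of the local host, the thing the
# reply above recommends removing.
WEAK_DUMP = """\
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.0.2.10/32
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
    defer_unauth_destination
"""

# Constructed sample: nobody is trusted by address; relaying requires SASL.
HARDENED_DUMP = """\
mynetworks =
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination
smtpd_relay_restrictions = permit_sasl_authenticated, defer_unauth_destination
"""


def parse_postconf(text):
    """Return {parameter: value}; indented continuation lines are rejoined."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def tokens(value):
    """Split a Postfix list value on whitespace and/or commas."""
    return [t for t in re.split(r"[\s,]+", value.strip()) if t]


def trusts_local_host(entry, interface_addrs=()):
    """True if one mynetworks entry covers the local host itself."""
    try:
        # Postfix writes IPv6 networks as [::1]/128; ipaddress wants ::1/128.
        net = ipaddress.ip_network(entry.replace("[", "").replace("]", ""), strict=False)
    except ValueError:
        return False  # hostnames or table lookups: not decidable offline
    addr = net.network_address
    mapped = getattr(addr, "ipv4_mapped", None)  # e.g. [::ffff:127.0.0.0]/104
    if mapped is not None:
        addr = mapped
    if addr.is_loopback or addr.is_link_local:
        return True
    # Version mismatch (IPv4 address vs IPv6 network) simply yields False.
    return any(ipaddress.ip_address(a) in net for a in interface_addrs)


def audit(postconf_output, interface_addrs=()):
    """Return a list of (parameter, offending_token) findings."""
    params = parse_postconf(postconf_output)
    findings = []
    if "mynetworks" not in params:
        # Absent from 'postconf -n' means the compiled-in default applies,
        # which is derived from the local interfaces and trusts the host itself.
        findings.append(("mynetworks", "<default: derived from local interfaces>"))
    else:
        for entry in tokens(params["mynetworks"]):
            if trusts_local_host(entry, interface_addrs):
                findings.append(("mynetworks", entry))
    # Postfix 2.10+ consults smtpd_relay_restrictions first, and its default
    # starts with permit_mynetworks; an absent parameter here is therefore
    # not proof of safety. Compare with 'postconf smtpd_relay_restrictions'.
    for param in ("smtpd_relay_restrictions", "smtpd_recipient_restrictions"):
        if "permit_mynetworks" in tokens(params.get(param, "")):
            findings.append((param, "permit_mynetworks"))
    return findings


if __name__ == "__main__":
    if sys.stdin.isatty():
        for label, dump in (("weak", WEAK_DUMP), ("hardened", HARDENED_DUMP)):
            print(label, audit(dump, interface_addrs=("192.0.2.10",)))
    else:
        for param, tok in audit(sys.stdin.read()):
            print(f"{param}: {tok}")
```

Because the script only sees what `postconf -n` prints, pass the host's own interface addresses explicitly (the `192.0.2.10` in the sample is a constructed one) and confirm the effective relay policy with `postconf smtpd_relay_restrictions`, which prints defaults as well as overrides. Pair the result with the logs the reply asks for: a rejected relay attempt from the local host is what proves the change took.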
