On 2023-06-08 at 20:39:21 UTC-0400 (Thu, 8 Jun 2023 17:39:21 -0700 (PDT))
Richard Troy via Postfix-users <rt...@sciencetools.com> is rumored to have said:
> Hi All,
> This is my first posting here, and maybe I should have found this WAY
> back in January, '23, if not LONG before. Surely background will help:
Maybe, but in all of that I have failed to find a useful description of
your problem.
> This 27 or so year old site now with Fedora / Postfix / Dovecot (with
> early adoption of all three) that I built was humming along just fine
> until a major disaster in January and I've not yet been able to fully
> recover because the Postfix / Dovecot pair has let the damned spammers
> in again and again and again and again!
> OH, sure, I got it down to a trickle, but these few Russian sites
> always managed to get their spam through. I've never found out how
> they got in, but I'm sure they'd be back as soon as I reopen internet
> access on ports 587 and / or 993.
If you have an unmodified example of the delivered spam (in its pristine
RFC822/2822/5322 glory with Received headers) and the logs from Dovecot
and Postfix at the time of its delivery, those should illuminate where
the junk came from.
Note that Dovecot does not normally do anything with messages other than
store them (or maybe not even that, as Postfix can deliver by itself)
and read them again when IMAP or POP clients ask for them. Dovecot does
not leave any traces in mail. Dovecot DOES provide authentication for
Postfix, if you have that configured properly. I believe it may be
possible to enable an initial IMAP-based submission facility in Dovecot,
but it isn't commonly used.
[big snip]
> And so I want to blame Dovecot for letting through the relaying. They
> say no, it's Postfix!
They?
> Maybe someone on this list knows if it's possible that Dovecot being
> cracked can cause Postfix to become a spam relay
Possible? Clearly it would be. Postfix only knows that "authentication"
is something it asks Dovecot about. Control Dovecot's answers to Postfix
and you control everything Postfix knows about user authentication.
Dovecot has been remarkably resistant to attack for a long time. I would
not look first to it being compromised to explain an open relay issue.
It is far more likely that a client has been compromised and their
password is available to the spammer at will.
> but I'd like to sidestep that for at least the moment:
> A new feature that would make a HUGE difference to sites like mine:
> Give me a white-list of the ONLY accounts (usernames) that can relay;
> NOTHING ELSE can relay. ... THAT would do it! But no! Neither in
> Postfix nor Dovecot is there such a thing! ...Such a thing CANNOT be
> that hard to implement and obviously useful to many; is there a good
> reason NOT to do this? Or am I wrong and it HAS been done?
Of course you *can* do that in Postfix. It's just not a structure used
in most systems, because most systems simply let any authenticated user
relay. It could be set up by forcing the authenticated identity to match
the sender address and using a static map with check_sender_access in
smtpd_relay_restrictions.
> Combine that with a greylist type function (similar to the postgrey
> package I have installed now) where the usual IP addresses for
> particular relay users were let through, and new ones delayed, THAT
> would be awesome, too! And this isn't even all that hard to do - I
> could do it if I didn't already have a thousand obligations in life!
Seems a bit pointless if you have working secure authentication.
> And if someone tells me I'm wrong and points me at how to do these
> things, I'll fall out of my damned chair! And after picking myself up,
> I'll find a way to send that person some sort of gift. THIS WOULD HAVE
> SOLVED ALL MY PROBLEMS. And I'm sure MANY others could use this, too!
> As a small digression on some of the above: I think I don't know
> enough about how Postfix's use of port 587 is properly secured - the
> "submission port". OK, STARTTLS we're told,
"Told?"
STARTTLS is used if you have it configured, it is not used if you do not
configure it. STARTTLS only protects the session from snooping, it does
not authenticate the user. That's the AUTH command, which in Postfix is
just a portal to the Dovecot or Cyrus SASL library. Also dependent on
specific configuration.
We know NOTHING about your configuration. See Viktor's reply.
> but is it Postfix or Dovecot doing the authentication?
Yes. :)
Postfix acquires the credentials from the user and hands them to
Dovecot. Dovecot determines whether the credentials are valid. Dovecot
has its own idea of a user list independent of the "local" users known
to Postfix, unless you solely use real OS users for both. Postfix has
only a very shallow conceptual model of authentication, as it is
entirely dependent on Dovecot (or on some systems, Cyrus-SASL) to
perform the work.
How that authentication is used is dependent on the Postfix
configuration.
> Does Postfix EVER read a password file? I think it does not,
Correct.
> and so I say it has to be Dovecot, but some clearing up of that would
> be nice...
It is quite simple to misconfigure Postfix as a de facto open relay, so
that no authentication is needed. It is possible to misconfigure Dovecot
such that it does not actually check anything (but it is NOT easy...).
It is possible for users to lose control of their passwords to malware,
persistently and repeatedly.
> And, now that I think of it could this be a way to prove which is
> guilty of letting the spammers in?
Unless you have specifically configured submission via Dovecot, Postfix
is what "let them in" because Postfix is what handles submission on port
587 (and possibly on 465 also) and general SMTP on port 25, which can
also be misconfigured with regards to authentication and/or relaying.
> I MUST get Dovecot's use of the ports 587 / 993 working again to allow
> my outside users to get email again, but HOW THE HELL DO I DO THIS and
> NOT let the spammers in?!
My top suspicion based on your rather vague description of this as being
reduced to 'just the Russians' is that the problem is not with your
system at all, but with one user's machine. If you had a simple config
problem or some compromising bug in Postfix or Dovecot, it would be open
to all sorts of miscreants. A user who has spyware owning their machine
leaks their credentials to only one criminal spam operation. Repeatedly.
But that's very much a guess.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
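Bill's point above, that an explicit allowlist of relay accounts is possible in Postfix even though most sites just permit every authenticated user, shown as an added configuration example. It is not from the thread and not a verbatim copy of any Postfix README. It assumes Dovecot SASL over the usual private/auth socket, that Dovecot reports login names as full addresses (alice@example.com rather than a bare alice; adjust the map keys if your Dovecot auth_username_format differs), Postfix 2.11 or later for check_sasl_access, and the file paths, domain and account names are illustrative. The MAIL FROM address is bound to the login with smtpd_sender_login_maps plus reject_sender_login_mismatch, and relaying is then granted only to logins listed with OK; permit_sasl_authenticated is deliberately absent from the submission restrictions.

```text
/etc/postfix/main.cf:
    # Port 25: relay only for $mynetworks, never for outside clients. SASL is not
    # offered on this service at all.
    smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination

    # Restrictions used only by the submission service. Kept in main.cf and
    # referenced from master.cf as $mua_relay_restrictions, because "-o" values
    # in master.cf cannot contain whitespace.
    #  1. reject_sender_login_mismatch: MAIL FROM must be owned by the SASL login
    #     used (and unauthenticated clients may not use a listed address).
    #  2. check_sasl_access: the SASL login name is looked up in relay_logins;
    #     only an "OK" entry permits relaying (Postfix 2.11 or later).
    #  3. reject: everything else, authenticated or not.
    mua_relay_restrictions =
        reject_sender_login_mismatch,
        check_sasl_access hash:/etc/postfix/relay_logins,
        reject
    smtpd_sender_login_maps = hash:/etc/postfix/sender_logins

/etc/postfix/master.cf:
    submission inet n       -       n       -       -       smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_sasl_type=dovecot
      -o smtpd_sasl_path=private/auth
      -o smtpd_relay_restrictions=$mua_relay_restrictions

/etc/postfix/relay_logins  (run "postmap /etc/postfix/relay_logins" after editing):
    # SASL login name, exactly as Dovecot reports it     action
    alice@example.com   OK
    bob@example.com     OK
    # A login that is not listed produces no match and falls through to "reject".

/etc/postfix/sender_logins  (run "postmap /etc/postfix/sender_logins" after editing):
    # MAIL FROM address     login(s) allowed to use it as sender
    alice@example.com       alice@example.com
    bob@example.com         bob@example.com
```

Two things this does not do, matching Bill's caveats: it does not protect a listed account whose password has already leaked to a spammer (that account still relays, just only as itself), and it does nothing for IMAP on port 993, which is Dovecot's service and never a relay path. It does shrink the set of credentials worth stealing to the accounts in relay_logins, and rejects like "Sender address rejected: not owned by user" in the submission log make a spoofing attempt with a stolen login visible immediately.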
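Bill's advice to go to the Postfix logs from the time of delivery, and his guess that the source is one user's leaked password rather than a server bug, can be checked with the log line Postfix writes on every authenticated submission (client=host[address], sasl_method=..., sasl_username=...). The shell script below is an added example, not from the thread; the log lines it contains are constructed in that real format with made-up hosts, IPs, queue IDs and logins, and the /var/log/maillog path in the usage comment is an assumption. It summarises, per SASL login, how many messages were submitted from how many distinct client addresses and flags logins seen from several, which is what a stolen password typically looks like.

```shell
#!/bin/sh
# Triage Postfix submission logs per SASL login: how many messages each login
# submitted and from how many distinct client IPs. A stolen password usually
# shows up as one login suddenly submitting from many unfamiliar addresses.
# Usage on a real system (path is an assumption):
#   sasl_client_summary < /var/log/maillog | flag_multi_ip 3

# Constructed sample log lines in the shape Postfix smtpd logs after a
# successful AUTH. The format is real; hosts, IPs, queue IDs and logins are invented.
# The last line is unauthenticated port-25 traffic and must be ignored.
SAMPLE_LOG='Jun  8 17:39:21 mail postfix/submission/smtpd[4711]: 1A2B3C4D5E: client=unknown[203.0.113.45], sasl_method=PLAIN, sasl_username=alice@example.com
Jun  8 17:40:02 mail postfix/submission/smtpd[4711]: 2B3C4D5E6F: client=unknown[203.0.113.45], sasl_method=PLAIN, sasl_username=alice@example.com
Jun  8 17:41:15 mail postfix/submission/smtpd[4712]: 3C4D5E6F70: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=bob@example.com
Jun  8 17:41:16 mail postfix/submission/smtpd[4713]: 4D5E6F7081: client=unknown[198.51.100.8], sasl_method=LOGIN, sasl_username=bob@example.com
Jun  8 17:41:17 mail postfix/submission/smtpd[4714]: 5E6F708192: client=unknown[198.51.100.9], sasl_method=LOGIN, sasl_username=bob@example.com
Jun  8 17:42:00 mail postfix/smtpd[4720]: 6F70819203: client=mx.example.net[192.0.2.10]'

# Reads log lines on stdin. Prints one line per login, sorted by login:
#   login  message_count  distinct_ip_count  comma-separated client IPs
# Only lines carrying sasl_username= are considered.
sasl_client_summary() {
  grep -o 'client=[^,]*, sasl_method=[^,]*, sasl_username=.*' \
  | sed -e 's/^client=[^[]*\[\([^]]*\)\].*sasl_username=\(.*\)$/\2 \1/' \
  | sort | uniq -c \
  | awk '{
        msgs[$2] += $1
        ips[$2] = (ips[$2] == "" ? $3 : ips[$2] "," $3)
        distinct[$2]++
      }
      END { for (u in msgs) print u, msgs[u], distinct[u], ips[u] }' \
  | sort
}

# Filters the summary: prints only logins seen from at least $1 distinct IPs.
flag_multi_ip() {
  awk -v threshold="$1" '$3 >= threshold { print $1 }'
}

printf '%s\n' "$SAMPLE_LOG" | sasl_client_summary
printf '%s\n' "$SAMPLE_LOG" | sasl_client_summary | flag_multi_ip 3
```

On the sample data alice submits twice from one address while bob submits from three different addresses in two minutes, so bob is the login to examine first (and to lock until that user's machine has been cleaned, per Bill's reasoning). Pair the client IPs with the Received headers of the delivered spam: the header Postfix adds on submission names the same client address and, with smtpd_sasl_authenticated_header enabled, the login that was used.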