Re: SV: Telnet auth

2016-05-18 Thread Catalin Badirca
This is what I was looking for. Thank you very very much Sebastien. I will try 
it right now and will post the result. 

Sent from my iPhone

> On 18 May 2016, at 22:07, Sebastian Nielsen  wrote:
> 
> Yes.
> Remove permit_sasl_authenticated and permit_mynetworks.
> Then add the following rule instead, immediately BEFORE
> reject_unauth_destination:
> check_sender_access hash:/etc/postfix/relay_auth
> 
> Inside the file relay_auth, which must be postmap:ed, you have the
> following:
> 
> yourdomain.com: permit_sasl_authenticated, reject
> 
> This means when an outsider tries to send from, let's say, t...@yourdomain.com
> to someot...@yourdomain.com without authentication, the rule evaluated will
> be:
> " permit_sasl_authenticated, reject, reject_unauth_destination"
> The word "reject" comes before "reject_unauth_destination", thus the mail
> will be rejected despite being to an allowed domain.
> If you instead try to send from a non-"yourdomain.com" domain, then the
> check_sender_access will be skipped, and you will be allowed to send mail to
> local accounts.
> 
> This also has another advantage: authenticated accounts CANNOT send from
> a domain other than your domain.
> 
> You can try for yourself. Try telnetting to this server: dns2.sebbe.eu which
> is my mail server.
> Then try to see if you can send spoofed mail originating from some account
> inside @sebbe.eu to sebast...@sebbe.eu
> 
> (I however use IP authentication, e.g. only mynetworks are allowed to relay,
> instead of account authentication)
> 
> -----Original Message-----
> From: owner-postfix-us...@postfix.org
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of Catalin Badirca
> Sent: 18 May 2016 20:53
> To: D'Arcy J.M. Cain 
> Cc: postfix-users@postfix.org
> Subject: Re: Telnet auth
> 
> I will try to be more specific. Create a test account that can send emails
> from postfix. Telnet on the postfix machine on port 25. Now send an email
> from that test account to any other valid email on your domain. You will see
> that you are allowed to do so without authentication. The whole world can do
> that. 
> I don't think you will want emails to be sent on your user's behalf inside
> your domain. 
> 
> Is there any way postfix can stop that ?
> 
> 
>> On 18 May 2016, at 14:08, D'Arcy J.M. Cain  wrote:
>> 
>> On Wed, 18 May 2016 13:22:49 +0300
>> Catalin Badirca  wrote:
>>> I've tried your suggestion and the issue remains. Someone could 
>>> telnet into postfix and would be allowed to send mails from a valid 
>>> address to another valid address in mydomain without authentication.
>>> 
>>> Is there any way I can stop potential spam for mydomain ?
>> 
>> What do you mean by "telnet into postfix"?  Are you saying that valid 
>> users on your system are spamming your other users?  All you can do 
>> there is monitor your own house and slap anyone who does that.  It 
>> doesn't matter whether they spam their fellow users or the whole world.
>> Your users are your responsibility but that's not a technical issue.
>> 
>> If you mean that someone can connect to your port 25 and send your 
>> users spam then yes, welcome to the twenty-first century and the spam 
>> problem that everyone is fighting.  That's the daily fight we all 
>> have.  There are a number of spam mitigation techniques that you can 
>> try.  None of them are 100% effective.  You can block known spam 
>> sites, use SPF, greylisting and other tools to slow down spam at the 
>> SMTP level and spamassassin, bogofilter and other filters after to 
>> catch suspected spam after it is accepted.  Look at spam-fighting 
>> sites for some ideas.
>> 
>> If you do find a way to block 100% of all spam please tell us how.
>> Better yet, package it and sell it.  You will be a billionaire.
>> 
>> --
>> D'Arcy J.M. Cain
>> System Administrator, Vex.Net
>> http://www.Vex.Net/ IM:da...@vex.net
>> VoIP: sip:da...@vex.net
> 
> 



Re: Telnet auth

2016-05-18 Thread Catalin Badirca
I will try to be more specific. Create a test account that can send emails 
from postfix. Telnet on the postfix machine on port 25. Now send an email from 
that test account to any other valid email on your domain. You will see that 
you are allowed to do so without authentication. The whole world can do that. 
I don't think you will want emails to be sent on your user's behalf inside your 
domain. 

Is there any way postfix can stop that ?


> On 18 May 2016, at 14:08, D'Arcy J.M. Cain  wrote:
> 
> On Wed, 18 May 2016 13:22:49 +0300
> Catalin Badirca  wrote:
>> I've tried your suggestion and the issue remains. Someone could
>> telnet into postfix and would be allowed to send mails from a valid
>> address to another valid address in mydomain without authentication.
>> 
>> Is there any way I can stop potential spam for mydomain ?
> 
> What do you mean by "telnet into postfix"?  Are you saying that valid
> users on your system are spamming your other users?  All you can do
> there is monitor your own house and slap anyone who does that.  It
> doesn't matter whether they spam their fellow users or the whole world.
> Your users are your responsibility but that's not a technical issue.
> 
> If you mean that someone can connect to your port 25 and send your
> users spam then yes, welcome to the twenty-first century and the spam
> problem that everyone is fighting.  That's the daily fight we all
> have.  There are a number of spam mitigation techniques that you can
> try.  None of them are 100% effective.  You can block known spam sites,
> use SPF, greylisting and other tools to slow down spam at the SMTP
> level and spamassassin, bogofilter and other filters after to catch
> suspected spam after it is accepted.  Look at spam-fighting sites for
> some ideas.
> 
> If you do find a way to block 100% of all spam please tell us how.
> Better yet, package it and sell it.  You will be a billionaire.
> 
> -- 
> D'Arcy J.M. Cain
> System Administrator, Vex.Net
> http://www.Vex.Net/ IM:da...@vex.net
> VoIP: sip:da...@vex.net



Re: Telnet auth

2016-05-18 Thread Catalin Badirca
Thank you very much for your time and sorry for the long response time. 

I've tried your suggestion and the issue remains. Someone could telnet into 
postfix and would be allowed to send mails from a valid address to another 
valid address in mydomain without authentication.

Is there any way I can stop potential spam for mydomain ?

Thank you !

Sent from my iPhone

> On 16 May 2016, at 20:21, /dev/rob0  wrote:
> 
>> On Mon, May 16, 2016 at 07:25:54PM +0300, Catalin Badirca wrote:
>> I am breaking my head trying to solve the following thing. I have a 
>> Postfix server that accepts mail from $mydomain and delivers for
> 
> "From $mydomain" probably has nothing to do with it.
> 
>> standard $mydestination. I also have smtp_relay_redtriction to
> 
> smtpd_relay_restrictions, spelling DOES count, and be especially 
> aware of the "smtp_* != smtpd_" issue.
> 
>> allow sasl and reject other destinations than $mydomain. Standard
> 
> s/mydomain/mydestination/ , that is.
> 
>> until now. The thing is: if I telnet to the machine and try to send 
>> mail from a valid address to another valid address in $mydomain I 
>> can do it without being forced to authenticate. I can easily force 
>> reject instead of reject_unauth_destination and take care of this 
>> but then no emails for me.
>> 
>> Does anyone know a solution for this please ?
> 
> It's quite simple, actually.
> 
> Do not accept user submission on port 25.  Remove all permit_* 
> restrictions from the global configuration.  Don't advertise nor 
> accept AUTH on port 25.
> 
> Do not accept mail exchange on port 587.
> 
> main.cf:
> ...
> smtpd_relay_restrictions = reject_unauth_destination
> submission_relay_restrictions = permit_sasl_authenticated, reject
> # smtpd_sasl_auth_enable is "no" by default, so omit that, but
> # other smtpd_sasl_* settings can go here
> ...
> 
> master.cf:
> ...
> submission inet  n   -   n   -   -   smtpd
>   -o smtpd_tls_auth_only=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_recipient_restrictions=
>   -o smtpd_relay_restrictions=$submission_relay_restrictions
>   -o milter_macro_daemon_name=ORIGINATING
>   -o syslog_name=postfix/submission
> ...
> 
> (That example assumes that TLS is set up for smtpd.)
> 
> Yes, someone can still "telnet" to port 25 and send mail to your 
> addresses/users.  That's what mail exchange is.  Nothing is magic 
> about telnet, it is just one of many ways to make a TCP connection.
> That's the same thing a MTA client will do when delivering mail on 
> behalf of their user to one of your addresses.
> -- 
>  http://rob0.nodns4.us/
>  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
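As an added illustration of the two designs quoted in this thread (rob0's port-25/587 split above and Sebastian's check_sender_access table in the later reply), here is a small model of Postfix's left-to-right restriction evaluation; it is constructed for this note, not Postfix's own code. The domain, network and address values are assumptions, and the lookup order is simplified to full address then domain.

```python
# Constructed model (not Postfix code) of how smtpd walks a restriction
# list, used to check the two designs discussed in this thread.
MY_DESTINATION = {"yourdomain.com"}   # assumed $mydestination
MY_NETWORKS = {"192.0.2.10"}          # assumed $mynetworks (TEST-NET-1)

# Sebastian's relay_auth table in access(5) "pattern action" form.
RELAY_AUTH = {"yourdomain.com": "permit_sasl_authenticated, reject"}

PORT25_SEBASTIAN = ["check_sender_access hash:/etc/postfix/relay_auth",
                    "reject_unauth_destination"]
PORT25_ROB0 = ["reject_unauth_destination"]            # smtpd_relay_restrictions
SUBMISSION_ROB0 = ["permit_sasl_authenticated", "reject"]  # port 587 only


def evaluate(restrictions, sender, rcpt, authed=False,
             client_ip="203.0.113.5", table=RELAY_AUTH):
    """Return 'permit' or 'reject' as smtpd would for one RCPT TO.

    Restrictions are tried left to right; the first one that yields a
    verdict ends the walk.  An access-table hit splices its action list in
    front of the remaining restrictions, which is why the trailing 'reject'
    in the table wins over reject_unauth_destination for local senders.
    """
    queue = list(restrictions)
    while queue:
        r = queue.pop(0)
        if r == "permit" or (r == "permit_mynetworks" and client_ip in MY_NETWORKS):
            return "permit"
        if r == "permit_sasl_authenticated" and authed:
            return "permit"
        if r == "reject":
            return "reject"
        if r == "reject_unauth_destination" and rcpt.rsplit("@", 1)[1] not in MY_DESTINATION:
            return "reject"
        if r.startswith("check_sender_access"):
            # Postfix tries the full address, then the domain (parent-domain
            # and localpart@ lookups are omitted in this model).
            domain = sender.rsplit("@", 1)[1]
            action = table.get(sender) or table.get(domain)
            if action:
                queue = [a.strip() for a in action.split(",")] + queue
    return "permit"   # nothing objected: implicit permit at end of list


if __name__ == "__main__":
    # The case from the thread: unauthenticated local-to-local on port 25.
    print("Sebastian:", evaluate(PORT25_SEBASTIAN, "test@yourdomain.com", "other@yourdomain.com"))
    print("rob0 port 25:", evaluate(PORT25_ROB0, "test@yourdomain.com", "other@yourdomain.com"))
```

On a real server, `postmap -q yourdomain.com hash:/etc/postfix/relay_auth` shows what the compiled table returns for a key, and the rob0 design deliberately still accepts the local-to-local case on port 25 because that is inbound mail exchange.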



Telnet auth

2016-05-16 Thread Catalin Badirca


Hi,
I am breaking my head trying to solve the following thing. I have a Postfix 
server that accepts mail from $mydomain and delivers for standard 
$mydestination. I also have smtp_relay_redtriction to allow sasl and reject 
other destinations than $mydomain. Standard until now. The thing is: if I 
telnet to the machine and try to send mail from a valid address to another 
valid address in $mydomain I can do it without being forced to authenticate. I 
can easily force reject instead of reject_unauth_destination and take care of 
this but then no emails for me.

Does anyone know a solution for this please ?

Thank you for your help !