Risk of Address Rewriting causing Open Relay?

2008-10-24 Thread Yves Kreis

Good evening,

Short version of the question:
If I am rewriting sender addresses using:
/^(.+)@pt\.lu$/ $1+pt.lu:[EMAIL PROTECTED]
/^(.+)+pt.lu:[EMAIL PROTECTED]/ [EMAIL PROTECTED]
How important is the risk of being used as an open relay?

Long version of the problem:
The Luxembourgish Internet Provider P&T (pt.lu) is only accepting mail  
originating from @pt.lu if the sender is on their ip network (or is  
authenticated).

Their policy can be found at: 
http://www.pt.lu/webdav/site/portailEPT/groups/DT_redacteurs/public/downloads/Politique%20e-mail.pdf
This makes it impossible to relay mail from [EMAIL PROTECTED] sent to [EMAIL PROTECTED] back to [EMAIL PROTECTED]
Unfortunately there is no "Debian" or official Postfix version of SRS  
(Sender Rewriting Scheme) or RPR (Return Path Rewriting).
That's why I am thinking about using the more risky method of simple
address rewriting as described before.

How important is the risk of being used as an open relay?

Thanks for your comments,
Yves


Re: Risk of Address Rewriting causing Open Relay?

2008-10-24 Thread Yves Kreis

???

My rewriting idea works for my purpose. I am just trying to  
investigate the risk...


Best Regards,
Yves


On 24.10.2008, at 22:28, Wietse Venema wrote:


Postfix relay permission is decided before (recipient) address
rewriting.

For example, we don't want "relay access denied" when a virtual
alias changes an address in a local domain into a remote address.

Wietse




Re: Risk of Address Rewriting causing Open Relay?

2008-10-24 Thread Yves Kreis

Re,

I don't use it for relay permission but for the destination server to  
accept the mail.


Best Regards,
Yves

On 24.10.2008, at 23:12, Wietse Venema wrote:


Wietse:

Postfix relay permission is decided before (recipient) address
rewriting.

For example, we don't want "relay access denied" when a virtual
alias changes an address in a local domain into a remote address.


Yves Kreis:

My rewriting idea works for my purpose. I am just trying to
investigate the risk...


Let's apply some simple logic here.

1) Postfix relay permission is decided before (recipient) address
  rewriting.

2) Therefore, (recipient) address rewriting has no effect on Postfix
  relay permission.

In addition, Postfix does not use sender addresses for relay
permission decisions. Changing that would be a bad idea.

Wietse




Re: Risk of Address Rewriting causing Open Relay?

2008-10-24 Thread Yves Kreis

Wietse:

Postfix relay permission is decided before (recipient) address
rewriting.

For example, we don't want "relay access denied" when a virtual
alias changes an address in a local domain into a remote address.


Yves Kreis:

My rewriting idea works for my purpose. I am just trying to
investigate the risk...

...

I don't use it for relay permission but for the destination server to
accept the mail.


Your subject says:

   Risk of Address Rewriting causing Open Relay?

Is this about Postfix address rewriting?

Is this about Postfix becoming an open relay?


I don't mind where to write my reply. However I didn't notice any such  
instructions when subscribing...


Anyhow:

Yes it is about postfix address rewriting (which can be done as well
through sender_canonical_maps afaik).


And yes it is about Postfix becoming an open relay. The rule
/^(.+)+pt.lu:[EMAIL PROTECTED]/ [EMAIL PROTECTED]
forwards all mails sent to xxx+pt.lu:[EMAIL PROTECTED] to  
[EMAIL PROTECTED] So the server theoretically is an open relay, however you  
need to know the password.


How important is the risk of this choice?

Best Regards,
Yves


Re: Risk of Address Rewriting causing Open Relay?

2008-10-26 Thread Yves Kreis

Anyhow:

Yes it is about postfix address rewriting (which can be done as well
through sender_canonical_maps afaik).


I wrote that Postfix address rewriting has no effect on
Postfix relay permissions.


It has effect on the other server accepting the mail or not!

Best Regards,
Yves


Re: Risk of Address Rewriting causing Open Relay?

2008-10-26 Thread Yves Kreis

Yves Kreis:

Anyhow:

Yes it is about postfix address rewriting (which can be done as well
through sender_canonical_maps afaik).


I wrote that Postfix address rewriting has no effect on
Postfix relay permissions.


It has effect on the other server accepting the mail or not!


You need to learn the difference between "necessary" and "sufficient".

Postfix (sender) address rewriting may be NECESSARY for the remote
server to accept your mail, but it is not SUFFICIENT to create an
open relay.

To be an open relay, a system has to accept mail from any remote
client for any remote destination.


OK, we are talking about definitions then...

How crucial is my configuration? It only opens relay to one domain if  
the password is known...


Thanks,
Yves
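
The ordering Wietse describes, as a simplified model (an added example, not Postfix code and not something posted in the thread): the relay check sees only the client address and the original recipient, and rewriting runs afterwards. The domain forwarder.example, the network and the tag are constructed placeholders for the values redacted above.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed values; the real addresses and the "password" are redacted on the page.
MYNETWORKS = [ip_network("192.0.2.0/24")]   # trusted clients (assumption)
LOCAL_DOMAINS = {"forwarder.example"}       # domains this host accepts mail for
TAG = "PLACEHOLDER-TAG"                     # stands in for the shared tag

# Reverse rule in the spirit of the post:
#   user+pt.lu:TAG@forwarder.example  ->  user@pt.lu
REVERSE = re.compile(
    r"^(.+)\+pt\.lu:" + re.escape(TAG) + r"@forwarder\.example$"
)

def relay_allowed(client_ip, rcpt):
    """Step 1: decided from the client and the ORIGINAL recipient only."""
    if any(ip_address(client_ip) in net for net in MYNETWORKS):
        return True
    return rcpt.rsplit("@", 1)[1].lower() in LOCAL_DOMAINS

def rewrite_rcpt(rcpt):
    """Step 2: recipient rewriting, applied only to mail already accepted."""
    m = REVERSE.match(rcpt)
    return f"{m.group(1)}@pt.lu" if m else rcpt

def handle(client_ip, sender, rcpt):
    # The sender is deliberately ignored: it plays no part in relay permission.
    if not relay_allowed(client_ip, rcpt):
        return ("reject", None)
    return ("accept", rewrite_rcpt(rcpt))

if __name__ == "__main__":
    outside = "203.0.113.9"  # constructed remote client
    print(handle(outside, "a@pt.lu", "user@elsewhere.example"))
    print(handle(outside, "x@any.example",
                 f"bob+pt.lu:{TAG}@forwarder.example"))
    print(handle(outside, "x@any.example",
                 "bob+pt.lu:wrong@forwarder.example"))
```

A remote client is still refused for arbitrary remote destinations whatever the rewrite map contains; the map only decides where mail already accepted for a local address ends up.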


Change in pcre file requires reload?

2009-01-09 Thread Yves Kreis

In main.cf I have a configuration line:
sender_canonical_maps = pcre:/etc/postfix/pt_lu.pcre

When I change something inside pt_lu.pre, do I then need to reload  
postfix?


Thanks,
Yves


Re: Change in pcre file requires reload?

2009-01-09 Thread Yves Kreis

On 09.01.2009, at 10:31, Edward Krack wrote:


postmap /etc/postfix/pt_lu.pcre
postfix reload

http://www.postfix.org/PCRE_README.html

On Fri, Jan 9, 2009 at 2:57 AM, Yves Kreis wrote:

In main.cf I have a configuration line:
sender_canonical_maps = pcre:/etc/postfix/pt_lu.pcre

When I change something inside pt_lu.pre, do I then need to reload  
postfix?


Thanks,
Yves



postmap for pcre files? Are you sure?
The readme doesn't mention postmap or reload...

Best Regards,
Yves

Milter invocation when sending to local mail

2010-03-01 Thread Yves Kreis

Dear,

Does Postfix invoke milter when sending a DSN for local mail?

Thanks,
Yves


Conditionally change FROM

2009-03-05 Thread Yves Kreis

Dear,

I want/need to change the FROM part of the e-mails if they are  
forwarded to the (sub-)domains (sub.)xxx.tld

Where in the documentation should I look for a solution?

Thanks,
Yves


PCRE Conditional Canonical Address Mapping

2009-03-11 Thread Yves Kreis

Dear,

Can I use a canonical map like:
if /^To: u...@domain\.com$/
/^From: (".*" )*(.+)@(.+)$/ From: ${1}${2}+$...@anotherdomain.com
endif

Thanks,
Yves


Re: PCRE Conditional Canonical Address Mapping

2009-03-11 Thread Yves Kreis

On 11.03.2009, at 11:49, Wietse Venema wrote:


Yves Kreis:

Dear,

Can I use a canonical map like:
if /^To: u...@domain\.com$/
/^From: (".*" )*(.+)@(.+)$/ From: ${1}${2}+$...@anotherdomain.com
endif


Dear Yves, please RTFM the pcre_table manpage.

  if /pattern/flags

  endif  Match the input string against the patterns between if and
         endif, IF AND ONLY IF THAT SAME INPUT STRING ALSO MATCHES
         PATTERN. The if..endif can nest.



Dear Wietse,

Sorry, I read it multiple times but I overlooked this information.

Thanks,
Yves


Re: PCRE Conditional Canonical Address Mapping

2009-03-13 Thread Yves Kreis

On 11.03.2009, at 11:49, Wietse Venema wrote:


Yves Kreis:

Dear,

Can I use a canonical map like:
if /^To: u...@domain\.com$/
/^From: (".*" )*(.+)@(.+)$/ From: ${1}${2}+$...@anotherdomain.com
endif


Dear Yves, please RTFM the pcre_table manpage.

  if /pattern/flags

  endif  Match the input string against the patterns between if and
         endif, IF AND ONLY IF THAT SAME INPUT STRING ALSO MATCHES
         PATTERN. The if..endif can nest.


Sorry, I overlooked this. Can I parse the whole headers at once, i.e.
use something similar without the ^ and $ or are the headers fed
into the canonical map line by line?


Thanks,
Yves


SRS or RPR in Postfix

2009-03-21 Thread Yves Kreis

Dear,

Is it (technically) possible to implement SRS or RPR in Postfix using  
either a milter plugin or a policy? Does anyone know of such an  
implementation?


Is the new sendmail "socketmap" functionality available in Postfix?

Thanks,
Yves


Re: SRS or RPR in Postfix

2009-03-21 Thread Yves Kreis

On 21.03.2009, at 14:41, Sahil Tandon wrote:


Is it (technically) possible to implement SRS or RPR in Postfix using
either a milter plugin or a policy? Does anyone know of such an
implementation?


It is technically possible with an SMTP-based content filter; I don't know of
any existing implementations.


Did I get this right and you are talking of a Postfix After-Queue  
Content Filter as described in http://www.postfix.org/FILTER_README.html?


Thanks,
Yves


Re: libsrs patch for Postfix

2011-09-08 Thread Yves Kreis


On 08.09.2011, at 22:17, Wietse Venema wrote:


Heiko Wundram:

Hey!

I'm currently working up a patch for Postfix which implements support
for libsrs2 functionality in the Postfix core.


Instead of tearing up Postfix, consider implementing sender and
recipient address manipulations with a Milter plugin. This would
do all the work at the time the message is stored into the mail
queue.

Thus, you'd always verify+unobfuscate local envelope recipients,
and you'd always sign+obfuscate local envelope senders, for some
suitable definition of "local".

Support for sender replacement (SMFIR_CHGFROM) is available with
Postfix 2.5 and later; recipient manipulation has been available
since Postfix 2.3.

Wietse


And I would be interested in a working Milter plugin but not a patch...

Yves
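
The "sign+obfuscate local envelope senders" and "verify+unobfuscate local envelope recipients" steps from Wietse's reply, sketched as an SRS0-style rewrite (an added example, not libsrs2, not wire-compatible with it, and not code from the thread). Unlike the fixed tag in the 2008 pcre rules, each rewritten address carries a keyed MAC and a day stamp; the secret, the forwarding domain and the validity window are assumptions.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"   # assumption: per-site secret, never published
FORWARDER = "forwarder.example"    # assumption: the forwarding host's own domain
MAX_AGE_DAYS = 21                  # assumption: how long a bounce path stays valid

def _day(now=None):
    """Days since the epoch; 'now' can be injected for testing."""
    return int((time.time() if now is None else now) // 86400)

def _mac(day, domain, local):
    """Truncated HMAC over the day stamp and the original address."""
    msg = f"{day}={domain.lower()}={local}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:10]

def sign_sender(sender, now=None):
    """user@orig -> SRS0=<mac>=<day>=orig=user@FORWARDER"""
    local, domain = sender.rsplit("@", 1)
    day = _day(now)
    return f"SRS0={_mac(day, domain, local)}={day}={domain}={local}@{FORWARDER}"

def verify_recipient(rcpt, now=None):
    """Return the original address, or None if forged, malformed or expired."""
    local, domain = rcpt.rsplit("@", 1)
    if domain.lower() != FORWARDER or not local.startswith("SRS0="):
        return None
    parts = local[5:].split("=", 3)       # the original local part may contain '='
    if len(parts) != 4 or not parts[1].isdecimal():
        return None
    mac, day, orig_domain, orig_local = parts
    expected = _mac(int(day), orig_domain, orig_local)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    if not 0 <= _day(now) - int(day) <= MAX_AGE_DAYS:
        return None
    return f"{orig_local}@{orig_domain}"

if __name__ == "__main__":
    signed = sign_sender("alice@pt.lu")   # constructed sample address
    print(signed)
    print(verify_recipient(signed))
    print(verify_recipient(signed.replace("=alice@", "=mallory@")))
```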