Re: SV: Telnet auth

2018-10-17 Thread sercoinful
Hi,

When I replace "reject_unverified_sender" with "reject" it works. Thanks.

Regards



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html


Re: SV: Telnet auth

2018-10-17 Thread Wietse Venema
sercoinful:
> Hi,
> 
> I'm trying to use a configuration like the one below. But authentication from local to
> local via telnet is still not working. Anyone could send mail to local from
> local via telnet. Which part is not correct?

I see no 'reject' action in the rule with 'permit_sasl_authenticated'

Wietse

> main.cf
> smtpd_recipient_restrictions = permit_sasl_authenticated,
>     reject_unauth_destination
> smtpd_sender_restrictions = permit_sasl_authenticated, check_sender_access
>     hash:/etc/postfix/sender_access
> 
> /etc/postfix/sender_access
> xdomain.com reject_unverified_sender
> ydomain.com reject_unverified_sender
> 
> Regards
> 
> 
> 
> --
> Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html
> 


Re: SV: Telnet auth

2018-10-17 Thread sercoinful
Hi,

I'm trying to use a configuration like the one below. But authentication from local to
local via telnet is still not working. Anyone could send mail to local from
local via telnet. Which part is not correct?

main.cf
smtpd_recipient_restrictions = permit_sasl_authenticated,
    reject_unauth_destination
smtpd_sender_restrictions = permit_sasl_authenticated, check_sender_access
    hash:/etc/postfix/sender_access

/etc/postfix/sender_access
xdomain.com reject_unverified_sender
ydomain.com reject_unverified_sender

Regards



--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html


Re: SV: Telnet auth

2016-05-18 Thread /dev/rob0
Catalin Badirca  wrote:
> I will try to be more specific. Create a test account that can 
> send emails from postfix.

Send THROUGH Postfix is more accurate wording than send FROM.  Also, 
creation of the account does not matter.  By default there is no 
checking of sender addresses.

> Telnet on the postfix machine on port 25. Now send an email from 
> that test account to any other valid email on your domain. You will 
> see that you are allowed to do so without authentication. The whole 
> world can do that. I don't think you will want emails to be sent on 
> your user's behalf inside your domain.

Less common now than in years past, but there are still some 
legitimate reasons why this can happen.  Anyway, now your goal is 
clear.

> Is there any way postfix can stop that ?

On Wed, May 18, 2016 at 09:07:44PM +0200, Sebastian Nielsen wrote:
> Yes.
> Remove permit_sasl_authenticated and permit_mynetworks.
> Then add the following rule instead, immediately BEFORE
> reject_unauth_destination:
> check_sender_access hash:/etc/postfix/relay_auth
> 
> Inside the file relay_auth, which must be postmap:ed, you have the
> following:
> 
> yourdomain.com: permit_sasl_authenticated, reject

Two errors in that.  First, the colon is wrong.  Second, multiple 
results are not possible except when using restriction classes (and 
then, the result is still single: it's the name of the class.)

The OP continues to ask this question after it has been answered.
Refer back to Wietse's example given yesterday.  It was missing from 
my prior post because the actual goal, to prevent receipt of mail 
claiming to be from users@$mydomain from outside, was not yet clear.

However, I still recommend separation of inbound mail exchange from 
user-submitted mail, and this matter becomes more simple: just don't 
accept senders@$mydomain on port 25.

> This means when an outsider tries to send from let's say 
> t...@yourdomain.com to someot...@yourdomain.com without 
> authentication, the rule evaluated will be:
> " permit_sasl_authenticated, reject, reject_unauth_destination"

Again, this can only happen with restriction classes.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
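
Added example, not part of any post in this thread: the restriction-class form that the reply above refers to, written with the domain names from the 2018 messages. The class name "sasl_or_reject" is a hypothetical name chosen here.

```ini
# /etc/postfix/main.cf (fragment)
# "sasl_or_reject" is a hypothetical class name used only in this example.
smtpd_restriction_classes = sasl_or_reject
sasl_or_reject = permit_sasl_authenticated, reject

# A table lookup returns a single result; here that result is the class name,
# and the class expands to the two restrictions listed above.
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/sender_access

smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    reject_unauth_destination

# /etc/postfix/sender_access
# Before: only rejects sender addresses that fail address verification, so an
# unauthenticated client can still claim an existing local address:
#   xdomain.com   reject_unverified_sender
# After: only SASL-authenticated clients may use these sender domains.
xdomain.com   sasl_or_reject
ydomain.com   sasl_or_reject
```

Run "postmap /etc/postfix/sender_access" after editing the table, then "postfix reload". Unauthenticated clients inside mynetworks that use these sender domains are rejected as well, which is one reason to keep user submission separate from port 25.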


Re: SV: Telnet auth

2016-05-18 Thread Catalin Badirca
This is what I was looking for. Thank you very very much Sebastian. I will try
it right now and will post the result.

Sent from my iPhone

> On 18 May 2016, at 22:07, Sebastian Nielsen  wrote:
> 
> Yes.
> Remove permit_sasl_authenticated and permit_mynetworks.
> Then add the following rule instead, immediately BEFORE
> reject_unauth_destination:
> check_sender_access hash:/etc/postfix/relay_auth
> 
> Inside the file relay_auth, which must be postmap:ed, you have the
> following:
> 
> yourdomain.com: permit_sasl_authenticated, reject
> 
> This means when an outsider tries to send from let's say t...@yourdomain.com
> to someot...@yourdomain.com without authentication, the rule evaluated will
> be:
> " permit_sasl_authenticated, reject, reject_unauth_destination"
> The word "reject" comes before "reject_unauth_destination", thus the mail
> will be rejected despite being to an allowed domain.
> If you instead try to send from a non-"yourdomain.com" domain, then the
> check_sender_access will be skipped, and you will be allowed to send mail to
> local accounts.
> 
> This also has another advantage: authenticated accounts CANNOT send from
> another domain than your domain.
> 
> You can try for yourself. Try telnetting to this server: dns2.sebbe.eu which
> is my mail server.
> Then try to see if you can send spoofed mail originating from some account
> inside @sebbe.eu to sebast...@sebbe.eu
> 
> (I however use IP authentication, eg only mynetworks are allowed to relay,
> instead of account authentication)
> 
> -Original message-
> From: owner-postfix-us...@postfix.org
> [mailto:owner-postfix-us...@postfix.org] On behalf of Catalin Badirca
> Sent: 18 May 2016 20:53
> To: D'Arcy J.M. Cain 
> Cc: postfix-users@postfix.org
> Subject: Re: Telnet auth
> 
> I will try to be more specific. Create a test account that can send emails
> from postfix. Telnet on the postfix machine on port 25. Now send an email
> from that test account to any other valid email on your domain. You will see
> that you are allowed to do so without authentication. The whole world can do
> that. 
> I don't think you will want emails to be sent on your user's behalf inside
> your domain. 
> 
> Is there any way postfix can stop that ?
> 
> 
>> On 18 May 2016, at 14:08, D'Arcy J.M. Cain  wrote:
>> 
>> On Wed, 18 May 2016 13:22:49 +0300
>> Catalin Badirca  wrote:
>>> I've tried your suggestion and the issue remains. Someone could 
>>> telnet into postfix and would be allowed to send mails from a valid 
>>> address to another valid address in mydomain without authentication.
>>> 
>>> Is there any way I can stop potential spam for mydomain ?
>> 
>> What do you mean by "telnet into postfix"?  Are you saying that valid 
>> users on your system are spamming your other users?  All you can do 
>> there is monitor your own house and slap anyone who does that.  It 
>> doesn't matter whether they spam their fellow users or the whole world.
>> your users are your responsibility but that's not a technical issue.
>> 
>> If you mean that someone can connect to your port 25 and send your 
>> users spam then yes, welcome to the twenty-first century and the spam 
>> problem that everyone is fighting.  That's the daily fight we all 
>> have.  There are a number of spam mitigation techniques that you can 
>> try.  None of them are 100% effective.  You can block known spam 
>> sites, use SPF, greylisting and other tools to slow down spam at the 
>> SMTP level and spamassassin, bogofilter and other filters after to 
>> catch suspected spam after it is accepted.  Look at spam-fighting 
>> sites for some ideas.
>> 
>> If you do find a way to block 100% of all spam please tell us how.
>> Better yet, package it and sell it.  You will be a billionaire.
>> 
>> --
>> D'Arcy J.M. Cain
>> System Administrator, Vex.Net
>> http://www.Vex.Net/ IM:da...@vex.net
>> VoIP: sip:da...@vex.net
> 
>