SV: MAIL FROM validiity
SPF and DKIM is mail tools to prevent spoofing of non-local domains. OP was out after tools to prevent local spoofing. One is for example: 1: reject_sender_login_mismatch 2: Other is a check_sender_access table containing "yourdomain.com: permit_sasl_authenticated, reject". 3: Another one is reject_unlisted_sender Of course, all those tools perform a completely different check and they all can be used in unison. 1 would prevent all mismatches between login names and MAIL FROM. However, it won't prevent a unauthenticated client from sending a spoofed mail from a local mailbox X to a local mailbox Y (I think the tables can be setup to enforce this for unauthenticated clients too however). 2: This prevents authenticated senders from sending outside the domain the server is authorative for, but also prevents any unauthenticated client from spoofing the MAIL FROM as a local mailbox when sending mail that is targeted to a local mailbox. 3: This is a tool that prevents all unknown local adresses to be used as a sender. Another good thing with check_sender_access as described in 2 is that this can be used along with IP-based authentication (permit_mynetworks) to enforce so only specific domains can be used, and those domains cannot be used as a sender by unauthorized individuals, so even if you have SASL disabled, you can still enforce certain domains. -Ursprungligt meddelande- Från: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] För Matthias Fechner Skickat: den 14 mars 2016 21:05 Till: postfix-users@postfix.org Ämne: Re: MAIL FROM validiity Am 14.03.2016 um 12:50 schrieb Pascal Maes: > I would like that everybody who is sending mail from outside our network and > identified with sasl uses the email address corresponding to the uid. > The mail should be rejected if the uid and the email address do not match. I think a good start here is SPF and DKIM. With this you can enforce that now other email server should accept mails thats are not delivered over your email servers with your own domains. Gruß Matthias -- "Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the universe trying to produce bigger and better idiots. So far, the universe is winning." -- Rich Cook smime.p7s Description: S/MIME Cryptographic Signature
SV: MAIL FROM validiity
The rule is still a good idea to have even if you have a rule to reject a sasl mismatch, because the suggested rule also rejects mail which have a spoofed local sender destined for a local mailbox. Something that none of the standard rules can enforce. -Ursprungligt meddelande- Från: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] För Pascal Maes Skickat: den 14 mars 2016 12:50 Till: postfix-users@postfix.org Ämne: Re: MAIL FROM validiity > Le 12 mars 2016 à 17:28, @lbutlra écrit : > > On Mar 10, 2016, at 10:14 AM, Sebastian Nielsen wrote: >> Create a file containing the following (where yourdomain.com is the >> domain your authenticated users send from): >> >> yourdomain.com: permit_sasl_authenticated, reject >> >> postmap the file. >> >> Then use: >> smtpd_recipient_restrictions = >> ... >> check_sender_access hash:/path/to/file >> ... >> >> Note that permit_sasl_authenticated is removed from the recipient >> restrictions, because that is handled by check_sender_access. >> >> This will give two-fold security: >> Anyone that is authenticated, MUST use your domain to take advantage >> of authentication. Eg, if they send a mail from lets say >> some...@someotherdomain.com it will be "relay rejected" even if they >> authenticate. >> >> Also, the second "reject" in the map file, will force-reject anyone >> that attempts to use "yourdomain.com" as sender without >> authentication, causes everyone who tries to send a mail with your >> domain as sender, into a local mailbox, example: >> >> MAIL FROM: ad...@yourdomain.com >> RCPT TO: vic...@yourdomain.com >> >> That sender will then be rejected with the reason that the sender >> address is invalid, UNLESS they authenticate before. > > Ay comments on the advisability and utility of this method? At first blush it > seems a bit too good to be true. > > What’s the catch? > Well, perhaps it's working fine but it's not what I want. I would like that everybody who is sending mail from outside our network and identified with sasl uses the email address corresponding to the uid. The mail should be rejected if the uid and the email address do not match. -- Pascal smime.p7s Description: S/MIME Cryptographic Signature
SV: MAIL FROM validiity
Create a file containing the following (where yourdomain.com is the domain your authenticated users send from): yourdomain.com: permit_sasl_authenticated, reject postmap the file. Then use: smtpd_recipient_restrictions = ... check_sender_access hash:/path/to/file ... Note that permit_sasl_authenticated is removed from the recipient restrictions, because that is handled by check_sender_access. This will give two-fold security: Anyone that is authenticated, MUST use your domain to take advantage of authentication. Eg, if they send a mail from lets say some...@someotherdomain.com it will be "relay rejected" even if they authenticate. Also, the second "reject" in the map file, will force-reject anyone that attempts to use "yourdomain.com" as sender without authentication, causes everyone who tries to send a mail with your domain as sender, into a local mailbox, example: MAIL FROM: ad...@yourdomain.com RCPT TO: vic...@yourdomain.com That sender will then be rejected with the reason that the sender address is invalid, UNLESS they authenticate before. -Ursprungligt meddelande- Från: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] För Pascal Maes Skickat: den 10 mars 2016 14:54 Till: postfix-users@postfix.org Ämne: MAIL FROM validiity Hello, >From time to time, one of our users is caught by a phishing attempt. His account is then used to send spam and generally the MAIL FROM does not match one of our addresses. I found this to test the validity of the MAIL FROM /etc/postfix/main.cf : smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders smtpd_recipient_restrictions = ... reject_sender_login_mismatch permit_sasl_authenticated ... with /etc/postfix/controlled_envelope_senders (in our case) email uid but that will not be easy to implement here; for example, some addresses are used by a few people and we don't always know that. Would it be possible to test only the existence of the MAIL FROM ? Regards, -- Pascal smime.p7s Description: S/MIME Cryptographic Signature