Re: MAIL FROM validity

2016-03-14 Thread Sebastian Nielsen
SPF and DKIM are mail tools to prevent spoofing of non-local domains.
OP was after tools to prevent local spoofing.

One is for example:
1: reject_sender_login_mismatch
2: Other is a check_sender_access table containing
"yourdomain.com permit_sasl_authenticated, reject".
3: Another one is reject_unlisted_sender

Of course, all those tools perform a completely different check and they all 
can be used in unison.
1 would prevent all mismatches between login names and MAIL FROM. However, it 
won't prevent an unauthenticated client from sending a spoofed mail from a local 
mailbox X to a local mailbox Y (I think the tables can be set up to enforce this 
for unauthenticated clients too, however).
2: This prevents authenticated senders from sending outside the domain the 
server is authoritative for, but also prevents any unauthenticated client from 
spoofing the MAIL FROM as a local mailbox when sending mail that is targeted to 
a local mailbox.
3: This is a tool that prevents all unknown local addresses from being used as a 
sender.


Another good thing with check_sender_access as described in 2 is that this can 
be used along with IP-based authentication (permit_mynetworks) to enforce that 
only specific domains can be used, and those domains cannot be used as a sender 
by unauthorized individuals, so even if you have SASL disabled, you can still 
enforce certain domains.


-Original message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On behalf of Matthias Fechner
Sent: 14 March 2016 21:05
To: postfix-users@postfix.org
Subject: Re: MAIL FROM validity

On 14.03.2016 at 12:50, Pascal Maes wrote:
> I would like that everybody who is sending mail from outside our network and 
> identified with sasl uses the email address corresponding to the uid.
> The mail should be rejected if the uid and the email address do not match.

I think a good start here is SPF and DKIM.
With this you can enforce that no other email server should accept mails that 
are not delivered over your email servers with your own domains.

Regards
Matthias

-- 

"Programming today is a race between software engineers striving to build 
bigger and better idiot-proof programs, and the universe trying to produce 
bigger and better idiots. So far, the universe is winning." -- Rich Cook





Re: MAIL FROM validity

2016-03-14 Thread Sebastian Nielsen
The rule is still a good idea to have even if you have a rule to reject a sasl 
mismatch, because the suggested rule also rejects mail which has a spoofed 
local sender destined for a local mailbox.
Something that none of the standard rules can enforce.

-Original message-
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] 
On behalf of Pascal Maes
Sent: 14 March 2016 12:50
To: postfix-users@postfix.org
Subject: Re: MAIL FROM validity


> On 12 March 2016 at 17:28, @lbutlr wrote:
> 
> On Mar 10, 2016, at 10:14 AM, Sebastian Nielsen  wrote:
>> Create a file containing the following (where yourdomain.com is the 
>> domain your authenticated users send from):
>> 
>> yourdomain.com permit_sasl_authenticated, reject
>> 
>> postmap the file.
>> 
>> Then use:
>>  smtpd_recipient_restrictions =
>>  ...
>>  check_sender_access hash:/path/to/file
>>  ...
>> 
>> Note that permit_sasl_authenticated is removed from the recipient 
>> restrictions, because that is handled by check_sender_access.
>> 
>> This will give two-fold security:
>> Anyone that is authenticated, MUST use your domain to take advantage 
>> of authentication. E.g., if they send a mail from, let's say,
>> some...@someotherdomain.com it will be "relay rejected" even if they 
>> authenticate.
>> 
>> Also, the second "reject" in the map file will force-reject anyone 
>> that attempts to use "yourdomain.com" as sender without 
>> authentication. This affects everyone who tries to send a mail with 
>> your domain as sender into a local mailbox, for example:
>> 
>> MAIL FROM: ad...@yourdomain.com
>> RCPT TO: vic...@yourdomain.com
>> 
>> That sender will then be rejected with the reason that the sender 
>> address is invalid, UNLESS they authenticate before.
> 
> Any comments on the advisability and utility of this method? At first blush it 
> seems a bit too good to be true.
> 
> What’s the catch?
> 

Well, perhaps it's working fine but it's not what I want.


I would like that everybody who is sending mail from outside our network and 
identified with sasl uses the email address corresponding to the uid.
The mail should be rejected if the uid and the email address do not match.


--
Pascal









Re: MAIL FROM validity

2016-03-10 Thread Sebastian Nielsen
Create a file containing the following (where yourdomain.com is the domain
your authenticated users send from):
 
yourdomain.com permit_sasl_authenticated, reject

postmap the file.

Then use:
   smtpd_recipient_restrictions =
   ...
   check_sender_access hash:/path/to/file
   ...

Note that permit_sasl_authenticated is removed from the recipient
restrictions, because that is handled by check_sender_access.

This will give two-fold security:
Anyone that is authenticated, MUST use your domain to take advantage of
authentication. E.g., if they send a mail from, let's say,
some...@someotherdomain.com it will be "relay rejected" even if they
authenticate.

Also, the second "reject" in the map file will force-reject anyone that
attempts to use "yourdomain.com" as sender without authentication. This
affects everyone who tries to send a mail with your domain as sender into a
local mailbox, for example:

MAIL FROM: ad...@yourdomain.com
RCPT TO: vic...@yourdomain.com

That sender will then be rejected with the reason that the sender address is
invalid, UNLESS they authenticate before.

-Original message-
From: owner-postfix-us...@postfix.org
[mailto:owner-postfix-us...@postfix.org] On behalf of Pascal Maes
Sent: 10 March 2016 14:54
To: postfix-users@postfix.org
Subject: MAIL FROM validity

Hello,


From time to time, one of our users is caught by a phishing attempt.
His account is then used to send spam and generally the MAIL FROM does not
match one of our addresses.

I found this to test the validity of the MAIL FROM

/etc/postfix/main.cf :

   smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders


   smtpd_recipient_restrictions =
   ...
   reject_sender_login_mismatch
   permit_sasl_authenticated
   ...

with /etc/postfix/controlled_envelope_senders (in our case)

email   uid

but that will not be easy to implement here; for example, some addresses are
used by a few people and we don't always know that.


Would it be possible to test only the existence of the MAIL FROM ?


Regards,
-- 
Pascal
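
The three checks compared in this thread, and the check_sender_access recipe above, can be contrasted with a small decision model. This is an added example, not part of any post and not Postfix code; it simplifies each restriction to its documented behaviour, matches the table on the exact domain only, and all addresses and logins are constructed.

```python
# Simplified model of the sender checks discussed in this thread; it is not
# Postfix source code, and every address and login below is constructed.
LOCAL = "yourdomain.com"
LOGIN_MAPS = {                      # stands in for smtpd_sender_login_maps
    "alice@yourdomain.com": {"alice"},
    "sales@yourdomain.com": {"alice", "bob"},   # shared address
}
MAILBOXES = set(LOGIN_MAPS) | {"admin@yourdomain.com", "victim@yourdomain.com"}

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def login_mismatch(sender, login):
    """reject_sender_login_mismatch: a listed address needs its owner's login,
    and a logged-in client must own the address it sends from."""
    owners = LOGIN_MAPS.get(sender.lower())
    if owners is None:
        return "REJECT" if login else "DUNNO"
    return "DUNNO" if login in owners else "REJECT"

def unlisted_sender(sender, login):
    """reject_unlisted_sender: a local-domain sender must be a known address."""
    unknown = domain(sender) == LOCAL and sender.lower() not in MAILBOXES
    return "REJECT" if unknown else "DUNNO"

def sender_access(sender, login):
    """check_sender_access table: yourdomain.com permit_sasl_authenticated, reject"""
    if domain(sender) != LOCAL:
        return "DUNNO"              # no table entry matches, keep evaluating
    return "PERMIT" if login else "REJECT"

def permit_sasl(sender, login):
    """permit_sasl_authenticated."""
    return "PERMIT" if login else "DUNNO"

def evaluate(checks, sender, rcpt, login=None):
    """First non-DUNNO verdict wins; the final line stands in for
    reject_unauth_destination (only local recipients without a permit)."""
    for check in checks:
        verdict = check(sender, login)
        if verdict != "DUNNO":
            return verdict
    return "PERMIT" if domain(rcpt) == LOCAL else "REJECT"

PASCAL = [login_mismatch, permit_sasl]        # config from the first post
TABLE_ONLY = [sender_access]                  # the check_sender_access recipe
COMBINED = [login_mismatch, unlisted_sender, sender_access]
```

Calling `evaluate(TABLE_ONLY, "alice@yourdomain.com", "x@remote.example", "bob")` returns `PERMIT`, which is the uid/address mismatch Pascal wants rejected; the same call with `COMBINED` returns `REJECT`.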






