[Bug 160945] postfix allows unauthorised relay_domain use

2007-11-08 Thread StevenMcCoy
Public bug reported:

Binary package hint: postfix

Ubuntu 7.10, postfix 2.4.5-3ubuntu1

When configured as an Internet gateway I want postfix to forward
incoming mail to two intranet servers; they in turn relay outgoing mail
through it.  There is no submission, SSL, or TLS authentication.  The
problem is an external client can send mail to a user listed in
relay_domains using any valid relay_domain address.  I would have
thought relay_domain sender addresses should only be permitted from
mynetworks.

As a workaround to the problem I do this:

smtpd_sender_restrictions = permit_mynetworks,
    reject_unknown_sender_domain,
    check_sender_access hash:/etc/postfix/sender_access

permit_mynetworks allows internal mail to go out, and the
check_sender_access re-lists all the relay_domains with REJECT action.

The other restrictions prevent mail being relayed outside:

# context of SMTP HELO
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
    check_client_access hash:/etc/postfix/access,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname

# context of SMTP connection request
smtpd_client_restrictions = permit_mynetworks,
    check_client_access hash:/etc/postfix/access,
    reject_unknown_reverse_client_hostname,
    reject_rbl_client pbl.spamhaus.org,
    reject_rbl_client xbl.spamhaus.org,
    reject_rbl_client list.dsbl.org

# context of RCPT TO
smtpd_recipient_restrictions = permit_mynetworks,
    reject_unauth_destination,
    check_sender_access regexp:/etc/postfix/filter_10024_catchall,
    permit

content_filter = smtp-amavis:[127.0.0.1]:10026

** Affects: postfix (Ubuntu)
 Importance: Undecided
 Status: New

** Summary changed:

- postfix allows unauthorised relay_domain use
+ postfix allows unauthorised relay_domain spamming

** Description changed:

  Binary package hint: postfix
  
  Ubuntu 7.10, postfix 2.4.5-3ubuntu1
  
  When configured as an Internet gateway I want postfix to forward
- incoming mail to two remote servers, they in turn relay outgoing mail
+ incoming mail to two intranet servers, they in turn relay outgoing mail
  through it.  There is no submission, SSL, or TLS authentication.  The
  problem is an external client can send mail to a user listed in
  relay_domains using any valid relay_domain address.  I would have
  thought relay_domain sender addresses should only be permitted from
  mynetworks.
  
  As a work around to the problem I do this:
  
  smtpd_sender_restrictions = permit_mynetworks,
  reject_unknown_sender_domain, check_sender_access
  hash:/etc/postfix/sender_access
  
  permit_mynetworks allows internal mail to go out, and the
  check_sender_access re-lists all the relay_domains with REJECT action.

** Description changed:

  Binary package hint: postfix
  
  Ubuntu 7.10, postfix 2.4.5-3ubuntu1
  
  When configured as an Internet gateway I want postfix to forward
  incoming mail to two intranet servers, they in turn relay outgoing mail
  through it.  There is no submission, SSL, or TLS authentication.  The
  problem is an external client can send mail to a user listed in
  relay_domains using any valid relay_domain address.  I would have
  thought relay_domain sender addresses should only be permitted from
  mynetworks.
  
  As a work around to the problem I do this:
  
  smtpd_sender_restrictions = permit_mynetworks,
  reject_unknown_sender_domain, check_sender_access
  hash:/etc/postfix/sender_access
  
  permit_mynetworks allows internal mail to go out, and the
  check_sender_access re-lists all the relay_domains with REJECT action.
+ 
+ The other restrictions prevent mail being relayed outside:
+ 
+ # context of SMTP HELO
+ smtpd_helo_required = yes
+ smtpd_helo_restrictions = permit_mynetworks, check_client_access 
hash:/etc/postfix/access, reject_invalid_helo_hostname, 
reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
+ 
+ # context of SMTP connection request
+ smtpd_client_restrictions = permit_mynetworks, check_client_access 
hash:/etc/postfix/access, reject_unknown_reverse_client_hostname,
+ reject_rbl_client pbl.spamhaus.org,
+ reject_rbl_client xbl.spamhaus.org,
+ reject_rbl_client list.dsbl.org
+ 
+ # context of RCPT TO
+ smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination,
+ check_sender_access regexp:/etc/postfix/filter_10024_catchall,
+ permit
+ 
+ content_filter = smtp-amavis:[127.0.0.1]:10026

-- 
postfix allows unauthorised relay_domain spamming
https://bugs.launchpad.net/bugs/160945
You received this bug notification because you are a member of Ubuntu
Bugs, which is the bug contact for Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
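
Added example, not part of the original report or of Postfix itself: a simplified Python model of the workaround's smtpd_sender_restrictions order (permit_mynetworks, then check_sender_access), showing why a relay-domain sender address passes from the intranet and is rejected from outside. The networks and domains are constructed sample values, the lookup is a simplified two-key form (address, then domain), and reject_unknown_sender_domain is left out because it needs DNS.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the bug report).
MYNETWORKS = ["127.0.0.0/8", "192.168.10.0/24"]
RELAY_DOMAINS = ["example.com", "example.org"]


def build_sender_access(relay_domains):
    """Workaround table: every relay domain re-listed with a REJECT action."""
    return {d.lower(): "REJECT" for d in relay_domains}


def in_mynetworks(client_ip, networks=MYNETWORKS):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)


def lookup_sender(table, sender):
    """Simplified access-table lookup: full address first, then the domain."""
    sender = sender.lower()
    domain = sender.rpartition("@")[2]
    for key in (sender, domain):
        if key in table:
            return table[key]
    return None


def sender_restrictions(client_ip, sender, table):
    """First decisive result wins, in the order used by the workaround."""
    if in_mynetworks(client_ip):                    # permit_mynetworks
        return "PERMIT"
    if lookup_sender(table, sender) == "REJECT":    # check_sender_access
        return "REJECT"
    return "DUNNO"  # no match: the later restriction lists still apply


def sender_access_text(relay_domains):
    """Render the table as lines for /etc/postfix/sender_access."""
    table = build_sender_access(relay_domains)
    return "".join(f"{d}\tREJECT\n" for d in sorted(table))


if __name__ == "__main__":
    table = build_sender_access(RELAY_DOMAINS)
    sessions = [("192.168.10.25", "alice@example.com"),   # intranet server
                ("203.0.113.7", "alice@example.com"),     # outside, relay-domain sender
                ("203.0.113.7", "bob@elsewhere.test")]    # outside, unrelated sender
    for ip, sender in sessions:
        print(ip, sender, sender_restrictions(ip, sender, table))
```

The order matters: with check_sender_access placed before permit_mynetworks, the intranet servers' own outgoing mail would be rejected as well.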


Re: [Bug 160945] postfix allows unauthorised relay_domain use

2007-11-08 Thread Scott Kitterman
> ... I would have
> thought relay_domain sender addresses should only be permitted from
> mynetworks.

Postfix has extensive documentation and generally behaves as documented.
Please show me what in the documentation led you to think this?
