On 22.06.25 12:44, Matthew via Postfix-users wrote:
I'm a new user and during my testing I noticed some potentially
unintended behaviour with "reject_sender_login_mismatch" when SASL is
disabled on a master.cf port that leads to the ability to MAIL FROM
spoof senders on my domain to recipients within my domain.

I've had the same problem 3 years ago, perhaps you can study the thread where we
were discussing this:
https://marc.info/?t=165168138100003&r=1&w=2

In master.cf I use plain "smtp" (port 25) and a TLS wrapped
"submissions" (port 587). I have SASL enabled for the submissions
port but do not want any authentication offered on the plain SMTP port
(this is working wonders at reducing the number of brute-force
attacks).
"reject_sender_login_mismatch" of course is an alias for
"reject_authenticated_sender_login_mismatch,
reject_unauthenticated_sender_login_mismatch":
*reject_authenticated_sender_login_mismatch*
Reject the request when the client is authenticated with SASL,
but either the MAIL FROM address is not listed in
$smtpd_sender_login_maps
<https://www.postfix.org/postconf.5.html#smtpd_sender_login_maps>,
or the SASL login name is not an owner for that address.
This prevents an authenticated client from using a MAIL FROM
address that they do not explicitly own.
Note: to enforce that the From: header address matches the
envelope sender (MAIL FROM) address, use an external filter such
as a Milter, for the submission or submissions (formerly called
smtps) services. For example: https://github.com/magcks/milterfrom.
This feature is available in Postfix version 2.1 and later.
*reject_unauthenticated_sender_login_mismatch*
Reject the request when SASL is enabled, the MAIL FROM address
is listed in $smtpd_sender_login_maps
<https://www.postfix.org/postconf.5.html#smtpd_sender_login_maps>,
but the client is not authenticated with SASL.
With SASL enabled, this prevents an unauthenticated client from
using any MAIL FROM address that is listed in
$smtpd_sender_login_maps
<https://www.postfix.org/postconf.5.html#smtpd_sender_login_maps>.
Note: to enforce that the From: header address matches the
envelope sender (MAIL FROM) address, use an external filter such
as a Milter, for the submission or submissions (formerly called
smtps) services. For example: https://github.com/magcks/milterfrom.
This feature is available in Postfix version 2.1 and later.
Source: https://www.postfix.org/postconf.5.html
During my testing I noted that on the plain SMTP port a user could
MAIL FROM my domain to a user in my domain and Postfix would
cheerfully accept it - when I read more closely the above I then
realised the SASL needing to be enabled limitation.
I also looked at:
*reject_known_sender_login_mismatch*
When the client is authenticated with SASL, reject the request
when the MAIL FROM address is listed in $smtpd_sender_login_maps
<https://www.postfix.org/postconf.5.html#smtpd_sender_login_maps>,
but the SASL login name is not an owner for that address.
When the client is not authenticated with SASL, reject the
request when SASL is enabled, and the MAIL FROM address is
listed in $smtpd_sender_login_maps
<https://www.postfix.org/postconf.5.html#smtpd_sender_login_maps>.
This protects any MAIL FROM address that is listed in
$smtpd_sender_login_maps
<https://www.postfix.org/postconf.5.html#smtpd_sender_login_maps>,
while still allowing a client to use any unlisted MAIL FROM
address.
Note: to enforce that the From: header address matches the
envelope sender (MAIL FROM) address, use an external filter such
as a Milter, for the submission or submissions (formerly called
smtps) services. For example: https://github.com/magcks/milterfrom.
This feature is available in Postfix version 2.11 and later.
Which also has the "reject the request when SASL is enabled"
limitation that would not apply in my instance.
As a workaround I have smtpd_sender_restrictions including
"check_sender_access texthash:/etc/postfix/restricted_senders" and the
file containing each of my domains followed by " REJECT" (it would
not allow a variable such as $virtual_mailbox_domains). I would have
expected "reject_sender_login_mismatch" to include (or its child
"reject_unauthenticated_sender_login_mismatch") or even
"reject_known_sender_login_mismatch" to have included when a user is
not logged in because SASL is also disabled.
While the workaround exists it seems a bit of a hack to list the
domains again rather than make use of $smtpd_sender_login_maps and
without specifically testing this behaviour (From/To Postfix domain on
unauth port) could be easily missed.
I haven't provided full config as the manual is pretty self
explanatory on the behaviour (and it's working as designed) - and it's
that which I am querying. I'm also aware the From: header has no
protection from forged headers, but this is not what I am querying.
Is this a known issue or have I uncovered an interesting MAIL FROM
spoofing edge case?
Kind Regards,
Matthew
P.s. "Reporting problems to postfix-users@postfix.org" on
https://www.postfix.org/DEBUG_README.html#mail does not mention you
need to be joined otherwise messages are silently discarded like it
does on https://www.postfix.org/lists.html
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Emacs is a complicated operating system without good text editor.
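
Added example, not part of either message and not Postfix code: a small Python model of the restriction semantics quoted from postconf(5) above, showing why a service with SASL disabled accepts a MAIL FROM that is listed in smtpd_sender_login_maps, and how the check_sender_access workaround closes that gap. The addresses, logins, table contents and the evaluate() helper are constructed for illustration; the access table lookup is simplified to full address, then domain.

```python
# Model of the restriction semantics quoted from postconf(5); not Postfix code.
# All addresses, logins and table contents are constructed sample data.
SENDER_LOGIN_MAPS = {"alice@example.com": {"alice"}, "bob@example.com": {"bob"}}
RESTRICTED_SENDERS = {"example.com": "REJECT"}  # workaround table: one line per domain


def auth_mismatch(sasl_enabled, login, sender):
    """reject_authenticated_sender_login_mismatch: only for authenticated clients."""
    return login is not None and login not in SENDER_LOGIN_MAPS.get(sender, set())


def unauth_mismatch(sasl_enabled, login, sender):
    """reject_unauthenticated_sender_login_mismatch: needs SASL enabled on the service."""
    return sasl_enabled and login is None and sender in SENDER_LOGIN_MAPS


def sender_access(sasl_enabled, login, sender):
    """check_sender_access, simplified: look up the full address, then its domain."""
    domain = sender.rpartition("@")[2]
    return RESTRICTED_SENDERS.get(sender, RESTRICTED_SENDERS.get(domain)) == "REJECT"


# reject_sender_login_mismatch is the alias for both mismatch checks.
LOGIN_MISMATCH = [auth_mismatch, unauth_mismatch]


def evaluate(restrictions, sasl_enabled, login, sender):
    """Return 'reject' if any restriction fires, else 'accept'."""
    for restriction in restrictions:
        if restriction(sasl_enabled, login, sender):
            return "reject"
    return "accept"


if __name__ == "__main__":
    with_table = LOGIN_MISMATCH + [sender_access]
    cases = [
        ("smtp, SASL off, no workaround", LOGIN_MISMATCH, False, None, "alice@example.com"),
        ("smtp, SASL off, workaround", with_table, False, None, "alice@example.com"),
        ("smtp, SASL off, outside sender", with_table, False, None, "carol@example.org"),
        ("submissions, alice as alice", LOGIN_MISMATCH, True, "alice", "alice@example.com"),
        ("submissions, alice as bob", LOGIN_MISMATCH, True, "alice", "bob@example.com"),
        ("submissions, not logged in", LOGIN_MISMATCH, True, None, "alice@example.com"),
    ]
    for name, restrictions, sasl, login, sender in cases:
        print(f"{name:32} {evaluate(restrictions, sasl, login, sender)}")
```

The model applies the domain table only to the service with SASL disabled; how the submissions service is kept clear of it is not stated in the thread.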