Hello,

I'm a new user and during my testing I noticed some potentially
unintended behaviour with "reject_sender_login_mismatch" when SASL is
disabled on a master.cf port that leads to the ability to MAIL FROM
spoof senders on my domain to recipients within my domain.

In master.cf I use plain "smtp" (port 25) and a TLS wrapped
"submissions" (port 587). I have SASL enabled for the submissions port
but do not want any authentication offered on the plain SMTP port (this
is working wonders at reducing the number of brute-force attacks).

"reject_sender_login_mismatch" of course is an alias for
"reject_authenticated_sender_login_mismatch,
reject_unauthenticated_sender_login_mismatch":

    *reject_authenticated_sender_login_mismatch*

    Reject the request when the client is authenticated with SASL,
    but either the MAIL FROM address is not listed in
    $smtpd_sender_login_maps
    <https://www.postfix.org/postconf.5.html#smtpd_sender_login_maps>,
    or the SASL login name is not an owner for that address.
    This prevents an authenticated client from using a MAIL FROM
    address that they do not explicitly own.

    Note: to enforce that the From: header address matches the
    envelope sender (MAIL FROM) address, use an external filter such
    as a Milter, for the submission or submissions (formerly called
    smtps) services. For example: https://github.com/magcks/milterfrom.

    This feature is available in Postfix version 2.1 and later.

    *reject_unauthenticated_sender_login_mismatch*

    Reject the request when SASL is enabled, the MAIL FROM address
    is listed in $smtpd_sender_login_maps
    <https://www.postfix.org/postconf.5.html#smtpd_sender_login_maps>,
    but the client is not authenticated with SASL.
    With SASL enabled, this prevents an unauthenticated client from
    using any MAIL FROM address that is listed in
    $smtpd_sender_login_maps
    <https://www.postfix.org/postconf.5.html#smtpd_sender_login_maps>.

    Note: to enforce that the From: header address matches the
    envelope sender (MAIL FROM) address, use an external filter such
    as a Milter, for the submission or submissions (formerly called
    smtps) services. For example: https://github.com/magcks/milterfrom.

    This feature is available in Postfix version 2.1 and later.

Source: https://www.postfix.org/postconf.5.html

During my testing I noted that on the plain SMTP port a user could MAIL
FROM my domain to a user in my domain and Postfix would cheerfully
accept it - when I read more closely the above I then realised the SASL
needing to be enabled limitation.

I also looked at:

    *reject_known_sender_login_mismatch*

    When the client is authenticated with SASL, reject the request
    when the MAIL FROM address is listed in $smtpd_sender_login_maps
    <https://www.postfix.org/postconf.5.html#smtpd_sender_login_maps>,
    but the SASL login name is not an owner for that address.
    When the client is not authenticated with SASL, reject the
    request when SASL is enabled, and the MAIL FROM address is
    listed in $smtpd_sender_login_maps
    <https://www.postfix.org/postconf.5.html#smtpd_sender_login_maps>.
    This protects any MAIL FROM address that is listed in
    $smtpd_sender_login_maps
    <https://www.postfix.org/postconf.5.html#smtpd_sender_login_maps>,
    while still allowing a client to use any unlisted MAIL FROM
    address.

    Note: to enforce that the From: header address matches the
    envelope sender (MAIL FROM) address, use an external filter such
    as a Milter, for the submission or submissions (formerly called
    smtps) services. For example: https://github.com/magcks/milterfrom.

    This feature is available in Postfix version 2.11 and later.

Which also has the "reject the request when SASL is enabled" limitation
that would not apply in my instance.

As a workaround I have smtpd_sender_restrictions including
"check_sender_access texthash:/etc/postfix/restricted_senders" and the
file containing each of my domains followed by " REJECT" (it would not
allow a variable such as $virtual_mailbox_domains). I would have
expected "reject_sender_login_mismatch" to include (or its child
"reject_unauthenticated_sender_login_mismatch") or even
"reject_known_sender_login_mismatch" to have included when a user is not
logged in because SASL is also disabled.

While the workaround exists it seems a bit of a hack to list the domains
again rather than make use of $smtpd_sender_login_maps and without
specifically testing this behaviour (From/To Postfix domain on unauth
port) could be easily missed.

I haven't provided full config as the manual is pretty self-explanatory
on the behaviour (and it's working as designed) - and it's that which I
am querying. I'm also aware the From: header has no protection from
forged headers, but this is not what I am querying.

Is this a known issue or have I uncovered an interesting MAIL FROM
spoofing edge case?

Kind Regards,
Matthew

P.S. "Reporting problems to postfix-users@postfix.org" on
https://www.postfix.org/DEBUG_README.html#mail does not mention you need
to be joined otherwise messages are silently discarded like it does on
https://www.postfix.org/lists.html
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
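
Added example (not part of the original message, and not Postfix code): a small Python model of the three restrictions as the postconf(5) text quoted above documents them, next to the check_sender_access workaround, evaluated for a service with and without SASL. The addresses, the example.com domain, the Session type and the domain-only access lookup are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data, not from the original message.
# Stands in for $smtpd_sender_login_maps: MAIL FROM address -> owning SASL logins.
LOGIN_MAPS = {"alice@example.com": {"alice"}}
# Stands in for the workaround texthash file: one "<domain> REJECT" row per domain.
RESTRICTED_SENDERS = {"example.com": "REJECT"}

@dataclass
class Session:                       # hypothetical type for this model
    sasl_enabled: bool               # is SASL offered on this master.cf service?
    sasl_login: Optional[str]        # None = client did not authenticate
    mail_from: str

def reject_authenticated_sender_login_mismatch(s: Session) -> bool:
    if s.sasl_login is None:
        return False
    return s.sasl_login not in LOGIN_MAPS.get(s.mail_from, set())

def reject_unauthenticated_sender_login_mismatch(s: Session) -> bool:
    # The "when SASL is enabled" clause is what lets a SASL-less service through.
    return s.sasl_enabled and s.sasl_login is None and s.mail_from in LOGIN_MAPS

def reject_sender_login_mismatch(s: Session) -> bool:
    return (reject_authenticated_sender_login_mismatch(s)
            or reject_unauthenticated_sender_login_mismatch(s))

def reject_known_sender_login_mismatch(s: Session) -> bool:
    if s.mail_from not in LOGIN_MAPS:
        return False                 # unlisted senders are always allowed
    if s.sasl_login is not None:
        return s.sasl_login not in LOGIN_MAPS[s.mail_from]
    return s.sasl_enabled            # unauthenticated: only rejects if SASL is on

def check_sender_access(s: Session) -> bool:
    # Simplified to an exact sender-domain lookup; ignores SASL state entirely.
    domain = s.mail_from.rpartition("@")[2].lower()
    return RESTRICTED_SENDERS.get(domain) == "REJECT"

def verdicts(s: Session) -> dict:
    checks = (reject_sender_login_mismatch, reject_known_sender_login_mismatch,
              check_sender_access)
    return {c.__name__: c(s) for c in checks}

if __name__ == "__main__":
    port25 = Session(sasl_enabled=False, sasl_login=None, mail_from="alice@example.com")
    port587 = Session(sasl_enabled=True, sasl_login=None, mail_from="alice@example.com")
    print("smtp (no SASL):", verdicts(port25))
    print("submissions   :", verdicts(port587))
```

Because the access-table lookup ignores SASL state, it also matches an authenticated sender in the listed domain, so it has to be scoped to the SASL-less service or evaluated after a permit for authenticated clients.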