Hello all, I use Postfix with a MySQL database for the user lookups. I have recently found an information leak with the RCPT TO command.

Here is an example:

    telnet mailserver 25
    Trying XXX.XXX.XXX.XXX...
    Connected to mailserver.
    Escape character is '^]'.
    220 mailserver ESMTP
    helo mail
    250 mailserver
    mail from: t...@test.com
    250 2.1.0 Ok
    rcpt to: clau...@atpss.net
    250 2.1.5 Ok
    rcpt to: root
    250 2.1.5 Ok
    rcpt to: test
    550 5.1.1 <test>: Recipient address rejected: User unknown in local recipient table

As you can see, RCPT TO permits verifying the user, not only virtual users but also real ones (like root). Is there any solution to fix that information leak on my systems? Something like an RCPT deny for some users, or for all the real users....

Here is my postconf -n:

    alias_maps = hash:/etc/aliases
    biff = no
    canonical_maps = hash:/etc/postfix/canonical
    command_directory = /usr/sbin
    config_directory = /etc/postfix
    daemon_directory = /usr/lib/postfix
    data_directory = /var/lib/postfix
    debug_peer_level = 2
    defer_transports =
    disable_dns_lookups = no
    disable_mime_output_conversion = no
    disable_vrfy_command = yes
    html_directory = /usr/share/doc/packages/postfix/html
    inet_interfaces = localhost
    inet_protocols = ipv4
    local_transport = local
    mail_owner = postfix
    mail_spool_directory = /var/spool/mail
    mailbox_command = /usr/lib/dovecot/deliver
    mailbox_size_limit = 0
    mailbox_transport =
    mailq_path = /usr/bin/mailq
    manpage_directory = /usr/share/man
    masquerade_classes = envelope_sender, header_sender, header_recipient
    masquerade_domains =
    masquerade_exceptions = root
    message_size_limit = 15360000
    mydestination = $myhostname, localhost.$mydomain
    mydomain = [hidden]
    myhostname = [hidden]
    mynetworks = [hidden]
    mynetworks_style = subnet
    myorigin = $myhostname
    newaliases_path = /usr/bin/newaliases
    queue_directory = /var/spool/postfix
    readme_directory = /usr/share/doc/packages/postfix/README_FILES
    recipient_delimiter = -
    relay_domains = $mydestination
    relayhost =
    relocated_maps = hash:/etc/postfix/relocated
    sample_directory = /usr/share/doc/packages/postfix/samples
    sender_canonical_maps = hash:/etc/postfix/sender_canonical
    sendmail_path = /usr/sbin/sendmail
    setgid_group = maildrop
    smtp_sasl_auth_enable = no
    smtp_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtp_tls_cert_file = /etc/postfix/ssl/certs/postfixcert.pem
    smtp_tls_key_file = /etc/postfix/ssl/certs/postfixkey.pem
    smtp_tls_loglevel = 1
    smtp_use_tls = yes
    smtpd_banner = $myhostname ESMTP $mail_name
    smtpd_client_restrictions =
    smtpd_helo_required = no
    smtpd_helo_restrictions =
    smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/dspam_learning, permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_unauth_destination, check_policy_service inet:127.0.0.1:10031 check_recipient_access hash:/etc/postfix/dspam_domains
    smtpd_sasl_auth_enable = no
    smtpd_sender_restrictions = hash:/etc/postfix/access
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_CApath = /etc/postfix/ssl
    smtpd_tls_cert_file = /etc/postfix/ssl/certs/postfixcert.pem
    smtpd_tls_key_file = /etc/postfix/ssl/certs/postfixkey.pem
    smtpd_use_tls = yes
    strict_8bitmime = no
    strict_rfc821_envelopes = no
    transport_maps = hash:/etc/postfix/transport
    unknown_local_recipient_reject_code = 550
    virtual_alias_domains = hash:/etc/postfix/virtual
    virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
    virtual_gid_maps = static:51
    virtual_mailbox_base = /var/mail/virtual
    virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
    virtual_mailbox_limit = 524288000
    virtual_mailbox_maps = $transport_maps, mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
    virtual_minimum_uid = 51
    virtual_transport = dovecot
    virtual_uid_maps = static:51

Any hint is well accepted.

Cordially,
Claudio Prono.
-- 
--------------------------------------------------------------------------------
Claudio Prono
OPST System Developer
Gsm: +39-349-54.33.258
@PSS Srl
Tel: +39-011-32.72.100
Via San Bernardino, 17
Fax: +39-011-32.46.497
10141 Torino - ITALY
http://atpss.net/disclaimer
--------------------------------------------------------------------------------
PGP Key - http://keys.atpss.net/c_prono.asc
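The probe in the post above, replayed against a tiny Postfix-like responder over a socketpair, as an added example that is not part of the original message or of Postfix itself. It shows why a bare "root" is accepted (Postfix appends $myorigin to an unqualified recipient, so the lookup is really root@$myorigin, which is a local user), and what changes when an access table gives mail to system accounts the same 550 reply that an unknown user gets. MYORIGIN, LOCAL_USERS, VIRTUAL_MAILBOXES, PROTECTED and the sender address are constructed for the demo; they stand in for $myorigin, /etc/passwd, the MySQL virtual_mailbox_maps and a check_recipient_access table.

```python
"""Added example: socketpair model of the RCPT TO user-enumeration probe and of
one mitigation (an access table that makes system accounts answer exactly like
unknown users).  All tables and names are constructed for the demo."""
import socket
import threading

MYORIGIN = "mailserver.example"                          # assumed; stands in for $myorigin
LOCAL_USERS = {"root", "postfix", "claudio"}             # constructed /etc/passwd users
VIRTUAL_MAILBOXES = {"claudio@atpss.net", "info@atpss.net"}   # constructed MySQL rows

# Reply text Postfix uses for an unlisted local recipient with reject code 550.
UNKNOWN_550 = ("550 5.1.1 <{addr}>: Recipient address rejected: "
               "User unknown in local recipient table")

# Emulates check_recipient_access entries of the form "key  550 text": the
# protected local accounts get the same reply as a user that does not exist.
PROTECTED = {f"{u}@{MYORIGIN}": UNKNOWN_550 for u in ("root", "postfix")}


def qualify(addr):
    """Postfix appends $myorigin to a bare user name (append_at_myorigin = yes)."""
    return addr if "@" in addr else f"{addr}@{MYORIGIN}"


def recipient_reply(addr, protected_access=None):
    """Reply a Postfix-like smtpd gives to RCPT TO:<addr>, given the tables above."""
    full = qualify(addr)
    if protected_access and full in protected_access:
        return protected_access[full].format(addr=addr)
    user, _, domain = full.partition("@")
    if (domain == MYORIGIN and user in LOCAL_USERS) or full in VIRTUAL_MAILBOXES:
        return "250 2.1.5 Ok"
    return UNKNOWN_550.format(addr=addr)


def _readline(sock):
    """Read one CRLF-terminated SMTP line; None when the peer hangs up."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:
            return None
        buf += chunk
    return buf[:-2].decode()


def serve(sock, protected_access=None):
    """Just enough of the server side of the dialogue shown in the post."""
    sock.sendall(b"220 mailserver ESMTP\r\n")
    while True:
        line = _readline(sock)
        if line is None:
            return
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            reply = "250 mailserver"
        elif verb == "MAIL":
            reply = "250 2.1.0 Ok"
        elif verb == "RCPT":
            addr = arg.split(":", 1)[1].strip().strip("<>")
            reply = recipient_reply(addr, protected_access)
        elif verb == "QUIT":
            sock.sendall(b"221 2.0.0 Bye\r\n")
            return
        else:
            reply = "502 5.5.2 Error: command not recognized"
        sock.sendall((reply + "\r\n").encode())


def enumerate_users(sock, candidates, sender="t@test.com"):
    """Client side of the probe: one MAIL FROM, then one RCPT TO per candidate.
    Returns {candidate: True if the recipient was accepted (250), else False}."""
    def cmd(text):
        sock.sendall((text + "\r\n").encode())
        return _readline(sock) or ""

    _readline(sock)                        # 220 banner
    cmd("HELO mail")
    cmd(f"MAIL FROM:<{sender}>")           # constructed sender address
    found = {name: cmd(f"RCPT TO:<{name}>").startswith("250") for name in candidates}
    cmd("QUIT")
    return found


def run_probe(candidates, protected_access=None):
    """Run server and client over a socketpair so the demo works offline."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=serve, args=(server, protected_access))
    worker.start()
    try:
        return enumerate_users(client, candidates)
    finally:
        client.close()
        worker.join()
        server.close()


if __name__ == "__main__":
    names = ["claudio@atpss.net", "root", "test"]
    print("as configured:     ", run_probe(names))              # root reported as valid
    print("with access table: ", run_probe(names, PROTECTED))   # root now looks unknown
```

On a real Postfix the PROTECTED table corresponds to an access(5) map such as `root@mailserver.example  550 5.1.1 <root@mailserver.example>: Recipient address rejected: User unknown in local recipient table` (the "5NN text" action form), listed as `check_recipient_access hash:/etc/postfix/protected_recipients` after `permit_mynetworks` in smtpd_recipient_restrictions so that hosts in $mynetworks can still reach root. Two caveats a practitioner should keep in mind: the reply text must match the unknown-user reply exactly, or the two cases remain distinguishable; and virtual mailboxes stay enumerable, because rejecting unknown recipients at RCPT time is deliberate (the alternative, accept-then-bounce, generates backscatter), so the remaining lever is to make probing expensive with smtpd_hard_error_limit and smtpd_error_sleep_time rather than to hide the answer.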