Took out localhost references from mynetworks on the ciphermail host and now it’s doing what I think I originally expected:
May 21 22:38:17 cmx01.la1.blah.com postfix/smtpd[322660]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 554 5.7.1 <yu...@ec2-6-7-8-9.us-east-2.compute.amazonaws.com>: Relay access denied; from=<jer...@blah.com> to=<yu...@ec2-6-7-8-9.us-east-2.compute.amazonaws.com> proto=ESMTP helo=<smtp.coldlogix.com>

So what am I breaking by not having localhost defined in mynetworks? I tested typical mail and it still delivers… Hmm.

Thanks!
-jeremy

> On May 21, 2022, at 10:32 PM, Jeremy Hansen <jer...@skidrow.la> wrote:
>
>> On May 21, 2022, at 10:06 PM, Nick Tait <n...@tait.net.nz> wrote:
>>
>> On 21/05/22 19:09, Jeremy Hansen wrote:
>>> Two MTAs, one is running Ciphermail. The ciphermail host relays mail to
>>> the “permanent home” MTA where mail gets delivered to users and dovecot
>>> runs for retrieval of mail. The hosts are internal only hosts. SSH port
>>> forwarding is being used to basically export port 25 from the Ciphermail
>>> host to an externally accessible AWS node. I guess the idea is if the
>>> instance gets compromised, they’re not actually on the real MTA. This,
>>> again, is where I’m saying “don’t do that” isn’t really in my control and
>>> I’d like to just make this work without trying to alter the overall design.
>>
>> Hi Jeremy.
>>
>> Ironically, it looks like the act of 'securing' your MTA by using SSH
>> tunnelling has actually turned it into an open relay.
>>
>> This is because the SSH tunnel proxies the connection at the TCP layer,
>> meaning that from your MTA's perspective, the (internet-originating) SMTP
>> connections appear to come from the loopback address. This is shown in the
>> first line of the Ciphermail log.
>
> Now that’s interesting… :-)
>
> This may be the explanation as to why this is even happening because I really
> didn’t expect it to accept this mail in the first place since the user and
> domain is nothing I have explicitly configured, but if it’s being tricked by
> looking like it’s coming from localhost, that would make a lot of sense.
>
> So if I used something like HA Proxy like I believe someone else suggested,
> perhaps it would show the actual IP of the client instead of localhost?
>
> If I remove localhost from my allows, I assume this would be enough to test
> this theory.
>
>> May 20 23:16:33 cmx01.la1.blah.com postfix/smtpd[285694]: connect from localhost[127.0.0.1]
>>
>> Your Ciphermail configuration defines mynetworks as follows:
>>
>> mynetworks = 127.0.0.0/8, [::1]/128, ${djigzo_mynetworks}
>>
>> And so when you specify "permit_mynetworks" in smtpd_mumble_restrictions,
>> you are allowing all internet-originating connections to bypass all of your
>> security checks:
>>
>> smtpd_helo_restrictions =
>> smtpd_sender_restrictions =
>> smtpd_relay_restrictions = ${{$compatibility_level} < {1} ? {} :
>> {permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination}}
>> smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination
>> ${djigzo_rbl_clients} ${djigzo_reject_unverified_recipient?
>> reject_unverified_recipient}
>> smtpd_data_restrictions =
>> smtpd_end_of_data_restrictions =
>>
>> Sorry, but my only suggestion is "don't do that"! :-(
>
> Trust me, I don’t want to do this but with this discovery, perhaps I can
> approach it a different way to satisfy things...
>
>> Nick.
signature.asc
Description: Message signed with OpenPGP
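As an added illustration of the point made in this thread (example code written for this page, not code from the thread, from Postfix, or from Ciphermail): a small Python model of the `permit_mynetworks reject_unauth_destination` evaluation that Nick quotes, applied to a client that an SSH port forward delivers from 127.0.0.1. It also scans constructed smtpd log lines for connections arriving on loopback, which on a host reached only through a TCP tunnel are really external peers whose source address has been lost. `RELAY_DOMAINS`, the sample log lines, the recipient address, the helper names and the simplified restriction chain are all assumptions made for the example, not Postfix's actual implementation.

```python
# Added example (not from the thread, Postfix or Ciphermail): a toy model of
# the client-address check the thread discusses.  The restriction chain is a
# simplification of 'permit_mynetworks reject_unauth_destination'.
import ipaddress
import re

# Constructed assumption: domains this MTA accepts mail for (its own domains).
RELAY_DOMAINS = {"blah.com"}

# Matches the "connect from name[addr]" lines postfix/smtpd writes.
CONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from \S+?\[([^\]]+)\]")


def parse_mynetworks(value):
    """Turn a mynetworks string into ip_network objects.

    Handles bare addresses, CIDR ranges and Postfix's bracketed IPv6 form
    ("[::1]/128").  ${...} macros such as ${djigzo_mynetworks} are skipped
    because their expansion is not known here.
    """
    nets = []
    for item in re.split(r"[,\s]+", value.strip()):
        if not item or item.startswith("$"):
            continue
        item = item.replace("[", "").replace("]", "")
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def loopback_entries(mynetworks):
    """Entries that grant relay rights to anything arriving via a TCP-level
    proxy on loopback (an SSH -L/-R forward, HAProxy in plain TCP mode)."""
    v4, v6 = ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")
    return [net for net in mynetworks if v4 in net or v6 in net]


def check_recipient(client_ip, recipient, mynetworks):
    """Simplified evaluation of 'permit_mynetworks reject_unauth_destination'
    for one RCPT TO, given the client address smtpd sees."""
    client = ipaddress.ip_address(client_ip)
    if any(client in net for net in mynetworks):
        return "PERMIT permit_mynetworks"
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in RELAY_DOMAINS:
        return "PERMIT authorized destination"
    return "REJECT 554 5.7.1 Relay access denied"


def loopback_connections(log_lines):
    """Client addresses of smtpd connections that arrived on loopback.
    Postfix logs IPv6 clients as name[IPv6:addr]; the prefix is stripped."""
    hits = []
    for line in log_lines:
        m = CONNECT_RE.search(line)
        if not m:
            continue
        raw = m.group(1)
        if raw.startswith("IPv6:"):
            raw = raw[len("IPv6:"):]
        addr = ipaddress.ip_address(raw)
        if addr.is_loopback:
            hits.append(str(addr))
    return hits


# Constructed sample data so the example runs stand-alone.
CIPHERMAIL_MYNETWORKS = "127.0.0.0/8, [::1]/128, ${djigzo_mynetworks}"
HARDENED_MYNETWORKS = "${djigzo_mynetworks}"  # loopback ranges removed
SAMPLE_LOG = [
    "May 20 23:16:33 cmx01 postfix/smtpd[285694]: connect from localhost[127.0.0.1]",
    "May 20 23:17:02 cmx01 postfix/smtpd[285694]: connect from mail.example.net[192.0.2.10]",
    "May 20 23:17:40 cmx01 postfix/smtpd[285695]: connect from localhost[IPv6:::1]",
]
EXTERNAL_RCPT = "someone@ec2-6-7-8-9.us-east-2.compute.amazonaws.com"

if __name__ == "__main__":
    before = parse_mynetworks(CIPHERMAIL_MYNETWORKS)
    after = parse_mynetworks(HARDENED_MYNETWORKS)
    print("loopback entries before:", [str(n) for n in loopback_entries(before)])
    print("tunnelled client, before:", check_recipient("127.0.0.1", EXTERNAL_RCPT, before))
    print("tunnelled client, after: ", check_recipient("127.0.0.1", EXTERNAL_RCPT, after))
    print("mail for own domain, after:", check_recipient("127.0.0.1", "user@blah.com", after))
    print("loopback connections in log:", loopback_connections(SAMPLE_LOG))
```

Run as a script, the "before" case returns `PERMIT permit_mynetworks` for the tunnelled client even though the recipient domain is foreign, which is the open-relay condition; with the loopback ranges gone the same RCPT is refused with `Relay access denied`, matching the log line at the top of the message, while mail for the MTA's own domains is still accepted. The trade-off behind the "what am I breaking" question is visible in the model too: once 127.0.0.0/8 is out of mynetworks, any local process that submits by connecting to 127.0.0.1:25 (rather than through the sendmail/pickup path) no longer gets the permit_mynetworks exemption and needs SASL or another permit rule to relay. If the real client address is wanted instead of the tunnel endpoint, the HAProxy route mentioned in the thread works only if the proxy speaks the PROXY protocol and Postfix is told to expect it (`smtpd_upstream_proxy_protocol = haproxy`); a plain TCP forward still hides the peer.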