Yep. Totally agree.
In fact, these ports (25, 465 and 587) aren't even exposed off
docker-compose. So that's guaranteed at the container level. Entering
the container can only be done through the proxy protocol and its ports
on the container-set. This will basically simplify all my future moves
to new servers and will minimize the chance of any mistakes happening.
Cheers,
Sam
On 23/12/2022 9:47 PM, Demi Marie Obenour wrote:
> On 12/23/22 09:58, Samer Afach wrote:
>> Dear postfix experts:
>> I think I'm getting to the end of this problem. I was able to use
>> haproxy to relay connections to my docker container with correct source
>> information (and I'm seeing the correct IP addresses in the logs of
>> postfix/dovecot). I would appreciate it if you could take a look at my
>> settings before going public and changing the MX records back to this
>> server.
>> How I tested: I was actively blocking/unblocking firewalls,
>> starting/stopping containers (start, test, stop), and in every step, I
>> ran swaks, with one of these configurations (in fact, I'm planning to
>> automate these tests and run them periodically, what a nice tool this
>> turned out to be):
>> swaks --to a...@example.com --from=b...@example.com --server mail.example.com:587 --tls
>> swaks --to a...@example.com --from=b...@example.com --server mail.example.com:465 --tlsc
>> swaks --to a...@example.com --from=b...@example.com --server mail.example.com:25 --tls
>> swaks --to a...@example.com --from=b...@example.com --server mail.example.com:25
>> I was consistently getting the result "Access denied" in swaks, which I
>> hope means that no relaying is possible anymore. Meanwhile, I succeeded
>> in sending messages with Thunderbird with proper authentication.
>> Email relaying was only possible when sending emails with swaks through
>> localhost (even though it's going through the proxy in localhost), i.e.:
>> swaks --to a...@example.com --from=b...@example.com --server 127.0.0.1:587 --tls
>> swaks --to a...@example.com --from=b...@example.com --server 127.0.0.1:465 --tlsc
>> swaks --to a...@example.com --from=b...@example.com --server 127.0.0.1:25 --tls
>> swaks --to a...@example.com --from=b...@example.com --server 127.0.0.1:25
>> Does this constitute proof that relaying isn't possible anymore?
> You need to ensure that the outside world cannot connect to Postfix or
> Dovecot directly, bypassing HAProxy.
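An added example, not code from anyone in this thread, of the periodic relay test Samer says he plans to automate. It builds the same four swaks variants (STARTTLS on 587 and 25, implicit TLS on 465, plain on 25), classifies a swaks transcript by the SMTP reply codes it contains (Postfix's reject_unauth_destination answers an unauthenticated relay attempt at RCPT TO with "554 5.7.1 ... Relay access denied", which is the "Access denied" swaks reports; "250 2.0.0 Ok: queued" after DATA means the message was accepted, i.e. relayed), and passes only when every external probe is refused. The host name and addresses are placeholders taken from the thread, the transcripts in the test are constructed, and RUN_LIVE is a hypothetical switch for running swaks against a real server.

```shell
#!/bin/sh
# Added example (not from the thread): a cron-friendly "is relaying still
# denied?" harness around swaks. Placeholders: mail.example.com and the
# a@/b@example.com addresses come from the thread; RUN_LIVE is hypothetical.

MAIL_HOST="mail.example.com"   # placeholder host from the thread
FROM_ADDR="b@example.com"      # constructed sender
TO_ADDR="a@example.com"        # constructed recipient

# Build the swaks invocation for one port, mirroring the thread's variants:
# 465 is implicit TLS (--tlsc); 25 and 587 use STARTTLS (--tls) or plain text.
swaks_cmd() {
    port="$1"; mode="$2"   # mode is "tls" or "plain"
    case "$port:$mode" in
        465:*)   tlsopt="--tlsc" ;;
        *:tls)   tlsopt="--tls" ;;
        *:plain) tlsopt="" ;;
        *) echo "usage: swaks_cmd PORT tls|plain" >&2; return 2 ;;
    esac
    printf 'swaks --to %s --from %s --server %s:%s%s\n' \
        "$TO_ADDR" "$FROM_ADDR" "$MAIL_HOST" "$port" "${tlsopt:+ $tlsopt}"
}

# Classify a swaks transcript read from stdin by the SMTP reply codes in it,
# independent of swaks' own line prefixes (" ->", "<-", "<**").
classify_transcript() {
    t=$(cat)
    if printf '%s\n' "$t" | grep -Eq '250 2\.0\.0 Ok: queued'; then
        echo relayed            # server accepted the message: open relay
    elif printf '%s\n' "$t" | grep -Eiq '5[0-9]{2} 5\.7\.1 .*denied'; then
        echo relay_denied       # Postfix "Relay access denied"
    elif printf '%s\n' "$t" | grep -Eq '530 5\.7\.[01]'; then
        echo auth_required      # STARTTLS or SASL authentication demanded first
    else
        echo unknown            # e.g. connection refused; inspect by hand
    fi
}

# From the public Internet the only acceptable outcomes are a denial or an
# authentication demand. Returns 0 (pass) or 1 (fail) for monitoring use.
external_check_passed() {
    case "$1" in
        relay_denied|auth_required) return 0 ;;
        *) return 1 ;;
    esac
}

# Live run (skipped here): RUN_LIVE=1 ./relaycheck.sh
# Executes every variant from the thread and exits non-zero if any relays.
if [ "${RUN_LIVE:-0}" = 1 ] && command -v swaks >/dev/null 2>&1; then
    rc=0
    for spec in "587 tls" "465 tls" "25 tls" "25 plain"; do
        set -- $spec
        cmd=$(swaks_cmd "$1" "$2")
        class=$(sh -c "$cmd" 2>&1 | classify_transcript)
        if external_check_passed "$class"; then
            echo "PASS $MAIL_HOST:$1 ($2): $class"
        else
            echo "FAIL $MAIL_HOST:$1 ($2): $class"; rc=1
        fi
    done
    exit $rc
fi
```

Run it from a host outside the server's own networks, since the localhost runs in the thread are expected to relay (127.0.0.1 is in Postfix's default mynetworks). Note that this only exercises the path through HAProxy; Demi's point about a direct connection to the Postfix or Dovecot container needs a separate probe of the backend's own address, which this harness does not attempt.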