Re: How to protect against compromised email account password
Am 20.02.2019 um 03:39 schrieb Bill Cole: On 19 Feb 2019, at 5:56, Admin Beckspaced wrote: Dear Postfix Users, just recently the computer of a client got infected with malware and the email password was compromised. The bad guys immediately started sending out spam emails via our mail servers. We got notified by our monitoring system a bit later ... and fixed things But lots and lots of spam emails have been sent via out mail server. How do you protect your mail system against a compromised password and mass spam mail sending? Nothing is absolutely perfect but there are useful approaches, some external to Postfix proper: 1. Rate limiting. Postfix has some of this (smtpd_client_*_limit parameters) but you may be able to get more effective and subtle limits via external tools (e.g. I have some custom code in MIMEDefang.) 2. Only offer SASL authentication on submission services (ports 587 and 465,) for port 587 only after STARTTLS, and require TLS (i.e. smtpd_tls_security_level=encrypt on submission) 3. Apply the same spam filtering to your outbound mail as your inbound mail. If you use something like SpamAssassin which treats your locally-originated mail as special (e.g. a significant negative score for ALL_TRUSTED and/or ALL_INTERNAL in SpamAssassin) you should reduce or eliminate that special treatment. 4. Restrict access to your submission ports. This is best done outside of Postfix, either in a host-resident packet filter or a discrete firewall/router. It also requires that you know your users to some degree, at least enough to know whether they travel widely or pass their mail through cloud servers. Do you need to accept submissions from China? From Vietnam? Random AWS, Azure, OVH, or Digital Ocean IPs? If your users are world travelers who might need to come in via a Kazakh mobile network, consider adding a separate submission service on a non-standard port just for those users, so that your 587 service can be tightly limited. Or just set up a webmail service for them and tell them they just can't do direct submission from Tashkent. 5. Separate individual identities for authentication and email. This is probably the least common trick but it is extremely effective against both brute-force password guessing attacks AND most forms of "credential stuffing" using compromised user+password pairs from other sites. For example, the email address I'm using for this mailing list cannot be used as a username for authentication anywhere: not on the mail server where I submit mail for it, my inbound MX (which doesn't do AUTH anyway,) or my IMAP server. Where I pick up and submit mail for this address, I authenticate with a username that I use nowhere else and which cannot be directly translated to an email address that accepts mail from the world at large. This sort of approach demands some user training but it essentially eliminates account cracking that isn't grounded in the compromise of personal devices. 6. Enforce strong password rules & encourage users to use a password manager so that they can follow those rules more easily. 7. Prohibit the use of Windows, Android, jailbroken iOS, or macOS with SIP disbled on client devices. I'm only half kidding... Hello Bill, thanks for the extensive list. now I got some food for thought and can think about proper strategies and solutions. greetings Becki
Re: about single bounce and double bounce.
On 20.02.19 16:49, natsu wrote:
I am using postfix-2.10.1-6.el7 and set "double_bounce_sender = double -
bounce".
your mail is quite hard to read.
it would be great to use mail client that does not random spaces around
dashes, slashes, equal signs etc. and even to queue IDs.
... and does not wrap log lines.
Let me question about single bounce and double bounce.
· About single bounce
Sending to a mail address that does not exist results in a single bounce.
The single bounce was recorded in the mail log as shown below.
The sender address is empty ("from = <>"), I realize this is a
specification, is it correct?
yes
Do you want to discard single bounce by default?
yes. They are designed so to avoid endeless mail loops.
Feb 20 15:59:34 hoge postfix / local [4102]: B 9 B 3628 D 539: to = <
r...@example.com>, relay = local, delay = 0.02, delays = 0 / 0.01 / 0 /
0.01, dsn = 2.0.0 , status = sent (delivered to maildir)
horrible...
I thought that double bounce would be generated by sending mail with a mail
address that does not exist as a sender and destination, but the following
log was output.
Feb 20 16:21:01 hoge postfix/pickup[3714]: 023B228D536: uid=0 from=<
hog...@hoge1.example.com>
this is the original mail
Feb 20 16:21:01 hoge postfix/qmgr[3715]: 0581728D539: from=<>, size=2497,
nrcpt=1 (queue active)
Feb 20 16:21:01 hoge postfix/bounce[4339]: 023B228D536: sender non-delivery
notification: 0581728D539
Feb 20 16:21:01 hoge postfix/qmgr[3715]: 023B228D536: removed
Feb 20 16:21:01 hoge postfix/local[4340]: 0581728D539: to=<
hog...@hoge1.example.com>, relay=local, delay=0, delays=0/0/0/0, dsn=5.1.1,
status=bounced (unknown user: "hoge11")
and this is the bounce from <> to original sender.
When double bounce occurred, I thought that "from = "
would be output, but as far as I confirmed it was "from = <>". If double
bounce occurs, will not "from = " appear?
the double bounce did not occur, at least not in the logs above.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux IS user friendly, it's just selective who its friends are...
Re: How to protect against compromised email account password
Christos Chatzaras skrev den 2019-02-19 12:23: Also we use Postfix relays with Rspamd checking the From header (we don't allow users to spoof From address) and doing rate limits (500 e-mails / hour). If someones tries to send more e-mails then the extra e-mails go to queue for later delivery. So we have some time to manually check. On 19.02.19 14:02, Benny Pedersen wrote: you have users that can write 500 emails in one hour ? yes, bigger companies that send newsletters or notifications to even their users. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Microsoft dick is soft to do no harm
Re: about single bounce and double bounce.
Thank you for your reply.
>your mail is quite hard to read.
> it would be great to use mail client that does not random spaces around
> dashes, slashes, equal signs etc. and even to queue IDs.
> ... and does not wrap log lines.
I'm sorry. I will be careful.
Thank you for your reply despite difficulty reading.
> the double bounce did not occur, at least not in the logs above.
I would like to generate double bounce in the verification environment, but
how do I do it?
(I thought that double bounce would occur if sending mail with a mail
address that does not exist as a sender and a recipient.)
If double bounce occurs, will it be output to the log?
Will not output such as "from = "?
If nothing is output, how do you decide whether double bounce occurred?
I am waiting for reply.
Thank you.
2019年2月20日(水) 18:25 Matus UHLAR - fantomas :
> On 20.02.19 16:49, natsu wrote:
> >I am using postfix-2.10.1-6.el7 and set "double_bounce_sender = double -
> >bounce".
>
> your mail is quite hard to read.
> it would be great to use mail client that does not random spaces around
> dashes, slashes, equal signs etc. and even to queue IDs.
> ... and does not wrap log lines.
>
> >Let me question about single bounce and double bounce.
> >
> >· About single bounce
> >
> >Sending to a mail address that does not exist results in a single bounce.
> >The single bounce was recorded in the mail log as shown below.
> >The sender address is empty ("from = <>"), I realize this is a
> >specification, is it correct?
>
> yes
>
> >Do you want to discard single bounce by default?
>
> yes. They are designed so to avoid endeless mail loops.
>
> >Feb 20 15:59:34 hoge postfix / local [4102]: B 9 B 3628 D 539: to = <
> >r...@example.com>, relay = local, delay = 0.02, delays = 0 / 0.01 / 0 /
> >0.01, dsn = 2.0.0 , status = sent (delivered to maildir)
>
> horrible...
>
> >I thought that double bounce would be generated by sending mail with a
> mail
> >address that does not exist as a sender and destination, but the following
> >log was output.
>
> >Feb 20 16:21:01 hoge postfix/pickup[3714]: 023B228D536: uid=0 from=<
> >hog...@hoge1.example.com>
>
> this is the original mail
>
> >Feb 20 16:21:01 hoge postfix/qmgr[3715]: 0581728D539: from=<>, size=2497,
> >nrcpt=1 (queue active)
> >Feb 20 16:21:01 hoge postfix/bounce[4339]: 023B228D536: sender
> non-delivery
> >notification: 0581728D539
> >Feb 20 16:21:01 hoge postfix/qmgr[3715]: 023B228D536: removed
> >Feb 20 16:21:01 hoge postfix/local[4340]: 0581728D539: to=<
> >hog...@hoge1.example.com>, relay=local, delay=0, delays=0/0/0/0,
> dsn=5.1.1,
> >status=bounced (unknown user: "hoge11")
>
>
> and this is the bounce from <> to original sender.
>
> >When double bounce occurred, I thought that "from = bou...@.com>"
> >would be output, but as far as I confirmed it was "from = <>". If double
> >bounce occurs, will not "from = " appear?
>
> the double bounce did not occur, at least not in the logs above.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Linux IS user friendly, it's just selective who its friends are...
>
Re: about single bounce and double bounce.
On 20.02.19 21:40, natsu wrote: Thank you for your reply. your mail is quite hard to read. it would be great to use mail client that does not random spaces around dashes, slashes, equal signs etc. and even to queue IDs. ... and does not wrap log lines. I'm sorry. I will be careful. Thank you for your reply despite difficulty reading. the double bounce did not occur, at least not in the logs above. I would like to generate double bounce in the verification environment, but how do I do it? (I thought that double bounce would occur if sending mail with a mail address that does not exist as a sender and a recipient.) If double bounce occurs, will it be output to the log? Will not output such as "from = "? If nothing is output, how do you decide whether double bounce occurred? the double bounce should be generated when notify_classes contains "2bounce" and it will be sent to 2bounce_notice_recipient (which is postmaster by default) -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. "To Boot or not to Boot, that's the question." [WD1270 Caviar]
Disable bounce for message
Hi list. I am sending an email from the command line using the postfix'es sendmail command like this: cat my_message | sendmail -t -r [local_virtual_sender_account] -oi What I want to do is completely disable receiving bounce messages in case of error. I suspect setting the Return-Path to <> would not be enough, as it will be overwritten by the -r (or -f) option. Is it possible doing this via the command line? Thank you, Stavros
Re: Disable bounce for message
> On Feb 20, 2019, at 1:16 PM, Stavros Tsolakos wrote: > > I am sending an email from the command line using the postfix'es > sendmail command like this: > > cat my_message | sendmail -t -r [local_virtual_sender_account] -oi > > What I want to do is completely disable receiving bounce messages in > case of error. I suspect setting the Return-Path to <> would not be > enough, as it will be overwritten by the -r (or -f) option. Perhaps surprisingly the answers are in the sendmail(1) manpage. :-) Just one fact to keep in mind, that may not be covered. The "Return-Path" header is NOT a sender-side interface. It gets deleted when messages are queued for delivery, and is only put back on final delivery by the destination system delivering the message to the recipient's mailbox. The sendmail options you're looking for are: -i - Leading "." is just text -t - Read the recipient list from the message headers -f - Specify the envelope sender. -N - "never" or one or more of delay, failure, success The "-r" option is a legacy form of the equivalent "-f" option. -- Viktor.
Re: Disable bounce for message
>> What I want to do is completely disable receiving bounce messages in >> case of error. I suspect setting the Return-Path to <> would not be >> enough, as it will be overwritten by the -r (or -f) option. > > Perhaps surprisingly the answers are in the sendmail(1) manpage. :-) !!! I can't believe how many times I have read the description of the -N parameter and still my brain failed to process it properly, expecting to find something involving "Return-Path". Seems I need a second pair of eyes... Thank you very much and apologies for the dumb question! Stavros
Re: Disable bounce for message
> On Feb 20, 2019, at 1:41 PM, Stavros Tsolakos wrote: > > !!! I can't believe how many times I have read the description of the -N > parameter and still my brain failed to process it properly, expecting to > find something involving "Return-Path". Seems I need a second pair of > eyes... > > Thank you very much and apologies for the dumb question! For the record, the "never" setting does not *guarantee* that no bounce will be sent by some remote MTA that does not support DSN. Your local system will not generate a bounce, and if the message is then accepted by systems that support DSN they should not send a bounce either, but at some point along the delivery path, DSN support may be missing or disabled, and if delivery fails after that point a bounce may be sent. You can set an empty envelope with "-f '<>'", which will preclude bounces, but may hamper deliverabilty. -- Viktor.
Cannot get sasl auth working on ubuntu 18.04
Hi, I have installed the sasl packages and configured sasl so testsaslauthd works perfectly with the ldap backend. I then set up postfix to have this on port 465 in master.cf: smtps inet n - n - - smtpd -v -o syslog_name=postfix/smtps -o smtpd_sasl_auth_enable=yes but when I try to connect: root@sys:~# telnet localhost 465 Trying ::1... Connected to localhost.localdomain. Escape character is '^]'. 220 "sys.nsd.org This SMTP for internal outbound relay NSD only" ehlo ski 250-sys.nsd.org 250-PIPELINING 250-SIZE 1024 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH DIGEST-MD5 CRAM-MD5 NTLM PLAIN LOGIN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250-DSN 250 SMTPUTF8 AUTH LOGIN 334 VXNlcm5hbWU6 bWV0YXN5cweR 334 UGFzc3dvcmQ6 cGFzc3dvcmhQ 535 5.7.8 Error: authentication failed: authentication failure and in the logs I see: Feb 20 15:06:10 sys postfix/smtps/smtpd[4861]: > localhost6.localdomain6[::1]: 220 "sys.nsd.org This SMTP for internal outbound relay NSD only" Feb 20 15:06:10 sys postfix/smtps/smtpd[4861]: xsasl_cyrus_server_create: SASL service=smtp, realm=nsd.org Feb 20 15:06:10 sys postfix/smtps/smtpd[4861]: name_mask: noanonymous Feb 20 15:06:17 sys postfix/smtps/smtpd[4861]: < localhost6.localdomain6[::1]: ehlo ski Feb 20 15:06:17 sys postfix/smtps/smtpd[4861]: match_list_match: localhost6.localdomain6: no match Feb 20 15:06:17 sys postfix/smtps/smtpd[4861]: match_list_match: ::1: no match Feb 20 15:06:17 sys postfix/smtps/smtpd[4861]: > localhost6.localdomain6[::1]: 250-sys.nsd.org Feb 20 15:06:17 sys postfix/smtps/smtpd[4861]: > localhost6.localdomain6[::1]: 250-PIPELINING Feb 20 15:06:17 sys postfix/smtps/smtpd[4861]: > localhost6.localdomain6[::1]: 250-SIZE 1024 Feb 20 15:06:17 sys postfix/smtps/smtpd[4861]: > localhost6.localdomain6[::1]: 250-VRFY Feb 20 15:06:17 sys postfix/smtps/smtpd[4861]: > localhost6.localdomain6[::1]: 250-ETRN Feb 20 15:06:17 sys postfix/smtps/smtpd[4861]: > localhost6.localdomain6[::1]: 250-STARTTLS Feb 20 15:06:17 sys postfix/smtps/smtpd[4861]: > localhost6.localdomain6[::1]: 250-AUTH DIGEST-MD5 CRAM-MD5 NTLM PLAIN LOGIN Feb 20 15:06:17 sys postfix/smtps/smtpd[4861]: > localhost6.localdomain6[::1]: 250-AUTH=DIGEST-MD5 CRAM-MD5 NTLM PLAIN LOGIN Feb 20 15:06:17 sys postfix/smtps/smtpd[4861]: > localhost6.localdomain6[::1]: 250-ENHANCEDSTATUSCODES Feb 20 15:06:17 sys postfix/smtps/smtpd[4861]: > localhost6.localdomain6[::1]: 250-8BITMIME Feb 20 15:06:17 sys postfix/smtps/smtpd[4861]: > localhost6.localdomain6[::1]: 250-DSN Feb 20 15:06:17 sys postfix/smtps/smtpd[4861]: > localhost6.localdomain6[::1]: 250 SMTPUTF8 Feb 20 15:09:49 sys postfix/smtps/smtpd[4861]: < localhost6.localdomain6[::1]: AUTH LOGIN Feb 20 15:09:49 sys postfix/smtps/smtpd[4861]: xsasl_cyrus_server_create: SASL service=smtp, realm=nsd.org Feb 20 15:09:49 sys postfix/smtps/smtpd[4861]: name_mask: noanonymous Feb 20 15:09:49 sys postfix/smtps/smtpd[4861]: xsasl_cyrus_server_first: sasl_method LOGIN Feb 20 15:09:49 sys postfix/smtps/smtpd[4861]: xsasl_cyrus_server_auth_response: uncoded server challenge: Username: Feb 20 15:09:49 sys postfix/smtps/smtpd[4861]: > localhost6.localdomain6[::1]: 334 VXNlcm5hbWU6 Feb 20 15:09:57 sys postfix/smtps/smtpd[4861]: < localhost6.localdomain6[::1]: bWV0YXN5cweR Feb 20 15:09:57 sys postfix/smtps/smtpd[4861]: xsasl_cyrus_server_next: decoded response: * Feb 20 15:09:57 sys postfix/smtps/smtpd[4861]: xsasl_cyrus_server_auth_response: uncoded server challenge: Password: Feb 20 15:09:57 sys postfix/smtps/smtpd[4861]: > localhost6.localdomain6[::1]: 334 UGFzc3dvcmQ6 Feb 20 15:10:04 sys postfix/smtps/smtpd[4861]: < localhost6.localdomain6[::1]: cGFzc3dvcmhQ Feb 20 15:10:04 sys postfix/smtps/smtpd[4861]: xsasl_cyrus_server_next: decoded response: * Feb 20 15:10:04 sys postfix/smtps/smtpd[4861]: warning: localhost6.localdomain6[::1]: SASL LOGIN authentication failed: authentication failure Feb 20 15:10:04 sys postfix/smtps/smtpd[4861]: > localhost6.localdomain6[::1]: 535 5.7.8 Error: authentication failed: authentication failure Any ideas on what I am missing. The decoded user and password in the log are correct so the problem seems to be between postfix and saslauth. I need this for an old HVAC controller that either uses this or no authentication at all to connect to the mail server. Thanks very much for your help. cheers, ski -- "When we try to pick out anything by itself, we find it connected to the entire universe"John Muir Chris "Ski" Kacoroski, kacoro...@gmail.com, 206-501-9803
Re: How to protect against compromised email account password
Matus UHLAR - fantomas skrev den 2019-02-20 10:59: Christos Chatzaras skrev den 2019-02-19 12:23: Also we use Postfix relays with Rspamd checking the From header (we don't allow users to spoof From address) and doing rate limits (500 e-mails / hour). If someones tries to send more e-mails then the extra e-mails go to queue for later delivery. So we have some time to manually check. On 19.02.19 14:02, Benny Pedersen wrote: you have users that can write 500 emails in one hour ? yes, bigger companies that send newsletters or notifications to even their users. wow, rspamd cant solve that ? above says users, not newsletters with 500+ recipients
Re: Cannot get sasl auth working on ubuntu 18.04
Ski Kacoroski: > Hi, > > I have installed the sasl packages and configured sasl so testsaslauthd > works perfectly with the ldap backend. I then set up postfix to have > this on port 465 in master.cf: > > smtps inet n - n - - smtpd -v > -o syslog_name=postfix/smtps > -o smtpd_sasl_auth_enable=yes > > but when I try to connect: > > root@sys:~# telnet localhost 465 > Trying ::1... > Connected to localhost.localdomain. > Escape character is '^]'. > 220 "sys.nsd.org This SMTP for internal outbound relay NSD only" > ehlo ski > 250-sys.nsd.org > 250-PIPELINING > 250-SIZE 1024 > 250-VRFY > 250-ETRN > 250-STARTTLS > 250-AUTH DIGEST-MD5 CRAM-MD5 NTLM PLAIN LOGIN > 250-ENHANCEDSTATUSCODES > 250-8BITMIME > 250-DSN > 250 SMTPUTF8 > AUTH LOGIN > 334 VXNlcm5hbWU6 > bWV0YXN5cweR > 334 UGFzc3dvcmQ6 > cGFzc3dvcmhQ > 535 5.7.8 Error: authentication failed: authentication failure % echo -n bWV0YXN5cweR|mmencode -u|od -cb 000m e t a s y s \a 221 155 145 164 141 163 171 163 007 221 Does your login name really end in the Control-G plus some character with the 8th bit turned on? % echo -n cGFzc3dvcmhQ | mmencode -u | od -cb oopsa. If that is your encoded password, better change it now. Wietse
Re: Cannot get sasl auth working on ubuntu 18.04
Ski Kacoroski skrev den 2019-02-21 00:34: root@sys:~# telnet localhost 465 telnet is not a very good tool to test ssl use openssl s_client instaed
Assistance with doveadm backup...
I am having trouble locating examples of how to use doveadm backup. All the examples I see are for sync. I simply want to create a backup to a network volume of the email server's vmail folders. The goal here is to have a reasonably current backup should the main drive on the email server go south. We currently authenticate our users from a mysql database. User’s mailboxes are stored as domainname/username/Maildir I assume what I will wind up on the network volume is a duplicate directory structure as the vmail folder on the email server? Can someone help get me started here? Jeff
Re: Assistance with doveadm backup...
Hi Jeff,
This should be better off to dovecot's mailing list.
But just to get you started, this is the first thing that came to mind:
example:
for users in `doveadm user "*"`; do
LOCALPART=${users%%@*}
dsync -v -f -u $users backup maildir:/tmp/backup/$LOCALPART
echo "Backup done for user: $users ..."
done
HTH
On Thu, Feb 21, 2019 at 9:55 AM SH Development
wrote:
> I am having trouble locating examples of how to use doveadm backup. All
> the examples I see are for sync. I simply want to create a backup to a
> network volume of the email server's vmail folders. The goal here is to
> have a reasonably current backup should the main drive on the email server
> go south.
>
> We currently authenticate our users from a mysql database. User’s
> mailboxes are stored as domainname/username/Maildir
>
> I assume what I will wind up on the network volume is a duplicate
> directory structure as the vmail folder on the email server?
>
> Can someone help get me started here?
>
> Jeff
Re: Assistance with doveadm backup...
My apologies, you are absolutely right. Will post this in the correct forum.
Spent the last couple of hours poring through the postfix list and just forgot
where I was at.
Jeff
> On Feb 20, 2019, at 8:55 PM, Kenren Taisho wrote:
>
> Hi Jeff,
>
> This should be better off to dovecot's mailing list.
> But just to get you started, this is the first thing that came to mind:
>
> example:
>
> for users in `doveadm user "*"`; do
> LOCALPART=${users%%@*}
> dsync -v -f -u $users backup maildir:/tmp/backup/$LOCALPART
> echo "Backup done for user: $users ..."
> done
>
> HTH
>
>
> On Thu, Feb 21, 2019 at 9:55 AM SH Development > wrote:
> I am having trouble locating examples of how to use doveadm backup. All the
> examples I see are for sync. I simply want to create a backup to a network
> volume of the email server's vmail folders. The goal here is to have a
> reasonably current backup should the main drive on the email server go south.
>
> We currently authenticate our users from a mysql database. User’s mailboxes
> are stored as domainname/username/Maildir
>
> I assume what I will wind up on the network volume is a duplicate directory
> structure as the vmail folder on the email server?
>
> Can someone help get me started here?
>
> Jeff
