smtp_sender_restrictions

2020-09-18 Thread Janis

Hello,

This is my first question to the mailing list, so I hope I get this right.

I think it is better to describe the general architecture first and then 
what I am trying to achieve.


This Postfix instance is configured to use Dovecot SASL for the LOGIN 
function and permissions. That part works. SASL auth is configured so 
that the username is an email address. Only virtual mailboxes are used, but 
in this instance it is not that important, since the question is only 
about outgoing mail restrictions.


The problem is that authenticated senders can send "mail from" as 
whatever they please if I do not place any restrictions. Thus I decided 
to use:

smtpd_sender_restrictions = reject_sender_login_mismatch

It limits "mail from" as expected, but the problem is that I must, in a 
way, "duplicate" what I already have in the Dovecot user database in 
the $smtpd_sender_login_maps file. I am using the hash type for 
$smtpd_sender_login_maps. It works very well for allowing an "alias 
e-mail" address to be used as "mail from" as well.


What I would like to achieve is to permit a sender to set "mail from" to the 
same value as his SASL auth username, or to some specially allowed "alias 
e-mail" addresses that are defined somewhere. For example, if user1 is 
allowed to respond for his company, he would authenticate as 
us...@domain.tld and could set "mail from" to 1) us...@domain.tld or 2) 
i...@domain.tld.


I can achieve this at the moment by writing both lines in the login_maps 
file, but it feels like the wrong way to do things. Is there a way not to 
duplicate the Dovecot usernames and to permit the first case as a "mail 
from" restriction, something like permit_sasl_username_as_mail_from?


I was looking directly at 
http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions, but 
none of the options seemed right for this use case. Maybe if I scratched 
my head a bit, I could come up with some "tricky" SQL query as a 
workaround and use reject_sender_login_mismatch, but maybe I have just 
overlooked some simple setting, thus I ask for any input.


Thank you!

Best wishes,
Janis
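As an added example (not code from the post, and not Postfix's own code), the following Python models how reject_sender_login_mismatch consults a chain of smtpd_sender_login_maps tables: an explicit alias table first, and last a catch-all regexp table that maps every address to itself, which is what lets a user send as their own SASL login without a per-user line. The table contents, the domain.tld addresses and the two-table order are assumptions for illustration; only exact-key and regexp lookups are modelled, not Postfix's @domain fallback lookups.

```python
import re

# Added example (not code from the post or from Postfix): a model of
# reject_sender_login_mismatch over a two-table smtpd_sender_login_maps
# chain. Postfix looks the MAIL FROM address up in each table in turn and
# the first table that answers wins; the answer names the SASL login(s)
# that own the address. Tables, addresses and logins are sample data.

# Table 1, hash-style: explicit owners for shared aliases (the lines the
# poster maintains by hand today). The model allows several owners per key.
ALIAS_OWNERS = {
    "info@domain.tld": ["user1@domain.tld"],
    "sales@domain.tld": ["user1@domain.tld", "user2@domain.tld"],
}

# Table 2, regexp-style: every address owns itself, i.e. the entry
#     /^(.+@.+)$/ $1
# in a regexp: table. It lets each user send as their own SASL login
# without a per-user line in table 1.
IDENTITY = re.compile(r"^([^@\s]+@[^@\s]+)$")


def lookup_owners(mail_from, identity_first=False):
    """Return the login names that own mail_from, or None if nobody does.

    identity_first=True demonstrates why table order matters: a catch-all
    regexp listed first shadows the alias table, so info@ is then owned only
    by the login "info@domain.tld", which nobody can authenticate as.
    """
    key = mail_from.strip().lower()
    m = IDENTITY.match(key)
    if identity_first and m:
        return [m.group(1)]
    if key in ALIAS_OWNERS:
        return ALIAS_OWNERS[key]
    return [m.group(1)] if m else None


def sender_login_mismatch(sasl_login, mail_from, authenticated_only=False):
    """Return (rejected, reason) following the documented rule: reject when
    the address has an owner but the client is not logged in as that owner,
    and reject when the client is logged in but does not own the address.

    authenticated_only=True models reject_authenticated_sender_login_mismatch,
    which leaves clients that did not authenticate alone.
    """
    owners = lookup_owners(mail_from)
    if sasl_login is None:
        if owners is None:
            return (False, "no owner and not logged in")
        if authenticated_only:
            return (False, "not logged in, check skipped")
        return (True, "Sender address rejected: not logged in")
    if owners and sasl_login.lower() in [o.lower() for o in owners]:
        return (False, "ok")
    return (True, "Sender address rejected: not owned by user %s" % sasl_login)


if __name__ == "__main__":
    for login, addr in [("user1@domain.tld", "user1@domain.tld"),
                        ("user1@domain.tld", "info@domain.tld"),
                        ("user2@domain.tld", "info@domain.tld"),
                        (None, "user1@domain.tld")]:
        print("%-18s as %-18s -> %s" % (login, addr, sender_login_mismatch(login, addr)))
```

Two things the model makes visible. First-match wins, so the catch-all regexp must be the last table in smtpd_sender_login_maps; listed first it would also answer for info@ and user1 could no longer use the alias. Second, because the catch-all makes every well-formed address owned, reject_sender_login_mismatch with this chain on the port 25 MX would refuse all unauthenticated inbound mail as "not logged in"; use it on the submission service only, or use reject_authenticated_sender_login_mismatch, which the authenticated_only flag models.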




Postfix users receive spam pretending to be sent from their accounts.

2019-04-08 Thread Janis

In main.cf I have put:
smtpd_sender_login_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf,
    mysql:/etc/postfix/mysql_virtual_alias_maps.cf

smtpd_sender_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_sender_login_mismatch

I also have extensive RBL and other spam checks in main.cf which work, but
this slips through anyway (see message source).
*If I test it from my other server:*

root@othermail:~# mail -s test1 -a "From: us...@mydomain.tld" us...@mydomain.tld < /dev/null

*The message gets rejected in the log with:*
NOQUEUE: reject: RCPT from myother.server.tld[192.168.7.229]: 553 5.7.1 : Sender address rejected: not logged in; from= to=

I have DKIM which works and validates. In main.cf:
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = local:opendkim/opendkim.sock

But the spammers somehow trick it, by using DKIM or other means.
Somehow, after the OpenDKIM milter, there are no sender_login_mismatch checks.
Should I install amavis? It seems so trivial to block spam which pretends to
be sent as a spoofed message from oneself, but yet I can't block it. Any
suggestions? Thanks.


*Message source looks like this:*
Return-Path: 
X-Original-To: us...@mydomain.tld
Delivered-To: us...@mydomain.tld
Received: from mail.mydomain.tld (localhost [127.0.0.1])
by mail.mydomain.tld (Postfix) with ESMTP id 73A553008B0
for ; Fri,  5 Apr 2019 17:16:49 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=mydomain.tld;
s=201902;
t=1554473809; bh=MjZrE+ZNsa79fhqHRgjB41LtBj2nZeIT/I8ZyQz4lvI=;
h=Date:Subject:To:From:List-Help:From;
b=ajW/fpbQ9R/wu2ztE6OJecLpcUqvqENooIo6PW1V5GU0oAc/VqhvxuGPIc89t9n49
 6pcXOw4knfTpp9lwoaHqUJ8lM2KpesQTSgLHzvfC74u8wi9CB6+cHpS42rT35bW5wx
 LvdO7mLT9GEhrPAVeoI21yk2pCAEhBQaXLAFDsmY=
Received: from orange-leopard-671e4d6e5ce74ab6.znlc.jp
(orange-leopard-671e4d6e5ce74ab6.znlc.jp [154.34.23.45])
by mail.mydomain.tld (Postfix) with ESMTPS id 36A99300704
for ; Fri,  5 Apr 2019 17:16:47 +0300 (EEST)
Received: from [corporativo.static.gvt.net.br]
(170.83.215.114-static.host.megalink.net.br [170.83.215.114])
by orange-leopard-671e4d6e5ce74ab6.znlc.jp (Postfix) with ESMTPSA id
1C8A2BDEE
for ; Fri,  5 Apr 2019 22:12:20 +0900 (JST)
Date: Fri, 5 Apr 2019 15:12:18 +0200
Abuse-Reports-To: 
X-Complaints-To: ab...@mail.kousaikan.com
Subject: [SPAM] user1
Message-ID: 
To: us...@mydomain.tld
Content-Type: multipart/related;
 boundary="--_com.android.email_86436944273605"
MIME-Version: 1.0
X-Mailer: Summer Cart 4.0
From: 
User-Agent: Roundcube Webmail/0.6
List-Help: 


X-Antivirus: Dr.Web (R) for Unix mail servers drweb plugin ver.6.0.2.8
X-Antivirus-Code: 0x10
X-Drweb-SpamState: yes
X-Drweb-SpamScore: 315
X-DrWeb-SpamReason:
gggruggvucftvghtrhhoucdtuddrgeduuddrtdeiucetufdoteggodetrfcurfhrohhfihhlvgemuceonhhonhgvqeenuceurghilhhouhhtmecupfdsteenucgoteeftdduqddtudculdduhedmnegoufhprghmsghotheuvfevqdfggedutddqvdekucdlfedttddm
X-AV-Checked: ClamAV using ClamSMTP

*Log file:*
 Apr  5 17:16:45 mydomain.tld postfix/smtpd[11659]: connect from
orange-leopard-671e4d6e5ce74ab6.znlc.jp[154.34.23.45]
Apr  5 17:16:46 mydomain.tld postfix/smtpd[11659]: Anonymous TLS connection
established from orange-leopard-671e4d6e5ce74ab6.znlc.jp[154.34.23.45]:
TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Apr  5 17:16:47 mydomain.tld postfix/smtpd[11659]: 36A99300704:
client=orange-leopard-671e4d6e5ce74ab6.znlc.jp[154.34.23.45]
Apr  5 17:16:47 mydomain.tld postfix/cleanup[11826]: 36A99300704:
message-id=
Apr  5 17:16:49 mydomain.tld opendkim[539]: 36A99300704:
orange-leopard-671e4d6e5ce74ab6.znlc.jp [154.34.23.45] not internal
Apr  5 17:16:49 mydomain.tld opendkim[539]: 36A99300704: not authenticated
Apr  5 17:16:49 mydomain.tld opendkim[539]: 36A99300704: no signature data
Apr  5 17:16:49 mydomain.tld postfix/qmgr[11471]: 36A99300704:
from=, size=257396, nrcpt=1 (queue active)
Apr  5 17:16:49 mydomain.tld clamsmtpd: 1009A6: accepted connection from:
127.0.0.1
Apr  5 17:16:49 mydomain.tld postfix/smtpd[11829]: connect from
localhost[127.0.0.1]
Apr  5 17:16:49 mydomain.tld postfix/smtpd[11829]: 73A553008B0:
client=localhost[127.0.0.1], orig_queue_id=36A99300704,
orig_client=orange-leopard-671e4d6e5ce74ab6.znlc.jp[154.34.23.45]
Apr  5 17:16:49 mydomain.tld postfix/smtpd[11659]: disconnect from
orange-leopard-671e4d6e5ce74ab6.znlc.jp[154.34.23.45] ehlo=2 starttls=1
mail=1 rcpt=1 data=1 quit=1 commands=7
Apr  5 17:16:49 mydomain.tld postfix/cleanup[11826]: 73A553008B0:
message-id=
Apr  5 17:16:49 mydomain.tld postfix/qmgr[11471]: 73A553008B0:
from=, size=257617, nrcpt=1 (queue active)
Apr  5 17:16:49 mydomain.tld postfix/smtp[11827]: 36A99300704:
to=, relay=127.0.0.1[127.0.0.

Re: Postfix users receive spam pretending to be sent from their accounts.

2019-04-08 Thread Ntek, SIA Janis

Thank you for quick responses!

Dominic Raferd's reply was the most helpful and a good how-to :)

Just to summarize, how many From sender spoofing methods are there?
1) envelope-sender (What Viktor said)
2) Header From  sender  (What Dominic said)
3) Privileged domain in text sender (What Dominic said)

I used
root@othermail:~# mail -s test1 -a "From: us...@mydomain.tld" us...@mydomain.tld < /dev/null


Which, judging by man mail, spoofs the header From, which was blocked with 
"reject_sender_login_mismatch". As Viktor said, my spam attacker used the 
header sender (is it the same as spoofing the header From, or is it something 
else?).


How do I test against these all 3 (4?) spoofing methods? Against which 
does my method test?

Thanks.


On 08.04.19 18:56, Dominic Raferd wrote:
On Mon, 8 Apr 2019 at 16:22, Ralph Seichter wrote:


* Janis:

> Should I install amavis? It seems so trivial to block spam which
> pretend to be sent as a spoofed message from oneself but yet I can't
> block it.

Postfix's check_sender_access suffices to block forged envelope (!)
sender addresses:

  # pcre:/etc/postfix/sender_access
  /\bi(yourdomain|yourotherdomain)\.tld$/ REJECT

That should be combined with only allowing authenticated email via port
587 (submission).

While this does not prevent somebody forging the "From" header, an
adversary won't be able to forge a DKIM signature for said header.


Regarding forging of 'From' header: using DKIM with an enforced 
(p=reject) DMARC policy is a way of tackling this effectively. It has 
the advantage that it will also stop most third parties from receiving 
fake emails that purport to be sent from your domain(s). But it is a 
big hammer.


Alternatively block unauthenticated emails that purport to come from 
your domain by using a header_checks test that runs for 
unauthenticated emails - by allowing authenticated emails only on 
different port(s) (587 and/or 465) and having a different 
cleanup_service_name for unauthenticated emails (i.e. emails sent to 
port 25). For instance:


/etc/postfix/master.cf (extract):
smtp inet  n   -   y   -   -   smtpd
  -o cleanup_service_name=cleanup_wild
cleanup_wild unix  n   -   y   -   0 cleanup
  -o header_checks=pcre:/etc/postfix/check_headers_wild.pcre

/etc/postfix/check_headers_wild.pcre (extract):
if /^From:/
# Fake domain in the actual address e.g. From: Fake Sender ...
/(mydomain1\.tld|mydomain2\.tld)>?\s*$/ REJECT From header impersonation (privileged domain in address)
# Fake domain in text preceding the address e.g. From: domi...@mydomain1.tld ...
/(mydomain1\.tld|mydomain2\.tld)[>"]*? <.*$/ REJECT From header impersonation (privileged domain in text)
endif

This will block your own mails to mailing lists (such as this one) when 
they are repeated back to you (or to another user of your domain), but this 
is unlikely to cause problems in practice.
The second regex blocks a type of fake that you did not mention, but 
which is seen in the wild.
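To make the effect of the two pcre rules quoted above concrete, here is an added Python example (not from the reply, and not Postfix's own code) that applies them to constructed From: headers, using the same first-match-wins and case-insensitive semantics as a Postfix pcre table. The sample headers and the tightened RULES_TIGHT variant are assumptions for illustration, not part of the original post.

```python
import re

# Added example (not code from the reply): the two check_headers_wild.pcre
# rules, applied to constructed From: headers so the effect of each rule can
# be seen. Postfix pcre tables match case-insensitively unless told
# otherwise, and the first matching rule wins, as modelled here.
GUARD = re.compile(r"^From:", re.IGNORECASE)

RULES_FROM_REPLY = [
    (re.compile(r"(mydomain1\.tld|mydomain2\.tld)>?\s*$", re.IGNORECASE),
     "REJECT From header impersonation (privileged domain in address)"),
    (re.compile(r'(mydomain1\.tld|mydomain2\.tld)[>"]*? <.*$', re.IGNORECASE),
     "REJECT From header impersonation (privileged domain in text)"),
]

# Assumed tighter variant (not in the reply): the address rule requires '@'
# or '.' right before the protected domain and the text rule forbids a
# hostname-label character there, so "notmydomain1.tld" is no longer treated
# as an impersonation of mydomain1.tld.
RULES_TIGHT = [
    (re.compile(r"[@.](mydomain1\.tld|mydomain2\.tld)>?\s*$", re.IGNORECASE),
     "REJECT From header impersonation (privileged domain in address)"),
    (re.compile(r'(?<![A-Za-z0-9-])(mydomain1\.tld|mydomain2\.tld)[>"]*? <.*$',
                re.IGNORECASE),
     "REJECT From header impersonation (privileged domain in text)"),
]


def unfold(raw_header):
    """Join folded continuation lines into one logical header line.
    Approximates what cleanup(8) does before applying header_checks."""
    return re.sub(r"\r?\n[ \t]+", " ", raw_header.strip())


def header_check(raw_header, rules=RULES_FROM_REPLY):
    """Return the REJECT text of the first rule that fires, or None."""
    line = unfold(raw_header)
    if not GUARD.search(line):          # the  if /^From:/ ... endif  guard
        return None
    for pattern, action in rules:
        if pattern.search(line):
            return action
    return None


# Constructed sample headers (not taken from the spam shown above).
SAMPLES = {
    "address impersonation": "From: Fake Sender <fake@mydomain1.tld>",
    "text impersonation": "From: someone@mydomain1.tld <attacker@evil.example>",
    "legitimate third party": "From: Real Partner <partner@example.org>",
    "folded header": "From: Fake Sender\n <fake@mydomain1.tld>",
    "look-alike domain": "From: x@notmydomain1.tld",
}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        print("%-24s reply rules: %s" % (label, header_check(hdr)))
        print("%-24s tight rules: %s" % ("", header_check(hdr, RULES_TIGHT)))
```

The look-alike case shows the limit of the posted patterns: they look for the domain string at the end of the header without anchoring it, so mail from notmydomain1.tld is rejected as well. The tightened variant anchors the domain on a preceding @ or . in the address rule and excludes label characters before it in the text rule. Either way the rules only run for mail entering the cleanup_wild service, i.e. port 25, so authenticated submission on 587/465 is unaffected, which is what the master.cf split above arranges.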






Re: OpenDKIM not signing

2019-04-09 Thread Ntek, SIA Janis

Why do you use

inet:localhost:8891

instead of a socket?
I configured it using this tutorial:
https://www.linode.com/docs/email/postfix/configure-spf-and-dkim-in-postfix-on-debian-8/

smtpd_milters = local:opendkim/opendkim.sock
non_smtpd_milters = local:opendkim/opendkim.sock
The sockets are relative paths, as Postfix is chrooted. The absolute path 
is /var/spool/postfix/opendkim/opendkim.sock (use the relative one, though!)


Also check the syntax in tables. I was pulling my hair out and it turned 
out my syntax was off. Refer to the tutorial!

Especially:
KeyTable  /etc/opendkim/KeyTable
mydomaintld mydomain.tld:201904:/etc/opendkim/keys/mydomain.tld/mydomaintld.private


SigningTable refile:/etc/opendkim/SigningTable
*@mydomain.tld mydomaintld

ExternalIgnoreList    /etc/opendkim/TrustedHosts
InternalHosts /etc/opendkim/TrustedHosts

What does the log file say?
Search for opendkim:
$ tail -n 500 /var/log/mail.log | grep opendkim  # Or wherever your mail log file is located.


Also check online OpenDKIM testers. There are many of them; try a few. 
They helped me a lot.

https://www.mail-tester.com/spf-dkim-check

Remember that your DNS TXT records may take an hour to update and should 
be submitted BEFORE you try signing anything. dig is your friend. Check 
that your server and your work PC can read the records.


$ dig TXT 201904._domainkey.mydomain.tld
Should contain something like:
;; ANSWER SECTION:
201902._domainkey.mydomain.tld. 21599 IN TXT "v=DKIM1; h=sha256; k=rsa; s=email; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN...


Remember that 201904._domainkey is whatever you chose when you 
generated the public key you put in the DNS TXT record!


Re-read tutorial! Remember that if you think that you don't understand 
something, then the config error is probably because of that. Don't just 
copy paste, think along every step.


On 09.04.19 11:22, Laura Smith wrote:

Based on the responses to my previous question about using OpenDKIM (quite what 
"standards have not changed" has to do with software bugs makes no sense to me!), 
and having been told I'm stupid not to continue using software many years old, I 
thought I would suck it up and continue with OpenDKIM.

OpenDKIM is not signing my mails.

Postfix main.cf is calling as follows:
milter_protocol = 6    # I have also tried this with 2
milter_default_action = accept
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891
milter_mail_macros = i {mail_addr} {daemon_addr} {client_name} {auth_authen}

netstat -an  shows openDKIM as running and listening on 8891.

My opendkim.conf is as follows:
BaseDirectory   /run/opendkim
PidFile /run/opendkim/opendkim.pid
UserID  opendkim:opendkim
Syslog  yes
SyslogSuccess   yes
LogWhy  yes
Canonicalization    relaxed/relaxed
Socket  inet:8891@localhost
SendReports no
SoftwareHeader  no
MinimumKeyBits  1024
KeyTable    /etc/opendkim/KeyTable
SigningTable    refile:/etc/opendkim/SigningTable
InternalHosts   refile:/etc/opendkim/TrustedHosts





Re: OpenDKIM not signing

2019-04-09 Thread Ntek, SIA Janis

What's your key size?
My DNS provider does not support 2048; I found that out the hard way. 1024 
seems to be the most popular size and Google demands at least 1024. 
Once you get the signing working you can regenerate a 2048 key and check if you 
can feed it into the DNS TXT record, but for first testing stick to 1024.
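As an added example covering both the dig check a few posts up and the key-size question just above (it is not code from the posts, nor from OpenDKIM), the following Python reads a selector record the way a DKIM verifier does and reports the RSA modulus size. The record and the key are constructed sample data built from a made-up modulus, not a real key; only k=rsa records are handled, and the chunked-string handling reflects the DNS rule that one TXT character-string holds at most 255 octets, which is why a 2048-bit p= value always appears as several quoted strings in dig output.

```python
import base64
import re

# Added example (not from the posts or OpenDKIM): parse a DKIM selector TXT
# record as a verifier would and report the RSA key size. The sample key is
# built from a made-up modulus so the script runs offline; it is not a real
# key and not the record from the posts. Only k=rsa records are handled.

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def _der(tag, content):
    """Minimal DER TLV encoder, used only to build the sample key."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content


def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return _der(0x02, (b"\x00" if body[0] & 0x80 else b"") + body)  # keep positive


def build_spki(modulus, exponent=65537):
    """RSA public key as DER SubjectPublicKeyInfo, the form DKIM's p= carries."""
    rsa_key = _der(0x30, _der_int(modulus) + _der_int(exponent))
    alg_id = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_key))


def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; returns (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Modulus size in bits of a DER SubjectPublicKeyInfo rsaEncryption key."""
    tag, spki, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, alg_id, pos = _read_tlv(spki, 0)
    oid_tag, oid, _ = _read_tlv(alg_id, 0)
    if oid_tag != 0x06 or oid != RSA_OID:
        raise ValueError("not rsaEncryption")
    tag, bitstr, _ = _read_tlv(spki, pos)
    if tag != 0x03 or bitstr[:1] != b"\x00":
        raise ValueError("bad BIT STRING")
    _, rsa_key, _ = _read_tlv(bitstr[1:], 0)
    tag, modulus, _ = _read_tlv(rsa_key, 0)
    if tag != 0x02:
        raise ValueError("bad modulus INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


def parse_dkim_txt(rdata):
    """Parse RDATA as dig prints it: the quoted strings are concatenated
    (each holds at most 255 octets), then the tag=value list is split."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    text = "".join(parts) if parts else rdata
    tags = {}
    for item in text.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)  # FWS is allowed inside p=
    return tags


def check_dkim_record(rdata, min_bits=1024):
    """Return (modulus bits or None, list of problems) for one selector record."""
    tags, problems = parse_dkim_txt(rdata), []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v=%s is not DKIM1" % tags["v"])
    if tags.get("k", "rsa") != "rsa":
        problems.append("k=%s is not rsa" % tags["k"])
    if "p" not in tags:
        return None, problems + ["no p= tag"]
    if tags["p"] == "":
        return None, problems + ["p= is empty, which publishes a revoked key"]
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    except Exception as exc:
        return None, problems + ["p= does not decode to an RSA key: %s" % exc]
    if bits < min_bits:
        problems.append("%d-bit key is below the %d-bit minimum" % (bits, min_bits))
    return bits, problems


def as_dig_rdata(text):
    """Quote text the way dig shows a long TXT record: 255-octet chunks."""
    return " ".join('"%s"' % text[i:i + 255] for i in range(0, len(text), 255))


# Constructed sample records (made-up moduli; not real keys).
SAMPLE_1024 = as_dig_rdata("v=DKIM1; h=sha256; k=rsa; s=email; p="
                           + base64.b64encode(build_spki((1 << 1023) | 12345)).decode())
SAMPLE_2048 = as_dig_rdata("v=DKIM1; h=sha256; k=rsa; s=email; p="
                           + base64.b64encode(build_spki((1 << 2047) | 12345)).decode())

if __name__ == "__main__":
    for name, rec in (("1024", SAMPLE_1024), ("2048", SAMPLE_2048)):
        print(name, rec.count('"') // 2, "quoted string(s) ->", check_dkim_record(rec))
```

Paste the RDATA portion (or the whole answer line) from dig into check_dkim_record. A record that the DNS provider truncated, or accepted only in part, fails here with a decode error on p=, which is the quickest way to tell a DNS publishing problem from a signing problem before touching opendkim.conf.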


Re: OpenDKIM not signing

2019-04-09 Thread Ntek, SIA Janis

Apr  9 09:40:14 rx200 mail.info opendkim[4396]: C03DE1014429: 
foobar.example.com [192.0.2.10] not internal



It seems that the domain you want to sign is not in the KeyTable or 
SigningTable! Note that if you put "refile:" before the config file path in 
/etc/opendkim.conf, the syntax changes!

If
SigningTable refile:/etc/opendkim/SigningTable
then
*@mydomain.tld   mydomaintld

If
SigningTable /etc/opendkim/SigningTable
then
mydomain.tld mydomaintld

Note that the dot (.) must not be in the second column. For me the 
refile works better.