Only allow specific sasl-authenticated users to relay

  • Chris Richards
    Message 1 of 7 , Nov 3, 2011
      I've got a situation where some clients on my network apparently have
      computers that have been compromised because every time they change their
      password, spammers on the outside get it and use their email account to
      spam.

      I've got the server right now configured to only allow users within my
      network to send e-mail, so that particular problem is under control, but
      this necessarily means that users OUTSIDE my network cannot relay, even if
      they sasl-auth.

      In looking through the documentation and readmes, I've come across the
      smtpd_client_restrictions setting, and the check_client_access clause.

      Am I right in guessing that if I do something like the following:

      smtpd_sender_restrictions = permit_mynetworks,
      check_sender_access mysql:/etc/postfix/mysql_sender_access.cf,
      permit_sasl_authenticated,
      reject;

      where check_sender_access returns 'dunno' for 'trusted' clients and 'no'
      for 'untrusted' clients, that the result will be to fall through to
      permit_sasl_auth for the 'trusted' clients and fail entirely for the
      'untrusted' clients who are OUTSIDE, but still permit normal relay for
      clients who are INSIDE?

      Thanks in advance for your help.

      Chris
    • Noel Jones
      Message 2 of 7 , Nov 3, 2011
        On 11/3/2011 10:47 PM, Chris Richards wrote:
        > I've got a situation where some clients on my network apparently have
        > computers that have been compromised because every time they change their
        > password, spammers on the outside get it and use their email account to
        > spam.
        >
        > I've got the server right now configured to only allow users within my
        > network to send e-mail, so that particular problem is under control, but
        > this necessarily means that users OUTSIDE my network cannot relay, even if
        > they sasl-auth.
        >
        > In looking through the documentation and readmes, I've come across the
        > smtpd_client_restrictions setting, and the check_client_access clause.
        >
        > Am I right in guessing that if I do something like the following:
        >
        > smtpd_sender_restrictions = permit_mynetworks,
        > check_sender_access mysql:/etc/postfix/mysql_sender_access.cf,
        > permit_sasl_authenticated,
        > reject;
        >
        > where check_sender_access returns 'dunno' for 'trusted' clients and 'no'
        > for 'untrusted' clients, that the result will be to fall through to
        > permit_sasl_auth for the 'trusted' clients and fail entirely for the
        > 'untrusted' clients who are OUTSIDE, but still permit normal relay for
        > clients who are INSIDE?
        >
        > Thanks in advance for your help.
        >
        > Chris
        >


        You're talking about trusted clients, but your example above shows
        checking the sender address (i.e. user@example.com). If you want to
        assign trust using the client IP, use check_client_access rather
        than check_sender_access. And "no" isn't a valid access table
        result; "REJECT" would seem appropriate.

        Also, if this is your internet MX, it will reject all incoming mail.
        To avoid that problem you can use "permit_auth_destination, reject"
        instead of a plain "reject" at the end of the restriction list.

        Other than that, the general idea is sound. Or maybe just terminate
        abusive accounts.



        -- Noel Jones
      • Reindl Harald
        Message 3 of 7 , Nov 4, 2011
          Am 04.11.2011 04:47, schrieb Chris Richards:
          > I've got a situation where some clients on my network apparently have
          > computers that have been compromised because every time they change their
          > password, spammers on the outside get it and use their email account to
          > spam

          please do not try to solve such major problems in the wrong place

          if you have compromised machines in your network, shut them down,
          reinstall them or do anything to get them clean, but do not try
          to solve one single sign of a major problem on the MTA
        • Viktor Dukhovni
          Message 4 of 7 , Nov 4, 2011
            On Thu, Nov 03, 2011 at 10:47:18PM -0500, Chris Richards wrote:

            > Am I right in guessing that if I do something like the following:
            >
            > smtpd_sender_restrictions = permit_mynetworks,
            > check_sender_access mysql:/etc/postfix/mysql_sender_access.cf,
            > permit_sasl_authenticated,
            > reject;
            >
            > where check_sender_access returns 'dunno' for 'trusted' clients and 'no'
            > for 'untrusted' clients, that the result will be to fall through to
            > permit_sasl_auth for the 'trusted' clients and fail entirely for the
            > 'untrusted' clients who are OUTSIDE, but still permit normal relay for
            > clients who are INSIDE?

            If this is an MX host, you need to allow mail to your own domains
            before you "reject", otherwise only your own users will be
            able to send you email.

            Since the sender address and the SASL login account are not
            necessarily the same, you also need to use
            reject_authenticated_sender_login_mismatch. So the whole thing
            boils down to:

            smtpd_sender_restrictions =
            permit_auth_destination,
            permit_mynetworks,
            check_sender_access mysql:/etc/postfix/mysql_sender_access.cf,
            reject_authenticated_sender_login_mismatch,
            permit_sasl_authenticated

            You then also need smtpd_sender_login_maps and each authenticated user
            will be constrained to only use the designated sender addresses. If that's
            too much pain or is overly restrictive, perhaps as others have tried to
            point out you may be solving the wrong problem, just configure the
            authentication layer to lock the abused accounts and work on preventing
            re-compromise of any accounts you plan to re-enable.

            --
            Viktor.
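The two corrections in this thread (Noel's: a plain "reject" at the end of the list also refuses inbound mail for your own domains unless permit_auth_destination comes first; Viktor's: permit_sasl_authenticated alone lets a stolen login send as any address unless reject_authenticated_sender_login_mismatch binds logins to senders) are easy to check with a small simulator of how smtpd walks a restriction list. The code below is an added example, not code from the thread or from Postfix. The networks, addresses, the access table (keyed by client IP, as Noel suggested, rather than by sender) and the sender login map are all constructed stand-ins for $mynetworks, the MX's own domains, the MySQL map and $smtpd_sender_login_maps; it models one list in isolation and does not model smtpd_recipient_restrictions, which still applies afterwards.

```python
"""Simulate how Postfix walks an smtpd_sender_restrictions list, to compare
the three proposals from the thread.  Added example, not code from the
thread or from Postfix.  Every table and address below is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

# Stand-ins for $mynetworks, the MX's own domains, the MySQL access table
# (keyed by client IP as Noel suggested) and $smtpd_sender_login_maps.
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("127.0.0.0/8")]
LOCAL_DOMAINS = {"example.com"}
CLIENT_ACCESS = {"198.51.100.7": "DUNNO",     # trusted client: fall through
                 "203.0.113.9": "REJECT"}     # untrusted client: refuse outright
SENDER_LOGIN_MAPS = {"alice@example.com": {"alice"},
                     "bob@example.com": {"bob"}}

@dataclass
class Session:
    client_ip: str
    sender: str
    recipient: str
    sasl_username: Optional[str] = None  # None = client did not authenticate

def permit_mynetworks(s: Session) -> str:
    ip = ipaddress.ip_address(s.client_ip)
    return "OK" if any(ip in net for net in MYNETWORKS) else "DUNNO"

def permit_sasl_authenticated(s: Session) -> str:
    return "OK" if s.sasl_username else "DUNNO"

def permit_auth_destination(s: Session) -> str:
    return "OK" if s.recipient.rpartition("@")[2] in LOCAL_DOMAINS else "DUNNO"

def check_client_access(s: Session) -> str:
    return CLIENT_ACCESS.get(s.client_ip, "DUNNO")

def reject_authenticated_sender_login_mismatch(s: Session) -> str:
    # Acts on authenticated clients only: the login must own the MAIL FROM
    # address; an address with no owner entry counts as a mismatch too.
    if not s.sasl_username:
        return "DUNNO"
    owners = SENDER_LOGIN_MAPS.get(s.sender.lower(), set())
    return "DUNNO" if s.sasl_username in owners else "REJECT"

def reject(s: Session) -> str:
    return "REJECT"

Restriction = Callable[[Session], str]

def evaluate(restrictions: list, s: Session) -> tuple:
    """First OK or REJECT wins; DUNNO falls through.  A list that ends without
    a decision yields DUNNO, and the next restriction list (for relay control,
    reject_unauth_destination in smtpd_recipient_restrictions) decides."""
    for r in restrictions:
        verdict = r(s)
        if verdict != "DUNNO":
            return verdict, r.__name__
    return "DUNNO", "end-of-list"

# Chris's list with Noel's first correction applied (client access, REJECT).
CHRIS = [permit_mynetworks, check_client_access, permit_sasl_authenticated, reject]
# ...plus Noel's second correction so inbound mail to local domains survives.
NOEL = [permit_mynetworks, check_client_access, permit_sasl_authenticated,
        permit_auth_destination, reject]
# Viktor's version: own domains first, sender/login binding before permit.
VIKTOR = [permit_auth_destination, permit_mynetworks, check_client_access,
          reject_authenticated_sender_login_mismatch, permit_sasl_authenticated]
LISTS = {"chris": CHRIS, "noel": NOEL, "viktor": VIKTOR}

def compare(s: Session) -> dict:
    """Verdict (and the restriction that produced it) under each list."""
    return {name: evaluate(lst, s) for name, lst in LISTS.items()}

# Constructed sessions covering the cases raised in the thread.
SESSIONS = {
    "inside client":               Session("192.0.2.10", "alice@example.com", "friend@example.net"),
    "outside, trusted, auth":      Session("198.51.100.7", "alice@example.com", "friend@example.net", "alice"),
    "outside, untrusted, auth":    Session("203.0.113.9", "bob@example.com", "victim@example.net", "bob"),
    "inbound internet mail":       Session("198.51.100.200", "someone@example.org", "alice@example.com"),
    "auth as alice, MAIL FROM bob": Session("198.51.100.7", "bob@example.com", "victim@example.net", "alice"),
}

if __name__ == "__main__":
    for label, sess in SESSIONS.items():
        print(f"{label:30}", {k: v[0] for k, v in compare(sess).items()})
```

Running it shows the two failure modes side by side: "inbound internet mail" is rejected under Chris's list and accepted under the other two, and "auth as alice, MAIL FROM bob" (a stolen password used to forge another local address) is accepted under both of the permit_sasl_authenticated-only lists and rejected only by Viktor's, at reject_authenticated_sender_login_mismatch.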
          • Chris Richards
            Message 5 of 7 , Nov 5, 2011
              On Fri, November 4, 2011 12:07 pm, Viktor Dukhovni wrote:

              > If this is an MX host, you need to allow mail to your own domains
              > before you "reject" to, otherwise only your own users will be
              > able to send you email.
              >
              > Since the sender address and the SASL login account are not
              > necessarily the same. You also need to use
              > reject_authenticated_sender_login_mismatch. So the whole thing
              > boils down to:
              >
              > smtpd_sender_restrictions =
              > permit_auth_destination,
              > permit_mynetworks,
              > check_sender_access mysql:/etc/postfix/mysql_sender_access.cf,
              > reject_authenticated_sender_login_mismatch,
              > permit_sasl_authenticated
              >
              > You then also need smtpd_sender_login_maps and each authenticated user
              > will be constrained to only use the designated sender addresses. If that's
              > too much pain or is overly restrictive, perhaps as others have tried to
              > point out you may be solving the wrong problem, just configure the
              > authentication layer to lock the abused accounts and work on preventing
              > re-compromise of any accounts you plan to re-enable.

              Thanks Viktor, Noel, and Reindl, for your responses.

              Viktor, yes, I figured out about reject_authenticated_sender_login_mismatch
              and smtpd_sender_login_maps. I'm still working that out, but I don't
              believe that is going to be an issue.

              Yes, I agree that I'm attacking the wrong end of this problem;
              unfortunately that's not my call. Others who 'know more' than me have
              made that decision.

              Thanks again.
            • Reindl Harald
              Message 6 of 7 , Nov 5, 2011
                Am 06.11.2011 04:17, schrieb Chris Richards:
                > Yes, I agree that I'm attacking the wrong end of this problem;
                > unfortunately that's not my call. Others who 'know more' than me have
                > made that decision.

                so tell them if they think they know more than you, they should
                do the job themselves and disable compromised accounts
              • Viktor Dukhovni
                Message 7 of 7 , Nov 5, 2011
                  On Sat, Nov 05, 2011 at 10:17:00PM -0500, Chris Richards wrote:

                  > Victor, yes I figured out about reject_authenticated_sender_login_mismatch
                  > and smtpd_sender_login_maps. I'm still working that out, but I don't
                  > believe that is going to be an issue.

                  On my personal email server, I use non-Postfix means to limit who
                  can use SASL to authenticate to Postfix. In /etc/pam.d/dovecot (Postfix
                  is configured to use dovecot auth) I have:

                  auth required pam_group.so group=pamimap

                  which means that only users in that group can use "PLAIN" auth via PAM. You
                  may be able to use similar means to less intrusively control which users
                  can use authentication to get relay rights. Also rate limits, and other
                  controls may be more effective.

                  Requiring all users to use a fixed sender address may punish too
                  many to solve the problems of a few.

                  --
                  Viktor.