1 (edited by svoboda77 2014-11-03 21:52:50)

Topic: Remote senders forging identity as my local users

==== Required information ====
- iRedMail version: 0.8.7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Linux/BSD distribution name and version: Debian wheezy
- Related log if you're reporting an issue: see below
====

I am sorry to bring back a topic that has been already closed (http://www.iredmail.org/forum/topic7449 … dress.html) but it seems that there really is a problem with iRedMail default configuration.

As was discussed in the above linked thread, remote users are not allowed to forge their identity (From: address) without authenticating via SASL first. This works for local mailboxes, as long as the @local_domains_maps variable contains a list of your local domains. Such email is rejected:

Nov  3 14:03:05 mail postfix/smtpd[30290]: NOQUEUE: reject: RCPT from unknown[188.190.204.92]: 553 5.7.1 <user.name@mydomain.com>: Sender address rejected: not logged in; from=<user.name@mydomain.com> to=<user.name@mydomain.com> proto=ESMTP helo=<pool.luga.net.ua>

But if the remote sender sets his (forged) From: address as an existing alias, postfix won't reject such email and the message is passed:

Nov  3 14:09:22 mail amavis[30269]: (30269-12) Passed SPAMMY {RelayedTaggedInternal}, MYUSERS LOCAL [186.182.172.72]:29367 [186.182.172.72] <alias@mydomain.com> -> <user.name@mydomain.com>, Queue-ID: 88C92340DAD, Message-ID: <005101cff74e$05ea51c7$afa866a3$@mydomain.com>, mail_id: LXx5kCIweK52, Hits: 15.065, size: 4966, queued_as: 4ABC9340E58, 1191 m

Is there a way to solve this? Can postfix also search aliases for local users? Maybe the SQL query in /etc/postfix/mysql/sender_login_maps.cf has to be altered?

Or even better, disable aliases in From: completely?


2

Re: Remote senders forging identity as my local users

Thanks for your report, I didn't realize this issue before.

svoboda77 wrote:

Is there a way to solve this? Can postfix also search aliases for local users? Maybe the SQL query in /etc/postfix/mysql/sender_login_maps.cf has to be altered?

Of course you can update /etc/postfix/mysql/sender_login_maps.cf to query alias accounts, or, add one more sql query in postfix parameter "smtpd_sender_login_maps".

3 (edited by svoboda77 2014-11-04 18:56:59)

Re: Remote senders forging identity as my local users

Thanks for the hint. I tried to update the query to

query       = SELECT mailbox.username FROM alias,mailbox,domain WHERE alias.address='%s' AND TRIM(TRAILING ',' FROM alias.goto)=mailbox.username AND mailbox.domain='%d' AND mailbox.domain=domain.domain AND mailbox.enablesmtp=1 AND mailbox.active=1 AND domain.backupmx=0 AND domain.active=1

which seems to correctly return mailbox.username for given alias:

postmap -q alias@mydomain.com mysql:/etc/postfix/mysql/sender_login_maps.cf.new
login.name@mydomain.com

It works for aliases which only have one member: it returns the real login name of the user. It doesn't return anything for aliases with multiple members, which is not a problem for us, as we have all multiple-member aliases set as "Members only" in iRedAdmin-Pro.

Maybe there is another approach to solving this: how would I disable aliases in From: completely?

4

Re: Remote senders forging identity as my local users

Adding one more SQL query FILE in smtpd_sender_login_maps is better, no more complex SQL statement in sender_login_maps.cf.
Looks like we can use existing SQL query file directly, like below:

# sender_login_maps.cf is the existing map; virtual_alias_maps.cf is the one to add.
# (Postfix only treats "#" at the start of a line as a comment, so the notes go here
# rather than after the map names.)
smtpd_sender_login_maps =
    proxy:mysql:/etc/postfix/mysql/sender_login_maps.cf,
    proxy:mysql:/etc/postfix/mysql/virtual_alias_maps.cf

Could you help verify it?

According to the Postfix documentation (http://www.postfix.org/postconf.5.html# … login_maps), we just need to return "a list of SASL login names separated by comma and/or whitespace".
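A small model, added here and not taken from the thread or from iRedMail, of how Postfix evaluates reject_sender_login_mismatch against smtpd_sender_login_maps when the alias map is appended after the mailbox map. The table contents and the mydomain.com addresses are constructed stand-ins for what the two SQL map files would return.

```python
# Added example: simulate the smtpd_sender_login_maps lookup and the
# reject_sender_login_mismatch decision before and after adding the alias map.

# Constructed stand-ins for the two SQL map files (not real query results).
MAILBOX_OWNERS = {                       # sender_login_maps.cf: address -> SASL login
    "user.name@mydomain.com": "user.name@mydomain.com",
}
ALIAS_GOTO = {                           # virtual_alias_maps.cf: alias -> alias.goto
    "alias@mydomain.com": "user.name@mydomain.com,",       # note the trailing comma
    "team@mydomain.com": "user.name@mydomain.com,other@mydomain.com",
}


def lookup_logins(sender, maps):
    """Return the set of SASL logins allowed to use `sender`, or None when no map
    lists the address. Postfix consults the maps in order and stops at the first
    table that has a match."""
    for table in maps:
        value = table.get(sender.lower())
        if value is not None:
            # postconf(5): "a list of SASL login names separated by comma and/or
            # whitespace", so a trailing comma in alias.goto is harmless here.
            return {v.lower() for v in value.replace(",", " ").split()}
    return None


def sender_login_decision(sender, sasl_login, maps):
    """Model of reject_sender_login_mismatch:
    - address owned and client not logged in   -> reject ("not logged in", as in the 553 log line)
    - address owned by someone else            -> reject
    - address not listed in any map            -> accept (the forgery goes undetected)"""
    owners = lookup_logins(sender, maps)
    if owners is None:
        return "accept"
    if sasl_login is None:
        return "reject: not logged in"
    if sasl_login.lower() not in owners:
        return "reject: not owned by user"
    return "accept"


BEFORE = [MAILBOX_OWNERS]               # default: mailbox map only
AFTER = [MAILBOX_OWNERS, ALIAS_GOTO]    # the fix: alias map appended
```

With BEFORE, an unauthenticated message from alias@mydomain.com is accepted, which is the behaviour in the second log line; with AFTER it is rejected like a real mailbox address.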

5

Re: Remote senders forging identity as my local users

It looks good. Thank you.