1

Topic: Spammers sending from my domain to my domain

======== Required information ====
- iRedMail version: 0.9
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Linux/BSD distribution name and version: Ubuntu 14.04
- Related log if you're reporting an issue: See below
====

I have a problem with spammers sending email apparently from my email addresses to the same address.

I have a catch-all address set up and am using the iredapd reject_sender_login_mismatch plugin.  However, it seems that a remote sender can send email, e.g. from info@mydomain.com to info@mydomain.com, and it gets through.  Surely, senders using mydomain.com should still need to authenticate, even if sending to mydomain.com?  Otherwise, what's to stop rod@mydomain.com pretending to be jane@mydomain.com when he sends email to freddie@mydomain.com?

Example logs are below.  In this case, a third party uses info@mydomain.com to send email to info@mydomain.com and this is then accepted and delivered to catchall-address@mydomain.com.

Is this something that the reject_sender_login_mismatch plugin is (or should be) designed to deal with or should I attempt to write a new plugin that checks for a local from address and requires SASL authentication?

Thanks in advance for any help!

postfix log:

Mar  9 05:42:14 mail postfix/smtpd[8218]: connect from unknown[121.169.78.237]
Mar  9 05:42:14 mail postfix/smtpd[8218]: D0EC1CC258F: client=unknown[121.169.78.237]
Mar  9 05:42:16 mail postfix/cleanup[8226]: D0EC1CC258F: message-id=<002b01d05a77$06425008$852f0db5$@mydomain.com>
Mar  9 05:42:16 mail postfix/qmgr[1484]: D0EC1CC258F: from=<info@mydomain.com>, size=1805, nrcpt=1 (queue active)
Mar  9 05:42:16 mail postfix/smtpd[8218]: disconnect from unknown[121.169.78.237]
Mar  9 05:42:17 mail postfix/smtpd[8235]: connect from mail.mydomain.com[127.0.0.1]
Mar  9 05:42:17 mail postfix/smtpd[8235]: 147BECC2594: client=mail.mydomain.com[127.0.0.1]
Mar  9 05:42:17 mail postfix/cleanup[8226]: 147BECC2594: message-id=<002b01d05a77$06425008$852f0db5$@mydomain.com>
Mar  9 05:42:17 mail postfix/qmgr[1484]: 147BECC2594: from=<info@mydomain.com>, size=2909, nrcpt=1 (queue active)
Mar  9 05:42:17 mail postfix/smtpd[8235]: disconnect from mail.mydomain.com[127.0.0.1]
Mar  9 05:42:17 mail amavis[5060]: (05060-05) Passed SPAM {RelayedTaggedInternal}, MYUSERS LOCAL [121.169.78.237]:34166 [121.169.78.237] <info@mydomain.com> -> <catchall-address@mydomain.com>, Queue-ID: D0EC1CC258F, Message-ID: <002b01d05a77$06425008$852f0db5$@mydomain.com>, mail_id: ApLJO2FtGGTK, Hits: 16.993, size: 1804, queued_as: 147BECC2594, 644 ms
Mar  9 05:42:17 mail postfix/smtp[8230]: D0EC1CC258F: to=<catchall-address@mydomain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.3, delays=1.7/0.01/0/0.67, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 147BECC2594)
Mar  9 05:42:17 mail postfix/qmgr[1484]: D0EC1CC258F: removed
Mar  9 05:42:17 mail postfix/pipe[8237]: 147BECC2594: to=<catchall-address@mydomain.com>, relay=dovecot, delay=0.14, delays=0.01/0.06/0/0.07, dsn=2.0.0, status=sent (delivered via dovecot service)
Mar  9 05:42:17 mail postfix/qmgr[1484]: 147BECC2594: removed

iredapd debug log:

2015-03-09 05:42:14 DEBUG Connect from 127.0.0.1, port 41997.
2015-03-09 05:42:14 DEBUG smtp session: request=smtpd_access_policy
2015-03-09 05:42:14 DEBUG smtp session: protocol_state=RCPT
2015-03-09 05:42:14 DEBUG smtp session: protocol_name=ESMTP
2015-03-09 05:42:14 DEBUG smtp session: client_address=121.169.78.237
2015-03-09 05:42:14 DEBUG smtp session: client_name=unknown
2015-03-09 05:42:14 DEBUG smtp session: reverse_client_name=unknown
2015-03-09 05:42:14 DEBUG smtp session: helo_name=[121.169.78.237]
2015-03-09 05:42:14 DEBUG smtp session: sender=info@mydomain.com
2015-03-09 05:42:14 DEBUG smtp session: recipient=info@mydomain.com
2015-03-09 05:42:14 DEBUG smtp session: recipient_count=0
2015-03-09 05:42:14 DEBUG smtp session: queue_id=
2015-03-09 05:42:14 DEBUG smtp session: instance=201a.54fd32b6.bdafa.0
2015-03-09 05:42:14 DEBUG smtp session: size=0
2015-03-09 05:42:14 DEBUG smtp session: etrn_domain=
2015-03-09 05:42:14 DEBUG smtp session: stress=
2015-03-09 05:42:14 DEBUG smtp session: sasl_method=
2015-03-09 05:42:14 DEBUG smtp session: sasl_username=
2015-03-09 05:42:14 DEBUG smtp session: sasl_sender=
2015-03-09 05:42:14 DEBUG smtp session: ccert_subject=
2015-03-09 05:42:14 DEBUG smtp session: ccert_issuer=
2015-03-09 05:42:14 DEBUG smtp session: ccert_fingerprint=
2015-03-09 05:42:14 DEBUG smtp session: ccert_pubkey_fingerprint=
2015-03-09 05:42:14 DEBUG smtp session: encryption_protocol=
2015-03-09 05:42:14 DEBUG smtp session: encryption_cipher=
2015-03-09 05:42:14 DEBUG smtp session: encryption_keysize=0
2015-03-09 05:42:14 DEBUG LDAP connection initialied success.
2015-03-09 05:42:14 DEBUG LDAP bind success.
2015-03-09 05:42:14 DEBUG --> Apply plugin: reject_null_sender
2015-03-09 05:42:14 DEBUG <-- Result: DUNNO
2015-03-09 05:42:14 DEBUG Skip plugin: amavisd_message_size_limit (protocol_state != RCPT)
2015-03-09 05:42:14 DEBUG Creating Amavisd database connection.
2015-03-09 05:42:14 DEBUG Got db cursor.
2015-03-09 05:42:14 DEBUG --> Apply plugin: amavisd_wblist
2015-03-09 05:42:14 DEBUG Sender is same as recipient, bypassed.
2015-03-09 05:42:14 DEBUG <-- Result: DUNNO
2015-03-09 05:42:14 DEBUG --> Apply plugin: reject_sender_login_mismatch
2015-03-09 05:42:14 DEBUG SKIP: No SASL username.
2015-03-09 05:42:14 DEBUG <-- Result: DUNNO
2015-03-09 05:42:14 DEBUG [+] Getting LDIF data of account: info@mydomain.com
2015-03-09 05:42:14 DEBUG search base dn: o=domains,dc=mydomain,dc=com
2015-03-09 05:42:14 DEBUG search filter: (&(|(mail=info@mydomain.com)(shadowAddress=info@mydomain.com))(|(objectClass=mailUser)(objectClass=mailList)(objectClass=mailAlias)))
2015-03-09 05:42:14 DEBUG search attributes: ['objectClass', 'listAllowedUser', 'accessPolicy']
2015-03-09 05:42:14 DEBUG No such account.
2015-03-09 05:42:14 DEBUG --> Apply plugin: ldap_maillist_access_policy
2015-03-09 05:42:14 DEBUG <-- Result: DUNNO (No recipient LDIF data)
2015-03-09 05:42:14 DEBUG Closed Amavisd database connection.
2015-03-09 05:42:14 INFO [121.169.78.237] info@mydomain.com -> info@mydomain.com, DUNNO
2015-03-09 05:42:14 DEBUG Session ended
2015-03-09 05:42:14 DEBUG Close LDAP connection.

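The check the first post asks for, written out as an added example (it is not iRedAPD's plugin, nor anything from iRedMail): a Postfix policy-delegation request is parsed from the same name=value attributes the iRedAPD debug log prints, and an envelope sender in a locally hosted domain is refused unless the client is in mynetworks or has a SASL login that owns the address. The set of local domains, the mynetworks value and the "login equals sender" ownership rule are assumptions for the example; iRedMail would take the first two from its LDAP/SQL backend and main.cf. The sample request is constructed from the session in the debug log above.

```python
import ipaddress

# Hypothetical inputs for this example. iRedMail would fetch the hosted
# domains from its LDAP/SQL backend (the same source as
# virtual_mailbox_domains); 127.0.0.0/8 is the mynetworks value shown in
# the postconf output later in this thread.
LOCAL_DOMAINS = {"mydomain.com"}
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]


def parse_policy_request(raw):
    """Parse one Postfix policy delegation request.

    The protocol is a sequence of 'name=value' lines terminated by an empty
    line; the attribute names are the ones the iRedAPD debug log prints
    (sender, recipient, client_address, sasl_username, ...).
    """
    attrs = {}
    for line in raw.splitlines():
        if not line.strip():
            break  # the empty line ends the request
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed policy line: %r" % line)
        attrs[name.strip()] = value.strip()
    return attrs


def sender_domain(address):
    """Domain part of an envelope address, lower-cased ('' for the null sender)."""
    return address.rpartition("@")[2].lower()


def client_in_mynetworks(client_address):
    """True when the connecting client is inside a trusted network."""
    try:
        ip = ipaddress.ip_address(client_address)
    except ValueError:
        return False
    return any(ip in net for net in MYNETWORKS)


def check_local_sender(attrs):
    """Return a Postfix policy action: 'DUNNO' or a 'REJECT ...' line.

    The bug discussed in this thread was a plugin that returned DUNNO as
    soon as sasl_username was empty. Here an empty sasl_username is exactly
    the case that gets examined when the sender claims a local domain.
    """
    sender = attrs.get("sender", "")
    if not sender:
        return "DUNNO"  # null sender (bounces): left to other checks
    if sender_domain(sender) not in LOCAL_DOMAINS:
        return "DUNNO"  # foreign sender domain: ordinary inbound mail
    if client_in_mynetworks(attrs.get("client_address", "")):
        return "DUNNO"  # trusted host, e.g. amavisd re-injecting via 127.0.0.1
    login = attrs.get("sasl_username", "").lower()
    if not login:
        return "REJECT Sender address rejected: not logged in"
    # Authenticated client: the login must own the sender. Hypothetical
    # ownership rule for this example: the login is the sender address itself.
    if login != sender.lower():
        return "REJECT Sender address rejected: not owned by user %s" % login
    return "DUNNO"


# Constructed request mirroring the session in the iRedAPD debug log above:
# unknown remote client, no SASL, local sender and local recipient.
SPOOFED_REQUEST = """request=smtpd_access_policy
protocol_state=RCPT
protocol_name=ESMTP
client_address=121.169.78.237
client_name=unknown
helo_name=[121.169.78.237]
sender=info@mydomain.com
recipient=info@mydomain.com
sasl_method=
sasl_username=
sasl_sender=

"""

if __name__ == "__main__":
    print(check_local_sender(parse_policy_request(SPOOFED_REQUEST)))
```

The second smtpd session in the Postfix log (the re-injection from mail.mydomain.com[127.0.0.1] after amavisd) is why the mynetworks exemption has to stay: without it the content filter's own hand-off would be rejected for every message with a local sender.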

2

Re: Spammers sending from my domain to my domain

See my similar post, showing more detail http://www.iredmail.org/forum/topic8814 … ofing.html
The iRedAPD plugin you mentioned gets skipped for incoming mail; otherwise all incoming mail would fail:

2015-03-09 05:42:14 DEBUG --> Apply plugin: reject_sender_login_mismatch
2015-03-09 05:42:14 DEBUG SKIP: No SASL username.

Incoming mail doesn't have SASL, so cannot be verified this way. My Server isn't checking SPF or DKIM properly, [not noticing missing DKIM Signatures and even signing the mail before delivery itself]
We need something that checks whether the account is properly SASLd if its domain exists on the local server. I could write a plugin for iRedAPD to do this, but it's not going to be the best of ideas. We need to see what Zhang has to say on this matter.

3

Re: Spammers sending from my domain to my domain

Check out my latest response on my thread; I've got SPF working properly. With the 3 line changes I've made, it'll move mail into the Junk box and prepend its subject with `[JUNK]` because it failed its SPF checks [requires your domain's SPF to be valid].

I think this is a good enough solution.

4

Re: Spammers sending from my domain to my domain

Thanks - glad it's not just me!

Personally I would rather that the messages were rejected rather than marked as spam.  I may see if I can come up with a small plugin to force SASL if the sender domain is local.  Why don't you think it's the best of ideas?

Obviously if you have any better ideas, I'm happy to hear them...

5

Re: Spammers sending from my domain to my domain

How would you go about getting the list of local domains, fetch from LDAP/PgSQL and MySQL?

6

Re: Spammers sending from my domain to my domain

Please show us output of command "postconf -n" to help troubleshoot.

With default iRedMail setting, hosted mail user is forced to send email with smtp authentication. There's no need to write a new iRedAPD plugin to do this.

7

Re: Spammers sending from my domain to my domain

ZhangHuangbin wrote:

Please show us output of command "postconf -n" to help troubleshoot.

With default iRedMail setting, hosted mail user is forced to send email with smtp authentication. There's no need to write a new iRedAPD plugin to do this.

I'm using your reject_sender_login_mismatch plugin rather than the postfix reject_sender_login_mismatch configuration.  Is this what's causing the issue?  As far as I'm aware, I've not made any other pertinent changes.  Might it be a better idea to use the smtpd_sender_login_maps configuration option instead of the iredapd plugin?

root@mail:~# postconf -n
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
allow_min_user = no
allow_percent_hack = no
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 4h
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
delay_warning_time = 0h
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_original_recipient = no
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 0
maximal_backoff_time = 4000s
maximal_queue_lifetime = 4h
message_size_limit = 52428800
minimal_backoff_time = 300s
mydestination = $myhostname, localhost, localhost.localdomain, localhost.$myhostname
mydomain = mydomain.com
myhostname = mail.mydomain.com
mynetworks = 127.0.0.0/8
mynetworks_style = host
myorigin = mail.mydomain.com
proxy_read_maps = $canonical_maps $lmtp_generic_maps $local_recipient_maps $mydestination $mynetworks $recipient_bcc_maps $recipient_canonical_maps $relay_domains $relay_recipient_maps $relocated_maps $sender_bcc_maps $sender_canonical_maps $smtp_generic_maps $smtpd_sender_login_maps $transport_maps $virtual_alias_domains $virtual_alias_maps $virtual_mailbox_domains $virtual_mailbox_maps $smtpd_sender_restrictions
queue_run_delay = 300s
readme_directory = no
recipient_bcc_maps = proxy:ldap:/etc/postfix/ldap/recipient_bcc_maps_user.cf, proxy:ldap:/etc/postfix/ldap/recipient_bcc_maps_domain.cf
recipient_delimiter = +
relay_domains = $mydestination, proxy:ldap:/etc/postfix/ldap/relay_domains.cf
relayhost =
sender_bcc_maps = proxy:ldap:/etc/postfix/ldap/sender_bcc_maps_user.cf, proxy:ldap:/etc/postfix/ldap/sender_bcc_maps_domain.cf
smtp-amavis_destination_recipient_limit = 1
smtp_data_init_timeout = 240s
smtp_data_xfer_timeout = 600s
smtp_tls_CAfile = $smtpd_tls_CAfile
smtp_tls_loglevel = 0
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031,
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre
smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_recipient, check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:ldap:/etc/postfix/ldap/sender_login_maps.cf
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_tls_CAfile = /etc/ssl/certs/mail.mydomain.com.ca-bundle
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/mail.mydomain.com.crt
smtpd_tls_key_file = /etc/ssl/private/mail.mydomain.com.key
smtpd_tls_loglevel = 0
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
swap_bangpath = no
tls_random_source = dev:/dev/urandom
transport_maps = proxy:ldap:/etc/postfix/ldap/transport_maps_user.cf, proxy:ldap:/etc/postfix/ldap/transport_maps_domain.cf
virtual_alias_domains =
virtual_alias_maps = proxy:ldap:/etc/postfix/ldap/virtual_alias_maps.cf, proxy:ldap:/etc/postfix/ldap/virtual_group_maps.cf, proxy:ldap:/etc/postfix/ldap/virtual_group_members_maps.cf, proxy:ldap:/etc/postfix/ldap/catchall_maps.cf
virtual_gid_maps = static:2000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:ldap:/etc/postfix/ldap/virtual_mailbox_domains.cf
virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap/virtual_mailbox_maps.cf
virtual_minimum_uid = 2000
virtual_transport = dovecot
virtual_uid_maps = static:2000

8

Re: Spammers sending from my domain to my domain

So it looks like the culprit is the reject_sender_login_mismatch iredapd plugin.  When I disable that and use postfix's reject_sender_login_mismatch option, spoofed address spam disappears.  I think the plugin needs to check the sender domain if there's no sasl login and disallow mail from local domains.

9

Re: Spammers sending from my domain to my domain

I was able to spoof even with the postfix option on and the iredapd one off.

10

Re: Spammers sending from my domain to my domain

7t3chguy wrote:

I was able to spoof even with the postfix option on and the iredapd one off.

Did you change anything else? If I try it now I get

553 5.7.1 <user@domain.net>: Sender address rejected: not logged in

...when previously it just let it through.

11

Re: Spammers sending from my domain to my domain

Only other thing I had set was sender_dependent_transport_maps for multiple IPs.

12

Re: Spammers sending from my domain to my domain

Only thing I'm wondering is what if a service such as MailGun or even PayPal sends an e-mail to my domain, with the FROM as my domain, does it check the FROM header or the envelope From?
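Posts 8 through 12 turn on what Postfix's own reject_sender_login_mismatch actually decides. The following added example (not Postfix or iRedMail code) models that restriction from a smtpd_sender_login_maps lookup, using the rule as Postfix documents it: reject when the map names an owner for the envelope sender but the client is not logged in as that owner, or when the client is logged in but is not listed as an owner of the sender. The input is the envelope MAIL FROM address (the policy `sender` attribute), never the From: header, which answers the question in the last post for this restriction. The map contents are constructed for the example, and the lookup is by exact address only (Postfix also tries fallback keys such as the address without its +extension and the bare @domain, which this model leaves out).

```python
# Constructed stand-in for the LDAP-backed smtpd_sender_login_maps:
# envelope sender address -> set of SASL logins allowed to use it.
# info@mydomain.com is deliberately absent: in the logs earlier in this
# thread it exists only through the catch-all alias ("No such account"),
# so the map lists no owner for it.
SENDER_LOGIN_MAPS = {
    "jane@mydomain.com": {"jane@mydomain.com"},
    "rod@mydomain.com": {"rod@mydomain.com"},
    "sales@mydomain.com": {"jane@mydomain.com", "rod@mydomain.com"},  # shared alias
}


def lookup_owners(sender):
    """Owners of an envelope sender; empty set when the map has no entry.

    Exact-address lookup only, as an assumption of this example.
    """
    return SENDER_LOGIN_MAPS.get(sender.lower(), set())


def reject_sender_login_mismatch(sender, sasl_username):
    """Return the SMTP reply Postfix would give, or None when the sender passes."""
    owners = lookup_owners(sender)
    login = (sasl_username or "").lower()
    if login:
        # Authenticated client: its login must be among the sender's owners,
        # so an authenticated user cannot borrow a colleague's address.
        if login not in owners:
            return "553 5.7.1 <%s>: Sender address rejected: not owned by user %s" % (sender, login)
        return None
    if owners:
        # Unauthenticated client using an address that has an owner: this is
        # the "not logged in" reply quoted in post 10.
        return "553 5.7.1 <%s>: Sender address rejected: not logged in" % sender
    # Unauthenticated client, but the map has no owner to compare against.
    # Postfix has nothing to enforce here, so the address passes; a
    # catch-all-only address like the one in the logs above lands in this branch.
    return None


def scenarios():
    """The thread's cases side by side, on constructed inputs."""
    return {
        "real account, no SASL": reject_sender_login_mismatch("jane@mydomain.com", ""),
        "catch-all address, no SASL": reject_sender_login_mismatch("info@mydomain.com", ""),
        "rod logged in, claiming to be jane": reject_sender_login_mismatch("jane@mydomain.com", "rod@mydomain.com"),
        "rod logged in, using shared alias": reject_sender_login_mismatch("sales@mydomain.com", "rod@mydomain.com"),
    }


if __name__ == "__main__":
    for label, verdict in scenarios().items():
        print("%-36s %s" % (label, verdict or "passes"))
```

Run against these inputs, the model shows how post 8 and post 9 can both be accurate observations: whether a spoofed local sender is refused depends on whether the spoofed address resolves to an owner in the map. An address that exists only via a catch-all alias has no owner, so this restriction lets it through, and only a rule of the form "local sender domain requires authentication" (the one the original poster proposed) closes that gap.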

13

Re: Spammers sending from my domain to my domain

cdnt wrote:

So it looks like the culprit is the reject_sender_login_mismatch iredapd plugin.  When I disable that and use postfix's reject_sender_login_mismatch option, spoofed address spam disappears.

Could you please help confirm this? If you're sure, i will fix it immediately.

14

Re: Spammers sending from my domain to my domain

Dear all,

It's confirmed that this is a bug in iRedAPD plugin 'reject_sender_login_mismatch.py'.
If you're running the latest iRedAPD-1.4.4, you can download this plugin and override the one on your server (/opt/iredapd/plugins/reject_sender_login_mismatch.py) directly:
https://bitbucket.org/zhb/iredapd/src/d … at=default

Thanks for reporting the issue. And thanks @7t3chguy for helping reproduce this issue on his servers and helping test.