HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials


ophthal 3rd March 2009 21:42

ISPCONFIG3 rc1 postfix question
 
How do I stop a local mail user from accessing the SMTP queue?
I set Postfix = n in the database and IMAP / POP checked
but they still have access?

True newbie here,

Ray

ophthal 4th March 2009 03:35

A little more info:
I have Roundcube installed with ISPconfig3 with a sign-up interface for new users. Well, the folks with US$20,000,000 dollars from Nigeria showed up and went nuts...

I have all the fun stuff on the spam side installed but a valid user... Well there are some holes I need to plug.

With ISPconfig3, I set the offender to Postfix no, IMAP & POP checked. In the database, Postfix=n, access=n, disableimap=1, disablepop3=1

These users can still send mail. In postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
home_mailbox = Maildir/
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = all
invalid_hostname_reject_code = 554
mailbox_command = /usr/bin/maildrop
mailbox_size_limit = 50485760
message_size_limit = 10000000
mime_header_checks = regexp:/etc/postfix/mime_header_checks
multi_recipient_bounce_reject_code = 554
mydestination = mail.mymail.com, localhost, localhost.localdomain
myhostname = mail.t-mail.com
mynetworks = 127.0.0.0/8
myorigin = /etc/mailname
nested_header_checks = regexp:/etc/postfix/nested_header_checks
non_fqdn_reject_code = 554
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
readme_directory = /usr/share/doc/postfix
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_domains_reject_code = 554
relayhost =
smtp_destination_recipient_limit = 25
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf,
smtpd_error_sleep_time = 5s
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_recipient_limit = 5
smtpd_recipient_restrictions = reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_pipelining,permit_sasl_authenticated ,reject_unauth_destination,reject_rbl_client multi.uribl.com,reject_rbl_client zen.spamhaus.org,reject_rbl_client dnsbl.njabl.org,reject_rbl_client whois.rfc-ignorant.org,reject_rbl_client combined.rbl.msrbl.net,check_policy_service inet:127.0.0.1:60000,reject_rhsbl_sender dsn.rfc-ignorant.org,permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_login_maps = mysql:/etc/postfix/mysql-virtual_sender_ban.cf
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf,
smtpd_soft_error_limit = 10
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_random_source = dev:/dev/urandom
transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554
virtual_alias_domains =
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = maildrop
virtual_uid_maps = static:5000


and /etc/postfix/mysql-virtual_sender_ban.cf

user = XXXXXX
password = XXXXXX
dbname = dbispconfig
table = mail_user
select_field = email
where_field = email
additional_conditions = and postfix ='n'
hosts = 127.0.0.1

Thanks for your help.

Ray

till 4th March 2009 11:07

First you should update your installation to the latest ispconfig 3 release.

ophthal 4th March 2009 15:24

Sorry 'bout that. It is 3.0.0.9 RC2.


Ray

falko 5th March 2009 19:00

Do you maybe have vulnerable web applications on your server that can be abused by spammers?

ophthal 5th March 2009 19:22

Roundcube webmail linked to ISPconfig. Roundcube login depends on IMAP. With IMAP disabled through ISPconfig, the user authenticates OK but then the session disconnects.

telnet mymail.com 143
Trying 10.10.10.10...
Connected to mymail.com.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2008 Double Precision, Inc. See COPYING for distribution information.
. login user1@mymail.com XXXXXX
. OK LOGIN Ok.
* BYE IMAP access disabled for this account.
Connection closed by foreign host.

User is in though and can send e-mail. If disableimap stopped OK login, then user would not authenticate. Does this make sense?
Something like the following in postfix/main.cf would block sending mail I think:

smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access mysql:/etc/postfix/mysql-virtual_sender_ban.cf

where mysql:/etc/postfix/mysql-virtual_sender.cf blocks blacklisted spamfilters from ISPconfig and
/etc/postfix/mysql-virtual_sender_ban.cf contains:

user = XXXXX
password = XXXXX
dbname = dbispconfig
table = mail_user
select_field = email
where_field = email
additional_conditions = and (postfix ='n' OR disableimap ='1')
hosts = 127.0.0.1

Should this block an ISPconfig user from sending? Does it make sense?

I will investigate Roundcube and try to find out why the user is allowed access but from a pure ISPconfig point, is there a way to shut them out so setting postfix ='n' or disableimap='1' results in:

telnet mymail.com 143
Trying 10.10.10.10...
Connected to mymail.com.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2008 Double Precision, Inc. See COPYING for distribution information.
. login user1@mymail.com XXXXXX
. NO Login failed.
* BYE IMAP access disabled for this account.
Connection closed by foreign host.

Thanks again for your patience and for not jumping all over me for my ignorance. I have found these forums very useful and appreciate your willingness to help us, the dimmer bulbs in the chandelier.

Ray
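
One way to turn the sender ban proposed in the post above into something Postfix acts on, as an added example that is not part of the original thread or of ISPConfig's shipped configuration: check_sender_access interprets the lookup result as an access(5) action, so the query returns a REJECT action instead of the address. The file name mysql-virtual_sender_reject.cf and the reject text are assumptions; the database, table and column names are the ones posted in the thread.

```ini
# --- /etc/postfix/main.cf (fragment) ---
# The new lookup is evaluated first. The other two entries are the ones
# already shown in the posted postconf -n output and are left unchanged.
smtpd_sender_restrictions =
    check_sender_access mysql:/etc/postfix/mysql-virtual_sender_reject.cf,
    reject_authenticated_sender_login_mismatch,
    check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf

# --- /etc/postfix/mysql-virtual_sender_reject.cf (hypothetical file name) ---
# Uses the "query" syntax of mysql_table(5), available since Postfix 2.2.
# Postfix substitutes the (escaped) envelope sender address for %s.
# A row is returned only for disabled accounts, and the returned value is
# the access(5) action itself. No row means "no decision", so enabled
# accounts fall through to the remaining restrictions.
user = XXXXXX
password = XXXXXX
dbname = dbispconfig
hosts = 127.0.0.1
query = SELECT 'REJECT Sending disabled for this account'
        FROM mail_user
        WHERE email = '%s' AND (postfix = 'n' OR disableimap = '1')

# --- checks after editing ---
# Expect the REJECT text for a disabled account and no output (exit status 1)
# for an enabled one:
#   postmap -q user1@mymail.com mysql:/etc/postfix/mysql-virtual_sender_reject.cf
# Then reload the configuration:
#   postfix reload
```

The lookup key is the envelope sender (MAIL FROM), not the SASL login, so the ban only holds if authenticated users are also prevented from sending under another address. smtpd restrictions do not apply to mail handed to the local sendmail command, so a webmail installation configured to submit that way is not covered by this check.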

falko 6th March 2009 15:01

Quote:

Originally Posted by ophthal (Post 173535)
but from a pure ISPconfig point, is there a way to shut them out so setting postfix ='n' or disableimap='1' results in:

telnet mymail.com 143
Trying 10.10.10.10...
Connected to mymail.com.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2008 Double Precision, Inc. See COPYING for distribution information.
. login user1@mymail.com XXXXXX
. NO Login failed.
* BYE IMAP access disabled for this account.
Connection closed by foreign host.

I'm not sure if this is possible...

