How can I prevent that an user sends mail like another user on Postfix?

Discussion in 'Installation/Configuration' started by Yavuz Can, Feb 12, 2020.

  1. Yavuz Can

    Yavuz Can New Member

    [​IMG]

    I am running a ispconfig programs and system are up to date.



    THE PROBLEM
    Whether a malicious user get access to an account, for instance. He can send messages as if him were Ana, Bob and so on. How can I prevent it?

    THE GOAL
    In other words, I want the message be sent if and only if the user authenticated is the same in sender header. Exists any tool for it?

    Sorry I don't know enough English.

    Why User name can be changed from my wordpress site and mail can be sent.
    He wants to set up a security measure. Why can he send an email with no account? and can add accounts in raouncube.

    In short, what I want is: no other mail account other than orjinal user is defined. (roundcube)
     

    Attached Files:

    • why.jpg
      why.jpg
      File size:
      233.7 KB
      Views:
      4
    Last edited: Feb 12, 2020
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    You could have turned your Roundcube to English user interface for taking the screenshot. What field is it that is modified in that screenshot?
    I'm not sure what exactly you wanted to accomplish, but perhaps using Internet Search Engines with
    Code:
    prevent spoofing e-mail sender site:howtoforge.com
    would help?
     
  3. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Using those Search Engines I found "Reject sender and login mismatch" in ISPConfig System | Server Config | Mail. Unfortunately my ISPConfig 3.1 manual does not explain how that setting works.
     
  4. Steini86

    Steini86 Active Member

    The option basically sets reject_sender_login_mismatch in postfix main.cf: http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch
    So this tests if the sending user (which has authentificated via SASL) is the owner of the sender address. Should be exactly what @Yavuz Can wants.
     
  5. Yavuz Can

    Yavuz Can New Member

    I'm still working on it. I will share it with you if I solve it. Thank you for your help.
     
  6. Steini86

    Steini86 Active Member

    ? You just have to tick this one option in the config?
    ISPConfig System -> Server Config -> Mail -> "Reject sender and login mismatch"
     
  7. Yavuz Can

    Yavuz Can New Member

    I activated it after seeing your message. But nothing has changed.


    Code:
    Feb 13 01:13:36 yawuzcan dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=193.109.134.58, lip=127.0.0.1, mpid=1380, secured, session=<DwqoSGie+I3BbYY6>
    Feb 13 01:13:36 yawuzcan dovecot: imap-login: Login: user=<[email protected]>, method=PLAIN, rip=193.109.134.58, lip=127.0.0.1, mpid=1383, secured, session=<1X6pSGie/I3BbYY6>
    Feb 13 01:13:36 yawuzcan dovecot: imap([email protected]): Logged out in=233 out=1028
    Feb 13 01:13:36 yawuzcan dovecot: imap([email protected]): Logged out in=320 out=9965
    Feb 13 01:13:39 yawuzcan postfix/smtpd[1385]: connect from localhost[127.0.0.1]
    Feb 13 01:13:39 yawuzcan postfix/smtpd[1385]: 120CE6279E: client=localhost[127.0.0.1]
    Feb 13 01:13:39 yawuzcan postfix/cleanup[1363]: 120CE6279E: message-id=<[email protected]>
    Feb 13 01:13:39 yawuzcan postfix/qmgr[1044]: 120CE6279E: from=<[email protected]>, size=1055, nrcpt=1 (queue active)
    Feb 13 01:13:39 yawuzcan amavis[1235]: (01235-01) Passed CLEAN {RelayedOutbound}, LOCAL [127.0.0.1] <[email protected]> -> <[email protected]>, Message-ID: <[email protected]>, mail_id: Xh-3gKTJE3Vx, Hits: 2.201, size: 531, queued_as: 120CE6279E, 5144 ms
    Feb 13 01:13:39 yawuzcan postfix/smtp[1242]: A556A627A2: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.5, delays=0.06/0/0.55/4.9, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 120CE6279E)
    Feb 13 01:13:39 yawuzcan postfix/qmgr[1044]: A556A627A2: removed
    Feb 13 01:13:39 yawuzcan postfix/smtp[1367]: 120CE6279E: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[74.125.133.26]:25, delay=0.54, delays=0.02/0/0.27/0.25, dsn=2.0.0, status=sent (250 2.0.0 OK  1581545619 r6si200350wmg.5 - gsmtp)
    Feb 13 01:13:39 yawuzcan postfix/qmgr[1044]: 120CE6279E: removed
    

    Orjinal mail login : info
    I add fake mail : evrenbuyurgan
    But again mail was sent. :(
     
  8. Jesse Norell

    Jesse Norell Well-Known Member

    Try reject_unlisted_sender (ie. add that to your smtpd_sender_restrictions before permit_mynetworks):

    reject_unlisted_sender

    Reject the request when the MAIL FROM address is not listed in the list of valid recipients for its domain class. See the smtpd_reject_unlisted_sender parameter description for details. This feature is available in Postfix 2.1 and later.
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    As far as I can see, he is not connecting with smtp-auth, which means the sender can not ve restricted by postfix as the valid sender is unknown. You must connect by smtp-auth to be able to restrict the from address to the authenticated address. Change your roundcube config to use smtp-auth for sending.
     
  10. Jesse Norell

    Jesse Norell Well-Known Member

    For roundcube, definitely; but the original post also mentioned websites (eg. wordpress) sending.

    By default I believe any sender address will be accepted when sent from localhost on port 25; to change that you will have to change your smtpd_sender_restrictions (search the forum for how to create a conf-custom file base on the upstream conf file).

    To start, ensure reject_sender_login_mismatch is enabled (Server Config > Mail > Reject sender and login mismatch) to address authenticated users, and add reject_unlisted_sender (or set 'smtpd_reject_unlisted_sender = yes' in /etc/postfix/main.cf) to block unknown sender addresses from domains where you know what addresses are valid.

    Then you have to change/rearrange smtpd_sender_restrictions a little. In your case, it sounds like you want to remove permit_mynetworks entirely, so everything will need to either be sent authenticated. You can start with this, but definitely test it, as there could well be various system emails or such that start to be affected (eg. say ISPConfig's own emails, if it isn't set to send with authentication, may hereafter not work). I believe anything sent from other paths (like /usr/sbin/sendmail) will still function, and only mail sent via smtpd will be affected, but as I said, test this, and don't be surprised to find a few things blocked that you probably want.
    Code:
    smtpd_sender_restrictions = check_sender_access regexp:/etc/postfix/tag_as_originating.re, reject_sender_login_mismatch, reject_unknown_sender_domain, reject_unlisted_sender, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, permit_sasl_authenticated, check_sender_access regexp:/etc/postfix/tag_as_foreign.re
    
    An additional caveat, I don't know if anything differs there (specifically the tag_as_*.re maps) if you're using rspamd.

    And now the bad news.... that might be sufficient to appease your client who wants his own tests to fail when he uses bogus address combinations, and it will also help with unconfigured sites that send using php's mail() or other interfaces to /usr/bin/sendmail; however if a spammer has control of a site and bothers to dig around a few minutes, they will quickly find other ports listening on localhost which readily accept any email sent there (I believe 10025 and 10027, maybe others).

    The only real solution for that (in a few seconds of thought :)) is to separate your mail server from your web server. You can enable reject_sender_login_mismatch on your mail server and require authentication for your web users to be able to send, with no backdoor access to open ports on localhost. Ensure system mail from your web server is making it to you via your mail server, then block outgoing port 25/465/587 connections from your webserver.
     
    Last edited: Feb 13, 2020
  11. nhybgtvfr

    nhybgtvfr Active Member

    hmm... wouldn't you only block outgoing port 25 connections from the webserver?
    anything accepting connections on ports 465 or 587 should only accept authenticated mail.
    blocking those would block sites on your server using legitimate, authenticated email accounts on eg gmail, office365 etc
     
  12. Jesse Norell

    Jesse Norell Well-Known Member

    Mea culpa, good point. 465 used to accept unauthenticated mail quite often, but is probably pretty safe now, and 587 always has been.
     

Share This Page