ISPCONFIG3 rc1 postfix question

Discussion in 'Developers' Forum' started by ophthal, Mar 3, 2009.

  1. ophthal

    ophthal New Member

    How do I stop a local mail user from accessing the SMTP queue?
    I set Postfix = n in the database and IMAP / POP checked
    but they still have access?

    True newbie here,

    Ray
     
    Last edited: Mar 5, 2009
  2. ophthal

    ophthal New Member

    A little more info:
    I have Roundcube installed with ISPconfig3 with a sign-up interface for new users. Well, the folks with US$20,000,000 dollars from Nigeria showed up and went nuts...

    I have all the fun stuff on the spam side installed but a valid user... Well there are some holes I need to plug.

    With ISPconfig3, I set the offender to Postfix no, IMAP & POP checked. In the database, Postfix=n, access=n, disableimap=1, disablepop3=1

    These users can still send mail. In postconf -n:

    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    append_dot_mydomain = no
    biff = no
    body_checks = regexp:/etc/postfix/body_checks
    broken_sasl_auth_clients = yes
    config_directory = /etc/postfix
    content_filter = amavis:[127.0.0.1]:10024
    disable_vrfy_command = yes
    header_checks = regexp:/etc/postfix/header_checks
    home_mailbox = Maildir/
    html_directory = /usr/share/doc/postfix/html
    inet_interfaces = all
    inet_protocols = all
    invalid_hostname_reject_code = 554
    mailbox_command = /usr/bin/maildrop
    mailbox_size_limit = 50485760
    message_size_limit = 10000000
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    multi_recipient_bounce_reject_code = 554
    mydestination = mail.mymail.com, localhost, localhost.localdomain
    myhostname = mail.t-mail.com
    mynetworks = 127.0.0.0/8
    myorigin = /etc/mailname
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    non_fqdn_reject_code = 554
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
    readme_directory = /usr/share/doc/postfix
    receive_override_options = no_address_mappings
    recipient_delimiter = +
    relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_domains_reject_code = 554
    relayhost =
    smtp_destination_recipient_limit = 25
    smtp_tls_note_starttls_offer = yes
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtp_use_tls = yes
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf,
    smtpd_error_sleep_time = 5s
    smtpd_hard_error_limit = 20
    smtpd_helo_required = yes
    smtpd_recipient_limit = 5
    smtpd_recipient_restrictions = reject_invalid_hostname, reject_unknown_recipient_domain, reject_unauth_pipelining,permit_sasl_authenticated,reject_unauth_destination,reject_rbl_client multi.uribl.com,reject_rbl_client zen.spamhaus.org,reject_rbl_client dnsbl.njabl.org,reject_rbl_client whois.rfc-ignorant.org,reject_rbl_client combined.rbl.msrbl.net,check_policy_service inet:127.0.0.1:60000,reject_rhsbl_sender dsn.rfc-ignorant.org,permit
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_sasl_local_domain =
    smtpd_sasl_security_options = noanonymous
    smtpd_sender_login_maps = mysql:/etc/postfix/mysql-virtual_sender_ban.cf
    smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf,
    smtpd_soft_error_limit = 10
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
    smtpd_tls_auth_only = no
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_security_level = may
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_tls_session_cache_timeout = 3600s
    smtpd_use_tls = yes
    strict_rfc821_envelopes = yes
    tls_random_source = dev:/dev/urandom
    transport_maps = proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    unknown_address_reject_code = 554
    unknown_client_reject_code = 554
    unknown_hostname_reject_code = 554
    unknown_local_recipient_reject_code = 554
    unknown_relay_recipient_reject_code = 554
    unknown_virtual_alias_reject_code = 554
    unknown_virtual_mailbox_reject_code = 554
    unverified_recipient_reject_code = 554
    unverified_sender_reject_code = 554
    virtual_alias_domains =
    virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_gid_maps = static:5000
    virtual_mailbox_base = /var/vmail
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_transport = maildrop
    virtual_uid_maps = static:5000


    and /etc/postfix/mysql-virtual_sender_ban.cf

    user = XXXXXX
    password = XXXXXX
    dbname = dbispconfig
    table = mail_user
    select_field = email
    where_field = email
    additional_conditions = and postfix ='n'
    hosts = 127.0.0.1

    Thanks for your help.

    Ray
     
    Last edited: Mar 5, 2009
  3. till

    till Super Moderator

    First you should update your installation to the latest ispconfig 3 release.
     
  4. ophthal

    ophthal New Member

    Sorry 'bout that. It is 3.0.0.9 RC2.


    Ray
     
  5. falko

    falko Super Moderator

    Do you maybe have vulnerable web applications on your server that can be abused by spammers?
     
  6. ophthal

    ophthal New Member

    Roundcube webmail linked to ISPconfig. Roundcube login depends on IMAP. With IMAP disabled through ISPconfig, the user authenticates OK but then the session disconnects.

    telnet mymail.com 143
    Trying 10.10.10.10...
    Connected to mymail.com.
    Escape character is '^]'.
    * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2008 Double Precision, Inc. See COPYING for distribution information.
    . login user1@mymail.com XXXXXX
    . OK LOGIN Ok.
    * BYE IMAP access disabled for this account.
    Connection closed by foreign host.

    User is in though and can send e-mail. If disableimap stopped OK login, then user would not authenticate. Does this make sense?
    Something like the following in postfix/main.cf would block sending mail I think:

    smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf, check_sender_access mysql:/etc/postfix/mysql-virtual_sender_ban.cf

    where mysql:/etc/postfix/mysql-virtual_sender.cf blocks blacklisted spamfilters from ISPconfig and
    /etc/postfix/mysql-virtual_sender_ban.cf contains:

    user = XXXXX
    password = XXXXX
    dbname = dbispconfig
    table = mail_user
    select_field = email
    where_field = email
    additional_conditions = and (postfix ='n' OR disableimap ='1')
    hosts = 127.0.0.1

    Should this block an ISPconfig user from sending? Does it make sense?

    I will investigate Roundcube and try to find out why the user is allowed access but from a pure ISPconfig point, is there a way to shut them out so setting postfix ='n' or disableimap='1' results in:

    telnet mymail.com 143
    Trying 10.10.10.10...
    Connected to mymail.com.
    Escape character is '^]'.
    * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2008 Double Precision, Inc. See COPYING for distribution information.
    . login user1@mymail.com XXXXXX
    . NO Login failed.
    * BYE IMAP access disabled for this account.
    Connection closed by foreign host.

    Thanks again for your patience and for not jumping all over me for my ignorance. I have found these forums very useful and appreciate your willingness to help us, the dimmer bulbs in the chandelier.

    Ray
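
Added example, not part of the original thread and not ISPConfig's own configuration: a sender access map for the case asked about above, where a row with postfix = 'n' should stop the account from sending. The file name mysql-virtual_sender_reject.cf and the reject text are assumptions; the database, table and column names are the ones quoted in the thread.

```ini
# /etc/postfix/mysql-virtual_sender_reject.cf   (hypothetical file name)
# A check_sender_access lookup has to return an access(5) action such as
# REJECT. A map that returns the address itself (select_field = email)
# does not give Postfix an action to apply, so the query below returns a
# constant REJECT string for accounts whose sending is switched off.
user = XXXXXX
password = XXXXXX
dbname = dbispconfig
hosts = 127.0.0.1
query = SELECT 'REJECT Sending is disabled for this account' FROM mail_user WHERE email = '%s' AND postfix = 'n'

# /etc/postfix/main.cf
# Each smtpd_*_restrictions list is evaluated on its own, so a REJECT here
# refuses the message even though smtpd_recipient_restrictions contains
# permit_sasl_authenticated.
# smtpd_sender_login_maps stays pointed at a map that returns login names;
# it must not be pointed at the REJECT map above.
smtpd_sender_restrictions =
    reject_authenticated_sender_login_mismatch,
    check_sender_access mysql:/etc/postfix/mysql-virtual_sender_reject.cf,
    check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf

# Check the map before reloading Postfix. A disabled account should print
# the REJECT line; an enabled account should print nothing.
#   postmap -q user1@mymail.com mysql:/etc/postfix/mysql-virtual_sender_reject.cf
```

check_sender_access matches the envelope sender, so it only blocks an account reliably when reject_authenticated_sender_login_mismatch ties that sender to the SASL login. These restrictions apply to SMTP sessions only; mail handed to the local sendmail command by a web application does not pass through them.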
     
  7. falko

    falko Super Moderator

    I'm not sure if this is possible...
     
