mailserver; possible security issue?

Discussion in 'Installation/Configuration' started by Steffan, Jan 25, 2018.

    We have one customer who was the victim of CEO fraud.
    Some of his employees got a message from the email address of the CEO with the order to send xx money to a specific bank account.
    Now we found out that it is possible to send email with sendmail on CentOS/BlueOnyx (also other distributions) from an existing email address to an existing email address.
    telnet 208.77.xx.xx 25
    MAIL FROM:[email protected]
    250 2.1.0 [email protected]... Sender ok
    RCPT TO:
    250 2.1.5 [email protected]... Recipient ok
    Some content for example send money to yx
    250 2.0.0 w0PBbxN1026335 Message accepted for delivery
    QUIT
    221 2.0.0 closing connection
    Connection closed by foreign host.

    Unfortunately, it is not only possible from the same user to the same user. It is also possible from an email address (existing on the server) to another email address (existing on the server).
    Did someone else see something similar?
    In my opinion, in these days of CEO fraud, it is a security issue.

    Although this is not a real security issue, it is related to the way Postfix is configured on your server.
    There is a quite easy way to get rid of this:

    Create a file called /etc/postfix/
    with the following contents:
    user = ispconfig
    password = xxxxxxxxxxxxxx
    dbname = dbispconfig
    hosts =
    query = SELECT 'REJECT' FROM mail_domain WHERE domain = '%d' AND active = 'y'
    require_result_set = no
    Take the credentials for the DB connection from the other mysql-****.cf files.

    Then add , check_sender_access mysql:/etc/postfix/ directly after permit_sasl_authenticated on the smtpd_sender_restrictions line in your file, so the setting looks similar to:
    smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/, check_sender_access mysql:/etc/postfix/
    Then restart Postfix and your problem should be solved.

    Server security is not affected by this: you can neither gain access to the server nor elevate user permissions or start programs, so this is not a server security issue. A mail system has to accept emails for local mailboxes, and the email service traditionally has no strong verification mechanisms to verify that an email sender is really the person he claims to be.

    You should use technologies like DKIM, SPF and DMARC to get better verification of whether an email was really sent by an authorized person. And @Croydon posted a snippet above if you want to disallow an unauthenticated FROM address from a local domain.

    Yes, it's not a server issue,
    but it is a way to send email to someone that looks like it comes from his boss (in this case).

    I'm using a separate mail server; when testing I'm getting
    Sender address rejected: Access denied
    so it looks like the code from @Croydon works.

    I tested a contact form from a website and that still works,
    so it looks like it is not harming my clients to use it.
    Or did I miss something?

    What will no longer work is the following case:
    A contact form on a separate web server that sends out an email with From: and To: both being addresses on the (separate) mail server. This is because the mail is then no longer from "mynetworks" and in addition is not "authenticated".

    Use case: your client has a domain on your mail server and sends out contact form emails (from the web server) with from [email protected] to recipient [email protected] - this won't work anymore unless he uses SMTP auth on the contact form.
    You could of course add the IP of the web server to the "mynetworks" setting in Postfix.

    Yes, that is what I have on my network :)

    So then I would not expect any issue with that config.
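As an added example (not code from this thread, from Postfix or from ISPConfig), the following Python script models the restriction order Croydon described (permit_mynetworks, then permit_sasl_authenticated, then a check_sender_access map that answers REJECT for every locally hosted domain) in a small in-process SMTP server, and repeats the MAIL FROM probe from the first post against it: once unauthenticated, once with SMTP AUTH as a contact form would use, once with a wrong password, and once from an outside domain. It covers both the fix and the contact-form caveat from the later post in one run. The local domain list, the webform account and its password, the 127.0.0.2 "mynetworks" entry, the mail.example.com hostname and the example.com/example.net addresses are all constructed for the example; the server is a model of the policy, not Postfix's own code.

```python
import base64
import socket
import threading

# Constructed sample data standing in for the ISPConfig mail_domain table, the
# SMTP AUTH accounts and the mynetworks setting (all hypothetical values).
LOCAL_DOMAINS = {"example.com"}
AUTH_USERS = {"webform@example.com": "s3cret"}
MYNETWORKS = {"127.0.0.2"}

def sender_access(domain, authenticated, client_ip):
    # Models smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated,
    # check_sender_access mysql:... with a map that returns REJECT for local domains.
    if client_ip in MYNETWORKS or authenticated:
        return "OK"
    if domain.lower() in LOCAL_DOMAINS:
        return "REJECT"          # the SELECT 'REJECT' row from the mysql map
    return "DUNNO"               # no row: Postfix continues with later restrictions

def _serve_client(conn, client_ip):
    # Server side, reduced to EHLO, AUTH PLAIN, MAIL FROM and QUIT.
    authed, rfile = False, conn.makefile("rb")
    send = lambda line: conn.sendall((line + "\r\n").encode())
    send("220 mail.example.com ESMTP")
    while True:
        raw = rfile.readline()
        if not raw:
            break
        verb, _, arg = raw.decode(errors="replace").rstrip("\r\n").partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            send("250-mail.example.com")
            send("250 AUTH PLAIN")
        elif verb == "AUTH":
            try:  # AUTH PLAIN <base64 of "\0user\0password">
                _, user, pw = base64.b64decode(arg.split()[1]).decode().split("\0")
            except (IndexError, ValueError):
                send("501 5.5.4 Syntax error in AUTH")
                continue
            authed = AUTH_USERS.get(user) == pw
            send("235 2.7.0 Authentication successful" if authed
                 else "535 5.7.8 Authentication failed")
        elif verb == "MAIL" and ":" in arg:
            addr = arg.split(":", 1)[1].strip().strip("<>")
            if sender_access(addr.rpartition("@")[2], authed, client_ip) == "REJECT":
                # 554 is Postfix's default access_map_reject_code
                send(f"554 5.7.1 <{addr}>: Sender address rejected: Access denied")
            else:
                send(f"250 2.1.0 {addr}... Sender ok")
        elif verb == "QUIT":
            send("221 2.0.0 closing connection")
            break
        else:
            send("502 5.5.2 Command not implemented")
    conn.close()

def start_server():
    # Listen on an ephemeral localhost port in a background thread; return the port.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def accept_loop():
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=_serve_client, args=(conn, peer[0]), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]

def mail_from_probe(port, sender, auth=None):
    # Client side of the first post's check; returns the reply code given to MAIL FROM.
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        rfile = s.makefile("rb")
        def cmd(line):
            s.sendall((line + "\r\n").encode())
            while True:  # a "250-" line continues a multi-line reply
                reply = rfile.readline().decode().rstrip("\r\n")
                if len(reply) < 4 or reply[3] != "-":
                    return reply
        rfile.readline()  # 220 banner
        cmd("EHLO probe.example.net")
        if auth:
            cmd("AUTH PLAIN " + base64.b64encode(f"\0{auth[0]}\0{auth[1]}".encode()).decode())
        code = int(cmd(f"MAIL FROM:<{sender}>")[:3])
        cmd("QUIT")
        return code

def run_checks():
    # The probes worth repeating after changing smtpd_sender_restrictions.
    port = start_server()
    creds = ("webform@example.com", "s3cret")
    return {
        "unauthenticated_local_sender": mail_from_probe(port, "ceo@example.com"),
        "authenticated_local_sender": mail_from_probe(port, "ceo@example.com", creds),
        "wrong_password_local_sender": mail_from_probe(port, "ceo@example.com", (creds[0], "bad")),
        "unauthenticated_external_sender": mail_from_probe(port, "someone@example.net"),
    }

if __name__ == "__main__":
    print(run_checks())
```

Running it gives 554 for the unauthenticated local sender (the "Sender address rejected: Access denied" reply quoted in the thread; 554 is Postfix's default access_map_reject_code), 554 again when the AUTH attempt fails, 250 once the client has authenticated, and 250 for an outside sender, which the map does not match and which Postfix would hand on to the remaining restrictions. Against a real server the same MAIL FROM probe is the quick post-change check: run it from a host that is not in mynetworks and expect the 554, then confirm the contact form still gets its 250 after switching it to SMTP auth.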
