sendmail "from:" spoofing

Discussion in 'General' started by trogper, Jul 11, 2019.

  1. trogper

    trogper New Member

    Hi

    I have a (formerly?) clean installation of ISPConfig 2.9 on Debian 8 upgraded to 3.1 on 9.9
    How do I prevent web users (php scripts) from spoofing email "from" addresses?
    I want to limit web users to send only email "originating" from their domains, now they are able to use sendmail with any "from" address.
    I don't want to disable sendmail for users as I feel it is too restrictive and easily circumventable.
    I have already configured something like this for SMTP sending using reject_sender_login_mismatch.
     
  2. trogper

    trogper New Member

    Replication steps:
    1. create two separate ispc users
    2. create a domain, web and email for each of them (dom1.com, dom2.com)
    3. create file named index.php in dom1.com webroot with content-php
    4. execute index.php
    5. see that the email is delivered and is signed with dkim
    content-php
    <?php
    shell_exec("echo hello | mail [email protected] -a 'From: <[email protected]>' -a 'To: <[email protected]>' -a 'Subject: ahoj' ");​
     
  3. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    The easiest way is probably to run a separate server for web and email, and require websites to send using authentication to your mail server (port 465 or 587). You would need to block all outgoing port 25 connections (except maybe to your own server to receive system mail from your web server), configure the web server's mail system to not accept mail from users other than root and a few system accounts like www-data (use the 'authorized_submit_users' setting in main.cf for that), and set it (the web server) to relay all mail through your mail server. Make sure your mail server is on a current ISPConfig version, with reject sender login mismatch enabled. (And while you're at it, you might want to secure your php config/setup to disable functions like shell_exec, set open_basedir, and even switch to chroot mode php-fpm for your websites, so they have less ways to generate/inject mail.)

    You could try doing most of the above on a single server (web and email), but by default the localhost addr is in mynetworks, which has very few restrictions, so you'd need to remove that and then test/fix anything in the system which doesn't work (ie. mail which originates from the system that relied on the previous "allow all from localhost" policy). It actually might not be that much which would need fixed, I've not tried that setup offhand. When it comes to blocking outbound port 25 in this setup, I believe there is a way to do that using netfilter based on user id - you would want to allow root and the 'smtp' user to make outbound port 25 connections at a minimum, and block most all others (certainly www-data and all the web* users).
     
  4. trogper

    trogper New Member

    I feel like this should be addressed by ISPconfig, not left to the users and not even tell them.
    I have an idea how to solve the issue. Postdrop/pickup adds UID of process, which created the mail. Perhaps we could create a mail filter which checks whether the source email domain belongs to the same ispconfig user as website.
     
    niemand-glaumy likes this.
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Other users have issues and are trying to make it easier to send arbitrary mail by default, so hard to please everyone. I'd be up for a discussion of what ISPConfig could do along these lines, though, and if something fairly clear cut and implementable comes of it. Keep in mind you are configuring the mail system of a web server, which don't always run postfix (and in fact I don't think that's even the default mta on debian), and which may or may not be an ispconfig mail server.

    Just use the 'authorized_submit_users' postfix setting, that's exactly what it's for. That does not address direct smtp to 127.0.0.1 (port 25 and often other ports, too) though, so is an incomplete solution on its own.
     
  6. trogper

    trogper New Member

    I mean if we want to allow postdrop, we could do the filtering. IMO postdrop/sendmail is much simpler to use than full SMTP client. Even wordpress uses sendmail and does not support SMTP out of the box.
    I have configured reject_sender_login_mismatch and if I remember correctly, it applies to localhost clients also.
     

Share This Page