spoofing - postfix check the From address field matches the authenticated username or other valid aliases in LDAP -


we have internet facing mx server whereby users authenticate outgoing connection submit emails via port 587. mx server routes incoming mail our domain internal postfix smtp server delivers mail local imap servers.

the internal postfix smtp server users ldap alias_maps = ldap:/etc/postfix/ldap-aliases.cf, lookup imap server users mailbox resides on.

there postfix option... reject_sender_login_mismatch can mapped... smtpd_sender_login_maps = ldap:/etc/postfix/smtpd_sender_login.cf

however - following error

jul 4 11:23:26 smtp-1.domain1.com postfix/smtpd[31530]: warning: restriction `reject_authenticated_sender_login_mismatch' ignored: no sasl support

no users authenticate internal postfix smtp server - route emails mx server. believe reason see warning "no sasl support" because postfix doesn't handle authentication it's taken care of mx server.

postconf -n

alias_database = hash:/etc/aliases alias_maps = ldap:/etc/postfix/ldap-aliases.cf, hash:/etc/aliases command_directory = /usr/sbin config_directory = /etc/postfix daemon_directory = /usr/libexec/postfix data_directory = /var/lib/postfix debug_peer_level = 2 html_directory = no inet_interfaces = inet_protocols = ipv4 mail_owner = postfix mailq_path = /usr/bin/mailq.postfix manpage_directory = /usr/share/man message_size_limit = 51200000 mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,  mx3.$mydomain, mx1.$mydomain, mx2.$mydomain mydomain = domain1.com myhostname = smtp-1.domain1.com mynetworks = xxx.xxx.192.0/21, xxx.62.52.0/22, 10.0.0.0/8, xxx.16.0.0/12, xxx.168.0.0/16 myorigin = $mydomain newaliases_path = /usr/bin/newaliases.postfix queue_directory = /var/spool/postfix readme_directory = /usr/share/doc/postfix-2.6.6/readme_files sample_directory = /usr/share/doc/postfix-2.6.6/samples sendmail_path = /usr/sbin/sendmail.postfix setgid_group = postdrop smtpd_sender_login_maps = ldap:/etc/postfix/ldap-senders.cf smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch unknown_local_recipient_reject_code = 550

however, different config "smtpd_sender_restrictions = reject_unverified_sender"

if "envelope field" contains invalid forged address following logged - great stop unknown email address being forged - doesn't if it's forged known email address.

noqueue: reject: rcpt mx.domain1.com[xxx.xxx.192.130]: 450 4.1.7 : sender address rejected: unverified address: unknown user: "hejem"; from= to= proto=esmtp helo=

-bash-4.1$ postconf -n alias_database = hash:/etc/aliases alias_maps = ldap:/etc/postfix/ldap-aliases.cf, hash:/etc/aliases command_directory = /usr/sbin config_directory = /etc/postfix daemon_directory = /usr/libexec/postfix data_directory = /var/lib/postfix debug_peer_level = 2 html_directory = no inet_interfaces = inet_protocols = ipv4 mail_owner = postfix mailq_path = /usr/bin/mailq.postfix manpage_directory = /usr/share/man message_size_limit = 51200000 mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,        mx3.$mydomain, mx1.$mydomain, mx2.$mydomain mydomain = domain1.com myhostname = smtp-1.domain1.com mynetworks = xxx.xxx.xxx.0/21, xxx.xxx.xxx.0/22, xxx.0.0.0/xxx, xxx.xxx.0.0/12, xxx.xxx.0.0/16 myorigin = $mydomain newaliases_path = /usr/bin/newaliases.postfix queue_directory = /var/spool/postfix readme_directory = /usr/share/doc/postfix-2.6.6/readme_files sample_directory = /usr/share/doc/postfix-2.6.6/samples sendmail_path = /usr/sbin/sendmail.postfix setgid_group = postdrop smtpd_sender_restrictions = reject_unverified_sender"

what want achieve local internal postfix check "envelope field" ensure it's not been spoofed knowing sending user's username , looking it's assigned "from" aliases in ldap if doesn't match i.e. they're spoofing reject mail.

any advice how implement check in postfix?

thanks

firstly, not considered practice activate reject_unverified_sender in postfix services. if want prevent mails being sent non-existing addresses in domain, should prefer reject_unlisted_sender.

you can not sure of spoofing of existing mail addresses without activating authentication (sasl) mechanism on postfix service. thus, prevent spoofing of existing addresses:

  • make sure smtpd_sender_login_maps configured.
  • activate sasl authentication on postfix
  • configure reject_authenticated_sender_login_mismatch or reject_sender_login_mismatch depending on preference.

further reading (from postfix sasl documentation)

envelope sender address authorization

by default smtp client may specify envelope sender address in mail command. because postfix smtp server knows remote smtp client hostname , ip address, not user controls remote smtp client.

this changes moment smtp client uses sasl authentication. now, postfix smtp server knows sender is. given table of envelope sender addresses , sasl login names, postfix smtp server can decide if sasl authenticated client allowed use particular envelope sender address:

/etc/postfix/main.cf: smtpd_sender_login_maps = hash:/etc/postfix/controlled_envelope_senders

smtpd_recipient_restrictions =     ...     reject_sender_login_mismatch     permit_sasl_authenticated

Comments

Post a Comment

Popular posts from this blog

jOOQ update returning clause with Oracle -

according http://www.jooq.org/doc/3.8/manual/sql-building/sql-statements/update-statement/ jooq doesn't support returning clause in update statements databases except firebird , postgres. does know, still correct oracle jooq? according oracle's documentation, oracle db supports returning clase delete, insert, or update statements. incorrect manual you're right - manual wrong , should fixed: https://github.com/jooq/jooq/issues/5470 single row update returning jooq 3.8 added support single row update .. returning statements. internally, uses callablestatement , pl/sql block of form: begin update "my_table" set "my_table"."column" = 'xyz' "my_table"."id" = 1 returning "my_table"."id", "my_table"."column" ?, ?; ? := sql%rowcount; end; the relevant issue is: https://github.com/jooq/jooq/issues/5190 multi row update returning a...
Read more

java - Warning equals/hashCode on @Data annotation lombok with inheritance -

i have entity inherits other. on other hand, i'm using lombok project reduce boilerplate code, put @data annotation. annotation @data inheritance produces next warning: generating equals/hashcode implementation without call superclass, though class not extend java.lang.object. if intentional, add '@equalsandhashcode(callsuper=false)' type. is advisable add annotation @equalsandhashcode (callsuper = true) or @equalsandhashcode (callsuper = false) ? if not added, 1 callsuper=false or callsuper=true ? the default value false . 1 if don't specify , ignore warning. yes, recommended add @equalsandhashcode annotation on @data annotated classes extend else object. cannot tell if need true or false , depends on class hierarchy, , need examined on case-by-case basis. however, project or package, can configure in lombok.config call super methods if not direct subclass of object. lombok.equalsandhashcode.callsuper = call for configuration system ...
Read more

java - BasicPathUsageException: Cannot join to attribute of basic type -

i using java 8 jpa (hibernate 5.2.1). have clause works perfectly, until introduce clause make use foreign key table values too. i getting following error: basicpathusageexception: cannot join attribute of basic type i think problem related fact have join table, , not sure how create join using join table. employee - employee_category - category model (employee.java): @manytomany(cascade = cascadetype.all, fetch=fetchtype.eager) @jointable ( name="employee_category", joincolumns={ @joincolumn(name="emp_id", referencedcolumnname="id") }, inversejoincolumns={ @joincolumn(name="cat_id", referencedcolumnname="id") } ) private set<category> categories; model (category.java): @id private string id; jpa when introduce following code, fails error above (i think problem new piece of code): join<t, category> category = from.join("id"); predicates.add(criteriabuilder.like(category....
Read more