Checking from-addresses on outbound mail

Checking from-addresses on outbound mail

Nick-5
For mail sent via submission it's possible to prevent a forged
mail-from, by using options on the submission service in master.cf.

It's also possible to prevent a forged header-from, by using a
submission-specific cleanup service, as in the BUILTIN_FILTER_README.

But these don't work for mail originating locally via the sendmail
command.  What does work for that?

Thanks
--
Nick

Re: Checking from-addresses on outbound mail

Ansgar Wiechers
On 2020-08-09 Nick wrote:
> For mail sent via submission it's possible to prevent a forged
> mail-from, by using options on the submission service in master.cf.
>
> It's also possible to prevent a forged header-from, by using a
> submission-specific cleanup service, as in the BUILTIN_FILTER_README.
>
> But these don't work for mail originating locally via the sendmail
> command.  What does work for that?

Nothing. The sendmail command submits mail via pickup, i.e. puts it as a
file into a particular directory from which the pickup daemon then reads
the file. The usual filters don't apply to that.

What you can do is disable pickup entirely so that even local users are
required to submit mail via SMTP (on localhost).

Regards
Ansgar Wiechers
--
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky

Re: Checking from-addresses on outbound mail

Nick-5
On 2020-08-09 21:52 BST, Ansgar Wiechers wrote:

> On 2020-08-09 Nick wrote:
> > For mail sent via submission it's possible to prevent a forged
> > mail-from, by using options on the submission service in master.cf.
> >
> > It's also possible to prevent a forged header-from, by using a
> > submission-specific cleanup service, as in the BUILTIN_FILTER_README.
> >
> > But these don't work for mail originating locally via the sendmail
> > command.  What does work for that?
>
> Nothing. The sendmail command submits mail via pickup, i.e. puts it as a
> file into a particular directory from which the pickup daemon then reads
> the file. The usual filters don't apply to that.
>
> What you can do is disable pickup entirely so that even local users are
> required to submit mail via SMTP (on localhost).

Thanks.  I have an idea which is probably infeasible...

In the OVERVIEW document, the path for local sendmail is shown as

  sendmail(1) -> postdrop(1) -> maildrop -> pickup(8) -> cleanup(8) ->
  incoming

I would like to have a postconf(5) parameter such as
"local_via_submission = yes" which changes that path to something like

  sendmail(1) -> postdrop(1) -> maildrop -> pickup(8) -> smtpd(8) ->
  cleanup(8) -> incoming

where the smtpd(8) process is the submission service.  Since postfix
already knows who submitted the mail, smtpd regards it as already
authenticated in this case.  The locally submitted mail now has the
benefit of all the usual filters available to smtpd.

Perhaps I could have that in time for Christmas?

Thanks,
--
Nick

Re: Checking from-addresses on outbound mail

Wietse Venema
Nick:
> I would like to have a postconf(5) parameter such as
> "local_via_submission = yes" which changes that path to something like
>
>   sendmail(1) -> postdrop(1) -> maildrop -> pickup(8) -> smtpd(8) ->
>   cleanup(8) -> incoming

And HOW THE HELL is that supposed to work when Postfix is not up
(not yet started, down for maintenance, or whatever).

        Wietse

Re: Checking from-addresses on outbound mail

Nick-5
On 2020-08-30 21:30 BST, Wietse Venema wrote:
> Nick:
> > I would like to have a postconf(5) parameter such as
> > "local_via_submission = yes" which changes that path to something like
> >
> >   sendmail(1) -> postdrop(1) -> maildrop -> pickup(8) -> smtpd(8) ->
> >   cleanup(8) -> incoming
>
> And HOW THE HELL is that supposed to work when Postfix is not up
> (not yet started, down for maintenance, or whatever).

I'm sensing a slight reluctance but will plough on...

In that case pickup is also not running, so the mail stays in maildrop.
Isn't that what happens now?
--
Nick

Re: Checking from-addresses on outbound mail

Wietse Venema
Nick:

> On 2020-08-30 21:30 BST, Wietse Venema wrote:
> > Nick:
> > > I would like to have a postconf(5) parameter such as
> > > "local_via_submission = yes" which changes that path to something like
> > >
> > >   sendmail(1) -> postdrop(1) -> maildrop -> pickup(8) -> smtpd(8) ->
> > >   cleanup(8) -> incoming
> >
> > And HOW THE HELL is that supposed to work when Postfix is not up
> > (not yet started, down for maintenance, or whatever).
>
> I'm sensing a slight reluctance but will plough on...
>
> In that case pickup is also not running, so the mail stays in maildrop.
> Isn't that what happens now?

An SMTP client in the pickup daemon? How shall the pickup daemon
send a non-delivery notification to the sender?

        Wietse

Re: Checking from-addresses on outbound mail

Peter Ajamian
In reply to this post by Nick-5
On 31/08/20 4:58 am, Nick wrote:

> On 2020-08-09 21:52 BST, Ansgar Wiechers wrote:
>> On 2020-08-09 Nick wrote:
>>> For mail sent via submission it's possible to prevent a forged
>>> mail-from, by using options on the submission service in master.cf.
>>>
>>> It's also possible to prevent a forged header-from, by using a
>>> submission-specific cleanup service, as in the BUILTIN_FILTER_README.
>>>
>>> But these don't work for mail originating locally via the sendmail
>>> command.  What does work for that?
>>
>> Nothing. The sendmail command submits mail via pickup, i.e. puts it as a
>> file into a particular directory from which the pickup daemon then reads
>> the file. The usual filters don't apply to that.
>>
>> What you can do is disable pickup entirely so that even local users are
>> required to submit mail via SMTP (on localhost).
>
> Thanks.  I have an idea which is probably infeasible...
>
> In the OVERVIEW document, the path for local sendmail is shown as
>
>    sendmail(1) -> postdrop(1) -> maildrop -> pickup(8) -> cleanup(8) ->
>    incoming
>
> I would like to have a postconf(5) parameter such as
> "local_via_submission = yes" which changes that path to something like

Just grab a copy of msmtp and have it submit to the localhost submission
service.  Use the sendmail binary from msmtp instead of postfix's
sendmail binary.


Peter

Re: Checking from-addresses on outbound mail

Viktor Dukhovni
In reply to this post by Nick-5
On Sun, Aug 30, 2020 at 05:58:01PM +0100, Nick wrote:

> I would like to have a postconf(5) parameter such as
> "local_via_submission = yes" which changes that path to something like
>
>   sendmail(1) -> postdrop(1) -> maildrop -> pickup(8) -> smtpd(8) ->
>   cleanup(8) -> incoming

Sorry, that's not possible, but see:

    http://www.postfix.org/MULTI_INSTANCE_README.html
    http://www.postfix.org/MULTI_INSTANCE_README.html#split

for a way to separate local submission from outbound mail processing,
even on an SMTP relay.  Keep in mind however, that SASL authentication
of each user will not be possible, the user is long gone by the time
the null-client instance is using SMTP to forward the mail.

All you can do is parse the "uid" out of the "Received:" header added by
"pickup", and apply whatever policy is appropriate to the rest of the
message.

--
    Viktor.
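
The uid check suggested in the message above, as an added example that is not part of the thread or of Postfix: it reads the `Received:` header that pickup(8) prepends and compares the `From:` address with a per-uid allow list. The `ALLOWED_FROM` table, the function names, the host name and the sample messages are assumptions made for illustration, and the check is only meaningful on a path that is fed by pickup.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# pickup(8) prepends: Received: by <myhostname> (<mail_name>, from userid <uid>)
PICKUP_RECEIVED = re.compile(
    r"^by\s+(?P<host>\S+)\s+\([^()]*,\s*from userid (?P<uid>\d+)\)", re.I)

# Hypothetical policy table: local uid -> From: addresses that uid may use.
ALLOWED_FROM = {
    1000: {"alice@example.org"},
    33: {"www@example.org", "noreply@example.org"},
}


def pickup_uid(raw, myhostname):
    """Return the uid recorded by pickup(8), or None if no such header exists.

    Received: headers are prepended, so on mail that did pass through pickup
    the first match from the top is the genuine one; anything the sender
    typed into the message sits below it.
    """
    msg = message_from_string(raw)
    for value in msg.get_all("Received", []):
        m = PICKUP_RECEIVED.match(" ".join(value.split()))  # unfold the header
        if m and m["host"].lower() == myhostname.lower():
            return int(m["uid"])
    return None


def check_header_from(raw, myhostname, allowed=ALLOWED_FROM):
    """Return (verdict, reason); verdict is 'accept', 'hold' or 'skip'."""
    uid = pickup_uid(raw, myhostname)
    if uid is None:
        return "skip", "no pickup Received: header, not a sendmail(1) submission"
    msg = message_from_string(raw)
    addrs = [a.lower() for _, a in getaddresses(msg.get_all("From", [])) if a]
    if len(addrs) != 1:
        return "hold", f"uid {uid}: expected one From: address, got {len(addrs)}"
    if addrs[0] not in allowed.get(uid, set()):
        return "hold", f"uid {uid} may not send as {addrs[0]}"
    return "accept", f"uid {uid} sending as {addrs[0]}"


# Constructed sample headers: pickup's header sits under the one added by a
# later smtpd hop; the "userid 0" header at the bottom was typed by the sender.
HOPS = (
    "Received: from smtp-sndmail (localhost [IPv6:::1])\n"
    "\tby mail.example.org (Postfix) with ESMTP id 3B7C3A0BAB\n"
    "\tfor <bob@example.net>; Tue,  1 Sep 2020 10:40:41 +0100 (BST)\n"
    "Received: by mail.example.org (Postfix, from userid 1000)\n"
    "\tid 23E73A0C18; Tue,  1 Sep 2020 10:40:41 +0100 (BST)\n"
    "Received: by mail.example.org (Postfix, from userid 0)\n"
    "\tid FFFFFFFFFF; Tue,  1 Sep 2020 10:40:00 +0100 (BST)\n"
)
GOOD = HOPS + "From: Alice <alice@example.org>\nTo: bob@example.net\n\nhello\n"
FORGED = HOPS + "From: root@example.org\nTo: bob@example.net\n\nhello\n"

if __name__ == "__main__":
    for name, raw in (("good", GOOD), ("forged", FORGED)):
        print(name, check_header_from(raw, "mail.example.org"))
```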

Re: Checking from-addresses on outbound mail

Nick-5
In reply to this post by Wietse Venema
On 2020-08-30 21:55 BST, Wietse Venema wrote:
> An SMTP client in the pickup daemon? How shall the pickup daemon send
> a non-delivery notification to the sender?

It looks like we're one objection down!  Can I make it two...

The pickup daemon doesn't, the mail goes into the hold queue.  It's then
for the postmaster to check what's going on.  If the mail's from-address
is forged, which is my concern in this thread, then it's better that no
non-delivery notification is attempted.

Thank you for your attention to my question, this is more than I had
expected.
--
Nick

Re: Checking from-addresses on outbound mail

Wietse Venema
In reply to this post by Wietse Venema
Wietse Venema:

> Nick:
> > On 2020-08-30 21:30 BST, Wietse Venema wrote:
> > > Nick:
> > > > I would like to have a postconf(5) parameter such as
> > > > "local_via_submission = yes" which changes that path to something like
> > > >
> > > >   sendmail(1) -> postdrop(1) -> maildrop -> pickup(8) -> smtpd(8) ->
> > > >   cleanup(8) -> incoming
> > >
> > > And HOW THE HELL is that supposed to work when Postfix is not up
> > > (not yet started, down for maintenance, or whatever).
> >
> > I'm sensing a slight reluctance but will plough on...
> >
> > In that case pickup is also not running, so the mail stays in maildrop.
> > Isn't that what happens now?
>
> An SMTP client in the pickup daemon? How shall the pickup daemon
> send a non-delivery notification to the sender?

Answer: don't change the pickup daemon, but do this instead:

/etc/postfix/master.cf:
    pickup unix .. .. .. .. .. pickup
        -o content_filter=smtp:[localhost]:25

- Wietse

Re: Checking from-addresses on outbound mail

Wietse Venema
Wietse Venema:

> Wietse Venema:
> > Nick:
> > > On 2020-08-30 21:30 BST, Wietse Venema wrote:
> > > > Nick:
> > > > > I would like to have a postconf(5) parameter such as
> > > > > "local_via_submission = yes" which changes that path to something like
> > > > >
> > > > >   sendmail(1) -> postdrop(1) -> maildrop -> pickup(8) -> smtpd(8) ->
> > > > >   cleanup(8) -> incoming
> > > >
> > > > And HOW THE HELL is that supposed to work when Postfix is not up
> > > > (not yet started, down for maintenance, or whatever).
> > >
> > > I'm sensing a slight reluctance but will plough on...
> > >
> > > In that case pickup is also not running, so the mail stays in maildrop.
> > > Isn't that what happens now?
> >
> > An SMTP client in the pickup daemon? How shall the pickup daemon
> > send a non-delivery notification to the sender?
>
> Answer: don't change the pickup daemon, but do this instead:
>
> /etc/postfix/master.cf:
>     pickup unix .. .. .. .. .. pickup
>         -o content_filter=smtp:[localhost]:25

Well almost: it needs a custom SMTP client to avoid loop detection.

/etc/postfix/master.cf:
     pickup unix .. .. .. .. .. pickup
        -o { content_filter = local-smtp:[localhost]:25 }

     local-smtp unix  .. .. .. .. .. smtp
        -o { inet_interfaces = }
        -o { myhostname = localhost }

Let me know if that does the job.

        Wietse

Re: Checking from-addresses on outbound mail

Viktor Dukhovni
On Sun, Aug 30, 2020 at 05:33:51PM -0400, Wietse Venema wrote:

> Well almost: it needs a custom SMTP client to avoid loop detection.
>
> /etc/postfix/master.cf:
>      pickup unix .. .. .. .. .. pickup
>         -o { content_filter = local-smtp:[localhost]:25 }
>
>      local-smtp unix  .. .. .. .. .. smtp
>         -o { inet_interfaces = }
>         -o { myhostname = localhost }
>
> Let me know if that does the job.

Looks about right, perhaps a final note that with this one MUST NOT then
use "simple" content filters that resubmit mail back into Postfix via
sendmail(1) (i.e. ultimately pickup).

Another thing to keep in mind with trying to prevent address forgery, is
that it can break various ways in which messages are forwarded (via e.g.
procmail) or "Resent" (via mail user agents), e.g. "mutt" can "bounce"
(really resend) a message, but it is polite and adds "Resent-From"
headers.

Also vacation message envelope sender addresses should be the null
sender address to avoid loops (see also RFC3834).

--
    Viktor.

Re: Checking from-addresses on outbound mail

Nick-5
In reply to this post by Wietse Venema
On 2020-08-30 22:33 BST, Wietse Venema wrote:

> Well almost: it needs a custom SMTP client to avoid loop detection.
>
> /etc/postfix/master.cf:
>      pickup unix .. .. .. .. .. pickup
>         -o { content_filter = local-smtp:[localhost]:25 }
>
>      local-smtp unix  .. .. .. .. .. smtp
>         -o { inet_interfaces = }
>         -o { myhostname = localhost }
>
> Let me know if that does the job.

Yes I believe it does, thank you.  Though I have used a new smtpd
service because the one on port 25 checks mail from the internet but I
want one that checks mail from the mail server.

*** additions to master.cf
localhost:2525
          inet  n       -       y       -       -       smtpd
   -o cleanup_service_name=cleanup-outbound
   -o syslog_name=smtpd-sndmail
   # This is duplicated from part of the submission service:
   -o { smtpd_sender_restrictions =
          check_sender_access regexp:/etc/postfix/check-sender-access-outbound,
          reject_unverified_sender
      }

pickup    unix  n       -       y       60      1       pickup
   -o  { content_filter = smtp-sndmail:[localhost]:2525 }

smtp-sndmail
          unix -       -       y       -       -       smtp
   -o { inet_interfaces = }
   -o { myhostname = smtp-sndmail }
   -o { bounce_service_name = bounce-discard }

# This is shared with the submission service.
cleanup-outbound
          unix  n       -       y       -       0       cleanup
   -o header_checks=regexp:/etc/postfix/header-checks-outbound
   -o mime_header_checks=
   -o nested_header_checks=
   -o syslog_name=smtp-sndmaild
   -o bounce_service_name=bounce-discard

# Discards non-delivery notifications so they can't go to forged addresses.
bounce-discard
          unix  -       -       y       -       0       discard
   -o syslog_name=bounce-discard

*** Response to forged envelope-from
Sep  1 10:35:36 rolly postfix/pickup[7666]: 69CB9A0C16: uid=1000 from=<badaddress@forged>
Sep  1 10:35:36 rolly postfix/cleanup[11375]: 69CB9A0C16: message-id=<[hidden email]>
Sep  1 10:35:36 rolly postfix/qmgr[25533]: 69CB9A0C16: from=<badaddress@forged>, size=472, nrcpt=1 (queue active)
Sep  1 10:35:36 rolly smtpd-sndmail/smtpd[11386]: connect from localhost[::1]
Sep  1 10:35:36 rolly smtpd-sndmail/smtpd[11386]: NOQUEUE: reject: RCPT from localhost[::1]: 554 5.7.1 <badaddress@forged>: Sender address rejected: bogus domain; from=<badaddress@forged> to=<badaddress@forged> proto=ESMTP helo=<smtp-sndmail>
Sep  1 10:35:36 rolly postfix/smtp[11382]: 69CB9A0C16: to=<badaddress@forged>, relay=localhost[::1]:2525, delay=0.12, delays=0.05/0.02/0.02/0.03, dsn=5.7.1, status=bounced (host localhost[::1] said: 554 5.7.1 <badaddress@forged>: Sender address rejected: bogus domain (in reply to RCPT TO command))
Sep  1 10:35:36 rolly postfix/qmgr[25533]: 69CB9A0C16: removed
Sep  1 10:35:36 rolly bounce-discard/discard[11387]: warning: unexpected attribute nrequest from bounce-discard socket (expecting: flags)
Sep  1 10:35:36 rolly bounce-discard/discard[11387]: warning: deliver_request_get: error receiving common attributes
Sep  1 10:35:36 rolly smtp-sndmaild/cleanup[11388]: 84FB4A0C08: message-id=<[hidden email]>
Sep  1 10:35:36 rolly postfix/qmgr[25533]: 84FB4A0C08: from=<[hidden email]>, size=1077, nrcpt=1 (queue active)
Sep  1 10:35:36 rolly smtpd-sndmail/smtpd[11386]: disconnect from localhost[::1] ehlo=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=4/6
[dovecot lines snipped]
Sep  1 10:35:36 rolly postfix/lmtp[11389]: 84FB4A0C08: to=<[hidden email]>, orig_to=<postmaster>, relay=mail.acrasis.net[private/dovecot-lmtp], delay=0.09, delays=0.01/0.01/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 <[hidden email]> Y5j2IegVTl9+LAAAjtsq0A Saved)
Sep  1 10:35:36 rolly postfix/qmgr[25533]: 84FB4A0C08: removed

which I interpret as: smtpd-sndmail rejected the mail.  smtp-sndmail
sent a non-delivery notification which was discarded by bounce-discard
(with warnings that I assume do not matter).  smtp-sndmail also
notified the postmaster.

*** Response to good envelope-from but forged header-from
Sep  1 10:40:41 rolly postfix/pickup[7666]: 23E73A0C18: uid=1000 from=<[hidden email]>
Sep  1 10:40:41 rolly postfix/cleanup[13599]: 23E73A0C18: message-id=<[hidden email]>
Sep  1 10:40:41 rolly postfix/qmgr[25533]: 23E73A0C18: from=<[hidden email]>, size=581, nrcpt=1 (queue active)
Sep  1 10:40:41 rolly smtpd-sndmail/smtpd[13605]: connect from localhost[::1]
Sep  1 10:40:41 rolly smtpd-sndmail/smtpd[13605]: 3B7C3A0BAB: client=localhost[::1]
Sep  1 10:40:41 rolly smtp-sndmaild/cleanup[13606]: 3B7C3A0BAB: hold: header From: badaddress@forged from localhost[::1]; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<smtp-sndmail>: Header-from is spoofed.
Sep  1 10:40:41 rolly smtp-sndmaild/cleanup[13606]: 3B7C3A0BAB: message-id=<[hidden email]>
Sep  1 10:40:41 rolly postfix/smtp[13604]: 23E73A0C18: to=<[hidden email]>, orig_to=<[hidden email]>, relay=localhost[::1]:2525, delay=0.13, delays=0.06/0.03/0.02/0.03, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3B7C3A0BAB)
Sep  1 10:40:41 rolly postfix/qmgr[25533]: 23E73A0C18: removed
Sep  1 10:40:41 rolly smtpd-sndmail/smtpd[13605]: disconnect from localhost[::1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5

which I interpret as: smtpd-sndmail accepted the mail, then
cleanup-sndmail placed the mail into the hold queue.  Nothing was
sent.

It's now impossible, I think, for either a local or a submission user
to send mail without a valid address in $mydomain in both the
envelope- and header-from.  Thanks, comments welcome.
--
Nick
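
For auditing a setup like the one in the message above, an added example (not part of the thread or of Postfix) that follows each sendmail(1) submission through the logs: from the pickup line with its uid, through the first-hop delivery to the filter, to the queue ID the filter assigned and any header_checks hold recorded against it. The log lines are constructed, modelled on the format of the excerpts above; the function name and outcome labels are assumptions.

```python
import re

LINE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ \S+ (?P<tag>\S+?)/(?P<daemon>\w+)\[\d+\]: (?P<msg>.*)$")
PICKUP = re.compile(r"^(?P<qid>\w+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
DELIVERY = re.compile(
    r"^(?P<qid>\w+): to=<[^>]*>,.*\bstatus=(?P<status>\w+) \((?P<text>.*)\)$")
QUEUED_AS = re.compile(r"queued as (\w+)")
HOLD = re.compile(r"^(?P<qid>\w+): hold: header From: (?P<hfrom>.*?) from \S+;")


def trace_local_submissions(lines):
    """Map each pickup queue ID to its uid, envelope sender and outcome."""
    subs = {}    # first-hop queue ID -> record
    links = {}   # queue ID assigned by the filter's smtpd -> first-hop queue ID
    holds = {}   # queue ID -> From: value that header_checks put on hold
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        daemon, msg = m["daemon"], m["msg"]
        if daemon == "pickup" and (p := PICKUP.match(msg)):
            subs[p["qid"]] = {"uid": int(p["uid"]), "sender": p["sender"],
                              "outcome": "pending", "detail": ""}
        elif daemon == "smtp" and (d := DELIVERY.match(msg)) and d["qid"] in subs:
            rec = subs[d["qid"]]
            queued = QUEUED_AS.search(d["text"])
            if d["status"] == "sent" and queued:
                links[queued.group(1)] = d["qid"]
                rec["outcome"] = "passed"
            elif d["status"] == "bounced":
                rec["outcome"], rec["detail"] = "rejected", d["text"]
        elif daemon == "cleanup" and (h := HOLD.match(msg)):
            holds[h["qid"]] = h["hfrom"]
    # cleanup logs the hold before smtp logs "queued as", so resolve at the end.
    for child, hfrom in holds.items():
        parent = links.get(child)
        if parent is not None:
            subs[parent]["outcome"] = "held"
            subs[parent]["detail"] = "From: " + hfrom
    return subs


# Constructed sample log (addresses and the third submission are invented).
SAMPLE_LOG = """\
Sep  1 10:35:36 mx postfix/pickup[7666]: 69CB9A0C16: uid=1000 from=<badaddress@forged>
Sep  1 10:35:36 mx smtpd-sndmail/smtpd[11386]: NOQUEUE: reject: RCPT from localhost[::1]: 554 5.7.1 <badaddress@forged>: Sender address rejected: bogus domain; from=<badaddress@forged> to=<bob@example.net> proto=ESMTP helo=<smtp-sndmail>
Sep  1 10:35:36 mx postfix/smtp[11382]: 69CB9A0C16: to=<bob@example.net>, relay=localhost[::1]:2525, delay=0.12, dsn=5.7.1, status=bounced (host localhost[::1] said: 554 5.7.1 <badaddress@forged>: Sender address rejected: bogus domain (in reply to RCPT TO command))
Sep  1 10:40:41 mx postfix/pickup[7666]: 23E73A0C18: uid=1000 from=<alice@example.org>
Sep  1 10:40:41 mx smtp-sndmaild/cleanup[13606]: 3B7C3A0BAB: hold: header From: badaddress@forged from localhost[::1]; from=<alice@example.org> to=<bob@example.net> proto=ESMTP helo=<smtp-sndmail>: Header-from is spoofed.
Sep  1 10:40:41 mx postfix/smtp[13604]: 23E73A0C18: to=<bob@example.net>, relay=localhost[::1]:2525, delay=0.13, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 3B7C3A0BAB)
Sep  1 10:45:02 mx postfix/pickup[7666]: 5A1D2A0C20: uid=33 from=<www@example.org>
Sep  1 10:45:02 mx postfix/smtp[13700]: 5A1D2A0C20: to=<bob@example.net>, relay=localhost[::1]:2525, delay=0.10, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 6F0E1A0BAC)
"""

if __name__ == "__main__":
    for qid, rec in trace_local_submissions(SAMPLE_LOG.splitlines()).items():
        print(qid, rec["uid"], rec["sender"], rec["outcome"], rec["detail"])
```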

Re: Checking from-addresses on outbound mail

Viktor Dukhovni
On Tue, Sep 01, 2020 at 12:28:33PM +0100, Nick wrote:

> On 2020-08-30 22:33 BST, Wietse Venema wrote:
> > Well almost: it needs a custom SMTP client to avoid loop detection.
> >
> > /etc/postfix/master.cf:
> >      pickup unix .. .. .. .. .. pickup
> >         -o { content_filter = local-smtp:[localhost]:25 }
> >
> >      local-smtp unix  .. .. .. .. .. smtp
> >         -o { inet_interfaces = }
> >         -o { myhostname = localhost }
> >
> > Let me know if that does the job.
>
> Yes I believe it does, thank you.  Though I have used a new smtpd
> service because the one on port 25 checks mail from the internet but I
> want one that checks mail from the mail server.

I hope you also saw my note re various legitimate use-cases for
"unexpected" "From:" addresses in local submission.

> smtp-sndmail
>           unix -       -       y       -       -       smtp
>    -o { inet_interfaces = }
>    -o { myhostname = smtp-sndmail }
>    -o { bounce_service_name = bounce-discard }

Setting the bounce service here does not work the way you'd expect.
Delivery agents append messages to the bounce log, but it is the queue
manager that ultimately requests for the failed recipients (from
multiple delivery attempts by one or more delivery agents) to be
bounced.

> # This is shared with the submission service.
> cleanup-outbound
>           unix  n       -       y       -       0       cleanup
>    -o header_checks=regexp:/etc/postfix/header-checks-outbound
>    -o mime_header_checks=
>    -o nested_header_checks=
>    -o syslog_name=smtp-sndmaild
>    -o bounce_service_name=bounce-discard

See above, this does not work.

> # Discards non-delivery notifications so they can't go to forged addresses.
> bounce-discard
>           unix  -       -       y       -       0       discard
>    -o syslog_name=bounce-discard

This is really broken.  The bounce(8) service is an internal component
that is NOT a delivery agent.  It does not speak the same protocol as
discard(8) which is a delivery agent.

> Sep  1 10:35:36 rolly bounce-discard/discard[11387]: warning: unexpected attribute nrequest from bounce-discard socket (expecting: flags)
> Sep  1 10:35:36 rolly bounce-discard/discard[11387]: warning: deliver_request_get: error receiving common attributes

These are symptoms of the breakage.  If you want to prevent bounces from
leaking out to forged sender addresses you need to accept and discard
messages, rather than reject them.

--
    Viktor.

Re: Checking from-addresses on outbound mail

Viktor Dukhovni
On Tue, Sep 01, 2020 at 02:45:50PM -0400, Viktor Dukhovni wrote:

> > smtp-sndmail
> >           unix -       -       y       -       -       smtp
> >    -o { inet_interfaces = }
> >    -o { myhostname = smtp-sndmail }
> >    -o { bounce_service_name = bounce-discard }
>
> Setting the bounce service here does not work the way you'd expect.
> Delivery agents append messages to the bounce log, but it is the queue
> manager that ultimately requests for the failed recipients (from
> multiple delivery attempts by one or more delivery agents) to be
> bounced.

FWIW, the following is not explained as clearly in the Postfix
documentation as one might wish, and it would be good to have better
coverage of this topic in the docs (in the appropriate places):

    - What is a delivery agent?
    - How are they related to transports?
    - Which Postfix components are delivery agents?

    - What is an internal service (that is not a delivery agent)?
    - What are the various internal services?

    - What are the "..._service" parameters, and in what context
      can they be used (correctly)?

Some of this is in http://www.postfix.org/OVERVIEW.html, but the
taxonomy of internal services is not explicitly presented.

--
    Viktor.

Re: Checking from-addresses on outbound mail

Nick-5
In reply to this post by Viktor Dukhovni
On 2020-09-01 19:45 BST, Viktor Dukhovni wrote:

> I hope you also saw my note re various legitimate use-cases for
> "unexpected" "From:" addresses in local submission.

I did, thank you.  I don't think those cases apply to me (no vacation
replies and no forwarding here).

> > smtp-sndmail
> >           unix -       -       y       -       -       smtp
> >    -o { inet_interfaces = }
> >    -o { myhostname = smtp-sndmail }
> >    -o { bounce_service_name = bounce-discard }
>
> Setting the bounce service here does not work the way you'd expect.

But - it does!  It stops the bounce going out.  Is there some bad
consequence lurking that will later bring me trouble?

> > # This is shared with the submission service.
> > cleanup-outbound
> >           unix  n       -       y       -       0       cleanup
> >    -o header_checks=regexp:/etc/postfix/header-checks-outbound
> >    -o mime_header_checks=
> >    -o nested_header_checks=
> >    -o syslog_name=smtp-sndmaild
> >    -o bounce_service_name=bounce-discard
>
> See above, this does not work.

(I've since removed '-o bounce_service_name=...', it doesn't seem to
matter here.)  Again, it works well enough for me - a mail with a forged
header-from goes into the hold queue and nowhere else.

> > # Discards non-delivery notifications so they can't go to forged addresses.
> > bounce-discard
> >           unix  -       -       y       -       0       discard
> >    -o syslog_name=bounce-discard
>
> This is really broken.  The bounce(8) service is an internal component
> that is NOT a delivery agent.  It does not speak the same protocol as
> discard(8) which is a delivery agent.
>
> > Sep  1 10:35:36 rolly bounce-discard/discard[11387]: warning: unexpected attribute nrequest from bounce-discard socket (expecting: flags)
> > Sep  1 10:35:36 rolly bounce-discard/discard[11387]: warning: deliver_request_get: error receiving common attributes
>
> These are symptoms of the breakage.

Breakage is kind of what I want, in that it prevents bounces to forged
sender addresses (and assuming it isn't storing up trouble I'm not yet
aware of).

> If you want to prevent bounces from leaking out to forged sender
> addresses you need to accept and discard messages, rather than reject
> them.

I have to ask the stupid question - why?  Since "bounce-discard" is
working for me in practice, so far, and rejection triggers a
notification to postmaster.  Please elaborate?  Thank you for your
comments.
--
Nick

Re: Checking from-addresses on outbound mail

Wietse Venema
In reply to this post by Viktor Dukhovni
Viktor Dukhovni:

> On Tue, Sep 01, 2020 at 02:45:50PM -0400, Viktor Dukhovni wrote:
>
> > > smtp-sndmail
> > >           unix -       -       y       -       -       smtp
> > >    -o { inet_interfaces = }
> > >    -o { myhostname = smtp-sndmail }
> > >    -o { bounce_service_name = bounce-discard }
> >
> > Setting the bounce service here does not work the way you'd expect.
> > Delivery agents append messages to the bounce log, but it is the queue
> > manager that ultimately requests for the failed recipients (from
> > multiple delivery attempts by one or more delivery agents) to be
> > bounced.
>
> FWIW, the following is not explained as clearly in the Postfix
> documentation as one might wish, and it would be good to have better
> coverage of this topic in the docs (in the appropriate places):
>
>     - What is a delivery agent?
>     - How are they related to transports?
>     - Which Postfix components are delivery agents?
>
>     - What is an internal service (that is not a delivery agent)?
>     - What are the various internal services?
>
>     - What are the "..._service" parameters, and in what context
>       can they be used (correctly)?
>
> Some of this is in http://www.postfix.org/OVERVIEW.html, but the
> taxonomy of internal services is not explicitly presented.

OVERVIEW.html would be the right place for such information; it is
the only document that shows each component in context, and it would
not make sense to have the taxonomy separate from the overview.

There is no good reason to cover detail of services that are not
already covered in configuration examples.

In particular, internal services do not feature in Postfix configuration
examples, such as bounce, anvil, dnsblog, and trivial-rewrite. This
is for a reason. The only sensible guidance for these is to leave
them alone or risk breaking Postfix.

        Wietse

Re: Checking from-addresses on outbound mail

Viktor Dukhovni
In reply to this post by Nick-5
On Tue, Sep 01, 2020 at 08:59:19PM +0100, Nick wrote:

> > See above, this does not work.
>
> (I've since removed '-o bounce_service_name=...', it doesn't seem to
> matter here.)  Again, it works well enough for me - a mail with a forged
> header-from goes into the hold queue and nowhere else.

It does not work, because the queue manager is unable to contact the
bounce service, and so I would expect that the bounce logs are not
deleted, and perhaps even the queue file persists to retry the
bounce...  I don't recall the details, but replacing the bounce
service with a delivery agent breaks trace probes, breaks sender
and recipient verification (probes) and probably prevents proper
message cleanup.

> > This is really broken.  The bounce(8) service is an internal component
> > that is NOT a delivery agent.  It does not speak the same protocol as
> > discard(8) which is a delivery agent.
> >
> > > Sep  1 10:35:36 rolly bounce-discard/discard[11387]: warning: unexpected attribute nrequest from bounce-discard socket (expecting: flags)
> > > Sep  1 10:35:36 rolly bounce-discard/discard[11387]: warning: deliver_request_get: error receiving common attributes
> >
> > These are symptoms of the breakage.
>
> Breakage is kind of what I want, in that it prevents bounces to forged
> sender addresses (and assuming it isn't storing up trouble I'm not yet
> aware of).

No, I am not talking about mail not being delivered, I am talking
about Postfix no longer working properly.

--
    Viktor.

Re: Checking from-addresses on outbound mail

Viktor Dukhovni
In reply to this post by Wietse Venema
On Tue, Sep 01, 2020 at 05:22:30PM -0400, Wietse Venema wrote:

> > FWIW, the following is not explained as clearly in the Postfix
> > documentation as one might wish, and it would be good to have better
> > coverage of this topic in the docs (in the appropriate places):
> >
> >     - What is a delivery agent?
> >     - How are they related to transports?
> >     - Which Postfix components are delivery agents?
> >
> >     - What is an internal service (that is not a delivery agent)?
> >     - What are the various internal services?
> >
> >     - What are the "..._service" parameters, and in what context
> >       can they be used (correctly)?
> >
> > Some of this is in http://www.postfix.org/OVERVIEW.html, but the
> > taxonomy of internal services is not explicitly presented.
>
> OVERVIEW.html would be the right place for such information; it is
> the only document that shows each component in context, and it would
> not make sense to have the taxonomy separate from the overview.
>
> There is no good reason to cover detail of services that are not
> already covered in configuration examples.
>
> In particular, internal services do not feature in Postfix configuration
> examples, such as bounce, anvil, dnsblog, and trivial-rewrite. This
> is for a reason. The only sensible guidance for these is to leave
> them alone or risk breaking Postfix.

We're pretty much on the same page here, but I do see users from time to
time thinking that all the various services are interchangeable and that
one could use bounce(8) as a delivery agent, or discard as a bounce(8)
service, ...

It would be nice to have some text that briefly draws a distinction
between the delivery agents:

    - smtp, lmtp
    - local
    - virtual
    - pipe
    - discard
    - error, retry

and all the other (internal services) that users cannot repurpose for
some other task, as though they're delivery agents.

--
    Viktor.

Re: Checking from-addresses on outbound mail

Nick-5
In reply to this post by Viktor Dukhovni
On 2020-09-02 01:02 BST, Viktor Dukhovni wrote:
> No, I am not talking about mail not being delivered, I am talking
> about Postfix no longer working properly.

Thanks.  Could you please expand on (from your earlier mail) how to do
this -

> If you want to prevent bounces from leaking out to forged sender
> addresses you need to accept and discard messages, rather than reject
> them.

instead of this -

  -o { smtpd_sender_restrictions =
         check_sender_access
            regexp:/etc/postfix/check-sender-access-outbound,
         reject_unverified_sender
     }

?  For check_sender_access I can use the DISCARD action instead of
REJECT, but what should replace reject_unverified_sender?

Thanks,
--
Nick