Fixing open relay problem


Fixing open relay problem

Stephen McHenry
I've been running Postfix for many years now (so thanks to Wietse and all the others who have put in hard work to make it such a great mail system) and recently I built a new mail server and copied most of the config files from the old one. 

After a couple of months, I began to notice that it appeared to be getting used (infrequently) as an open relay, despite my attempts to lock it down so that couldn't happen. Then, the problem got worse. The one pattern I noticed was that all the messages had forged senders that were from my domain (e.g., [hidden email]).

I've pored through the documentation, and a couple of times thought I found the answer, only to make a change and have it not work. My band-aid (while researching the real solution) has been to firewall off access from IP address ranges that were the sources of the email. But to be clear, that's only a band-aid until a real solution is in place.

The two config parameters that seem most relevant to the problem are listed below:
(from postconf -n)

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_auth_destination, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_destination, reject_unlisted_recipient, reject_unauth_destination check_recipient_access regexp:/etc/postfix/recipient_checks.regexp, check_recipient_access hash:/etc/postfix/recipient_checks, reject_unauth_pipelining, reject_invalid_hostname, reject_non_fqdn_hostname, reject_rbl_client domain-name, permit


(and from postconf -d)

smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination


What's really confounding me is that it seems to be (properly) rejecting all relay email except those that have mydomain.com in their from address. Adding to that confusion is that this same set of config parameters used to work fine on the old system, so I've also been looking at relevant defaults that changed. Unfortunately, I'm coming up dry at this point.

Any help or pointers would be greatly appreciated. 

Thanks.


--

Stephen


Re: Fixing open relay problem

Dominic Raferd


On Tue, 22 Jan 2019 at 06:22, Stephen McHenry <[hidden email]> wrote:
> I've been running Postfix for many years now (so thanks to Wietse and all the others who have put in hard work to make it such a great mail system) and recently I built a new mail server and copied most of the config files from the old one.
>
> After a couple of months, I began to notice that it appeared to be getting used (infrequently) as an open relay, despite my attempts to lock it down so that couldn't happen. Then, the problem got worse. The one pattern I noticed was that all the messages had forged senders that were from my domain (e.g., [hidden email]).
>
> I've pored through the documentation, and a couple of times thought I found the answer, only to make a change and have it not work. My band-aid (while researching the real solution) has been to firewall off access from IP address ranges that were the sources of the email. But to be clear, that's only a band-aid until a real solution is in place.
>
> The two config parameters that seem most relevant to the problem are listed below:
> (from postconf -n)
>
> smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_auth_destination, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_destination, reject_unlisted_recipient, reject_unauth_destination check_recipient_access regexp:/etc/postfix/recipient_checks.regexp, check_recipient_access hash:/etc/postfix/recipient_checks, reject_unauth_pipelining, reject_invalid_hostname, reject_non_fqdn_hostname, reject_rbl_client domain-name, permit
>
>
> (and from postconf -d)
>
> smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
>
>
> What's really confounding me is that it seems to be (properly) rejecting all relay email except those that have mydomain.com in their from address. Adding to that confusion is that this same set of config parameters used to work fine on the old system, so I've also been looking at relevant defaults that changed. Unfortunately, I'm coming up dry at this point.
>
> Any help or pointers would be greatly appreciated.

I think you are just lucky that this didn't happen till now. Note that postconf -d just shows the defaults, not what you are using.

My approach (a typical one I think) is to block all emails with envelope sender @mydomain.com unless the client has authenticated via port 465 or 587:

#note - smtps is port 465
465       inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=$smtpd_recipient_restrictions_authenticated
#submission=port 587
587        inet  n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=$smtpd_recipient_restrictions_authenticated

...
# for authenticated senders only
smtpd_recipient_restrictions_authenticated =
    # make the implicit permit explicit
    permit
# for all others
smtpd_recipient_restrictions =
    ...
    check_sender_access hash:/etc/postfix/sender_access
    ...
...

sender_access:
...
mydomain.com REJECT privileged domain without authentication
...

Note: this stops fake envelope sender using domain.com, but does not stop fake 'From:' header using domain.com; for the latter I use DMARC. I also use header_checks to detect fakes such as From: [hidden email] <[hidden email]>.

Re: Fixing open relay problem

Larry Stone
On Jan 22, 2019, at 1:30 AM, Dominic Raferd <[hidden email]> wrote:
>
> On Tue, 22 Jan 2019 at 06:22, Stephen McHenry <[hidden email]> wrote:
>> (and from postconf -d)
>> smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
>>
>>
> I think you are just lucky that this didn't happen till now. Note that postconf -d just shows the defaults, not what you are using.
>

Yes. Please show us the postconf -n value of smtpd_relay_restrictions

> My approach (a typical one I think) is to block all emails with envelope sender @mydomain.com unless the client has authenticated via port 465 or 587:

Not so typical IMHO. And probably unneeded to solve the OP's problem. Once we see what he really had in smtpd_relay_restrictions, we are likely to find a simple issue there that he can easily fix.

--
Larry Stone
[hidden email]




Re: Fixing open relay problem

Viktor Dukhovni
On Mon, Jan 21, 2019 at 10:21:07PM -0800, Stephen McHenry wrote:

> The two config parameters that seem most relevant to the problem are listed
> below:
> (from postconf -n)
>
> smtpd_recipient_restrictions =
> permit_mynetworks,
> permit_sasl_authenticated,
> permit_auth_destination,

Though it does not explain the purported open relay issue,
"permit_auth_destination" here makes no sense.  I think you should
delete it.  Anything it does not permit is sure to be blocked below,
so it is simpler to just move "reject_unauth_destination" here
(multiple back-to-back conditional rejects "commute" and a conditional
permit followed by the opposite reject is equivalent to that permit
followed by an unconditional "reject").  So this is effectively your
last rule.

> reject_non_fqdn_sender,
> reject_non_fqdn_recipient,
> reject_unknown_sender_domain,
> reject_unknown_recipient_domain,
> reject_unauth_destination,

With the "permit_auth_destination" above, nothing ever gets past
this point.  So all the rules below are then pointless.

> reject_unlisted_recipient,
> reject_unauth_destination,
> check_recipient_access regexp:/etc/postfix/recipient_checks.regexp,
> check_recipient_access hash:/etc/postfix/recipient_checks,
> reject_unauth_pipelining,
> reject_invalid_hostname,
> reject_non_fqdn_hostname,
> reject_rbl_client domain-name,
> permit

> (and from postconf -d)
>
> smtpd_relay_restrictions =
> permit_mynetworks,
> permit_sasl_authenticated,
> defer_unauth_destination

I charitably assume you're posting "postconf -d" because you don't
specify this at all in main.cf.  It is best to not let the default
stand in this case, and to replace "defer_unauth_destination" with
"reject_unauth_destination".

With that default in place, relaying can only happen:

    1.  From clients in "mynetworks"
    2.  From SASL authenticated accounts
    3.  To domains listed in mydestination, relay_domains,
        virtual_mailbox_domains, virtual_alias_domains.

So if mail from 3rd parties is being routed to 3rd parties, one of
these three is the problem.  The 3rd can be an issue if something
in your system is resending mail based on "To/Cc" headers, rather
than the message envelope.  Check for misconfigured message processing
code.

Finally, make sure that the "open relay" messages are actually coming
in via SMTP.  There's always web forms, and the like.

> What's really confounding me is that it seems to be (properly) rejecting
> all relay email except those that have mydomain.com in their from address.
> Adding to that confusion is that this same set of config parameters used to
> work fine on the old system, so I've also been looking at relevant defaults
> that changed. Unfortunately, I'm coming up dry at this point.
>
> Any help or pointers would be greatly appreciated.

    1.  You should check master.cf, and especially its "submission" entry
        for any poorly configured rules.

    2.  You should post the *full* output of "postconf -nf" with
        no reformatting of the output even to change line breaks.

    3.  You should post logs that show Postfix accepting and
        delivering an instance of unauthorized relaying.

    4.  Make sure you don't have any compromised SASL accounts

    5.  Make sure that "mynetworks" is not misconfigured.

    6.  Make sure that master.cf overrides (postconf -Mf?) are
        not breaking relay control for either port 25, or submission,
        ...

--
        Viktor.
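To make the ordering argument above concrete, here is an added toy model of first-match restriction-list evaluation (constructed for this thread; it is not Postfix code and only models the rules the argument needs). With permit_auth_destination placed ahead of reject_unauth_destination, mail to a local domain is accepted before reject_rbl_client is ever consulted, while the reordered list still refuses relaying and does reach the RBL check. Rule names are Postfix's own; "domain-name" is the placeholder used in the thread.

```python
# Toy model of Postfix smtpd restriction-list evaluation (constructed, not Postfix
# code): rules are walked in order; the first PERMIT/REJECT/DEFER decides.
from dataclasses import dataclass

@dataclass
class Session:
    in_mynetworks: bool = False       # client IP matches $mynetworks
    sasl_authenticated: bool = False  # client passed SASL authentication
    auth_destination: bool = False    # recipient domain is one we accept/relay for
    rbl_listed: bool = False          # client IP is listed on the DNSBL

def evaluate(restrictions, s):
    """Return (verdict, rules consulted); unmodelled rules fall through as DUNNO."""
    consulted = []
    for rule in restrictions:
        consulted.append(rule)
        if rule == "permit_mynetworks" and s.in_mynetworks:
            return "PERMIT", consulted
        if rule == "permit_sasl_authenticated" and s.sasl_authenticated:
            return "PERMIT", consulted
        if rule == "permit_auth_destination" and s.auth_destination:
            return "PERMIT", consulted
        if rule == "reject_unauth_destination" and not s.auth_destination:
            return "REJECT", consulted
        if rule == "defer_unauth_destination" and not s.auth_destination:
            return "DEFER", consulted
        if rule.startswith("reject_rbl_client") and s.rbl_listed:
            return "REJECT", consulted
        if rule == "permit":
            return "PERMIT", consulted
    return "DUNNO", consulted

# The poster's list (abbreviated) and the ordering Viktor suggests.
ORIGINAL = ["permit_mynetworks", "permit_sasl_authenticated", "permit_auth_destination",
            "reject_unknown_sender_domain", "reject_unauth_destination",
            "reject_rbl_client domain-name", "permit"]
REWRITE = ["permit_mynetworks", "permit_sasl_authenticated", "reject_unauth_destination",
           "reject_unknown_sender_domain", "reject_rbl_client domain-name", "permit"]

def relay_attempt():
    """Unknown client sending to a foreign domain: both lists refuse to relay."""
    return evaluate(ORIGINAL, Session())[0], evaluate(REWRITE, Session())[0]

def listed_client_to_local():
    """DNSBL-listed unknown client sending to one of our own domains."""
    s = Session(auth_destination=True, rbl_listed=True)
    return evaluate(ORIGINAL, s), evaluate(REWRITE, s)
```

The same walk with the stock smtpd_relay_restrictions default shows why Viktor prefers a hard reject: an unauthorized relay attempt ends in DEFER (a retryable 4xx), not REJECT.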

Re: Fixing open relay problem

Stephen McHenry
On Tue, Jan 22, 2019 at 6:49 AM Viktor Dukhovni <[hidden email]> wrote:
> On Mon, Jan 21, 2019 at 10:21:07PM -0800, Stephen McHenry wrote:
>
>> The two config parameters that seem most relevant to the problem are listed
>> below:
>> (from postconf -n)
>>
>> smtpd_recipient_restrictions =
>>       permit_mynetworks,
>>       permit_sasl_authenticated,
>>       permit_auth_destination,
>
> Though it does not explain the purported open relay issue,
> "permit_auth_destination" here makes no sense.  I think you should
> delete it.  Anything it does not permit is sure to be blocked below,
> so it is simpler to just move "reject_unauth_destination" here
> (multiple back-to-back conditional rejects "commute" and a conditional
> permit followed by the opposite reject is equivalent to that permit
> followed by an unconditional "reject").  So this is effectively your
> last rule.
>
>>       reject_non_fqdn_sender,
>>       reject_non_fqdn_recipient,
>>       reject_unknown_sender_domain,
>>       reject_unknown_recipient_domain,
>>       reject_unauth_destination,
>
> With the "permit_auth_destination" above, nothing ever gets past
> this point.  So all the rules below are then pointless.
>
>>       reject_unlisted_recipient,
>>       reject_unauth_destination,
>>       check_recipient_access regexp:/etc/postfix/recipient_checks.regexp,
>>       check_recipient_access hash:/etc/postfix/recipient_checks,
>>       reject_unauth_pipelining,
>>       reject_invalid_hostname,
>>       reject_non_fqdn_hostname,
>>       reject_rbl_client domain-name,
>>       permit

Good suggestions. I will make this change. 

>> (and from postconf -d)
>>
>> smtpd_relay_restrictions =
>>       permit_mynetworks,
>>       permit_sasl_authenticated,
>>       defer_unauth_destination
>
> I charitably assume you're posting "postconf -d" because you don't
> specify this at all in main.cf

Yes, that was why.
 
> It is best to not let the default
> stand in this case, and to replace "defer_unauth_destination" with
> "reject_unauth_destination".

Will make this change too. 

I wonder if it would make sense to do some sort of a "postlint" to check for configuration problems - at least the obvious ones. Maybe there are too many variations in how servers need to be configured to be practical. Dunno.

> With that default in place, relaying can only happen:
>
>     1.  From clients in "mynetworks"
>     2.  From SASL authenticated accounts
>     3.  To domains listed in mydestination, relay_domains,
>         virtual_mailbox_domains, virtual_alias_domains.
>
> So if mail from 3rd parties is being routed to 3rd parties, one of
> these three is the problem.  The 3rd can be an issue if something
> in your system is resending mail based on "To/Cc" headers, rather
> than the message envelope.  Check for misconfigured message processing
> code.
>
> Finally, make sure that the "open relay" messages are actually coming
> in via SMTP.  There's always web forms, and the like.
>
>> What's really confounding me is that it seems to be (properly) rejecting
>> all relay email except those that have mydomain.com in their from address.
>> Adding to that confusion is that this same set of config parameters used to
>> work fine on the old system, so I've also been looking at relevant defaults
>> that changed. Unfortunately, I'm coming up dry at this point.
>>
>> Any help or pointers would be greatly appreciated.
>
>     1.  You should check master.cf, and especially its "submission" entry
>         for any poorly configured rules.
>
>     2.  You should post the *full* output of "postconf -nf" with
>         no reformatting of the output even to change line breaks.
>
>     3.  You should post logs that show Postfix accepting and
>         delivering an instance of unauthorized relaying.

While I was distilling some log records for #3, I discovered that #4 looked like it was the problem. I guess I'm so conditioned to thinking that a problem is due to something I did (e.g., misconfig), that I started diving into config files without stopping to think of this (obvious) one. 

I changed the password on the account that looked to be compromised, unblocked the firewall rules for "the world", and all has been quiet on the western front - in terms of actual relaying, that is... I've had 1487 attempts from 77 different hosts since I made these changes. The reason for my delayed response is that I wanted to gather some data to verify that the fix worked. Appears it did.

Thanks for the pointer.

Lastly, I'd just like to give a broader thanks to you for your tireless contributions to this forum. I've been running Postfix since the early 2000's, and yours is one of the names that seems to have been around since forever. (There are some others too, and thanks to those as well)

>     4.  Make sure you don't have any compromised SASL accounts
>
>     5.  Make sure that "mynetworks" is not misconfigured.
>
>     6.  Make sure that master.cf overrides (postconf -Mf?) are
>         not breaking relay control for either port 25, or submission,
>         ...
>
> --
>         Viktor.


--

Stephen
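As an added example (not from this thread), a small log scan for the compromised-SASL-account case that turned out to be the cause here: it parses Postfix smtpd SASL login lines (client=host[ip], sasl_method=..., sasl_username=...) and flags accounts that authenticate from more than a handful of distinct client addresses. The log lines are constructed and the threshold of 3 addresses is an assumption to tune per site.

```python
# Added example (not from the thread): scan Postfix smtpd log lines for SASL
# logins and flag accounts authenticating from an unusual number of distinct
# client addresses, the pattern behind relaying through a compromised account.
import re
from collections import defaultdict

# Postfix logs each authenticated session as: client=host[ip], sasl_method=X, sasl_username=Y
SASL_RE = re.compile(
    r"postfix/(?:\w+/)?smtpd\[\d+\]: \w+: client=\S+?\[(?P<ip>[0-9a-fA-F.:]+)\], "
    r"sasl_method=\w+, sasl_username=(?P<user>\S+)")

def sasl_logins(lines):
    """Map sasl_username -> set of client IPs seen authenticating as that user."""
    seen = defaultdict(set)
    for line in lines:
        m = SASL_RE.search(line)
        if m:
            seen[m.group("user")].add(m.group("ip"))
    return seen

def suspicious_accounts(lines, max_ips=3):
    """Accounts seen from more than max_ips distinct client addresses.
    max_ips=3 is an assumed threshold; tune it to your user base."""
    return sorted((u, len(ips)) for u, ips in sasl_logins(lines).items()
                  if len(ips) > max_ips)

# Constructed sample log lines (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = """\
Jan 22 01:02:03 mail postfix/submission/smtpd[2101]: 1A2B3C4D: client=home.example[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@mydomain.com
Jan 22 01:05:11 mail postfix/submission/smtpd[2102]: 1A2B3C4E: client=home.example[192.0.2.10], sasl_method=PLAIN, sasl_username=alice@mydomain.com
Jan 22 02:14:05 mail postfix/smtps/smtpd[2110]: 5E6F7A8B: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=bob@mydomain.com
Jan 22 02:14:09 mail postfix/smtps/smtpd[2111]: 5E6F7A8C: client=unknown[203.0.113.91], sasl_method=LOGIN, sasl_username=bob@mydomain.com
Jan 22 02:15:40 mail postfix/smtps/smtpd[2112]: 5E6F7A8D: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@mydomain.com
Jan 22 02:16:02 mail postfix/smtps/smtpd[2113]: 5E6F7A8E: client=unknown[198.51.100.200], sasl_method=LOGIN, sasl_username=bob@mydomain.com
Jan 22 03:00:00 mail postfix/smtpd[2120]: 9C0D1E2F: client=mx.other.example[203.0.113.200]
""".splitlines()

if __name__ == "__main__":
    for user, n in suspicious_accounts(SAMPLE_LOG):
        print(f"{user}: authenticated from {n} distinct client addresses")
```

Run it against the real mail log (e.g. sys.stdin lines) to get a per-account view; the unauthenticated port-25 session in the sample is correctly ignored.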
