How to restrict imposters


a-2
I looked around online to try to see examples to stop this but haven't found any yet.  Maybe I'm missing something simple.

My postfix server does allow incoming connections from the outside world to deliver mail to mailboxes on my server which is what I want.  And it does restrict relaying from outside networks to other email addresses and that's how I need it to work.  It's great postfix is set to do this by default.  However, an outside network can still identify as a local email account to send into my network, making imposters possible.

Is there a flag I can use to stop this?

Thank you for your help.

Re: How to restrict imposters

@lbutlr
On 18 Feb 2020, at 13:48, a <[hidden email]> wrote:
> I looked around online to try to see examples to stop this but haven't found any yet.  Maybe I'm missing something simple.
>
> My postfix server does allow incoming connections from the outside world to deliver mail to mailboxes on my server which is what I want.  And it does restrict relaying from outside networks to other email addresses and that's how I need it to work.  It's great postfix is set to do this by default.  However, an outside network can still identify as a local email account to send into my network, making imposters possible.

Do not allow connections on port 25 that claim to be from your domains.

(I think this works still):

smtpd_helo_restrictions = reject_invalid_helo_hostname
    check_helo_access pcre:/etc/postfix/helo_checks.pcre
    permit

helo_checks.pcre:
/kreme\.com$/ REJECT helo Mail to AND from local domains not allowed from external servers.

Or setup spf, which is what I’ve done.

--
It was long ago and it was far away / And it was so much better than
        it is today



Re: How to restrict imposters

Bob Proulx
@lbutlr wrote:
> a wrote:
> > However, an outside network can still identify as a local email
> > account to send into my network, making imposters possible.
>
> Do not allow connections on port 25 that claim to be from your domains.
>
> (I think this works still):

Yes.  It works.

> smtpd_helo_restrictions = reject_invalid_helo_hostname
>     check_helo_access pcre:/etc/postfix/helo_checks.pcre
>     permit
>
> helo_checks.pcre:
> /kreme\.com$/ REJECT helo Mail to AND from local domains not allowed from external servers.

I do a slight variation on this that I think is slightly better.
Instead of pcre tables I use hash tables.  Which should be slightly more
efficient.  And won't suffer from common substring matches such as
hitting by accident on goodkreme.com or otherkreme.com or
krispykreme.com and so forth. :-)

My /etc/postfix/helo-access file:
    # Reject anybody that HELO's as being in our own domains.
    # Since this occurs after permit_mynetworks this does not
    # reject local clients.
    proulx.com      REJECT  You are not proulx.com.

    # Somebody HELO'ing as 'localhost'?  Won't hit because localhost is not a FQDN.
    # Should not hit here but if that is allowed then it will be rejected here.
    localhost       REJECT  You are not localhost.

    # Somebody HELO'ing as our IP address?  Yes those occur too.
    96.88.95.61   REJECT  You are not 96.88.95.61
    # IPv6 address too.  Although IPv6 is otherwise blocked here.
    2601:1:9c81:cd00:3a60:77ff:fecd:b399   REJECT  You are not 2601:1:9c81:cd00:3a60:77ff:fecd:b399

Then the usual "postmap helo-access" to create the "helo-access.db" file.

A snippet of my config:
    smtpd_recipient_restrictions =
        ...
        check_helo_access hash:/etc/postfix/helo-access,
        ...

The entire list of smtpd recipient restrictions is all part of a good
anti-spam configuration.  If you are interested in that list ask again
and I am sure there will be many suggestions for a good setup.

> Or setup spf, which is what I’ve done.

Usually SPF protects other people from forgeries of your own network.
But unless you are hard blocking on SPF of your own domain then this
will not block forgery attacks spoofing your own network.  And hard
blocking on SPF is problematic due to the nature of often broken
systems which would cause loss of mail.  Better to use SPF as part of
a scoring system.  Then by itself it is unlikely to be a problem at
the inevitable cases where things are broken.

HTH!
Bob
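The difference Bob draws in his last paragraph, between hard-blocking on an SPF fail and folding SPF into a score, is easier to see with the check carried through. The Python below is an added example written for this page, not Postfix code or any SPF library: it evaluates the ip4, ip6, include and all mechanisms of RFC 7208 against a constructed dictionary standing in for DNS (the zone data, client addresses and point weights are all made up), then applies both policies to a forwarded legitimate message and a forgery, which produce the same SPF result "fail".

```python
"""SPF as one scored signal versus a hard block (added example, not Postfix
or library code).  Only ip4, ip6, include and all are evaluated; a, mx,
exists and macros are skipped.  DNS is a dictionary so this runs offline."""
import ipaddress

DNS_TXT = {   # constructed TXT records standing in for real DNS
    "example.com": "v=spf1 ip4:203.0.113.25 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "broken.example": "v=spf1 include:gone.example -all",  # include target gone
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(ip, domain, depth=0):
    """check_host() for the mechanisms above: first matching mechanism decides."""
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:                        # RFC 7208 section 4.6.4 lookup limit
        return "permerror"
    client = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                   # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:                          # a v4 client never matches a v6 net
                matched = client in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            inner = spf_check(ip, arg, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"        # RFC 7208 section 5.2
            matched = inner == "pass"
        else:
            continue                      # mechanism not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                      # nothing matched, no "all" present


def hard_policy(spf_result):
    """Reject outright on fail: also loses mail relayed by a forwarder or a
    host the record forgot, which is the breakage Bob warns about."""
    return "REJECT" if spf_result == "fail" else "ACCEPT"


SPF_POINTS = {"fail": 3.0, "softfail": 1.5, "permerror": 1.0,
              "none": 0.5, "neutral": 0.5, "pass": 0.0}   # made-up weights


def scoring_policy(spf_result, other_points, threshold=5.0):
    """SPF is one signal among others; only the total crosses the threshold."""
    score = SPF_POINTS[spf_result] + other_points
    return ("REJECT" if score >= threshold else "ACCEPT"), score


if __name__ == "__main__":
    # Legitimate message from our domain relayed by a forwarder we never listed.
    forwarded = spf_check("198.51.100.50", "example.com")
    # Forgery from an unknown host that also HELO'd as us (+2.5 from that check).
    forged = spf_check("198.51.100.50", "example.com")
    print("forwarded:", forwarded, hard_policy(forwarded), scoring_policy(forwarded, 0.0))
    print("forged   :", forged, hard_policy(forged), scoring_policy(forged, 2.5))
    print("broken include:", spf_check("203.0.113.25", "broken.example"))
```

Both messages score "fail" from SPF alone, which is Bob's point: SPF cannot tell a forwarder from a forger, so the hard policy drops the legitimate message while the scoring policy rejects only when other evidence (here the forged HELO) pushes the total over the threshold. The "broken.example" record shows the other failure mode he mentions: a vanished include turns into permerror, and a hard-blocking receiver would start bouncing that domain's mail.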

Re: How to restrict imposters

allenc


On 20/02/2020 03:39, Bob Proulx wrote:

> I do a slight variation on this that I think is slightly better.
> Instead of pcre tables I use hash tables.  Which should be slightly more
> efficient.  And won't suffer from common substring matches such as
> hitting by accident on goodkreme.com or otherkreme.com or
> krispykreme.com and so forth. :-)
>
> My /etc/postfix/helo-access file:
>     # Reject anybody that HELO's as being in our own domains.
>     # Since this occurs after permit_mynetworks this does not
>     # reject local clients.
>     proulx.com      REJECT  You are not proulx.com.


I receive quite a few messages claiming to be from "accounts", "helpdesk", or
"personnel", so I have a very similar clause in my /etc/postfix/sender-access
file.  Again, it is after permit_mynetworks so it does not reject local clients.

Allen C
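The three tables in this thread (@lbutlr's pcre HELO check, Bob's hash HELO table, and Allen's sender-access table) are all the same restriction mechanism with different lookup rules, and Bob's remark that the check must come after permit_mynetworks is the part that bites people. The Python below is an added example written for this page, not Postfix source: it models how smtpd walks a restriction list (first PERMIT or REJECT decides, DUNNO moves on) and the access(5) lookup rules that matter here. Two facts it relies on: a hash table is queried for the full name and then each parent domain (smtpd_access_maps is in the default parent_domain_matches_subdomains, so "example.com" also catches "mail.example.com"), and a pcre table is applied to the whole key only with no sub-key splitting. The domain example.com, the networks, the client addresses and the table contents are constructed; bracketed address literals in HELO are not modelled.

```python
"""Model of smtpd restriction evaluation and access(5) lookups for the
HELO and sender tables in this thread.  Added illustration, not Postfix
code; example.com, the networks and the table entries are made up."""
import ipaddress
import re

DUNNO, PERMIT, REJECT = "DUNNO", "PERMIT", "REJECT"
MYNETWORKS = ["127.0.0.0/8", "192.0.2.0/24"]      # constructed trusted networks


class HashTable:
    """hash: access table: exact key, then each parent domain."""
    splits = True    # sender lookups also try the domain and user@ sub-keys

    def __init__(self, entries):
        self.entries = {k.lower(): v for k, v in entries.items()}

    def lookup(self, key, parents=True):
        labels = key.lower().split(".")
        candidates = [".".join(labels[i:]) for i in range(len(labels))]
        for candidate in candidates if parents else candidates[:1]:
            if candidate in self.entries:
                return self.entries[candidate]
        return None


class PcreTable:
    """pcre: access table: patterns are tried against the entire key only."""
    splits = False

    def __init__(self, rules):
        self.rules = [(re.compile(p, re.I), v) for p, v in rules]

    def lookup(self, key, parents=True):
        for pattern, value in self.rules:
            if pattern.search(key):
                return value
        return None


def parse_action(value):
    """'REJECT text' -> (REJECT, 'text'); 'OK' -> (PERMIT, ''); else DUNNO."""
    verb, _, text = value.partition(" ")
    return {"OK": PERMIT, "REJECT": REJECT}.get(verb.upper(), DUNNO), text


def permit_mynetworks(sess):
    ip = ipaddress.ip_address(sess["client_ip"])
    trusted = any(ip in ipaddress.ip_network(n) for n in MYNETWORKS)
    return (PERMIT, "") if trusted else (DUNNO, "")


def check_helo_access(table):
    def restriction(sess):
        hit = table.lookup(sess["helo"])
        return parse_action(hit) if hit else (DUNNO, "")
    return restriction


def check_sender_access(table):
    def restriction(sess):
        sender = sess["sender"].lower()
        user, _, domain = sender.partition("@")
        keys = [(sender, False)]
        if table.splits:                   # access(5): then domain, then user@
            keys += [(domain, True), (user + "@", False)]
        for key, parents in keys:
            hit = table.lookup(key, parents)
            if hit:
                return parse_action(hit)
        return DUNNO, ""
    return restriction


def evaluate(restrictions, sess):
    """First PERMIT/REJECT wins; an exhausted list leaves the decision open."""
    for restriction in restrictions:
        result, text = restriction(sess)
        if result != DUNNO:
            return result, text
    return DUNNO, ""


# The three posters' tables rewritten for the made-up domain example.com.
HELO_PCRE = PcreTable([(r"example\.com$", "REJECT helo forgery of our domain")])
HELO_HASH = HashTable({"example.com": "REJECT You are not example.com.",
                       "localhost": "REJECT You are not localhost.",
                       "203.0.113.25": "REJECT You are not 203.0.113.25"})
SENDER_HASH = HashTable({"example.com": "REJECT You are not example.com.",
                         "helpdesk@": "REJECT no helpdesk sends from outside"})

RECIPIENT_RESTRICTIONS = [permit_mynetworks,            # local clients first
                          check_helo_access(HELO_HASH),
                          check_sender_access(SENDER_HASH)]


def helo_decision(table, helo, client_ip="198.51.100.7"):
    """Verdict of a lone check_helo_access for an external client."""
    sess = {"client_ip": client_ip, "helo": helo}
    return evaluate([check_helo_access(table)], sess)[0]


if __name__ == "__main__":
    for helo in ("example.com", "mail.example.com", "shopexample.com", "localhost"):
        print(f"{helo:18} pcre={helo_decision(HELO_PCRE, helo):7} "
              f"hash={helo_decision(HELO_HASH, helo)}")
    forged = {"client_ip": "198.51.100.7", "helo": "example.com",
              "sender": "ceo@example.com"}
    local = dict(forged, client_ip="192.0.2.10")
    print("external forger:", evaluate(RECIPIENT_RESTRICTIONS, forged))
    print("local client   :", evaluate(RECIPIENT_RESTRICTIONS, local))
    print("helo check before permit_mynetworks, local client:",
          evaluate(RECIPIENT_RESTRICTIONS[1:] + [permit_mynetworks], local))
```

Running it shows the substring hit Bob describes (shopexample.com is rejected by the regexp but not by the hash table), that both table types still catch mail.example.com (the hash one through the parent-domain lookup), and that moving check_helo_access ahead of permit_mynetworks makes the server reject its own clients when they HELO as the domain. The "helpdesk@" entry uses the access(5) user@ form, which matches that local part at any domain; it is one way to cover the "accounts" and "helpdesk" forgeries Allen mentions, not a copy of his table.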

Re: How to restrict imposters

a-2
In reply to this post by Bob Proulx


Thank you Bob & @lbutlr, worked perfectly!

I did the hash method.

This line worked with the hash db populated to suit my domain per what Bob said:

smtpd_helo_restrictions = check_helo_access hash:/etc/postfix/helo-access permit

Re: How to restrict imposters

a-2

phishing and fraudulent usage of domain - method to prevent some masking

Sorry, I forgot to put a search term in here for others looking for this in the future: this could be a good tool to prevent phishing and other fraudulent usage of a domain.  I did eventually find something on some forums online, but these user groups are great.  Thanks everyone again!