Invalid address is accepted by postfix

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

Invalid address is accepted by postfix

jcdole
Hello.
After reading it seems that a valid local-part address is :

/The local-part of the email address may use any of these ASCII characters:

    *) uppercase and lowercase Latin letters A to Z and a to z;
       digits 0 to 9;
       special characters !#$%&'*+-/=?^_`{|}~;

    *) dot ., provided that it is not the first or last character unless
quoted, and provided also that it does not appear consecutively unless
quoted (e.g. [hidden email] is not allowed but
"John..Doe"@example.com is allowed);[8]

Note that some mail servers wildcard local parts, typically the characters
following a plus and less often the characters following a minus, so
fred+bah@domain and fred+foo@domain might end up in the same inbox as
fred+@domain or even as fred@domain. This can be useful for tagging emails
for sorting, see below, and for spam control. Braces { and } are also used
in that fashion, although less often.

    *) space and "(),:;<>@[\] characters are allowed with restrictions (they
are only allowed inside a quoted string, as described in the paragraph
below, and in addition, a backslash or double-quote must be preceded by a
backslash);
   
     *) comments are allowed with parentheses at either end of the
local-part; e.g. john.smith(comment)@example.com and
(comment)[hidden email] are both equivalent to
[hidden email].
/

So     *"()<>[]:,;@\\\"!#$%&'-/=?^_`{}| ~.a"@example.org*     is valid
and   *A@b@[hidden email]* (only one @ is allowed outside quotation marks)  
is invalid.

 - - - - - - - - -

During my test I have seen that postfix accepts this sender address :
[hidden email]@exemple.com

So I have add this restriction in main.cf
smtpd_sender_restrictions =
        check_sender_access hash:/etc/postfix/sender_Allowed_Users, reject

And sender_Allowed_Users contains :
[hidden email]  OK
[hidden email]  OK
[hidden email]  OK
#[hidden email] OK

(user4 is forbidden)

But I was surprise that :
[hidden email]@exemple.com  is accepted
[hidden email]@exemple.com  is reject
[hidden email]@exemple2.com  is reject

Normally these three addresses are invalid.

log for case [hidden email]@exemple.com  :
-----------------------------------------------------------
sept. 30 16:49:40 ASUS-G75VW-JC postfix/smtpd[6658]: ctable_locate: install
entry key [hidden email]?[hidden email].@example.com
sept. 30 16:49:40 ASUS-G75VW-JC postfix/smtpd[6658]: maps_find:
hash:/etc/postfix/sender_Allowed_Users:
hash:/etc/postfix/sender_Allowed_Users(0,lock|fold_fix|utf8_request):
[hidden email] = OK
sept. 30 16:49:40 ASUS-G75VW-JC postfix/smtpd[6658]: mail_addr_find:
[hidden email] -> OK
sept. 30 16:49:40 ASUS-G75VW-JC postfix/smtpd[6658]: check_table_result:
hash:/etc/postfix/sender_Allowed_Users OK [hidden email]
sept. 30 16:49:40 ASUS-G75VW-JC postfix/smtpd[6658]: smtpd_acl_permit:
checking smtpd_log_access_permit_actions settings
sept. 30 16:49:40 ASUS-G75VW-JC postfix/smtpd[6658]: match_list_match: OK:
no match
sept. 30 16:49:40 ASUS-G75VW-JC postfix/smtpd[6658]: smtpd_acl_permit:
smtpd_log_access_permit_actions: no match
sept. 30 16:49:40 ASUS-G75VW-JC postfix/smtpd[6658]: generic_checks:
name=check_sender_access status=1
sept. 30 16:49:40 ASUS-G75VW-JC postfix/smtpd[6658]: >>> END Sender address
RESTRICTIONS <<<
 
log for case [hidden email]@exemple.com  :
-------------------------------------------------------------
sept. 30 16:52:27 ASUS-G75VW-JC postfix/smtpd[6669]: ctable_locate: install
entry key [hidden email]?[hidden email].@troll2-hathor.nwk
sept. 30 16:52:27 ASUS-G75VW-JC postfix/smtpd[6669]: maps_find:
hash:/etc/postfix/sender_Allowed_Users:
"[hidden email]."@troll2-hathor.nwk: not found
sept. 30 16:52:27 ASUS-G75VW-JC postfix/smtpd[6669]: maps_find:
hash:/etc/postfix/sender_Allowed_Users:
[hidden email].@troll2-hathor.nwk: not found
sept. 30 16:52:27 ASUS-G75VW-JC postfix/smtpd[6669]: maps_find:
hash:/etc/postfix/sender_Allowed_Users: troll2-hathor.nwk: not found
sept. 30 16:52:27 ASUS-G75VW-JC postfix/smtpd[6669]: maps_find:
hash:/etc/postfix/sender_Allowed_Users: nwk: not found
sept. 30 16:52:27 ASUS-G75VW-JC postfix/smtpd[6669]: maps_find:
hash:/etc/postfix/sender_Allowed_Users: "[hidden email]."@: not found
sept. 30 16:52:27 ASUS-G75VW-JC postfix/smtpd[6669]: maps_find:
hash:/etc/postfix/sender_Allowed_Users: [hidden email].@: not found
sept. 30 16:52:27 ASUS-G75VW-JC postfix/smtpd[6669]: mail_addr_find:
[hidden email].@troll2-hathor.nwk -> (not found)
sept. 30 16:52:27 ASUS-G75VW-JC postfix/smtpd[6669]: generic_checks:
name=check_sender_access status=0
sept. 30 16:52:27 ASUS-G75VW-JC postfix/smtpd[6669]: generic_checks:
name=reject
sept. 30 16:52:27 ASUS-G75VW-JC postfix/smtpd[6669]: NOQUEUE: reject: RCPT
from ASUS-G750JZ-JC.example.com[192.168.130.100]: 554 5.7.1
<[hidden email].@troll2-hathor.nwk>: Sender address rejected: Access
denied; from=<[hidden email].@troll2-hathor.nwk> to=<[hidden email]>
proto=ESMTP helo=<ASUS-G750JZ-JC.example.com>
sept. 30 16:52:27 ASUS-G75VW-JC postfix/smtpd[6669]: generic_checks:
name=reject status=2
sept. 30 16:52:27 ASUS-G75VW-JC postfix/smtpd[6669]: >>> END Sender address
RESTRICTIONS <<<


log for case [hidden email]@exemple2.com  :
------------------------------------------------------------
sept. 30 16:53:59 ASUS-G75VW-JC postfix/smtpd[6669]: ctable_locate: install
entry key [hidden email]?[hidden email].@example.com
sept. 30 16:53:59 ASUS-G75VW-JC postfix/smtpd[6669]: maps_find:
hash:/etc/postfix/sender_Allowed_Users: [hidden email]: not found
sept. 30 16:53:59 ASUS-G75VW-JC postfix/smtpd[6669]: maps_find:
hash:/etc/postfix/sender_Allowed_Users: troll2-hathor.nwk: not found
sept. 30 16:53:59 ASUS-G75VW-JC postfix/smtpd[6669]: maps_find:
hash:/etc/postfix/sender_Allowed_Users: nwk: not found
sept. 30 16:53:59 ASUS-G75VW-JC postfix/smtpd[6669]: maps_find:
hash:/etc/postfix/sender_Allowed_Users: user1@: not found
sept. 30 16:53:59 ASUS-G75VW-JC postfix/smtpd[6669]: mail_addr_find:
[hidden email] -> (not found)
sept. 30 16:53:59 ASUS-G75VW-JC postfix/smtpd[6669]: generic_checks:
name=check_sender_access status=0
sept. 30 16:53:59 ASUS-G75VW-JC postfix/smtpd[6669]: generic_checks:
name=reject
sept. 30 16:53:59 ASUS-G75VW-JC postfix/smtpd[6669]: NOQUEUE: reject: RCPT
from ASUS-G750JZ-JC.example.com[192.168.130.100]: 554 5.7.1
<[hidden email].@example.com>: Sender address rejected: Access
denied; from=<[hidden email].@example.com> to=<[hidden email]>
proto=ESMTP helo=<ASUS-G750JZ-JC.example.com>
sept. 30 16:53:59 ASUS-G75VW-JC postfix/smtpd[6669]: generic_checks:
name=reject status=2
sept. 30 16:53:59 ASUS-G75VW-JC postfix/smtpd[6669]: >>> END Sender address
RESTRICTIONS <<<

Any way none of the tree case have the local-part address include in the
lookup table /etc/postfix/sender_Allowed_Users

Any help is welcome.







-----
Thank you for helping
________
Opensuse Leap 15
--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html
Thank you for helping
________
Opensuse Leap 15
Reply | Threaded
Open this post in threaded view
|

Re: Invalid address is accepted by postfix

jcdole
From documentation : postconf.5.html#resolve_dequoted_address

/resolve_dequoted_address (default: yes)

    Resolve a recipient address safely instead of correctly, by looking
inside quotes.

    By default, the Postfix address resolver does not quote the address
localpart as per RFC 822, so that additional @ or % or ! operators remain
visible. This behavior is safe but it is also technically incorrect.

    If you specify "resolve_dequoted_address = no", then the Postfix
resolver will not know about additional @ etc. operators in the address
localpart. This opens opportunities for obscure mail relay attacks with
user@domain@domain addresses when Postfix provides backup MX service for
Sendmail systems.
/

Setting resolve_dequoted_address  = no   ==> [hidden email]@example.com
is rejected
Setting resolve_dequoted_address  = yes  ==> [hidden email]@example.com
is accepted

But as said in the doc seems to be a bad idea.

So what to do ?




-----
Thank you for helping
________
Opensuse Leap 15
--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html
Thank you for helping
________
Opensuse Leap 15
Reply | Threaded
Open this post in threaded view
|

Re: Invalid address is accepted by postfix

Wietse Venema
jcdole:

> >From documentation : postconf.5.html#resolve_dequoted_address
>
> /resolve_dequoted_address (default: yes)
>
>     Resolve a recipient address safely instead of correctly, by looking
> inside quotes.
>
>     By default, the Postfix address resolver does not quote the address
> localpart as per RFC 822, so that additional @ or % or ! operators remain
> visible. This behavior is safe but it is also technically incorrect.
>
>     If you specify "resolve_dequoted_address = no", then the Postfix
> resolver will not know about additional @ etc. operators in the address
> localpart. This opens opportunities for obscure mail relay attacks with
> user@domain@domain addresses when Postfix provides backup MX service for
> Sendmail systems.
> /
>
> Setting resolve_dequoted_address  = no   ==> [hidden email]@example.com
> is rejected
> Setting resolve_dequoted_address  = yes  ==> [hidden email]@example.com
> is accepted
>
> But as said in the doc seems to be a bad idea.
>
> So what to do ?

The main observation that comes to mind:

- No-one uses such addresses. That alone should be sufficient to
stop you from doing so.

        Wietse
Reply | Threaded
Open this post in threaded view
|

Re: Invalid address is accepted by postfix

jcdole
Human guru perhaps not, but programs , spammers, or others may.

So how to reject mail with bad sender addresses that postfix accept.

Any help is welcome.



-----
Thank you for helping
________
Opensuse Leap 15
--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html
Thank you for helping
________
Opensuse Leap 15
Reply | Threaded
Open this post in threaded view
|

Re: Invalid address is accepted by postfix

Wietse Venema
jcdole:
> Human guru perhaps not, but programs , spammers, or others may.
>
> So how to reject mail with bad sender addresses that postfix accept.
>
> Any help is welcome.

Use check_sender_access with PCRE patterns, to retrict the subset
of address syntax that you want to allow.

http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions
http://www.postfix.org/postconf.5.html#check_sender_access
http://www.postfix.org/access.5.html
http://www.postfix.org/pcre_table.5.html
http://www.postfix.org/DATABASE_README.html

        Wietse
Reply | Threaded
Open this post in threaded view
|

Re: Invalid address is accepted by postfix

Ralph Seichter
In reply to this post by jcdole
On 01.10.18 12:48, jcdole wrote:

> So how to reject mail with bad sender addresses that postfix accept.

A PCRE-based access restriction "/[@!%].*[@!%]/ REJECT" should do it
(untested).

-Ralph
Reply | Threaded
Open this post in threaded view
|

Re: Invalid address is accepted by postfix

jcdole
In reply to this post by Wietse Venema
That does not work with the data I have use to make a test.
This is the reason I open a thread.

email-address :: [hidden email]
but if local-part :: [hidden email] ==>
[hidden email]@example.com

Now the lookup table

[hidden email]    OK

*postmap -q "[hidden email]@example.com"
type_of_table:/etc/postfix/lookup_table
return null*

postmap -q "[hidden email]@example.com"
type_of_table:/etc/postfix/lookup_table
return null

postmap -q "[hidden email]@example2.com"
type_of_table:/etc/postfix/lookup_table
return null

but postfix lookup table
*return OK for [hidden email]@example.com*
return not found for [hidden email]@example.com
return not found for [hidden email]@example2.com

I have made 2 other tests

One with :
[hidden email]*.*@example.com ( see the dot before the second @ )
postmap -q return null
but postfix lookup return OK

The second one with :
[hidden email]*.a*@example.com ( see  ".a" before the second @ )
postmap -q return null
and postfix lookup return not found.

During ma test, I noticed that  aaaaa@bbbbb@cccccc (from the sender address)
was tagged  as "aaaaa@bbbbb"@cccccc.

If the `ccccc` part is different from the domain part in the loookup table,
the sender address is rejected
If the `bbbb` part is different from the domain part in the loookup table,
the sender address is rejected

Any help is welcome.




-----
Thank you for helping
________
Opensuse Leap 15
--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html
Thank you for helping
________
Opensuse Leap 15