Limit RCPT TO in Postfix


Limit RCPT TO in Postfix

Claudio Prono
Hello all,

I use Postfix with mysql database for the users lookup. I have recently
found an information leak with the RCPT TO command.

Here is an example:

telnet mailserver 25
Trying XXX.XXX.XXX.XXX...
Connected to mailserver.
Escape character is '^]'.
220 mailserver ESMTP
helo mail
250 mailserver
mail from: [hidden email]
250 2.1.0 Ok
rcpt to: [hidden email]
250 2.1.5 Ok
rcpt to: root
250 2.1.5 Ok
rcpt to: test
550 5.1.1 <test>: Recipient address rejected: User unknown in local
recipient table

As you can see, RCPT TO permits verifying the user, not only virtual ones
but also real ones (like root). Is there any solution to fix that information
leak on my systems? Something like denying RCPT to some users, or to all the
real users....

Here is my postconf -n:

alias_maps = hash:/etc/aliases
biff = no
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
defer_transports =
disable_dns_lookups = no
disable_mime_output_conversion = no
disable_vrfy_command = yes
html_directory = /usr/share/doc/packages/postfix/html
inet_interfaces = localhost
inet_protocols = ipv4
local_transport = local
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_command = /usr/lib/dovecot/deliver
mailbox_size_limit = 0
mailbox_transport =
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
message_size_limit = 15360000
mydestination = $myhostname, localhost.$mydomain
mydomain = [hidden]
myhostname = [hidden]
mynetworks = [hidden]
mynetworks_style = subnet
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix/README_FILES
recipient_delimiter = -
relay_domains = $mydestination
relayhost =
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_sasl_auth_enable = no
smtp_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtp_tls_cert_file = /etc/postfix/ssl/certs/postfixcert.pem
smtp_tls_key_file = /etc/postfix/ssl/certs/postfixkey.pem
smtp_tls_loglevel = 1
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions =
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/dspam_learning,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unauth_pipelining,
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:10031
    check_recipient_access hash:/etc/postfix/dspam_domains
smtpd_sasl_auth_enable = no
smtpd_sender_restrictions = hash:/etc/postfix/access
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_CApath = /etc/postfix/ssl
smtpd_tls_cert_file = /etc/postfix/ssl/certs/postfixcert.pem
smtpd_tls_key_file = /etc/postfix/ssl/certs/postfixkey.pem
smtpd_use_tls = yes
strict_8bitmime = no
strict_rfc821_envelopes = no
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:51
virtual_mailbox_base = /var/mail/virtual
virtual_mailbox_domains = mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 524288000
virtual_mailbox_maps = $transport_maps,
mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 51
virtual_transport = dovecot
virtual_uid_maps = static:51

Any hint is well accepted.

Cordially,

Claudio Prono.


--
--------------------------------------------------------------------------------
Claudio Prono                         OPST
System Developer              
                                      Gsm: +39-349-54.33.258
@PSS Srl                              Tel: +39-011-32.72.100
Via San Bernardino, 17                Fax: +39-011-32.46.497
10141 Torino - ITALY                  http://atpss.net/disclaimer
--------------------------------------------------------------------------------
PGP Key - http://keys.atpss.net/c_prono.asc


Re: Limit RCPT TO in Postfix

Noel Jones-2
On 9/7/2010 5:16 AM, Claudio Prono wrote:
> Hello all,
>
> I use Postfix with mysql database for the users lookup. I have recently
> found an information leak with the RCPT TO command.
>
...
>
> Any hint is well accepted.
>

This is a basic function of the SMTP protocol.



Re: Limit RCPT TO in Postfix

Claudio Prono

Noel Jones wrote:

> On 9/7/2010 5:16 AM, Claudio Prono wrote:
>> Hello all,
>>
>> I use Postfix with mysql database for the users lookup. I have recently
>> found an information leak with the RCPT TO command.
>>
> ..
>>
>> Any hint is well accepted.
>>
>
> This is a basic function of the SMTP protocol.
>
>
OK, this is right, but it is also an information leak... with RCPT TO I can
enumerate the local users of the system, and for me this is not too
good... No way to fix this?



Re: Limit RCPT TO in Postfix

Noel Jones-2
On 9/7/2010 10:23 AM, Claudio Prono wrote:

>
> Noel Jones wrote:
>> On 9/7/2010 5:16 AM, Claudio Prono wrote:
>>> Hello all,
>>>
>>> I use Postfix with mysql database for the users lookup. I have recently
>>> found an information leak with the RCPT TO command.
>>>
>> ..
>>>
>>> Any hint is well accepted.
>>>
>>
>> This is a basic function of the SMTP protocol.
>>
>>
> OK, this is right, but it is also an information leak... with RCPT TO I can
> enumerate the local users of the system, and for me this is not too
> good... No way to fix this?

This is part of the design of SMTP.  You can call it a feature
or a flaw or an information leak, but it's still part of the
design.  This is not postfix specific; it is a design feature
of every software that implements SMTP.

I would suggest investing in a few good books on SMTP to
prevent asking further sophomoric questions.


   -- Noel Jones

Re: Limit RCPT TO in Postfix

Victor Duchovni
On Tue, Sep 07, 2010 at 10:40:23AM -0500, Noel Jones wrote:

>> OK, this is right, but it is also an information leak... with RCPT TO I can
>> enumerate the local users of the system, and for me this is not too
>> good... No way to fix this?
>
> This is part of the design of SMTP.  You can call it a feature or a flaw or
> an information leak, but it's still part of the design.  This is not
> postfix specific; it is a design feature of every software that implements
> SMTP.
>
> I would suggest investing in a few good books on SMTP to prevent asking
> further sophomoric questions.

This said, when the "postscreen" feature of Postfix 2.8 is complete
(includes a mini SMTP engine for envelope logging, ...) it will provide
some protection from directory harvesting, when the agent doing the
harvesting is a bot that fails RBL checks or grey-listing.

This can be done without "postscreen" today, provided that recipient
validation follows RBL checks and call-outs to grey-listing policy
services, ...

No directory harvesting defense is perfect. The "information leakage"
in question is fundamentally unavoidable unless one accepts and bounces
mail to invalid recipients, but this "cure" is worse than the "disease".

--
        Viktor.

Re: Limit RCPT TO in Postfix

Jasper Jongmans-3
In reply to this post by Claudio Prono
On 2010-09-07 17:23, Claudio Prono wrote:
> OK, this is right, but it is also an information leak... with RCPT TO I can
> enumerate the local users of the system, and for me this is not too
> good... No way to fix this?
>  
>
If it is not necessary for those local users to receive mail, you could
alter your local_recipient_maps setting. You should still set up some
aliases to redirect some common system users, especially as they might be
used as senders (e.g. [hidden email]).
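As an added example (not from the thread) of Jasper's local_recipient_maps suggestion: the main.cf change that stops Postfix from treating every /etc/passwd account as a valid recipient, plus the alias entries that keep the common system accounts deliverable. admin@example.com is a placeholder for the real administrator's mailbox.

```conf
# /etc/postfix/main.cf
# Default is "proxy:unix:passwd.byname $alias_maps", i.e. every account in
# /etc/passwd is a valid RCPT TO. Validate local recipients against the
# alias database only, so RCPT TO no longer reveals which accounts exist.
local_recipient_maps = $alias_maps

# /etc/aliases
# System accounts that still need to receive mail (bounces, cron output,
# abuse reports); admin@example.com is a placeholder. Run "newaliases"
# after editing this file.
postmaster: root
abuse:      root
root:       admin@example.com
```

After "postfix reload", RCPT TO for a passwd account that has no alias gets the same 550 "User unknown in local recipient table" as an invented name, so the reply no longer distinguishes the two.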

Re: Limit RCPT TO in Postfix

Ralf Hildebrandt
In reply to this post by Claudio Prono
* Claudio Prono <[hidden email]>:

> OK, this is right, but it is also an information leak... with RCPT TO I can
> enumerate the local users of the system, and for me this is not too
> good... No way to fix this?

Turn off SMTP :)

--
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  [hidden email] | http://www.charite.de

Re: Limit RCPT TO in Postfix

Jeroen Geilman
In reply to this post by Claudio Prono
On 09/07/2010 12:16 PM, Claudio Prono wrote:

> Hello all,
>
> I use Postfix with mysql database for the users lookup. I have recently
> found an information leak with the RCPT TO command.
>
> Here is an example:
>
> telnet mailserver 25
> Trying XXX.XXX.XXX.XXX...
> Connected to mailserver.
> Escape character is '^]'.
> 220 mailserver ESMTP
> helo mail
> 250 mailserver
> mail from: [hidden email]
> 250 2.1.0 Ok
> rcpt to: [hidden email]
> 250 2.1.5 Ok
> rcpt to: root
> 250 2.1.5 Ok
> rcpt to: test
> 550 5.1.1 <test>: Recipient address rejected: User unknown in local
> recipient table
>
> As you can see, RCPT TO permits verifying the user,

Indeed it does.
In fact, this forms a vital step in allowing postfix to do remote
verification BEFORE it accepts your message.

Postfix's recipient/sender verification wouldn't work without it.

J.


Re: Limit RCPT TO in Postfix

Terry Carmen
In reply to this post by Claudio Prono
Quoting Claudio Prono <[hidden email]>:

> Hello all,
>
> I use Postfix with mysql database for the users lookup. I have recently
> found an information leak with the RCPT TO command.
>
> Here is an example:
>
> telnet mailserver 25
> Trying XXX.XXX.XXX.XXX...
> Connected to mailserver.
> Escape character is '^]'.
> 220 mailserver ESMTP
> helo mail
> 250 mailserver
> mail from: [hidden email]
> 250 2.1.0 Ok
> rcpt to: [hidden email]
> 250 2.1.5 Ok
> rcpt to: root
> 250 2.1.5 Ok
> rcpt to: test
> 550 5.1.1 <test>: Recipient address rejected: User unknown in local
> recipient table
>
> As you can see, RCPT TO permits verifying the user, not only virtual ones
> but also real ones (like root). Is there any solution to fix that information
> leak on my systems? Something like denying RCPT to some users, or to all the
> real users....

You can use fail2ban to add a firewall DROP rule for any IPs that guess too many (configurable) bad email addresses.

Terry
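Terry's fail2ban suggestion amounts to counting unknown-recipient rejects per client address; this added example (not from the thread or fail2ban itself) implements that detection over constructed Postfix smtpd log lines, flagging any client that exceeds a threshold inside a sliding time window. The log line layout is Postfix's standard "NOQUEUE: reject: RCPT" format; the hostnames, addresses, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Postfix smtpd logs each unknown recipient as "NOQUEUE: reject: RCPT from
# host[ip]: 550 5.1.1 <rcpt>: Recipient address rejected: User unknown ...".
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: "
    r"reject: RCPT from [^\[]*\[(?P<ip>[0-9a-fA-F.:]+)\]: 550 5\.1\.1 "
    r"<(?P<rcpt>[^>]*)>: Recipient address rejected: User unknown")

# Constructed sample log: one client probing six names in five minutes, one
# client with a single typo, and an accepted session that must not count.
SAMPLE_LOG = [
    f"Sep  7 10:1{i}:00 mailserver postfix/smtpd[2100]: NOQUEUE: reject: RCPT "
    f"from unknown[192.0.2.10]: 550 5.1.1 <{n}>: Recipient address rejected: "
    f"User unknown in local recipient table; from=<x@example.net> to=<{n}> "
    "proto=SMTP helo=<mail>"
    for i, n in enumerate(["test", "admin", "oracle", "www", "guest", "backup"])
] + [
    "Sep  7 10:12:30 mailserver postfix/smtpd[2101]: NOQUEUE: reject: RCPT "
    "from mx.example.org[198.51.100.7]: 550 5.1.1 <jhon@mailserver>: Recipient "
    "address rejected: User unknown in local recipient table; "
    "from=<a@example.org> to=<jhon@mailserver> proto=ESMTP helo=<mx.example.org>",
    "Sep  7 10:13:05 mailserver postfix/smtpd[2101]: 3F2A1B: "
    "client=mx.example.org[198.51.100.7]",
]

def parse_ts(ts, year=2010):
    # Syslog timestamps carry no year; assume one (2010, the thread's date).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_harvesters(lines, max_unknown=5, window=timedelta(minutes=10)):
    """Return {ip: [rejected recipients]} for each client with more than
    max_unknown unknown-recipient rejects inside any sliding window."""
    events = defaultdict(list)          # ip -> [(timestamp, recipient)]
    for line in lines:
        m = REJECT_RE.match(line)
        if m:
            events[m["ip"]].append((parse_ts(m["ts"]), m["rcpt"]))
    flagged = {}
    for ip, ev in events.items():
        ev.sort()
        start = 0
        for end in range(len(ev)):
            while ev[end][0] - ev[start][0] > window:
                start += 1              # drop events older than the window
            if end - start + 1 > max_unknown:
                flagged[ip] = [rcpt for _, rcpt in ev]
                break
    return flagged
```

A genuine remote MTA with one mistyped address stays below the threshold, while the probing client is returned with the names it tried, which is what a fail2ban jail would then feed into a firewall rule.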