Only allow specific sasl-authenticated users to relay


Only allow specific sasl-authenticated users to relay

Chris Richards-5
I've got a situation where some clients on my network apparently have
computers that have been compromised because every time they change their
password, spammers on the outside get it and use their email account to
spam.

I've got the server right now configured to only allow users within my
network to send e-mail, so that particular problem is under control, but
this necessarily means that users OUTSIDE my network cannot relay, even if
they sasl-auth.

In looking through the documentation and readmes, I've come across the
smtpd_client_restrictions setting, and the check_client_access clause.

Am I right in guessing that if I do something like the following:

smtpd_sender_restrictions = permit_mynetworks,
  check_sender_access mysql:/etc/postfix/mysql_sender_access.cf,
  permit_sasl_authenticated,
  reject;

where check_sender_access returns 'dunno' for 'trusted' clients and 'no'
for 'untrusted' clients, that the result will be to fall through to
permit_sasl_auth for the 'trusted' clients and fail entirely for the
'untrusted' clients who are OUTSIDE, but still permit normal relay for
clients who are INSIDE?

Thanks in advance for your help.

Chris


Re: Only allow specific sasl-authenticated users to relay

Noel Jones-2
On 11/3/2011 10:47 PM, Chris Richards wrote:

> I've got a situation where some clients on my network apparently have
> computers that have been compromised because every time they change their
> password, spammers on the outside get it and use their email account to
> spam.
>
> I've got the server right now configured to only allow users within my
> network to send e-mail, so that particular problem is under control, but
> this necessarily means that users OUTSIDE my network cannot relay, even if
> they sasl-auth.
>
> In looking through the documentation and readmes, I've come across the
> smtpd_client_restrictions setting, and the check_client_access clause.
>
> Am I right in guessing that if I do something like the following:
>
> smtpd_sender_restrictions = permit_mynetworks,
>   check_sender_access mysql:/etc/postfix/mysql_sender_access.cf,
>   permit_sasl_authenticated,
>   reject;
>
> where check_sender_access returns 'dunno' for 'trusted' clients and 'no'
> for 'untrusted' clients, that the result will be to fall through to
> permit_sasl_auth for the 'trusted' clients and fail entirely for the
> 'untrusted' clients who are OUTSIDE, but still permit normal relay for
> clients who are INSIDE?
>
> Thanks in advance for your help.
>
> Chris
>


You're talking about trusted clients, but your example above shows
checking the sender address (i.e. [hidden email]).  If you want to
assign trust using the client IP, use check_client_access rather
than check_sender_access.  And "no" isn't a valid access table
result; "REJECT" would seem appropriate.

Also, if this is your internet MX, it will reject all incoming mail.
To avoid that problem you can use "permit_auth_destination, reject"
instead of a plain "reject" at the end of the restriction list.

Other than that, the general idea is sound.  Or maybe just terminate
abusive accounts.



  -- Noel Jones

Re: Only allow specific sasl-authenticated users to relay

Reindl Harald-2
In reply to this post by Chris Richards-5


On 04.11.2011 04:47, Chris Richards wrote:
> I've got a situation where some clients on my network apparently have
> computers that have been compromised because every time they change their
> password, spammers on the outside get it and use their email account to
> spam

please do not try to solve such major problems in the wrong place

if you have compromised machines in your network shut them down,
reinstall them or do anything to get them clean but do not try
to solve one single sign of a major problem on the MTA







Re: Only allow specific sasl-authenticated users to relay

Viktor Dukhovni
In reply to this post by Chris Richards-5
On Thu, Nov 03, 2011 at 10:47:18PM -0500, Chris Richards wrote:

> Am I right in guessing that if I do something like the following:
>
> smtpd_sender_restrictions = permit_mynetworks,
>   check_sender_access mysql:/etc/postfix/mysql_sender_access.cf,
>   permit_sasl_authenticated,
>   reject;
>
> where check_sender_access returns 'dunno' for 'trusted' clients and 'no'
> for 'untrusted' clients, that the result will be to fall through to
> permit_sasl_auth for the 'trusted' clients and fail entirely for the
> 'untrusted' clients who are OUTSIDE, but still permit normal relay for
> clients who are INSIDE?

If this is an MX host, you need to allow mail to your own domains
before you "reject" to, otherwise only your own users will be
able to send you email.

Since the sender address and the SASL login account are not
necessarily the same, you also need to use
reject_authenticated_sender_login_mismatch. So the whole thing
boils down to:

    smtpd_sender_restrictions =
       permit_auth_destination,
       permit_mynetworks,
       check_sender_access mysql:/etc/postfix/mysql_sender_access.cf,
       reject_authenticated_sender_login_mismatch,
       permit_sasl_authenticated

You then also need smtpd_sender_login_maps and each authenticated user
will be constrained to only use the designated sender addresses. If that's
too much pain or is overly restrictive, perhaps as others have tried to
point out you may be solving the wrong problem, just configure the
authentication layer to lock the abused accounts and work on preventing
re-compromise of any accounts you plan to re-enable.

--
        Viktor.
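
Added example (not part of the thread and not Postfix code): a simplified Python model of first-match restriction evaluation, comparing the list from the original question with the revised list above. The networks, addresses, logins and table contents are constructed sample values, and each function models only the behaviour described in this thread.

```python
import ipaddress
from collections import namedtuple

# Constructed sample data (assumptions, not values from the thread).
MYNETWORKS = ipaddress.ip_network("192.0.2.0/24")    # "inside" clients
LOCAL_DOMAINS = {"example.org"}                       # domains this MX accepts mail for
SENDER_ACCESS = {"mallory@example.org": "REJECT"}     # abused account; no row means DUNNO
# MAIL FROM address -> SASL login that owns it (models smtpd_sender_login_maps)
SENDER_LOGIN_MAPS = {"alice@example.org": "alice", "mallory@example.org": "mallory"}

Session = namedtuple("Session", "client_ip sasl_login sender recipient")

def permit_auth_destination(s):
    return "PERMIT" if s.recipient.rsplit("@", 1)[-1] in LOCAL_DOMAINS else "DUNNO"

def permit_mynetworks(s):
    return "PERMIT" if ipaddress.ip_address(s.client_ip) in MYNETWORKS else "DUNNO"

def check_sender_access(s):
    return SENDER_ACCESS.get(s.sender, "DUNNO")

def reject_authenticated_sender_login_mismatch(s):
    # Applies to authenticated clients only: the login must own the MAIL FROM address.
    mismatch = s.sasl_login and SENDER_LOGIN_MAPS.get(s.sender) != s.sasl_login
    return "REJECT" if mismatch else "DUNNO"

def permit_sasl_authenticated(s):
    return "PERMIT" if s.sasl_login else "DUNNO"

def reject(s):
    return "REJECT"

# The list from the question (table returning REJECT instead of 'no') and the revised list.
QUESTION_LIST = [permit_mynetworks, check_sender_access, permit_sasl_authenticated, reject]
REVISED_LIST = [permit_auth_destination, permit_mynetworks, check_sender_access,
                reject_authenticated_sender_login_mismatch, permit_sasl_authenticated]

def evaluate(rules, s):
    """First PERMIT or REJECT wins; DUNNO passes the decision to the next restriction."""
    for rule in rules:
        verdict = rule(s)
        if verdict != "DUNNO":
            return verdict, rule.__name__
    return "DUNNO", "end of list"  # nothing matched; this list makes no decision

if __name__ == "__main__":
    inbound = Session("203.0.113.9", None, "stranger@example.net", "bob@example.org")
    forged = Session("198.51.100.7", "mallory", "alice@example.org", "victim@example.net")
    for name, rules in (("question", QUESTION_LIST), ("revised", REVISED_LIST)):
        print(name, evaluate(rules, inbound), evaluate(rules, forged))
```

In this model a blocked sender address is still accepted for local recipients, because permit_auth_destination matches before check_sender_access is consulted. A "DUNNO" at the end of the revised list means the sender restrictions make no decision, so unauthenticated relay attempts are left to the other restriction lists (such as smtpd_recipient_restrictions).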

Re: Only allow specific sasl-authenticated users to relay

Chris Richards-5


On Fri, November 4, 2011 12:07 pm, Viktor Dukhovni wrote:

> If this is an MX host, you need to allow mail to your own domains
> before you "reject" to, otherwise only your own users will be
> able to send you email.
>
> Since the sender address and the SASL login account are not
> necessarily the same, you also need to use
> reject_authenticated_sender_login_mismatch. So the whole thing
> boils down to:
>
>     smtpd_sender_restrictions =
>        permit_auth_destination,
>        permit_mynetworks,
>        check_sender_access mysql:/etc/postfix/mysql_sender_access.cf,
>        reject_authenticated_sender_login_mismatch,
>        permit_sasl_authenticated
>
> You then also need smtpd_sender_login_maps and each authenticated user
> will be constrained to only use the designated sender addresses. If that's
> too much pain or is overly restrictive, perhaps as others have tried to
> point out you may be solving the wrong problem, just configure the
> authentication layer to lock the abused accounts and work on preventing
> re-compromise of any accounts you plan to re-enable.

Thanks Viktor, Noel, and Reindl, for your responses.

Viktor, yes I figured out about reject_authenticated_sender_login_mismatch
and smtpd_sender_login_maps.  I'm still working that out, but I don't
believe that is going to be an issue.

Yes, I agree that I'm attacking the wrong end of this problem;
unfortunately that's not my call.  Others who 'know more' than me have
made that decision.

Thanks again.


Re: Only allow specific sasl-authenticated users to relay

Reindl Harald-2


On 06.11.2011 04:17, Chris Richards wrote:
> Yes, I agree that I'm attacking the wrong end of this problem;
> unfortunately that's not my call.  Others who 'know more' than me have
> made that decision.

so tell them if they think they know more than you they should
do the job themselves and disable compromised accounts



Re: Only allow specific sasl-authenticated users to relay

Viktor Dukhovni
In reply to this post by Chris Richards-5
On Sat, Nov 05, 2011 at 10:17:00PM -0500, Chris Richards wrote:

> Viktor, yes I figured out about reject_authenticated_sender_login_mismatch
> and smtpd_sender_login_maps.  I'm still working that out, but I don't
> believe that is going to be an issue.

On my personal email server, I use non-Postfix means to limit who
can use SASL to authenticate to Postfix. In /etc/pam.d/dovecot (Postfix
is configured to use dovecot auth) I have:

        auth            required        pam_group.so            group=pamimap

which means that only users in that group can use "PLAIN" auth via PAM. You
may be able to use similar means to less intrusively control which users
can use authentication to get relay rights. Also rate limits, and other
controls may be more effective.

Requiring all users to use a fixed sender address may punish too
many to solve the problems of a few.

--
        Viktor.