Prevent sender address spoofing


Prevent sender address spoofing

Hugo Florentino
Hi,

I am using postfix 3.1.12 in a network which does not currently accept
sending mail from outside.

However some spammers change the From header in the data section and
use an internal address.

The problem is that if I use header_checks to reject my domain, it's
applied globally so mail from within the local network is rejected as
well.

Since there is no check_data_access method, I tried to do something like
this:

In main.cf :

header_checks =
  pcre:/etc/postfix/header_checks.pcre

smtpd_restriction_classes = anti_spoofing

anti_spoofing =
  check_client_access cidr:/etc/postfix/localnets.cidr

In header_checks.pcre :
/^From:\s*.+\@mydomain\.tld>?$/ anti_spoofing

In localnets.cidr :
127.0.0.0/8 OK
192.168.0.0/24 OK
0.0.0.0/0 REJECT forged address

However, forged addresses still pass, and I am getting this message in
the logs:

Sep 27 06:07:52 server postfix/cleanup[5578]: warning: unknown command
in header_checks map: anti_spoofing

Why isn't this working?

Could you please provide ideas on how to achieve what I want without
using external tools or costly sender verification?

Best regards, Hugo





Re: Prevent sender address spoofing

Bill Cole-3
On 27 Sep 2019, at 7:06, Hugo Florentino wrote:

> Hi,
>
> I am using postfix 3.1.12 in a network which does not currently accept
> sending mail from outside.
>
> However some spammers change the From header in the data section and
> use an internal address.
>
> The problem is that if I use header_checks to reject my domain, it's
> applied globally so mail from within the local network is rejected as
> well.

The most important element in doing this is to separate mail submission
from inbound SMTP mail. In 2019 there is no reasonable excuse for
supporting submission via a port 25 SMTP server that also accepts mail
from the Internet in general for local delivery. If you require your
users to use a port 587 or 465 submission service instead, you don't
need to make allowances for local submission on the main port 25
service.

> Since there is no check_data_access method, I tried to do something
> this:
>
[...]
>
> However, forged addresses still pass, and I am getting this message in
> the logs:
>
> Sep 27 06:07:52 server postfix/cleanup[5578]: warning: unknown command
> in header_checks map: anti_spoofing
>
> Why isn't this working?

Because, as documented, header_checks (and the other built-in content
filtering in Postfix) does not support restrictions or restriction
classes as results of a pattern match.

> Could you please provide ideas on how to achieve what I want without
> using external tools or costly sender verification?

As I said above, you can do this by segregating inbound mail on port 25
from mail submission on port 465 and/or 587. Note that "sender
verification" as implemented in Postfix ONLY operates on the envelope
sender address, NOT on the address in the From header and is not
*authentication* so it would not do what you're trying to do.

If you want to allow exceptions to this policy (which some systems learn
that they need after deploying an absolute block) you will need to use a
more sophisticated external content filtering tool.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
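Bill's recommendation above, written out as a constructed Postfix configuration fragment. This is an added example, not Bill's configuration and not anything shipped by the Postfix project. It assumes Dovecot SASL, the domain mydomain.tld from Hugo's post, and the file paths shown; all of those are placeholders. The point it demonstrates is the one Hugo was missing: header_checks cannot be scoped through a restriction class, but it can be scoped per service, because every smtpd and pickup entry in master.cf may opt out of header/body checks with receive_override_options. Only the port 25 service then evaluates the From: rule; authenticated submission on 587/465 and local pickup do not.

```conf
# --- /etc/postfix/main.cf (constructed example; mydomain.tld is a placeholder) ---
# header_checks run in the cleanup server for every message, so the rule
# below would also hit local users' mail unless a service opts out.
header_checks = pcre:/etc/postfix/header_checks.pcre

# SASL for the submission services (Dovecot assumed; socket path is an assumption)
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

# --- /etc/postfix/header_checks.pcre (constructed) ---
# Reject any message whose From: header claims an internal address.
# Only services that do NOT set no_header_body_checks evaluate this.
/^From:.*@mydomain\.tld(>|\s|$)/  REJECT Internal sender address not accepted on this port

# --- /etc/postfix/master.cf (constructed; only the relevant services shown) ---
# Port 25: Internet-facing MTA. No AUTH here, and header_checks apply as-is.
smtp       inet  n  -  y  -  -  smtpd
  -o syslog_name=postfix/smtp25
  -o smtpd_sasl_auth_enable=no

# Port 587: authenticated submission over STARTTLS. The last -o line makes
# this service skip header/body_checks, so authenticated users are unaffected.
submission inet  n  -  y  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o receive_override_options=no_header_body_checks

# Port 465: same policy, but implicit TLS (wrapper mode) instead of STARTTLS.
smtps      inet  n  -  y  -  -  smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o receive_override_options=no_header_body_checks

# Local pickup (sendmail(1), cron, web apps on the host) also bypasses the check,
# so root@mydomain.tld cron output is not rejected by the port 25 rule.
pickup     unix  n  -  y  60  1  pickup
  -o receive_override_options=no_header_body_checks
```

After editing, `postconf -M` shows the per-service overrides and `postfix reload` applies them. Two caveats follow directly from Bill's reply: receive_override_options disables body_checks for those services as well, and anything that legitimately arrives on port 25 with an internal From: (mailing-list copies, forwarded mail, mail your users send through a third-party provider) is rejected too, which is the "exceptions" problem he says needs an external content filter. Internal devices that relay unauthenticated on port 25 would need their own listener with the same override, or, better, a submission account.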

Re: Prevent sender address spoofing

Hugo Florentino
On Fri, 27-09-2019 at 09:33 -0400, Bill Cole wrote:

> On 27 Sep 2019, at 7:06, Hugo Florentino wrote:
>
> > [...]
>
> The most important element in doing this is to separate mail submission
> from inbound SMTP mail. In 2019 there is no reasonable excuse for
> supporting submission via a port 25 SMTP server that also accepts mail
> from the Internet in general for local delivery. If you require your
> users to use a port 587 or 465 submission service instead, you don't
> need to make allowances for local submission on the main port 25
> service.

This is one thing I was hoping to avoid, because I intended to enable
authenticated access to port 25 through STARTTLS so that clients who
use portable devices can check mail wherever they are without having
to change ports constantly.

>
> > Since there is no check_data_access method, I tried to do something
> > this:
> >
> [...]
> >
> > Why isn't this working?
>
> Because, as documented, header_checks (and the other built-in content
> filtering in Postfix) does not support restrictions or restriction
> classes as results of a pattern match.
>

I see .. how unfortunate.

Anyway, thank you for your time and patience to explain.

Best regards, Hugo



Re: Prevent sender address spoofing

Viktor Dukhovni
On Fri, Sep 27, 2019 at 11:33:56AM -0400, Hugo Florentino wrote:

> > In 2019 there is no reasonable excuse for supporting submission via a port
> > 25 SMTP server that also accepts mail from the Internet in general for
> > local delivery. If you require your users to use a port 587 or 465
> > submission service instead, you don't need to make allowances for local
> > submission on the main port 25 service.
>
> This is one thing I was hoping to avoid, because I intended to enable
> authenticated access to port 25 through STARTTLS so that clients who
> use portable devices can check mail wherever they are without having
> to change ports constantly.

This makes no sense.  Portable devices use ports 587 or 465 with all
the other providers.  And there's no "change ports constantly", they
just use the same submission port.

Remote MTAs connect to port 25, submission clients (MUAs) connect
to port 587.

--
        Viktor.

Re: Prevent sender address spoofing

Bill Cole-3
In reply to this post by Hugo Florentino
On 27 Sep 2019, at 11:33, Hugo Florentino wrote:

> On Fri, 27-09-2019 at 09:33 -0400, Bill Cole wrote:
>> On 27 Sep 2019, at 7:06, Hugo Florentino wrote:
>>
>>> [...]
>>
>> The most important element in doing this is to separate mail submission
>> from inbound SMTP mail. In 2019 there is no reasonable excuse for
>> supporting submission via a port 25 SMTP server that also accepts mail
>> from the Internet in general for local delivery. If you require your
>> users to use a port 587 or 465 submission service instead, you don't
>> need to make allowances for local submission on the main port 25
>> service.
>
> This is one thing I was hoping to avoid, because I intended to enable
> authenticated access to port 25 through STARTTLS so that clients who
> use portable devices can check mail wherever they are without having
> to change ports constantly.

That sentence expresses 3 deep misunderstandings:

1. Authentication is not a function of STARTTLS, which is the SMTP
command used to initiate TLS encryption on an existing plaintext
session. The SMTP AUTH command is independent of TLS and is supported in
Postfix via an external SASL implementation (Cyrus or Dovecot.)

2. "Checking" mail is done with IMAP or POP and has nothing to do with
Postfix. As with SASL, the two most common software packages used in
conjunction with Postfix for accessing delivered mail are Cyrus and
Dovecot.

3. Segregating initial message submission (port 465 or 587) from SMTP
for transport (port 25) does not require users to change ports
constantly. If their client software fails to automatically determine
the proper port for submission, they only need to set it once.


--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Re: Prevent sender address spoofing

@lbutlr
In reply to this post by Hugo Florentino
On Sep 27, 2019, at 9:33 AM, Hugo Florentino <[hidden email]> wrote:
> This is one thing I was hoping to avoid, because I intended to enable
> authenticated access to port 25 through STARTTLS so that clients who
> use portable devices can check mail wherever they are without having
> to change ports constantly.

Huh?

There is no changing ports constantly, or at all for that matter.

There are experts here with decades of experience telling you not to use port 25 for submission. Listen to them.


--
For my birthday I got a humidifier and a de-humidifier... I put them in the same room and let them fight it out.


Re: Prevent sender address spoofing

Hugo Florentino
In reply to this post by Viktor Dukhovni
On Fri, 27-09-2019 at 12:22 -0400, Viktor Dukhovni wrote:
> [...]
>
> This makes no sense.  Portable devices use ports 587 or 465 with all
> the other providers.  And there's no "change ports constantly", they
> just use the same submission port.
>
> Remote MTAs connect to port 25, submission clients (MUAs) connect
> to port 587.
>

Suppose the ISP imposes restrictions so that the only port open, either for
SMTP or for submission, is TCP 25. What then?


Re: Prevent sender address spoofing

Hugo Florentino
In reply to this post by @lbutlr
On Sat, 28-09-2019 at 11:38 -0600, @lbutlr wrote:

> On Sep 27, 2019, at 9:33 AM, Hugo Florentino <[hidden email]>
> [...]
>
> There is no changing ports constantly, or at all for that matter.
>
> There are experts here with decades of experience telling you not to
> use port 25 for submission. Listen to them.

OK, fair enough. Let's see if the ISP is willing to allow access to the
submission port.

I still think it would be good if postfix provided a header_checks
which one could place in a specific order of evaluation within
restriction classes.

Best regards, Hugo


Re: Prevent sender address spoofing

Richard Damon
In reply to this post by Hugo Florentino
On 9/29/19 8:04 PM, Hugo Florentino wrote:

> On Fri, 27-09-2019 at 12:22 -0400, Viktor Dukhovni wrote:
>> [...]
>>
>> This makes no sense.  Portable devices use ports 587 or 465 with all
>> the other providers.  And there's no "change ports constantly", they
>> just use the same submission port.
>>
>> Remote MTAs connect to port 25, submission clients (MUAs) connect
>> to port 587.
>>
> Suppose the ISP imposes restrictions so that the only port open, either for
> SMTP or for submission, is TCP 25. What then?
>
>
If an ISP allows you to run a mail server but won't allow access to
587/465 then you need a new ISP with a clue.

Some ISPs will block OUTGOING port 25 to prevent you from being a
spammer, requiring you to use their SMTP server for outgoing SMTP
transport, but I haven't heard of one that blocks 587 or 465 unless they
don't allow you to run servers and just block most server ports.

--
Richard Damon


Re: Prevent sender address spoofing

Hugo Florentino
In reply to this post by Bill Cole-3
On Fri, 27-09-2019 at 09:33 -0400, Bill Cole wrote:
> [...]
>
> Because, as documented, header_checks (and the other built-in content
> filtering in Postfix) does not support restrictions or restriction
> classes as results of a pattern match.
>
>

Allow me to pose a slightly different scenario then, but still related
to my original doubt:

I separate smtp and submission, and prevent using my domain through
smtp. However, somehow someone's PC gets compromised and sends mail
modifying the From header in the data section.

Even if the envelope-from is not forged (using
reject_sender_login_mismatch and so), email clients often display only
the descriptive From.

Is there a way to prevent this forging of descriptive From using
postfix itself?

Best regards, Hugo



Re: Prevent sender address spoofing

lists@lazygranch.com
In reply to this post by Richard Damon
Port 465 was deprecated for email. Port 587 is the way to go.

The only email port I don't firewall on my server is 25.  On the rest of the email ports, I block all countries that I don't visit. In addition I use my 40k worth of CIDRs from hosting companies, VPSs, etc. that have hacked my web server. I don't block ISPs, as much as Comcast deserves to be blocked.

Firewalls do chew up RAM, but they use very little CPU. I believe you have a better server by blocking IP space that is just going to waste CPU cycles.






Re: Prevent sender address spoofing

Benny Pedersen-2
In reply to this post by Hugo Florentino
Hugo Florentino wrote on 2019-09-30 02:04:

> Suppose ISP imposes restrictions so the only port open either for SMTP
> or submission must be TCP 25. What then?

Then use Gmail; that ISP is clueless if that's the case of blocking MUA
client ports. I have only seen port 25 being blocked from dynamic IPs in
ISP firewalls; be happy if the ISP allows it :(

Re: Prevent sender address spoofing

Benny Pedersen-2
In reply to this post by lists@lazygranch.com
lists wrote on 2019-09-30 02:52:
> Port 465 was deprecated for email. Port 587 is the way to go.

This is false info.

Re: Prevent sender address spoofing

Viktor Dukhovni
On Mon, Sep 30, 2019 at 03:03:23AM +0200, Benny Pedersen wrote:

> lists wrote on 2019-09-30 02:52:
> > Port 465 was deprecated for email. Port 587 is the way to go.
>
> this is false info

Only in part.  Though Port 465 was reinstated by a recent RFC,
there's nothing wrong with 587, and it is more widely supported.
So the recommendation is sound, even if the supporting facts have
changed recently.

--
        Viktor.

Re: Prevent sender address spoofing

@lbutlr
In reply to this post by lists@lazygranch.com
On Sep 29, 2019, at 6:52 PM, lists <[hidden email]> wrote:
> Port 465 was deprecated for email.

Port 465 is defined in RFC 8314

<https://tools.ietf.org/html/rfc8314>

> Port 587 is the way to go.

Either one works, and they are a little different.

587 uses STARTTLS to begin the encrypting and therefore requires

smtpd_tls_security_level=encrypt

While 465 does not, and therefore requires

smtpd_tls_wrappermode=yes

>
> The only email port I don't firewall on my server is 25.  On the rest of the email ports, I block all countries that I don't visit. In addition I use my 40k worth of CIDRs from hosting companies, VPSs, etc. that have hacked my web server. I don't block ISPs, as much as Comcast deserves to be blocked.

I don't bother blocking large blocks of IPs on port 587 or 465; I let sshguard or fail2ban handle that.

Well, one exception is I do firewall on ALL ports (including port 25) all of Russia and China.



--
I WILL NOT FAKE RABIES Bart chalkboard Ep. 8F07


Re: Prevent sender address spoofing

Christos Chatzaras
In reply to this post by Hugo Florentino
>
> Allow me to pose a slightly different scenario then, but still related
> to my original doubt:
>
> I separate smtp and submission, and prevent using my domain through
> smtp. However, somehow someone's PC gets compromised and sends mail
> modifying the From header in the data section.
>
> Even if the envelope-from is not forged (using
> reject_sender_login_mismatch and so), email clients often display only
> the descriptive From.
>
> Is there a way to prevent this forging of descriptive From using
> postfix itself?
>
> Best regards, Hugo
>
>

Add this line to main.cf :

smtpd_sender_login_maps = hash:/usr/local/etc/postfix/smtpd_sender_login_maps

And then add to smtpd_sender_login_maps :

[hidden email] [hidden email]

Re: Prevent sender address spoofing

Matus UHLAR - fantomas
>> Allow me to pose a slightly different scenario then, but still related
>> to my original doubt:
>>
>> I separate smtp and submission, and prevent using my domain through
>> smtp. However, somehow someone's PC gets compromised and sends mail
>> modifying the From header in the data section.
>>
>> Even if the envelope-from is not forged (using
>> reject_sender_login_mismatch and so), email clients often display only
>> the descriptive From.
>>
>> Is there a way to prevent this forging of descriptive From using
>> postfix itself?

No. For checking the validity of the From: header, you must use an external
application.

On 30.09.19 11:40, Christos Chatzaras wrote:
>Add this line to main.cf :
>
>smtpd_sender_login_maps = hash:/usr/local/etc/postfix/smtpd_sender_login_maps
>
>And then add to smtpd_sender_login_maps :
>
>[hidden email] [hidden email]

This only validates envelope from headers according to SASL login names.
It's good to check, though.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*

Re: Prevent sender address spoofing

Christos Chatzaras

> On 30.09.19 11:40, Christos Chatzaras wrote:
>> Add this line to main.cf :
>>
>> smtpd_sender_login_maps = hash:/usr/local/etc/postfix/smtpd_sender_login_maps
>>
>> And then add to smtpd_sender_login_maps :
>>
>> [hidden email] [hidden email]
>
> This only validates envelope from headers according to SASL login names.
> It's good to check, though.
>

Many spammers using hacked accounts use a different "From" than the e-mail address. So it helps in this case.

Re: Prevent sender address spoofing

Matus UHLAR - fantomas
>> On 30.09.19 11:40, Christos Chatzaras wrote:
>>> Add this line to main.cf :
>>>
>>> smtpd_sender_login_maps = hash:/usr/local/etc/postfix/smtpd_sender_login_maps
>>>
>>> And then add to smtpd_sender_login_maps :
>>>
>>> [hidden email] [hidden email]
>>
>> This only validates envelope from headers according to SASL login names.
>> It's good to check, though.

On 30.09.19 14:12, Christos Chatzaras wrote:
>Many spammers using hacked accounts use different "From" than the e-mail address. So it helps in this case.

The problem is, people look at the header "From:".
smtpd_sender_login_maps does NOT look at the header "From:".

Rarely does someone notice they are different.
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Linux IS user friendly, it's just selective who its friends are...
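The envelope-sender check that Christos proposed and Matus qualified, written out as a constructed example so the two halves of the exchange are concrete. This is added here; it is not Christos's or Matus's configuration. The map file path, the logins and the addresses are placeholders, and the submission service lines are only the ones relevant to this check. The map says which SASL login may use which MAIL FROM address; reject_sender_login_mismatch on the submission service enforces it. Nothing in it reads the DATA section, so the header From: that users actually see is left exactly as Matus describes.

```conf
# --- /etc/postfix/sender_login_maps (constructed) ---
# Build the indexed file with: postmap hash:/etc/postfix/sender_login_maps
# Left column: envelope sender (MAIL FROM). Right column: SASL login(s) that own it.
# Comments must be on their own line; a trailing comment would become part of the value.
alice@mydomain.tld      alice
bob@mydomain.tld        bob
sales@mydomain.tld      alice, bob

# --- /etc/postfix/main.cf ---
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps

# --- /etc/postfix/master.cf, submission service (only the relevant lines) ---
# reject_sender_login_mismatch must come before permit_sasl_authenticated,
# otherwise an authenticated session is permitted before the ownership check runs.
submission inet  n  -  y  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

With this in place, a session authenticated as bob that issues MAIL FROM:<alice@mydomain.tld> is refused with "Sender address rejected: not owned by user bob", and an unauthenticated session claiming any listed address is refused with "not logged in". The same session authenticated as bob may still send MAIL FROM:<bob@mydomain.tld> and write From: alice@mydomain.tld in the message header; that header is never compared against the login, which is the gap Matus points at and the reason the thread lands on an external filter (a milter or content filter that reads the header) for that case.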

Re: Prevent sender address spoofing

@lbutlr
On Sep 30, 2019, at 5:29 AM, Matus UHLAR - fantomas <[hidden email]> wrote:
> rarely someone notices they are different.

And often there are perfectly legitimate reasons for them to be different.


--
showing snuffy is when Sesame Street jumped the shark
