Question on Relay Host conf

Question on Relay Host conf

Ozy Mate
Dear Friends,

I have signed up with a 3rd party smtp server as relay host. This server needs the following lines in the main.cf of our server instead of relayhost direction:

smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

This is working fine. However, all the senders/domains not listed in sender_relay file are still able to send emails directly from our email server. How can I block this? I mean sender not listed in sender_relay file should not be able to send any email from our Postfix server.

Thanks.


Re: Question on Relay Host conf

LuKreme


> On 7 Mar 2019, at 20:52, Ozy Mate <[hidden email]> wrote:
>
> Dear Friends,
>
> I have signed up with a 3rd party smtp server as relay host. This server needs the following lines in the main.cf of our server instead of relayhost direction:
>
> smtp_sender_dependent_authentication = yes
> sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
> smtp_sasl_auth_enable = yes
> smtp_sasl_security_options = noanonymous
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
>
> This is working fine. However, all the senders/domains not listed in sender_relay file are still able to send emails directly from our email server. How can I block this? I mean sender not listed in sender_relay file should not be able to send any email from our Postfix server.

Nothing that you posted would indicate you've taken steps to prevent this.

sender_dependent_relayhost_maps is just what it says, sender_dependent, so it only applies to the senders you've specified.

What have you done for the rest of the senders?

--
Far away, across the fields, the tolling of the iron bell calls the
faithful to their knees to hear the softly spoken magic spells.


Re: Question on Relay Host conf

Wietse Venema
In reply to this post by Ozy Mate
Ozy Mate:

> Dear Friends,
>
> I have signed up with a 3rd party smtp server as relay host. This server
> needs the following lines in the main.cf of our server instead of relayhost
> direction:
>
> smtp_sender_dependent_authentication = yes
> sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
> smtp_sasl_auth_enable = yes
> smtp_sasl_security_options = noanonymous
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
>
> This is working fine. However, all the senders/domains not listed in
> sender_relay file are still able to send emails directly from our email
> server. How can I block this? I mean sender not listed in sender_relay file
> should not be able to send any email from our Postfix server.

That's easy enough, use sender_dependent_default_transport_maps,
and a default transport that returns mail as undeliverable.

/etc/postfix/main.cf:
    sender_dependent_default_transport_maps = hash:/etc/postfix/sender_relay
    default_transport = error:5.7.1 sender is not authorized

/etc/postfix/sender_relay:
    # sender          transport:nexthop
    [hidden email] smtp:relay-for-user-1.example
    [hidden email] smtp:relay-for-user-2.example

        Wietse



Re: Question on Relay Host conf

Ozy Mate
In reply to this post by LuKreme
I haven't taken any step to prevent this as I don't know what to do.
Hence, I am asking about it.

I would appreciate if you direct me in the right direction to prevent
all the others not listed in sender_dependent_relayhost_maps.


On 8.03.2019 15:41, @lbutlr wrote:

>
>> On 7 Mar 2019, at 20:52, Ozy Mate <[hidden email]> wrote:
>>
>> Dear Friends,
>>
>> I have signed up with a 3rd party smtp server as relay host. This server needs the following lines in the main.cf of our server instead of relayhost direction:
>>
>> smtp_sender_dependent_authentication = yes
>> sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
>> smtp_sasl_auth_enable = yes
>> smtp_sasl_security_options = noanonymous
>> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
>>
>> This is working fine. However, all the senders/domains not listed in sender_relay file are still able to send emails directly from our email server. How can I block this? I mean sender not listed in sender_relay file should not be able to send any email from our Postfix server.
> Nothing that you posted would indicate you've taken steps to prevent this.
>
> sender_dependent_relayhost_maps is just what it says, sender_dependent, so it only applies to the senders you've specified.
>
> What have you done for the rest of the senders?
>

Re: Question on Relay Host conf

Ozy Mate
In reply to this post by Wietse Venema
On 8.03.2019 18:01, Wietse Venema wrote:

> Ozy Mate:
>> Dear Friends,
>>
>> I have signed up with a 3rd party smtp server as relay host. This server
>> needs the following lines in the main.cf of our server instead of relayhost
>> direction:
>>
>> smtp_sender_dependent_authentication = yes
>> sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
>> smtp_sasl_auth_enable = yes
>> smtp_sasl_security_options = noanonymous
>> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
>>
>> This is working fine. However, all the senders/domains not listed in
>> sender_relay file are still able to send emails directly from our email
>> server. How can I block this? I mean sender not listed in sender_relay file
>> should not be able to send any email from our Postfix server.
> That's easy enough, use sender_dependent_default_transport_maps,
> and a default transport that returns mail as undeliverable.
>
> /etc/postfix/main.cf:
>      sender_dependent_default_transport_maps = hash:/etc/postfix/sender_relay
>      default_transport = error:5.7.1 sender is not authorized
>
> /etc/postfix/sender_relay:
>      # sender          transport:nexthop
>      [hidden email] smtp:relay-for-user-1.example
>      [hidden email] smtp:relay-for-user-2.example
>
> Wietse
>
Easy for you, Wietse, not for me. I'll try and report back.

Thank you very much.


Re: Question on Relay Host conf

Viktor Dukhovni

> That's easy enough, use sender_dependent_default_transport_maps,
> and a default transport that returns mail as undeliverable.
>
> /etc/postfix/main.cf:
>     sender_dependent_default_transport_maps = hash:/etc/postfix/sender_relay
>     default_transport = error:5.7.1 sender is not authorized
>
> /etc/postfix/sender_relay:
>     # sender          transport:nexthop
>     [hidden email] smtp:relay-for-user-1.example
>     [hidden email] smtp:relay-for-user-2.example


This could perhaps need some additional configuration to be able
to send bounces.  Though if the relay has stringent per sender
logins (is really an MSA with sender<->login enforcement, not a
relay MTA), it may not be possible to send bounces.  You may
want to configure working double-bounce delivery, just in case.

--
        Viktor.


Re: Question on Relay Host conf

Wietse Venema
Viktor Dukhovni:

>
> > That's easy enough, use sender_dependent_default_transport_maps,
> > and a default transport that returns mail as undeliverable.
> >
> > /etc/postfix/main.cf:
> >     sender_dependent_default_transport_maps = hash:/etc/postfix/sender_relay
> >     default_transport = error:5.7.1 sender is not authorized
> >
> > /etc/postfix/sender_relay:
> >     # sender          transport:nexthop
> >     [hidden email] smtp:relay-for-user-1.example
> >     [hidden email] smtp:relay-for-user-2.example
>
>
> This could perhaps need some additional configuration to be able
> to send bounces.  Though if the relay has stringent per sender
> logins (is really an MSA with sender<->login enforcement, not a
> relay MTA), it may not be possible to send bounces.  You may
> want to configure working double-bounce delivery, just in case.

Perhaps sender_dependent_default_transport_maps uses the same
null-sender lookup mechanism as other mappings. For example the
transport map has this note:

 Note 1: the null recipient address is looked up as
 $empty_address_recipient@$myhostname (default: mailer-daemon@hostname).

        Wietse


Re: Question on Relay Host conf

Viktor Dukhovni
> On Mar 8, 2019, at 11:02 AM, Wietse Venema <[hidden email]> wrote:
>
> Perhaps sender_dependent_default_transport_maps uses the same
> null-sender lookup mechanism as other mappings. For example the
> transport map has this note:
>
> Note 1: the null recipient address is looked up as
> $empty_address_recipient@$myhostname (default: mailer-daemon@hostname).

Yes, it looks like it is.

My concern was more about the OP's relay, it may simply refuse all bounces.
In which case the OP may want to configure a suitable double-bounce sender,
and test that double-bounce delivery works.

--
        Viktor.


Re: Question on Relay Host conf

Ozy Mate
On 8.03.2019 19:15, Viktor Dukhovni wrote:

>> On Mar 8, 2019, at 11:02 AM, Wietse Venema <[hidden email]> wrote:
>>
>> Perhaps sender_dependent_default_transport_maps uses the same
>> null-sender lookup mechanism as other mappings. For example the
>> transport map has this note:
>>
>> Note 1: the null recipient address is looked up as
>> $empty_address_recipient@$myhostname (default: mailer-daemon@hostname).
> Yes, it looks like it is.
>
> My concern was more about the OP's relay, it may simply refuse all bounces.
> In which case the OP may want to configure a suitable double-bounce sender,
> and test that double-bounce delivery works.
>
Actually, I have a problem which I am trying to solve. I have a server
with Postfix and Apache with a few WordPress websites. The 3rd party
smtp relay provider complains that there are some non-validated emails
coming to their server from my server. I have checked my maillog and
found that every now and then my server is trying to send mail from my
server. These mails originate from Apache through (I think) php mail.
Obviously, my server is compromised. I upgraded all the WordPress
instances and plugins. And removed plugins not needed. But, still my
server sends some mails to relay host.

Hoping to solve this problem, I wanted to block all the sender emails
not defined in sender_relay table. I will do what you advised here. But,
I know that this will also block apache sender eventually. In this case,
I will have another problem in my lap. Contact forms on my websites and
reporting emails generated by the server will stop working.

I don't know what to do. I would appreciate any advice from you.

Thanks.


Re: Question on Relay Host conf

Ralph Seichter-2
* sse:

> Obviously, my server is compromised.

Are you really certain of that? If you are, I suggest you do a full wipe
of your server. Meddling with the Postfix configuration to prevent email
being sent does nothing to address a compromised server.

-Ralph

Re: Question on Relay Host conf

LuKreme
In reply to this post by Ozy Mate
On Mar 8, 2019, at 10:00, sse450 <[hidden email]> wrote:
> These mails originate from Apache through (I think) php mail. Obviously, my server is compromised.

Not obvious at all, no. But the php script to send mail to users may not be properly configured for your new settings. It should be set up to use submission with authentication.

But that has nothing to do with postfix.

--
My main job is trying to come up with new and innovative and effective ways to reject even more mail. I'm up to about 97% now.


Re: Question on Relay Host conf

Viktor Dukhovni
In reply to this post by Ozy Mate
On Fri, Mar 08, 2019 at 08:00:47PM +0300, sse450 wrote:

> Hoping to solve this problem, I wanted to block all the sender emails
> not defined in sender_relay table. I will do what you advised here. But,
> I know that this will also block apache sender eventually. In this case,
> I will have another problem in my lap. Contact forms on my websites and
> reporting emails generated by the server will stop working.
>
> I don't know what to do. I would appreciate any advice from you.

Perhaps a classic case of "XY Problem".  Compromised PHP scripts
and the like would typically inject email via local submission, and
it is easier to disallow all local submission by the web server
user (wwwdata or similar) than to make ad-hoc work-arounds in how
you forward to your relay.

Something along the lines of:

    authorized_submit_users = !wwwdata, static:all

And of course you need to check your logs to see how the unauthorized
email messages enter the Postfix queue.  Is it via "pickup" (local
submission) or SMTP?  In the latter case you could also deny email
from your own IP addresses, including the loopback address.

Since your problem is not trying to squeeze outbound email out
through an MSA, but is instead an issue of unauthorized submission,
(or perhaps a compromised SASL account, ...).  The solution is to
stop it entering the queue, not ad-hoc kludges in the output
processing.

--
        Viktor.
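
The log check suggested in the message above (does the unwanted mail enter the queue via "pickup" or via SMTP?), as an added example that is not part of the original thread. The log lines are constructed samples in the usual Postfix syslog layout; the function names and the web server uid of 33 are assumptions.

```python
import ipaddress
import re

# Constructed sample lines in the usual Postfix syslog layout (not from the thread).
SAMPLE_LOG = """\
Mar  8 10:00:01 web1 postfix/pickup[2101]: 3A1B2C4D5E: uid=33 from=<www-data>
Mar  8 10:00:01 web1 postfix/cleanup[2105]: 3A1B2C4D5E: message-id=<20190308100001.3A1B2C4D5E@web1.example>
Mar  8 10:00:01 web1 postfix/qmgr[990]: 3A1B2C4D5E: from=<www-data@web1.example>, size=812, nrcpt=1 (queue active)
Mar  8 10:02:10 web1 postfix/smtpd[2140]: 7F6E5D4C3B: client=localhost[127.0.0.1]
Mar  8 10:02:10 web1 postfix/qmgr[990]: 7F6E5D4C3B: from=<form@site.example>, size=1500, nrcpt=1 (queue active)
Mar  8 10:05:42 web1 postfix/smtpd[2177]: 9C8B7A6F5E: client=unknown[192.0.2.44], sasl_method=PLAIN, sasl_username=user1@site.example
Mar  8 10:05:43 web1 postfix/qmgr[990]: 9C8B7A6F5E: from=<user1@site.example>, size=2048, nrcpt=2 (queue active)
"""

PICKUP = re.compile(r"postfix/pickup\[\d+\]: (\w+): uid=(\d+) from=<([^>]*)>")
SMTPD = re.compile(r"postfix/(?:\w+/)?smtpd\[\d+\]: (\w+): client=[^\[]*\[([^\]]+)\]"
                   r"(?:, sasl_method=[^,]+, sasl_username=(\S+))?")
QMGR = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")


def trace_entry(log_text):
    """Map each queue ID to how the message entered the queue and its envelope sender."""
    entries = {}
    for line in log_text.splitlines():
        if m := PICKUP.search(line):
            entries[m[1]] = {"path": "pickup", "uid": int(m[2]), "sender": m[3]}
        elif m := SMTPD.search(line):
            entries[m[1]] = {"path": "smtp", "client_ip": m[2], "sasl_user": m[3], "sender": None}
        elif (m := QMGR.search(line)) and m[1] in entries:
            entries[m[1]]["sender"] = m[2]  # envelope sender as queued (after rewriting)
    return entries


def suspicious(entries, web_uid=33):
    """Queue IDs from the web server uid (33 is an assumption) or unauthenticated loopback SMTP."""
    hits = []
    for qid, e in entries.items():
        if e["path"] == "pickup" and e["uid"] == web_uid:
            hits.append((qid, "local submission by web uid", e["sender"]))
        elif (e["path"] == "smtp" and e["sasl_user"] is None
              and ipaddress.ip_address(e["client_ip"]).is_loopback):
            hits.append((qid, "unauthenticated loopback SMTP", e["sender"]))
    return hits


if __name__ == "__main__":
    for qid, reason, sender in suspicious(trace_entry(SAMPLE_LOG)):
        print(f"{qid}  {reason}  from=<{sender}>")
```

Pickup entries with the web server's uid point at local submission, which authorized_submit_users can restrict; loopback SMTP entries without a SASL login point at a script talking to port 25 on the same host.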

Re: Question on Relay Host conf

Ozy Mate

On 9.03.2019 03:50, Viktor Dukhovni wrote:

> On Fri, Mar 08, 2019 at 08:00:47PM +0300, sse450 wrote:
>
>> Hoping to solve this problem, I wanted to block all the sender emails
>> not defined in sender_relay table. I will do what you advised here. But,
>> I know that this will also block apache sender eventually. In this case,
>> I will have another problem in my lap. Contact forms on my websites and
>> reporting emails generated by the server will stop working.
>>
>> I don't know what to do. I would appreciate any advice from you.
> Perhaps a classic case of "XY Problem".  Compromised PHP scripts
> and the like would typically inject email via local submission, and
> it is easier to disallow all local submission by the web server
> user (wwwdata or similar) than to make ad-hoc work-arounds in how
> you forward to your relay.
>
> Something along the lines of:
>
>      authorized_submit_users = !wwwdata, static:all
>
> And of course you need to check your logs to see how the unauthorized
> email messages enter the Postfix queue.  Is it via "pickup" (local
> submission) or SMTP?  In the latter case you could also deny email
> from your own IP addresses, including the loopback address.
>
> Since your problem is not trying to squeeze outbound email out
> through an MSA, but is instead an issue of unauthorized submission,
> (or perhaps a compromised SASL account, ...).  The solution is to
> stop it entering the queue, not ad-hoc kludges in the output
> processing.

I found the culprit. The guy who designed one of the websites left his
own email as recipient of the contact form. Someone legitimate from the
internet who fills the form and sends creates a mess. Destination is a
hotmail address, reply-to is the person who fills the form and our
domain is something else. Then, smtp relay host complains. Corrected and
much relieved now.

Thank you all who helped me and directed to the correct way of problem
finding.

All the best.