Restricting From:

Micah Anderson-2

ehlo,

tl;dr: Is there really no way in postfix to restrict what "From" headers
a user may specify?

For outgoing mail, we would like to restrict the "From" header to match
the address users SASL authenticate with, or one configured as an alias
in their account. We have set up smtpd_sender_login_maps to use a SQL map
and configured smtpd_sender_restrictions to have the configuration
option reject_authenticated_sender_login_mismatch before
permit_sasl_authenticated. This works as expected.

However the problem is that the envelope "From" is being restricted, not
the header "From". Users must specify the correct SMTP "MAIL FROM:" but
are still able to provide a different "From:" value in the header of the
message provided in the DATA stage of the SMTP discussion. The postfix
option "reject_authenticated_sender_login_mismatch" only enforces the
envelope sender to be correct.

It doesn't appear that there is a postfix config option that will take
care of this. The only method of restricting the "From" header we have
found is through a milter (e.g. https://github.com/magcks/milterfrom.git)
which compares the envelope sender with the sender specified in the mail
header for authenticated users, thus ensuring that the sender specified
in the header matches the envelope sender.

It strikes me as odd that there is no way to do this in postfix, and
that the only solution seems to be a milter that someone wrote only a
couple months ago. I would have expected people to have solved this
problem a long time ago, which makes me wonder -- am I doing this right,
or missing something? In particular, it doesn't make sense to enable
DKIM signing of the "From" header without strongly verifying that the
user has permission to use that address.

On a related note, because I am specifying a SQL table for the
smtpd_sender_login_maps, I configured it using proxy:mysql, which meant
I had to override proxy_read_maps to allow that. It is unclear to me the
risks of adding something to proxy_read_maps and am looking for more
clarity on what exactly this does. Documentation simply states, "The
lookup tables that the proxymap(8) server is allowed to access for the
read-only service", are there security concerns or other trade-offs with
adding lookup tables to do this?

thanks,
micah
Re: Restricting From:

Richard James Salts
On Monday, 30 October 2017 7:52:05 PM AEDT micah anderson wrote:

> ehlo,
>
> tl;dr: Is there really no way in postfix to restrict what "From" headers
> a user may specify?
>
> For outgoing mail, we would like to restrict the "From" header to match
> the address users SASL authenticate with, or one configured as an alias
> in their account. We have set up smtpd_sender_login_maps to use a SQL map
> and configured smtpd_sender_restrictions to have the configuration
> option reject_authenticated_sender_login_mismatch before
> permit_sasl_authenticated. This works as expected.
>
> However the problem is that the envelope "From" is being restricted, not
> the header "From". Users must specify the correct SMTP "MAIL FROM:" but
> are still able to provide a different "From:" value in the header of the
> message provided in the DATA stage of the SMTP discussion. The postfix
> option "reject_authenticated_sender_login_mismatch" only enforces the
> envelope sender to be correct.
>
> It doesn't appear that there is a postfix config option that will take
> care of this. The only method of restricting the "From" header we have
> found is through a milter (e.g. https://github.com/magcks/milterfrom.git)
> which compares the envelope sender with the sender specified in the mail
> header for authenticated users, thus ensuring that the sender specified
> in the header matches the envelope sender.
>
> It strikes me as odd that there is no way to do this in postfix, and
> that the only solution seems to be a milter that someone wrote only a
> couple months ago. I would have expected people to have solved this
> problem a long time ago, which makes me wonder -- am I doing this right,
> or missing something? In particular, it doesn't make sense to enable
> DKIM signing of the "From" header without strongly verifying that the
> user has permission to use that address.

A milter is the right way. Postfix does implement header_checks, which can
inspect the From header; however, it looks like they only support the regexp
and pcre table types, so they might not be useful. It's also inconvenient because
these checks won't deal with multiple forms, such as different encodings, and
can only process one header at a time.

>
> On a related note, because I am specifying a SQL table for the
> smtpd_sender_login_maps, I configured it using proxy:mysql, which meant
> I had to override proxy_read_maps to allow that. It is unclear to me the
> risks of adding something to proxy_read_maps and am looking for more
> clarity on what exactly this does. Documentation simply states, "The
> lookup tables that the proxymap(8) server is allowed to access for the
> read-only service", are there security concerns or other trade-offs with
> adding lookup tables to do this?
>
> thanks,
> micah
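
To make the gap between the two checks concrete, here is an added example
(not code from this thread, from Postfix, or from the milterfrom project)
of the decision a header-From milter would take at end-of-message, next to
the envelope decision that reject_authenticated_sender_login_mismatch
already makes. The OWNERS dict is constructed sample data standing in for
the SQL smtpd_sender_login_maps table (address -> logins allowed to use
it); in a real milter the login would come from the {auth_authen} macro,
which Postfix passes in the default milter_mail_macros. It also handles
the cases header_checks cannot: an RFC 2047 encoded display name, group
syntax, and a message carrying two From: headers. Lookups are exact
address only; Postfix's additional domain and localpart lookup keys, and
its special handling of the null sender, are left out.

```python
"""Envelope-sender vs header-From checks for an authenticated submission.

Constructed example: the OWNERS table, addresses and messages are sample
data; the logic mirrors what a From-header milter has to decide."""
import email
import email.policy
from collections import namedtuple

Verdict = namedtuple("Verdict", "accepted reason")

# Stand-in for smtpd_sender_login_maps (assumption: a real deployment
# queries SQL/LDAP). Maps an address to the SASL logins that own it.
OWNERS = {
    "alice@example.org": {"alice@example.org"},
    "sales@example.org": {"alice@example.org", "bob@example.org"},  # shared alias
    "ceo@example.org":   {"ceo@example.org"},
}


def owns(login, address, owners=OWNERS):
    """True if `login` may send as `address` (exact, case-folded lookup)."""
    return login.lower() in {o.lower() for o in owners.get(address.lower(), ())}


def check_envelope(login, mail_from, owners=OWNERS):
    """What reject_authenticated_sender_login_mismatch enforces: the MAIL FROM
    address must be owned by the SASL login; an address without an owner
    entry is rejected for an authenticated client."""
    if owns(login, mail_from, owners):
        return Verdict(True, "envelope sender owned by login")
    return Verdict(False, f"MAIL FROM <{mail_from}> not owned by {login}")


def header_from_addresses(raw_message):
    """Collect every addr-spec from the From: header with RFC 2047 display
    names decoded and groups flattened. Returns (addresses, problem); problem
    is a reason string when the header is missing, duplicated or malformed."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    headers = msg.get_all("From", [])
    if not headers:
        return [], "no From: header"
    if len(headers) > 1:  # header_checks would see these one at a time
        return [], f"{len(headers)} From: headers present"
    hdr = headers[0]
    if hdr.defects:
        return [], "malformed From: header: " + "; ".join(str(d) for d in hdr.defects)
    addrs = [a.addr_spec for a in hdr.addresses]  # groups are flattened here
    if not addrs or any("@" not in a for a in addrs):
        return [], "From: header carries no usable address"
    return addrs, None


def check_header_from(login, raw_message, owners=OWNERS):
    """The milter's end-of-message decision: every address in From: must be
    owned by the login (assumption: login taken from the {auth_authen} macro)."""
    addrs, problem = header_from_addresses(raw_message)
    if problem:
        return Verdict(False, problem)
    bad = [a for a in addrs if not owns(login, a, owners)]
    if bad:
        return Verdict(False, "From: address(es) not owned by login: " + ", ".join(bad))
    return Verdict(True, "header From owned by login")


def check_submission(login, mail_from, raw_message, owners=OWNERS):
    """Envelope gate first (what Postfix alone does), then the header gate."""
    verdict = check_envelope(login, mail_from, owners)
    if not verdict.accepted:
        return verdict
    return check_header_from(login, raw_message, owners)


# Constructed DATA payloads: same correct envelope, different header From.
LEGIT = b"From: Alice <alice@example.org>\r\nTo: x@example.net\r\nSubject: hi\r\n\r\nbody\r\n"
SPOOF = (b"From: =?UTF-8?Q?The_CEO?= <ceo@example.org>\r\n"
         b"To: x@example.net\r\nSubject: urgent\r\n\r\nwire money\r\n")

if __name__ == "__main__":
    for raw in (LEGIT, SPOOF):
        print(check_envelope("alice@example.org", "alice@example.org"),
              check_header_from("alice@example.org", raw))
```

Run stand-alone, the script shows the point of the thread: the envelope
check accepts both messages because MAIL FROM is alice's own address, while
only the header check rejects the second one, whose From: names ceo@example.org
behind an encoded display name. The rejection of a message with two From:
headers is deliberate; a signer or receiver that picks a different one of the
two than your check did would otherwise undo the whole control.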


Re: Restricting From:

Wietse Venema
> On a related note, because I am specifying a SQL table for the
> smtpd_sender_login_maps, I configured it using proxy:mysql, which meant
> I had to override proxy_read_maps to allow that. It is unclear to me the
> risks of adding something to proxy_read_maps and am looking for more
> clarity on what exactly this does. Documentation simply states, "The
> lookup tables that the proxymap(8) server is allowed to access for the
> read-only service", are there security concerns or other trade-offs with
> adding lookup tables to do this?

I think that adding smtpd_sender_login_maps should be safe.
Unfortunately there is no 'allow only maps specified in main.cf or
master.cf' feature (it would be incomplete, just like the default
proxymap setting is incomplete today).

        Wietse