Restricting submission to legitimate account name only

Restricting submission to legitimate account name only

Alex Regan
Hi,
I have a postfix-3.1.4 system with a few hundred people using the
submission service. One of the accounts was recently compromised, and
started sending mail as fake users in the same domain. How can I
prevent this?

In other words, if the sasl_username is alice, I'd like to restrict
the envelope sender and From address to only legitimate accounts
belonging to that sasl user.

Feb 18 03:50:12 email1 postfix/submission/smtpd[16511]: 2B76FA3D19CBD:
client=unknown[195.228.173.187], sasl_method=PLAIN, sasl_username=alice
Feb 18 03:50:12 email1 postfix/qmgr[5576]: 2B76FA3D19CBD:
from=<[hidden email]>, size=836, nrcpt=2 (queue active)
Feb 18 03:50:12 email1 postfix/cleanup[13987]: 2B76FA3D19CBD:
message-id=<[hidden email]>
Feb 18 03:50:13 email1 postfix/smtp[16254]: 2B76FA3D19CBD:
to=<[hidden email]>,
relay=aspmx.l.google.com[74.125.29.27]:25, delay=1.2,
delays=0.47/0/0.24/0.49, dsn=2.0.0, status=sent (250 2.0.0 OK
1518943813 o21si7120882qtc.256 - gsmtp)

I have the following configuration relating to submission:

submission_overrides = no_unknown_recipient_checks, no_header_body_checks

submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o receive_override_options=$submission_overrides
  -o syslog_name=postfix/submission

Are there other changes I should make to limit or prevent this type of
account abuse?

Re: Restricting submission to legitimate account name only

Wietse Venema
Alex:
> Hi,
> I have a postfix-3.1.4 system with a few hundred people using the
> submission service. One of the accounts was recently compromised, and
> started sending mail as fake users in the same domain. How can I
> prevent this?

See:
http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps

And use one of:
http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch
http://www.postfix.org/postconf.5.html#reject_authenticated_sender_login_mismatch
http://www.postfix.org/postconf.5.html#reject_unauthenticated_sender_login_mismatch
http://www.postfix.org/postconf.5.html#reject_known_sender_login_mismatch

Features like this multiply like rabbits.

To rate-limit a compromised client, see http://www.postfwd.org.

        Wietse

Re: Restricting submission to legitimate account name only

Alex Regan
Hi,

On Mon, Feb 19, 2018 at 11:42 AM, Wietse Venema <[hidden email]> wrote:

> Alex:
>> Hi,
>> I have a postfix-3.1.4 system with a few hundred people using the
>> submission service. One of the accounts was recently compromised, and
>> started sending mail as fake users in the same domain. How can I
>> prevent this?
>
> See:
> http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps
>
> And use one of:
> http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch
> http://www.postfix.org/postconf.5.html#reject_authenticated_sender_login_mismatch
> http://www.postfix.org/postconf.5.html#reject_unauthenticated_sender_login_mismatch
> http://www.postfix.org/postconf.5.html#reject_known_sender_login_mismatch

Is an unauthenticated client one that simply has not logged in successfully?

Would I be safest by just starting with reject_sender_login_mismatch?
Guidance on which restriction should be used would be appreciated.

I was thinking I would just modify the script that is used to add new
users to also now add to this smtpd_sender_login_maps then rebuild the
hash. Does that sound correct?

smtpd_sender_restrictions = reject_sender_login_mismatch
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps

/etc/postfix/sender_login_maps
[hidden email], [hidden email], [hidden email]

Re: Restricting submission to legitimate account name only

Alex Regan
Hi,

On Mon, Feb 19, 2018 at 12:08 PM, Alex <[hidden email]> wrote:

> Hi,
>
> On Mon, Feb 19, 2018 at 11:42 AM, Wietse Venema <[hidden email]> wrote:
>> Alex:
>>> Hi,
>>> I have a postfix-3.1.4 system with a few hundred people using the
>>> submission service. One of the accounts was recently compromised, and
>>> started sending mail as fake users in the same domain. How can I
>>> prevent this?
>>
>> See:
>> http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps
>>
>> And use one of:
>> http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch
>> http://www.postfix.org/postconf.5.html#reject_authenticated_sender_login_mismatch
>> http://www.postfix.org/postconf.5.html#reject_unauthenticated_sender_login_mismatch
>> http://www.postfix.org/postconf.5.html#reject_known_sender_login_mismatch
>
> Is an unauthenticated client one that simply has not logged in successfully?
>
> Would I be safest by just starting with reject_sender_login_mismatch?
> Guidance on which restriction should be used would be appreciated.
>
> I was thinking I would just modify the script that is used to add new
> users to also now add to this smtpd_sender_login_maps then rebuild the
> hash. Does that sound correct?
>
> smtpd_sender_restrictions = reject_sender_login_mismatch
> smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps
>
> /etc/postfix/sender_login_maps
> [hidden email], [hidden email], [hidden email]

I've done a test using the settings provided above and realized some
authenticated users are using their gmail account to send mail through
this system

Feb 19 12:45:34 email1 postfix/submission/smtpd[2257]: NOQUEUE:
reject: RCPT from unknown[65.158.206.234]: 553 5.7.1
<[hidden email]>: Sender address rejected: not owned by user
user1; from=<[hidden email]> to=<[hidden email]> proto=ESMTP
helo=<Frontdesk>

I also tried a test with a list of every account from /etc/passwd with
the domain added as a comma-separated list in a hash of
/etc/postfix/sender_login_maps:

Feb 19 12:35:59 email1 postfix/submission/smtpd[29141]: NOQUEUE:
reject: RCPT from
107-131-33-27.lightspeed.sntcca.sbcglobal.net[107.131.33.27]: 553
5.7.1 <[hidden email]>: Sender address rejected: not owned by
user user1; from=<[hidden email]> to=<[hidden email]>
proto=ESMTP helo=<server>

Re: Restricting submission to legitimate account name only

Wietse Venema
Alex:

> Hi,
>
> On Mon, Feb 19, 2018 at 12:08 PM, Alex <[hidden email]> wrote:
> > Hi,
> >
> > On Mon, Feb 19, 2018 at 11:42 AM, Wietse Venema <[hidden email]> wrote:
> >> Alex:
> >>> Hi,
> >>> I have a postfix-3.1.4 system with a few hundred people using the
> >>> submission service. One of the accounts was recently compromised, and
> >>> started sending mail as fake users in the same domain. How can I
> >>> prevent this?
> >>
> >> See:
> >> http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps
> >>
> >> And use one of:
> >> http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch
> >> http://www.postfix.org/postconf.5.html#reject_authenticated_sender_login_mismatch

Maybe try the second one instead of the first one?

        Wietse
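An added example, not code from the thread or from Postfix itself, that models what the four restrictions Wietse lists do with a smtpd_sender_login_maps table, following the behaviour postconf(5) documents: an indexed table is searched for user@domain, then user, then @domain, and the value is the list of SASL login names that own the address. It reproduces the two outcomes seen so far in the thread: a login using a colleague's address is rejected, and a login whose MUA sends with a gmail From address is rejected by reject_authenticated_sender_login_mismatch but passed by reject_known_sender_login_mismatch. The table contents, the login names and the case-insensitive owner comparison are this model's assumptions.

```python
"""Model of Postfix's sender-login mismatch restrictions.

Added example, not Postfix source code.  It follows the behaviour postconf(5)
documents for smtpd_sender_login_maps and the four reject_*sender_login_mismatch
restrictions; the table below and the SASL names are constructed.
"""
from typing import Dict, Optional

# Constructed smtpd_sender_login_maps content.  For an indexed table postconf(5)
# searches, in order: "user@domain", then "user", then "@domain".  The value is
# a comma- or space-separated list of SASL login names that own the address.
SENDER_LOGIN_MAPS: Dict[str, str] = {
    "alice@example.com":  "alice",
    "sales@example.com":  "alice, bob",   # shared address, two owners
    "@lists.example.com": "listadmin",    # whole domain owned by one login
    "postmaster":         "alice",        # local-part match, any domain
}

REJECT, DUNNO = "REJECT", "DUNNO"


def lookup_owners(sender: str, table: Dict[str, str]) -> Optional[str]:
    """First match in the documented search order, or None if unknown."""
    sender = sender.lower()
    if "@" not in sender:
        return table.get(sender)
    local, domain = sender.rsplit("@", 1)
    for key in (sender, local, "@" + domain):
        if key in table:
            return table[key]
    return None


def login_owns(sasl_username: Optional[str], owners: Optional[str]) -> bool:
    """True if the SASL login name is one of the listed owners.  The
    comparison is case-insensitive here; that is this model's assumption."""
    if sasl_username is None or not owners:
        return False
    names = owners.replace(",", " ").split()
    return sasl_username.lower() in (n.lower() for n in names)


def check(restriction: str, sender: str, sasl_username: Optional[str],
          table: Dict[str, str] = SENDER_LOGIN_MAPS) -> str:
    """Return REJECT, or DUNNO to fall through to the next restriction.
    sasl_username is None for a client that did not authenticate."""
    owners = lookup_owners(sender, table)
    if restriction == "reject_known_sender_login_mismatch" and owners is None:
        return DUNNO                      # unknown address: check does not apply
    if sasl_username is not None:
        if restriction == "reject_unauthenticated_sender_login_mismatch":
            return DUNNO
        # "not owned by user": also true when the sender has no owner at all,
        # which is why an empty table rejects every authenticated MAIL FROM
        return DUNNO if login_owns(sasl_username, owners) else REJECT
    if restriction == "reject_authenticated_sender_login_mismatch":
        return DUNNO
    # unauthenticated client using an address that has an owner
    return REJECT if owners else DUNNO


ALL = ("reject_sender_login_mismatch",
       "reject_authenticated_sender_login_mismatch",
       "reject_unauthenticated_sender_login_mismatch",
       "reject_known_sender_login_mismatch")


def compare(sender: str, sasl_username: Optional[str]) -> Dict[str, str]:
    """Verdict of each of the four restrictions for one MAIL FROM."""
    return {r: check(r, sender, sasl_username) for r in ALL}


if __name__ == "__main__":
    # Scenarios from the thread: the compromised account "alice" forging a
    # colleague, alice using her own address, a user whose MUA sends with a
    # gmail From address through this server, and an unauthenticated client.
    for sender, login in [("bob@example.com", "alice"),
                          ("alice@example.com", "alice"),
                          ("alice.personal@gmail.com", "alice"),
                          ("alice@example.com", None)]:
        print(f"{sender:28} login={login}")
        for r, v in compare(sender, login).items():
            print(f"    {r:46} {v}")
```

The known variant stops the complaints from the gmail senders, but it also passes any same-domain address that is absent from the table, which is exactly the forgery the compromised account used. Either list every local address, so the known variant always has an owner to compare against, or keep the authenticated variant and add each user's external addresses to that user's owner entries.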

Re: Restricting submission to legitimate account name only

Viktor Dukhovni
In reply to this post by Alex Regan


> On Feb 19, 2018, at 11:35 AM, Alex <[hidden email]> wrote:
>
> In other words, if the sasl_username is alice, I'd like to restrict
> the envelope sender and From address to only legitimate accounts
> belonging to that sasl user.

If the account is compromised, you really should deny access until
the password is changed.  That said, you can use:

 main.cf:
   indexed = ${default_database_type}:${config_directory}/
   smtpd_restriction_classes = enforce_login
   enforce_login =
        reject_authenticated_sender_login_mismatch,
        permit_sasl_authenticated,
        reject
   smtpd_sender_restrictions =
        check_sasl_access ${indexed}sasl-access

 sasl-access:
   # The lookup key is the SASL login name, which may be "user@realm",
   # rather than just "user", specify accordingly.
   #
   alice   enforce_login

--
        Viktor.


Re: Restricting submission to legitimate account name only

@lbutlr
In reply to this post by Alex Regan
On 2018-02-19 (09:35 MST), Alex <[hidden email]> wrote:
>
> In other words, if the sasl_username is alice, I'd like to restrict the envelope sender and From address to only legitimate accounts belonging to that sasl user.

This may break many people's workflows.

For example, most people have many email addresses, and rather than try to manage many different servers, they will pick their "best" server to send their email through.

So, when I send an email to someone from my google account, it probably doesn't go through google's submission servers.

Now, you might not care, but you might be prepared for the complaints.

A better choice is to rate limit users.

You can also check if the sender@yourdomain is a valid account, but then again, there are reasons someone (a company, especially) might want an invalid sender.

And you'll break mailing lists if you aren't careful.

--
"It's unacceptable to think" - George W Bush 15/Sep/2006


Re: Restricting submission to legitimate account name only

Karol Augustin
On 2018-02-19 23:13, @lbutlr wrote:
> On 2018-02-19 (09:35 MST), Alex <[hidden email]> wrote:
>>
>> In other words, if the sasl_username is alice, I'd like to restrict the envelope sender and From address to only legitimate accounts belonging to that sasl user.
>
> This may break many people's workflows.
>
> For example, most people have many email addresses, and rather than
> try to manage many different servers, they will pick their "best"
> server to send their email through.

Any modern email client uses autoconfiguration these days and it is
actually very hard to set things up as you describe (using identities
etc.) in comparison to a proper setup with one submission server per
account.

>
> So, when I send an email to someone from my google account, it
> probably doesn't go through google's submission servers.

This might have been the case a decade ago but now doing this will most
probably put that e-mail in spam. Sending e-mails on behalf of other
domains breaks SPF, DKIM, DMARC and is in general considered spoofing.
You should be prepared for complaints if you ARE allowing this.

Try to send email from a non-gmail address using a gmail account.

>
> Now, you might not care, but you might be prepared for the complaints.
>
> A better choice is to rate limit users.
>
> You can also check if the sender@yourdomain is a valid account, but
> then again, there are reasons someone (a company, especially) might
> want an invalid sender.
>
> And you'll break mailing lists if you aren't careful.

How? What does restricting users to sending mail only from addresses they
own have to do with mailing lists?


k.

--
Karol Augustin
[hidden email]
http://karolaugustin.pl/
+353 85 775 5312

Re: Restricting submission to legitimate account name only

Ralph Seichter
On 20.02.2018 10:35, Karol Augustin wrote:

> On 2018-02-19 23:13, @lbutlr wrote:
>
> > For example, most people have many email addresses, and rather than
> > try to manage many different servers, they will pick their "best"
> > server to send their email through.
>
> Any modern email client uses autoconfiguration these days and it is
> actually very hard to set things up as you describe (using identities
> etc.) in comparison to proper setup with one submission server per
> account.

Multiple identities are "proper" and very useful, especially when it
comes to using different addresses for different mailing lists or when
sub-addressing is unavailable. Also, people can have different roles
with different email addresses in an organisation. Arbitrarily enforcing
a one-to-one-relationship between email addresses and email accounts is,
in my experience, often unnecessary and counterproductive.

It can indeed be hard to set this up on the client side, due to the
aforementioned restrictions of MTAs and for lack of support in MUAs.
Mozilla Thunderbird may be dying a slow death, but I keep using it for
its good multi-identity-support. I've asked Apple several times over the
years why both their macOS and iOS mail clients don't support it, but
apparently this does not even deserve an answer.

> Sending e-mails on behalf of other domains breaks SPF, DKIM, DMARC and
> is in general considered spoofing. You should be prepared for complaints
> if you ARE allowing this.

I run servers for myself and for customers that send email for various
domains, with the proper config for SPF, DKIM, DMARC, DANE -- you name
it -- and support multiple identities. It takes a bit more effort on the
server side, but the users are happy, and I think that's worth the extra
thought spent on the server setup.

I'm not saying everybody needs multiple identities, but I know enough
people who consider it important, including myself.

-Ralph

Re: Restricting submission to legitimate account name only

Petri Riihikallio
Ralph Seichter <[hidden email]> wrote on 20.02.2018 at 13:07:

> I've asked Apple several times over the years why both their macOS and iOS mail clients don't support it, but apparently this does not even deserve an answer.

This is going OT regarding Postfix, but both in Mail.app and iOS built-in mail you can assign multiple e-mail addresses to an account. I am using both and I have nothing to complain about.

The only grievance I have is that in iOS you can have only one S/MIME certificate active at a time. The app will try to sign everything with that certificate and fails for all but one sender address. macOS Mail.app handles it properly. Of course, no PGP support in either.

br, Petri



Re: Restricting submission to legitimate account name only

Karol Augustin
In reply to this post by Ralph Seichter
On 2018-02-20 11:07, Ralph Seichter wrote:

> On 20.02.2018 10:35, Karol Augustin wrote:
>
>> On 2018-02-19 23:13, @lbutlr wrote:
>>
>> > For example, most people have many email addresses, and rather than
>> > try to manage many different servers, they will pick their "best"
>> > server to send their email through.
>>
>> Any modern email client uses autoconfiguration these days and it is
>> actually very hard to set things up as you describe (using identities
>> etc.) in comparison to proper setup with one submission server per
>> account.
>
> Multiple identities are "proper" and very useful, especially when it
> comes to using different addresses for different mailing lists or when
> sub-addressing is unavailable. Also, people can have different roles
> with different email addresses in an organisation. Arbitrarily enforcing
> a one-to-one-relationship between email addresses and email accounts is,
> in my experience, often unnecessary and counterproductive.
>
> It can indeed be hard to set this up on the client side, due to the
> aforementioned restrictions of MTAs and for lack of support in MUAs.
> Mozilla Thunderbird may be dying a slow death, but I keep using it for
> its good multi-identity-support. I've asked Apple several times over the
> years why both their macOS and iOS mail clients don't support it, but
> apparently this does not even deserve an answer.
>
>> Sending e-mails on behalf of other domains breaks SPF, DKIM, DMARC and
>> is in general considered spoofing. You should be prepared for complaints
>> if you ARE allowing this.
>
> I run servers for myself and for customers that send email for various
> domains, with the proper config for SPF, DKIM, DMARC, DANE -- you name
> it -- and support multiple identities. It takes a bit more effort on the
> server side, but the users are happy, and I think that's worth the extra
> thought spent on the server setup.
>
> I'm not saying everybody needs multiple identities, but I know enough
> people who consider it important, including myself.
>
> -Ralph

Ok, so I think I misunderstood you.

I agree that multiple identities are useful and should be used. I use
them myself. I just don't agree that any user should be allowed to send
email from arbitrary domains using your e-mail server. For example, my
users can't send e-mails From: a gmail address using my server. They are
only allowed to send e-mail using addresses that they "own", which I
have configured using this ugly query (sender_login_maps):

query = select email from (
            (select email from virtual_users where email = '%s')
            union
            (select destination from virtual_users, virtual_aliases
                where virtual_users.email = virtual_aliases.destination
                  and virtual_aliases.source = '%s')
        ) as adr
        join virtual_domains
        where SUBSTRING_INDEX(adr.email, '@', -1) = virtual_domains.name

So if there is an alias configured to deliver to a particular user, then
that user can send e-mail from this address, but not from any address
(gmail.com), and not from his colleague's address, even if it is in the
same domain.

So I agree, 1-to-1 mapping is bad but I disagree that complete freedom
for authenticated users is good.


k.


--
Karol Augustin
[hidden email]
http://karolaugustin.pl/
+353 85 775 5312
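As an added example that is not part of the thread, of Karol's setup or of Postfix, here is the ownership rule behind Karol's SQL map (a login owns its own address in each local domain plus every local alias that delivers to it, and nothing else) applied in Python to the flat files Alex is working from: a passwd-style account list and an aliases(5) file, producing a smtpd_sender_login_maps source file for postmap(1). The input lines and the local domain are constructed, and the UID cut-off separating real accounts from system accounts is an assumption.

```python
"""Generate a Postfix smtpd_sender_login_maps source file from a passwd-style
account list and an aliases(5)-style file.

Added example; not code from the thread.  Ownership rule: a login owns its
own address in every local domain plus every local alias that resolves to it.
All input below is constructed; the UID cut-off is an assumption.
"""
from typing import Dict, List, Optional, Set

LOCAL_DOMAINS = ["example.com"]   # constructed; one entry per domain is emitted
MIN_UID = 1000                    # assumption: lower UIDs are system accounts

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
"""

ALIASES_SAMPLE = """\
# constructed aliases(5) file: name: target, target
postmaster: root
sales: alice, bob
info: sales
abuse: postmaster
webmaster: carol
loop1: loop2
loop2: loop1
"""


def parse_passwd(text: str) -> List[str]:
    """Login names of non-system accounts, in file order."""
    logins = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2].isdigit() and int(fields[2]) >= MIN_UID:
            logins.append(fields[0].lower())
    return logins


def parse_aliases(text: str) -> Dict[str, List[str]]:
    """name -> list of targets; comments and blank lines are ignored."""
    aliases: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, targets = line.split(":", 1)
        aliases[name.strip().lower()] = [t.strip().lower()
                                         for t in targets.split(",") if t.strip()]
    return aliases


def resolve_owners(name: str, aliases: Dict[str, List[str]], logins: Set[str],
                   seen: Optional[Set[str]] = None) -> Set[str]:
    """Follow alias chains down to real logins.  A login owns itself; a name
    that only leads to system accounts, unknown users or back into a loop
    yields no owner, so no map entry is produced for it."""
    seen = set() if seen is None else seen
    if name in logins:
        return {name}
    if name in seen:
        return set()
    seen.add(name)
    owners: Set[str] = set()
    for target in aliases.get(name, []):
        owners |= resolve_owners(target, aliases, logins, seen)
    return owners


def build_sender_login_map(logins: List[str], aliases: Dict[str, List[str]],
                           domains: List[str]) -> Dict[str, List[str]]:
    """address -> sorted owner logins, for every local name that has an owner."""
    login_set = set(logins)
    table: Dict[str, List[str]] = {}
    for name in sorted(login_set | set(aliases)):
        owners = resolve_owners(name, aliases, login_set)
        if not owners:
            continue
        for domain in domains:
            table[f"{name}@{domain}"] = sorted(owners)
    return table


def render(table: Dict[str, List[str]]) -> str:
    """Text for postmap(1): key, whitespace, comma-separated owner logins."""
    width = max(len(k) for k in table) + 2
    return "".join(f"{k:<{width}}{', '.join(v)}\n" for k, v in sorted(table.items()))


if __name__ == "__main__":
    table = build_sender_login_map(parse_passwd(PASSWD_SAMPLE),
                                   parse_aliases(ALIASES_SAMPLE), LOCAL_DOMAINS)
    print(render(table), end="")   # then: postmap hash:/etc/postfix/sender_login_maps
```

Alex's user-add script can regenerate the file this way and run postmap after each change. Names that resolve to no real login (an alias pointing at a system account, at a user that does not exist, or into a loop) get no entry, so under reject_authenticated_sender_login_mismatch nobody can send as them; a role address such as postmaster that a person should be able to use needs an explicit line.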

Re: Restricting submission to legitimate account name only

Petri Riihikallio
Karol Augustin <[hidden email]> wrote on 20.02.2018 at 13:26:
> So if there is an alias configured to deliver to a particular user, then
> that user can send e-mail from this address, but not from any address
> (gmail.com), and not from his colleague's address, even if it is in the
> same domain.
>
> So I agree, 1-to-1 mapping is bad but I disagree that complete freedom
> for authenticated users is good.

Has this been discussed already: http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps

br, Petri





Re: Restricting submission to legitimate account name only

Ralph Seichter
In reply to this post by Karol Augustin
On 20.02.2018 12:26, Karol Augustin wrote:

> Ok, so I think I misunderstood you.

I only just joined the conversation, quoting both you and @lbutlr, so I
hope I did not cause confusion.

> I agree that multiple identities are useful and should be used. I use
> them myself. I just don't agree that any user should be allowed to send
> email from arbitrary domains using your e-mail server.

Same here, I would not want joe@domainA to impersonate mary@domainB. I
am mostly interested in reasonable flexibility for the address *local*
parts.

-Ralph

Re: Restricting submission to legitimate account name only

@lbutlr
In reply to this post by Karol Augustin
On 2018-02-20 (02:35 MST), Karol Augustin <[hidden email]> wrote:

>
> On 2018-02-19 23:13, @lbutlr wrote:
>> On 2018-02-19 (09:35 MST), Alex <[hidden email]> wrote:
>>>
>>> In other words, if the sasl_username is alice, I'd like to restrict the envelope sender and From address to only legitimate accounts belonging to that sasl user.
>>
>> This may break many people's workflows.
>>
>> For example, most people have many email addresses, and rather than
>> try to manage many different servers, they will pick their "best"
>> server to send their email through.
>
> Any modern email client uses autoconfiguration these days and it is
> actually very hard to set things up as you describe (using identities
> etc.) in comparison to proper setup with one submission server per
> account.

It obviously is not, since I see a lot of mail "from" gmail addresses going out via my server.

>> So, when I send an email to someone from my google account, it
>> probably doesn't go through google's submission servers.
>
> This might have been the case a decade ago but now doing this will most
> probably put that e-mail in spam. Sending e-mails on behalf of other
> domains breaks SPF, DKIM, DMARC and is in general considered spoofing.

Nearly everything breaks SPF and nearly no-one cares about DKIM.

> You should be prepared for complaints if you ARE allowing this.
>
> Try to send email from a non-gmail address using a gmail account.

I've done this as well (like when my server is down but I need to send something "from" my admin account), but it's been a couple of years.

>> Now, you might not care, but you might be prepared for the complaints.
>>
>> A better choice is to rate limit users.
>>
>> You can also check if the sender@yourdomain is a valid account, but
>> then again, there are reasons someone (a company, especially) might
>> want an invalid sender.
>>
>> And you'll break mailing lists if you aren't careful.
>
> How? What does restricting users to sending mail only from addresses they
> own have to do with mailing lists?

Because the envelope may not contain exactly the end-user's email address and if you assume it will, you will break things.


--
Beware of the Leopard!


Re: Restricting submission to legitimate account name only

Alex Regan
In reply to this post by Viktor Dukhovni
Hi,

On Mon, Feb 19, 2018 at 1:31 PM, Viktor Dukhovni
<[hidden email]> wrote:
>> On Feb 19, 2018, at 11:35 AM, Alex <[hidden email]> wrote:
>> In other words, if the sasl_username is alice, I'd like to restrict
>> the envelope sender and From address to only legitimate accounts
>> belonging to that sasl user.
>
> If the account is compromised, you really should deny access until
> the password is changed.  That said, you can use:

Yes, we've locked the accounts and are investigating the infected PC
that caused this.

However, I'm still having a problem with the changes you've suggested:

>  main.cf:
>    indexed = ${default_database_type}:${config_directory}/
>    smtpd_restriction_classes = enforce_login
>    enforce_login =
>         reject_authenticated_sender_login_mismatch,
>         permit_sasl_authenticated,
>         reject
>    smtpd_sender_restrictions =
>         check_sasl_access ${indexed}sasl-access
>
>  sasl-access:
>    # The lookup key is the SASL login name, which may be "user@realm",
>    # rather than just "user", specify accordingly.
>    #
>    alice   enforce_login

indexed = ${default_database_type}:${config_directory}/
smtpd_restriction_classes = enforce_login
enforce_login =
   reject_authenticated_sender_login_mismatch,
   permit_sasl_authenticated,
   reject
smtpd_sender_restrictions =
   check_sasl_access ${indexed}sasl-access

sasl-access:
user44406  enforce_login

Feb 23 11:57:51 email01 postfix/submission/smtpd[1563]: NOQUEUE:
reject: RCPT from
104-0-120-163.lightspeed.hstntx.sbcglobal.net[104.0.120.163]: 553
5.7.1 <[hidden email]>: Sender address rejected: not owned
by user user44406; from=<[hidden email]>
to=<[hidden email]> proto=ESMTP helo=<BWPC1>

I've also tried [hidden email], and while it doesn't reject
the sender, it also doesn't block users from being able to send mail
from accounts other than their own. These are non-existent accounts:

From: "mistybarry" <[hidden email]>
To: "abrennan" <[hidden email]>

I'm not sure what other details I can provide to help here.

Thanks,
Alex

Re: Restricting submission to legitimate account name only

Viktor Dukhovni


> On Feb 23, 2018, at 12:07 PM, Alex <[hidden email]> wrote:
>
> indexed = ${default_database_type}:${config_directory}/
> smtpd_restriction_classes = enforce_login
> enforce_login =
>   reject_authenticated_sender_login_mismatch,
>   permit_sasl_authenticated,
>   reject
> smtpd_sender_restrictions =
>   check_sasl_access ${indexed}sasl-access
>
> sasl-access:
> user44406  enforce_login
>
> Feb 23 11:57:51 email01 postfix/submission/smtpd[1563]: NOQUEUE:
> reject: RCPT from
> 104-0-120-163.lightspeed.hstntx.sbcglobal.net[104.0.120.163]: 553
> 5.7.1 <[hidden email]>: Sender address rejected: not owned
> by user user44406; from=<[hidden email]>
> to=<[hidden email]> proto=ESMTP helo=<BWPC1>

What do you have in smtpd_sender_login_maps?  For the above to work, you
also of course need:

   main.cf:
        smtpd_sender_login_maps = ${indexed}sender-login

   sender-login:
        [hidden email] user44406

--
        Viktor.