Use postfix with submission proxy (AUTH in MAIL FROM command)

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

Use postfix with submission proxy (AUTH in MAIL FROM command)

Vadim S. Ivanov
Hi!
I implement new feature of dovecot's "submission" proxy
(https://wiki2.dovecot.org/Submission) with postfix and I stuck with
user authentication.

When MUA connects to postfix's submission port it authenticates:
(local connection from roundcube MUA)
(postfix uses dovecot for auth)
------------------------------------------
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]: >
localhost[127.0.0.1]: 250-{hidden}
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]: >
localhost[127.0.0.1]: 250-PIPELINING
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]: >
localhost[127.0.0.1]: 250-SIZE 30720000
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]: >
localhost[127.0.0.1]: 250-AUTH PLAIN LOGIN
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]: >
localhost[127.0.0.1]: 250-AUTH=PLAIN LOGIN
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]: >
localhost[127.0.0.1]: 250-ENHANCEDSTATUSCODES
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]: >
localhost[127.0.0.1]: 250 8BITMIME
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]: <
localhost[127.0.0.1]: AUTH LOGIN
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]:
xsasl_dovecot_server_first: sasl_method LOGIN
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]:
xsasl_dovecot_handle_reply: auth reply: {hidden}
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]: >
localhost[127.0.0.1]: 334 {hidden}
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]: <
localhost[127.0.0.1]: {hidden}
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]:
xsasl_dovecot_handle_reply: auth reply: {hidden}
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]: >
localhost[127.0.0.1]: 334 {hidden}
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]: <
localhost[127.0.0.1]: {hidden}
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]:
xsasl_dovecot_handle_reply: auth reply: OK?1?user=username@domain?
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]: >
localhost[127.0.0.1]: 235 2.7.0 Authentication successful
Oct 14 05:48:01 mailbox14 postfix/mua-submission-local/smtpd[8262]: <
localhost[127.0.0.1]: MAIL FROM:<username@domain>
------------------------------------------

When dovecot's MSA connects - it does not (obviously there is no need to
do it again):
------------------------------------------
Oct 14 05:42:15 mailbox14 postfix/mua-submission-primary/smtpd[8056]: >
{host_fqdn}[{host_ip}]: 250-{hidden}
Oct 14 05:42:15 mailbox14 postfix/mua-submission-primary/smtpd[8056]: >
{host_fqdn}[{host_ip}]: 250-PIPELINING
Oct 14 05:42:15 mailbox14 postfix/mua-submission-primary/smtpd[8056]: >
{host_fqdn}[{host_ip}]: 250-SIZE 30720000
Oct 14 05:42:15 mailbox14 postfix/mua-submission-primary/smtpd[8056]: >
{host_fqdn}[{host_ip}]: 250-AUTH PLAIN LOGIN
Oct 14 05:42:15 mailbox14 postfix/mua-submission-primary/smtpd[8056]: >
{host_fqdn}[{host_ip}]: 250-AUTH=PLAIN LOGIN
Oct 14 05:42:15 mailbox14 postfix/mua-submission-primary/smtpd[8056]: >
{host_fqdn}[{host_ip}]: 250-ENHANCEDSTATUSCODES
Oct 14 05:42:15 mailbox14 postfix/mua-submission-primary/smtpd[8056]: >
{host_fqdn}[{host_ip}]: 250 8BITMIME
Oct 14 05:42:15 mailbox14 postfix/mua-submission-primary/smtpd[8056]: <
{host_fqdn}[{host_ip}]: MAIL FROM:<username@domain> AUTH=username@domain
BODY=8BITMIME SIZE=1545
------------------------------------------
As described here: https://tools.ietf.org/html/rfc4954#section-5
User is already authenticated by proxy and postfix receives AUTH with
MAIL FROM command. It's $sasl_sender if I'm right:
http://www.postfix.org/postconf.5.html#permit_sasl_authenticated

Problem is:
I prevent sender address forging with smtpd_sender_login_mismatch and
smtpd_sender_login_maps.
Also i have setup dovecot's shared mailboxes feature and certain users
can send mail on behalf of them. Controlled forgery so to speak.

In case of dovecot MSA i can't run those checks, because postfix treats
dovecot as unauthenticated client.
It is possible to set up authentication in dovecot, but in this case all
users will have one sasl login. It passes permit_sasl_authenticated, but
does not prevent forgery, since smtpd_sender_login_mismatch has to be
removed.
Not to mention it makes dovecot authenticate against itself again, which
is ridiculous.

So, i set up a dedicated smtpd to get in working:
------------------------------------------ (part of master.cf)
172.16.229.5:5870 inet n       -       n       -       -       smtpd
   -o cleanup_service_name=pre-cleanup
   -o content_filter=smtp-amavis:[127.0.0.1]:10026
   -o syslog_name=postfix/msa-dovecot
   -o mynetworks={dovecot_ip}
   -o smtpd_tls_auth_only=yes
   -o smtpd_tls_wrappermode=no
   -o smtpd_tls_security_level=encrypt
   -o smtpd_sasl_tls_security_options=noanonymous
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_sasl_security_options=noanonymous
   -o smtpd_client_restrictions=
   -o smtpd_helo_restrictions=
   -o smtpd_sender_restrictions=
   -o smtpd_relay_restrictions=
   -o
smtpd_recipient_restrictions=reject_unlisted_sender,reject_unlisted_recipient,reject_unknown_recipient_domain,check_sender_access,hash:/etc/postfix/maps/restricted_senders,permit_mynetworks,reject
   -o smtpd_restriction_classes=restrict
   -o
restrict=check_recipient_access,hash:/etc/postfix/maps/restricted_senders_allowed_destinations,reject
     ###
------------------------------------------

Now it works, but any user can forge it's sender address.

So the question is:
Is there any way to configure postfix to do the same checks (or
different with the same purpose) against $sasl_sender to prevent sender
address forgery?
Exim has something like that:
https://www.exim.org/exim-html-current/doc/html/spec_html/ch-smtp_authentication.html#SECTauthparamail

my core setup:
postfix 2.11
dovecot 2.3.3

PS: whole picture
I'm configuring sort of Exchange's "Outlook everywhere" function. Since
dovecot supports proxy protocol, a can use SNI check on HAProxy node to
present IMAPS and SMTPS on single 443 port and preserve client addresses
in logs.
It's very useful for people who roams city and connects to mail server
from firewalled/DPIed public networks.
Reply | Threaded
Open this post in threaded view
|

Re: Use postfix with submission proxy (AUTH in MAIL FROM command)

Wietse Venema
Vadim S. Ivanov:
> When dovecot's MSA connects - it does not (obviously there is no need to
> [SASL authenticate] again):

Postfix implements protocols by the spec.

Where does the SASL protocol definition say that if a client logs
in with one SMTP session, that the client does not have to log in
again with a different SMTP session?

        Wietse
Reply | Threaded
Open this post in threaded view
|

Re: Use postfix with submission proxy (AUTH in MAIL FROM command)

Vadim S. Ivanov
I agree. I looked at rfc4422. Treating identity in MAIL FROM command as
sasl authenticated will violate rfc itself (no auth mechanisms was
involved).
I won't be able do run smtpd_sender_login_mismatch,
smtpd_sender_login_maps checks.


But rfc4954 section 5 states:
         The optional AUTH parameter to the MAIL FROM command allows
         cooperating agents in a trusted environment to communicate the
         authorization identity associated with individual messages.

         If the server trusts the authenticated identity of the client to
         assert that the message was originally submitted by the supplied
         <mailbox>, then the server SHOULD supply the same <mailbox> in
         an AUTH parameter when relaying the message to any other server
         which supports the AUTH extension.

         For this reason, servers that advertise support for this
         extension MUST support the AUTH parameter to the MAIL FROM
         command even when the client has not authenticated itself to the
         server.

So dovecot authenticated user and relayed it's mail to postfix with
"authorization identity" in MAIL FROM:

MAIL FROM:<user@domain> AUTH=user@domain BODY=8BITMIME SIZE=1545

Does postfix support this AUTH extension ?
If it does, is it possible to run some checks against "authorization
identity" to prevent sender address forgery? (in my case user logs in
using full mail address, so usermailbox=userlogin)
Reply | Threaded
Open this post in threaded view
|

Re: Use postfix with submission proxy (AUTH in MAIL FROM command)

Wietse Venema
Vadim S. Ivanov:

> I agree. I looked at rfc4422. Treating identity in MAIL FROM command as
> sasl authenticated will violate rfc itself (no auth mechanisms was
> involved).
> I won't be able do run smtpd_sender_login_mismatch,
> smtpd_sender_login_maps checks.
>
>
> But rfc4954 section 5 states:
>          The optional AUTH parameter to the MAIL FROM command allows
>          cooperating agents in a trusted environment to communicate the
>          authorization identity associated with individual messages.
>
>          If the server trusts the authenticated identity of the client to
>          assert that the message was originally submitted by the supplied
>          <mailbox>, then the server SHOULD supply the same <mailbox> in
>          an AUTH parameter when relaying the message to any other server
>          which supports the AUTH extension.
>
>          For this reason, servers that advertise support for this
>          extension MUST support the AUTH parameter to the MAIL FROM
>          command even when the client has not authenticated itself to the
>          server.
>
> So dovecot authenticated user and relayed it's mail to postfix with
> "authorization identity" in MAIL FROM:
>
> MAIL FROM:<user@domain> AUTH=user@domain BODY=8BITMIME SIZE=1545
>
> Does postfix support this AUTH extension ?

Postfix allows the parameter, and discards the result.

> If it does, is it possible to run some checks against "authorization
> identity" to prevent sender address forgery? (in my case user logs in
> using full mail address, so usermailbox=userlogin)

No. Without authentication, the MAIL FROM AUTH parameter is just
a bunch of unauthenticated data.

        Wietse
Reply | Threaded
Open this post in threaded view
|

Re: Use postfix with submission proxy (AUTH in MAIL FROM command)

Vadim S. Ivanov
OK, thank you!

I'll come up with something.

---
--
Regards,
Vadim S. Ivanov
mailto:[hidden email]