canonical based on login name

Joris (ideeel)
hi list

I run a webservice (and a mail service). All websites run under the same
UID of [hidden email]. I know, not ideal, but I cannot
change that bit. Problem is that if one site gets hacked, user apache
starts sending spam with no way to figure out which website is
misbehaving. Thus we are going to enforce websites to use SASL-auth.

Now the remaining problem is that, even with SMTP-auth, the MAIL FROM
username sometimes is still apache. I know gmail rewrites the envelope
sender and the header sender based on the login name, but I have not
been able to find how to do this in postfix (canonical_classes does not
seem to help me here). I cannot really reject the mail using
reject_authenticated_sender_login_mismatch because the mails will be
sent back to the apache user with again no knowledge of the true sender.

hope you can give me some pointers or documentation how I can solve this :)

best
Joris



Re: canonical based on login name

Viktor Dukhovni


> On Jan 20, 2018, at 11:08 AM, Joris (ideeel) <[hidden email]> wrote:
>
> I know gmail rewrites the envelope sender and the header sender based on
> the login name, but I have not been able to find how to do this in Postfix

To make it clearer, we should first understand what "rewriting" means in
Postfix.

  -  Rewriting in Postfix takes an input value (say the sender address)
     and produces a new value as a function of (via a lookup table)
     of the input value.  The *only* input into the construction of the
     new value is the original value.  Thus you can transform a sender
     address to another sender address, but this cannot take into account
     any other message properties.

Since "canonical_maps" is an address rewriting mechanism, it cannot do
what you're asking for.  The transformation you're asking for presently
requires a content filter or milter.

--
        Viktor.

Re: canonical based on login name

Wietse Venema
In reply to this post by Joris (ideeel)
Joris (ideeel):
> Now the remaining problem is that, even with SMTP-auth, the MAIL FROM
> username sometimes is still apache. I know gmail rewrites the envelope
> sender and the header sender based on the login name, but I have not
> been able to find how to do this in postfix (canonical_classes does not

You can use the reject_sender_login_mismatch feature to enforce
that each SASL login uses its own unique envelope sender address.

During the transition, use:

    warn_if_reject reject_sender_login_mismatch

to find out which apps aren't using the proper sender address.

Otherwise, as Viktor says, this requires external code (content
filter or milter).

        Wietse

Re: canonical based on login name

Karol Augustin
In reply to this post by Joris (ideeel)
On 2018-01-20 16:08, Joris (ideeel) wrote:

> hi list
>
> I run a webservice (and a mail service). All websites run under the
> same UID of [hidden email]. I know, not ideal, but I
> cannot change that bit. Problem is that if one site gets hacked, user
> apache starts sending spam with no way to figure out which website is
> misbehaving. Thus we are going to enforce websites to use SASL-auth.
>
> Now the remaining problem is that, even with SMTP-auth, the MAIL FROM
> username sometimes is still apache. I know gmail rewrites the envelope
> sender and the header sender based on the login name, but I have not
> been able to find how to do this in postfix (canonical_classes does
> not seem to help me here). I cannot really reject the mail using
> reject_authenticated_sender_login_mismatch because the mails will be
> sent back to the apache user with again no knowledge of the true
> sender.

Maybe I am not getting something but if you force different SASL-auth
for each website you will have the offending username in the logs.


>
> hope you can give me some pointers or documentation how I can solve this :)
>
> best
> Joris


I had exactly the same problem when one of the websites I was hosting got
hacked, and I also wanted to prevent the situation where my user is hacked
(malware) and starts sending emails with a matching envelope sender but
forging the From header. I ended up using vrfydmn like this:

    /usr/bin/python /usr/local/sbin/vrfydmn -F -u vrfydmn -g vrfydmn \
        -s inet:10072@127.0.0.1 -p /var/run/vrfydmn/vrfydmn.pid

I reject emails from users that try to send them with an envelope sender
that they don't own, so in my case Postfix makes sure that the
envelope sender is OK (reject_sender_login_mismatch), and then vrfydmn
makes sure that From: matches.

In your case you can (apparently) force PHP to use a fixed envelope-from
address. Then you can use this milter to fix the From: address. Have a look,
it might be what you need.


https://github.com/croessner/vrfydmn

Karol


--
Karol Augustin
[hidden email]
http://karolaugustin.pl/
+353 85 775 5312
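
Added example, not part of the thread: a small log tally that ties together the `warn_if_reject reject_sender_login_mismatch` transition suggested above and the remark that the SASL login shows up in the logs. The log lines are constructed, the `site1`/`site2` logins are hypothetical, and the line format is assumed to follow Postfix's usual smtpd syslog output.

```python
import re
from collections import Counter

# Constructed sample lines (assumption: usual Postfix smtpd syslog format).
SAMPLE_LOG = """\
Jan 20 16:10:01 mx postfix/smtpd[2101]: 4A1B2C3D4E: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=site1
Jan 20 16:10:02 mx postfix/smtpd[2102]: NOQUEUE: reject_warning: RCPT from localhost[127.0.0.1]: 553 5.7.1 <apache@web.example>: Sender address rejected: not owned by user site2; from=<apache@web.example> to=<a@dest.example> proto=ESMTP helo=<web.example>
Jan 20 16:10:02 mx postfix/smtpd[2102]: 5B2C3D4E5F: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=site2
Jan 20 16:10:03 mx postfix/smtpd[2103]: NOQUEUE: reject_warning: RCPT from localhost[127.0.0.1]: 553 5.7.1 <apache@web.example>: Sender address rejected: not owned by user site2; from=<apache@web.example> to=<b@dest.example> proto=ESMTP helo=<web.example>
Jan 20 16:10:03 mx postfix/smtpd[2103]: 6C3D4E5F6A: client=localhost[127.0.0.1], sasl_method=PLAIN, sasl_username=site2
"""

# Queue-ID line that records which SASL login submitted a message.
LOGIN_RE = re.compile(r"postfix/smtpd\[\d+\]: \w+: client=.*\bsasl_username=(\S+)")
# warn_if_reject logs "reject_warning" instead of rejecting the mail.
MISMATCH_RE = re.compile(
    r"reject_warning: .*<([^>]*)>: Sender address rejected: "
    r"not owned by user (\S+?);"
)


def messages_per_login(log_text):
    """Count accepted submissions per SASL login (who is sending how much)."""
    return Counter(m.group(1) for m in LOGIN_RE.finditer(log_text))


def sender_mismatches(log_text):
    """Count (login, envelope sender) pairs that would have been rejected."""
    return Counter((m.group(2), m.group(1)) for m in MISMATCH_RE.finditer(log_text))


if __name__ == "__main__":
    for login, count in messages_per_login(SAMPLE_LOG).most_common():
        print(f"{login}: {count} message(s)")
    for (login, sender), count in sender_mismatches(SAMPLE_LOG).items():
        print(f"{login} used unowned sender {sender} {count} time(s)")
```
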