mynetworks equivalent for sender address

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
13 messages Options
Reply | Threaded
Open this post in threaded view
|

mynetworks equivalent for sender address

dave-2
Hi,

Here is my problem. I have a Raspberry running in my home network, and I
want it to be able to send me email. I set up a send only postfix on it
and that works fine. The email that arrives on my email server fails a
couple of testsĀ  - domain not found and need FQDN.

The email is from root@raspberrypi.

Obviously I could change that, but I don't think I could get it to a
proper domain and FQDN, and I'd rather not if I can avoid it. The IP
address it arrives from is random as it's sometimes through a VPN.

I have full control of the email server, which is a latest standard
Debian/postfix/dovecot set up.

So what I'm looking for is the easiest way of accepting that email,
while staying pretty secure. I could update the sending domain to be
some random unguessable string.

There appear to be some ways that might work (TLS fingerprint of the
client sort of stuff?)

A simple equivalent of mynetworks, but for a from address rather than an
IP/network would be ideal.

Thanks in advance for any suggestions.

regards

Dave

Reply | Threaded
Open this post in threaded view
|

Re: mynetworks equivalent for sender address

Nick-5
On 2020-08-30 18:08 BST, dave wrote:
> So what I'm looking for is the easiest way of accepting that email,
> while staying pretty secure.

From your home machine, send mail to the server's submission port and
with authentication, as in
<http://www.postfix.org/SOHO_README.html#client_sasl_enable>.

HTH,
--
Nick
Reply | Threaded
Open this post in threaded view
|

Re: mynetworks equivalent for sender address

dave-2
Great, thanks. Do I need the "enabling DSASL authion postfix client
section, or configure sender dependent SASL. And do I need to use
relayhosts?

thanks

Dave


On 30/08/2020 18:24, Nick wrote:
> On 2020-08-30 18:08 BST, dave wrote:
>> So what I'm looking for is the easiest way of accepting that email,
>> while staying pretty secure.
>  From your home machine, send mail to the server's submission port and
> with authentication, as in
> <http://www.postfix.org/SOHO_README.html#client_sasl_enable>.
>
> HTH,
Reply | Threaded
Open this post in threaded view
|

Re: mynetworks equivalent for sender address

Viktor Dukhovni
In reply to this post by dave-2
On Sun, Aug 30, 2020 at 06:08:36PM +0100, dave wrote:

> A simple equivalent of mynetworks, but for a from address rather than an
> IP/network would be ideal.

There is, for good reason, no relay authorisation based on sender
address, because unlike a source IP address on your network (which is
difficult to forge with TCP) without being on your network, a sender
address is trivially forged by just using it.  Sender addresses are
neither secret not difficult to forge.

Thus permit_mynetworks (and thus mynetworks) is a thing, but there
is no permit_sender_domain (nor thus mydomains).

--
    Viktor.
Reply | Threaded
Open this post in threaded view
|

Re: mynetworks equivalent for sender address

Jaroslaw Rafa
Dnia 30.08.2020 o godz. 16:11:32 Viktor Dukhovni pisze:
>
> There is, for good reason, no relay authorisation based on sender
> address, because unlike a source IP address on your network (which is
> difficult to forge with TCP) without being on your network, a sender
> address is trivially forged by just using it.  Sender addresses are
> neither secret not difficult to forge.
>
> Thus permit_mynetworks (and thus mynetworks) is a thing, but there
> is no permit_sender_domain (nor thus mydomains).

However if someone wants to take a risk, I guess they can still put in
main.cf something like

smtpd_relay_restrictions = ..., check_sender_access /etc/postfix/relayuser, ...

where /etc/postfix/relayuser contains something like

[hidden email] PERMIT

Wouldn't it work?
--
Regards,
   Jaroslaw Rafa
   [hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."
Reply | Threaded
Open this post in threaded view
|

Re: mynetworks equivalent for sender address

dave-2
That would be great if it works.

It may be easy to forge, but it can be harder to guess depending on what
name I choose?

But you both mention relay - is that in the loose sense of the word? I
don't need to relay it do I? Just permit?

thanks

Dave

On 30/08/2020 23:31, Jaroslaw Rafa wrote:

> Dnia 30.08.2020 o godz. 16:11:32 Viktor Dukhovni pisze:
>> There is, for good reason, no relay authorisation based on sender
>> address, because unlike a source IP address on your network (which is
>> difficult to forge with TCP) without being on your network, a sender
>> address is trivially forged by just using it.  Sender addresses are
>> neither secret not difficult to forge.
>>
>> Thus permit_mynetworks (and thus mynetworks) is a thing, but there
>> is no permit_sender_domain (nor thus mydomains).
> However if someone wants to take a risk, I guess they can still put in
> main.cf something like
>
> smtpd_relay_restrictions = ..., check_sender_access /etc/postfix/relayuser, ...
>
> where /etc/postfix/relayuser contains something like
>
> [hidden email] PERMIT
>
> Wouldn't it work?
Reply | Threaded
Open this post in threaded view
|

Re: mynetworks equivalent for sender address

Viktor Dukhovni
On Sun, Aug 30, 2020 at 11:54:19PM +0100, dave wrote:

> That would be great if it works.

You mean that would be a double-barrelled shotgun you aim at your feet,
sure...

> It may be easy to forge, but it can be harder to guess depending on what
> name I choose?
>
> But you both mention relay - is that in the loose sense of the word? I
> don't need to relay it do I? Just permit?

Mail to your own domains is permitted by default.  You don't need to
"permit" specific sender domains.  It is sending to other people's
domains (relaying) that requires access control.  The rest of the
access policy is then about blocking inbound spam and the like.

Now you for some reason report that your Raspberry Pi client is
not a stable client IP on your network.  If you take it with
you on the road, you'll need either a VPN back to an internal
network, a client cert or SASL auth.

--
    Viktor.
Reply | Threaded
Open this post in threaded view
|

Re: mynetworks equivalent for sender address

dave-2
Thanks,

Maybe I need to clarify a few things. My email server is not in my home
network. My raspberry is, and it gets random IPs as sometimes it has to
go through a VPN to the internet.

Mail to my own domains is not permitted by default. This email from
raspberry is sent to my own domain (the one I'm using on this list) and
it fails the sender address domain not found and FQDN tests.

There is no relaying needed.

thanks

Dave

On 31/08/2020 00:05, Viktor Dukhovni wrote:

> On Sun, Aug 30, 2020 at 11:54:19PM +0100, dave wrote:
>
>> That would be great if it works.
> You mean that would be a double-barrelled shotgun you aim at your feet,
> sure...
>
>> It may be easy to forge, but it can be harder to guess depending on what
>> name I choose?
>>
>> But you both mention relay - is that in the loose sense of the word? I
>> don't need to relay it do I? Just permit?
> Mail to your own domains is permitted by default.  You don't need to
> "permit" specific sender domains.  It is sending to other people's
> domains (relaying) that requires access control.  The rest of the
> access policy is then about blocking inbound spam and the like.
>
> Now you for some reason report that your Raspberry Pi client is
> not a stable client IP on your network.  If you take it with
> you on the road, you'll need either a VPN back to an internal
> network, a client cert or SASL auth.
>
Reply | Threaded
Open this post in threaded view
|

Re: mynetworks equivalent for sender address

Bill Cole-3
On 31 Aug 2020, at 4:51, dave wrote:

> Mail to my own domains is not permitted by default. This email from
> raspberry is sent to my own domain (the one I'm using on this list)
> and it fails the sender address domain not found and FQDN tests.
>
> There is no relaying needed.

You could move those constraints to the smtpd_sender_restrictions list
with a suitable check_sender_access map ahead of them to exempt the
sloppy sender, with other controls later in smtpd_relay_restrictions,
i.e. a check_sender_access map to explicitly deny relaying to the sloppy
sender.

Or you could do proper submission with SASL AUTH and have a sane
configuration.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
Reply | Threaded
Open this post in threaded view
|

Re: mynetworks equivalent for sender address

dave-2
Thanks, SASL looks the best way.

Still not sure why we're talking relaying... ;-)

regards

Dave

On 31/08/2020 17:55, Bill Cole wrote:

> On 31 Aug 2020, at 4:51, dave wrote:
>
>> Mail to my own domains is not permitted by default. This email from
>> raspberry is sent to my own domain (the one I'm using on this list)
>> and it fails the sender address domain not found and FQDN tests.
>>
>> There is no relaying needed.
>
> You could move those constraints to the smtpd_sender_restrictions list
> with a suitable check_sender_access map ahead of them to exempt the
> sloppy sender, with other controls later in smtpd_relay_restrictions,
> i.e. a check_sender_access map to explicitly deny relaying to the
> sloppy sender.
>
> Or you could do proper submission with SASL AUTH and have a sane
> configuration.
>
Reply | Threaded
Open this post in threaded view
|

Re: mynetworks equivalent for sender address

Bill Cole-3
On 31 Aug 2020, at 16:07, dave wrote:

> Thanks, SASL looks the best way.
>
> Still not sure why we're talking relaying... ;-)

Because historically, to explicitly "permit" a message included relay
unless a later restriction stopped it.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
Reply | Threaded
Open this post in threaded view
|

Re: mynetworks equivalent for sender address

Viktor Dukhovni
In reply to this post by dave-2
On Mon, Aug 31, 2020 at 09:51:42AM +0100, dave wrote:

> Maybe I need to clarify a few things. My email server is not in my home
> network. My raspberry is, and it gets random IPs as sometimes it has to
> go through a VPN to the internet.
>
> Mail to my own domains is not permitted by default. This email from
> raspberry is sent to my own domain (the one I'm using on this list) and
> it fails the sender address domain not found and FQDN tests.
>
> There is no relaying needed.

Thanks, this makes the use-case dramatically more clear.  If you're just
trying to avoid rejecting some non-fqdn forms, you can do that in
smtpd_sender_restrictions:

    smtpd_sender_restrictions =
        # Optionally allow trusted clients to use non-fqdn forms?
        # permit_mynetworks
        # permit_sasl_authenticated
        #
        # Allow some particular non-fqdn domains
        check_sender_access some:table,
        reject_non_fqdn-sender

    smtpd_recipient_restrictions
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        ...
        # But no reject_non_fqdn_sender here, unless
        # you choose to place it LAST with the exception
        # list directly above it, and always below
        # reject_unauth_destination

--
    Viktor.
Reply | Threaded
Open this post in threaded view
|

Re: mynetworks equivalent for sender address

dave-2
Thanks Viktor, that looks good.

regards

Dave

On 01/09/2020 08:38, Viktor Dukhovni wrote:

> On Mon, Aug 31, 2020 at 09:51:42AM +0100, dave wrote:
>
>> Maybe I need to clarify a few things. My email server is not in my home
>> network. My raspberry is, and it gets random IPs as sometimes it has to
>> go through a VPN to the internet.
>>
>> Mail to my own domains is not permitted by default. This email from
>> raspberry is sent to my own domain (the one I'm using on this list) and
>> it fails the sender address domain not found and FQDN tests.
>>
>> There is no relaying needed.
> Thanks, this makes the use-case dramatically more clear.  If you're just
> trying to avoid rejecting some non-fqdn forms, you can do that in
> smtpd_sender_restrictions:
>
>      smtpd_sender_restrictions =
>          # Optionally allow trusted clients to use non-fqdn forms?
>          # permit_mynetworks
>          # permit_sasl_authenticated
>          #
>          # Allow some particular non-fqdn domains
>          check_sender_access some:table,
>          reject_non_fqdn-sender
>
>      smtpd_recipient_restrictions
>          permit_mynetworks,
>          permit_sasl_authenticated,
>          reject_unauth_destination,
>          ...
>          # But no reject_non_fqdn_sender here, unless
>          # you choose to place it LAST with the exception
>          # list directly above it, and always below
>          # reject_unauth_destination
>