remapping return-path ?

James B. Byrne
We have a situation where some party is harvesting our employees'
mailbox names and using them for a directed brute force attack against
our SMTP servers.  In order to dodge this we have undertaken to rename
user mailboxes.  However, we use the imap service to authenticate for
SMTP delivery and so the actual mailbox name must be used when
sending.

What happens then is that the newly renamed mailbox identity ends up
in the RETURN-PATH of the sender's message.  We would like to remap
that value back to the sender's original mailbox name since that is
what is set up to receive mail for that user.

A diagram may help, or not depending on whether the reader uses fixed
space fonts.

[hidden email]       <--- the original email address

in /etc/postfix/virtual

[hidden email]       oldmailboxname


On the IMAP service host
oldmailboxname                     <--- the original imap mailbox

newmailboxname                     <--- the renamed imap mailbox


in /etc/postfix/virtual

[hidden email]       newmailboxname

When sending from  newmailboxname the Return-Path value is
newmailboxname@harte-lyne.  newmailboxname is deliberately set up so
as to not receive mail.  We want the Return-path value to say
[hidden email] instead, which does receive mail.

I tried this in the outgoing MTA:

sender_canonical_maps = hash:/etc/postfix/canonical

with this in /etc/postfix/canonical:

newmailboxname        oldmailboxname

Rebuilding the hash db and restarting postfix thereafter did not
change the results shown in the Return-Path.  Is there a way to
accomplish this?



--
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:[hidden email]
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
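One reason a canonical entry like the one above may appear to do nothing is the lookup order Postfix uses for canonical tables: the full `user@domain` is tried first, a bare `user` key is only consulted when the address's domain is one of the server's own (`$myorigin`, `$mydestination`), and `@domain` is tried last. The helper below is an added example, not code from this thread or from Postfix; it mimics that lookup order over a plain-text table so a mapping can be reasoned about before rebuilding the hash db. The table contents, the `harte-lyne.example` domain and the `MYORIGIN` value are constructed placeholders.

```shell
#!/bin/sh
# Hypothetical helper (added example, not Postfix code): reproduce the
# canonical(5) lookup order over a plain-text table so a sender_canonical_maps
# entry can be sanity-checked without postmap.  Domains and entries are constructed.

# Constructed table in the same shape as /etc/postfix/canonical on the page.
CANONICAL_TABLE="$(printf '%s\n' \
  'newmailboxname        oldmailboxname' \
  '@harte-lyne.example   bounces@harte-lyne.example' \
  'alice@other.example   alice.smith@other.example')"

# Domains Postfix would treat as its own for the bare-user lookup ($myorigin / $mydestination).
LOCAL_DOMAINS="harte-lyne.example"
MYORIGIN="harte-lyne.example"

# table_lookup KEY: print the mapped value and return 0, or return 1 when absent.
table_lookup() {
  printf '%s\n' "$CANONICAL_TABLE" | awk -v k="$1" '
    $1 == k { print $2; found = 1; exit }
    END { exit found ? 0 : 1 }'
}

# is_local_domain DOMAIN: 0 if DOMAIN is one we own, 1 otherwise.
is_local_domain() {
  for d in $LOCAL_DOMAINS; do
    [ "$d" = "$1" ] && return 0
  done
  return 1
}

# qualify ADDR: Postfix appends $myorigin to a mapping result that lacks a domain.
qualify() {
  case $1 in
    *@*) printf '%s\n' "$1" ;;
    *)   printf '%s@%s\n' "$1" "$MYORIGIN" ;;
  esac
}

# canonical_rewrite ADDR: print the rewritten envelope sender; return 1 if no entry matched.
canonical_rewrite() {
  addr=$1
  case $addr in
    *@*) user=${addr%@*}; domain=${addr#*@} ;;
    *)   user=$addr;      domain=$MYORIGIN ;;
  esac
  # 1. full address
  if r=$(table_lookup "$addr"); then qualify "$r"; return 0; fi
  # 2. bare local part, only when the domain is one of ours
  if is_local_domain "$domain" && r=$(table_lookup "$user"); then qualify "$r"; return 0; fi
  # 3. @domain wildcard
  if r=$(table_lookup "@$domain"); then qualify "$r"; return 0; fi
  # no match: address passes through unchanged
  printf '%s\n' "$addr"
  return 1
}
```

On a live server the same check is `postmap -q newmailboxname hash:/etc/postfix/canonical` (and `postmap -q newmailboxname@yourdomain ...` for the full-address form). Note also that canonical maps rewrite the envelope sender for all mail, but rewrite *header* addresses only for clients matched by `local_header_rewrite_clients`, whose default does not include remote SASL-authenticated submitters; the Return-Path itself is derived from the envelope sender at final delivery.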


Re: remapping return-path ?

Tanstaafl
On 5/19/2016 1:50 PM, James B. Byrne <[hidden email]> wrote:
> We have a situation where some party is harvesting our employees'
> mailbox names and using them for a directed brute force attack against
> our SMTP servers.  In order to dodge this we have undertaken to rename
> user mailboxes.

Trying for the life of me to figure out how or why you think this is a
good way to mitigate such an attack...

Failing miserably.
Re: remapping return-path ?

James B. Byrne

On Fri, May 20, 2016 16:06, Tanstaafl wrote:

> On 5/19/2016 1:50 PM, James B. Byrne <[hidden email]> wrote:
>> We have a situation where some party is harvesting our employees'
>> mailbox names and using them for a directed brute force attack
>> against our SMTP servers.  In order to dodge this we have undertaken
>> to rename user mailboxes.
>
> Trying for the life of me to figure out how or why you think this is a
> good way to mitigate such an attack...
>
> Failing miserably.
>

The issue is moot. I discovered the cause of the return path setting
was the user themselves and had them reconfigure their MUA to remove
that setting.  The mailbox renaming exercise has to do with single
logon.  Our email addresses have had the same form since 1995 and from
that time user logon accounts were used as their mailbox and email
local address as well.

Since this information is already known we are simply moving all of
our user ids to something that does not show up in the email headers
and leaving the email addresses as they are.

It is most disconcerting to see an SASL attack on our relays which
only uses actual userids for our company employees, albeit they have a
lot of defunct userids in that list.  If these names are no longer
anywhere in use as actual user ids then that is at least one attack
avenue that is forestalled.
