smtp relay server security

smtp relay server security

JDN

Hello

How can we secure our postfix smtp relay server?

For the moment we have a rule that only allows mail from the exchange server address to postfix (relay server), but when somebody spoofs this address mail gets accepted and you can send your mail to anybody as anybody.

When I check:

[administrator@eqx-mailman02 ~]$ sudo postconf -a
[sudo] wachtwoord voor administrator:
cyrus
dovecot

So I know I can use these but we are not used to working with this.

Can we set up another way of authentication?

I would not like to set up users/mailboxes on the relay server, all our users are on the exchange server (AD), and postfix is our simple relay server we would like to secure.

Thanks in advance

************************************************************
Any reaction to this e-mail or any other mail, including any
files transmitted therewith to sender's e-mail address(es)
shall be dealt with not as private, but as business
communication(s) and shall be registered as such.
************************************************************


Re: smtp relay server security

Matus UHLAR - fantomas
On 03.06.19 13:02, De Petter Mattheas wrote:
>How can we secure our postfix smtp relay server?

complicated question...

>For the moment we have a rule that only allows mail from the exchange server
> address to postfix (relay server),

show us.

>but when somebody spoofs this address mail gets accepted and you can send your mail to anybody as anybody.

your rule apparently has a logical error.

>So I know I can use these but we are not used to working with this.
>
>Can we set up another way of authentication?

it's hard to answer without knowing the real problem.
You apparently don't require authentication and what you require is not what
you want to achieve.

>I would not like to set up users/mailboxes on the relay server, all our
> users are on the exchange server (AD), and postfix is our simple relay
> server we would like to secure.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
We are but packets in the Internet of life (userfriendly.org)

RE: smtp relay server security

JDN
Hello

Answers are after the #

On 03.06.19 13:02, De Petter Mattheas wrote:
>How can we secure our postfix smtp relay server?

complicated question...

>For the moment we have a rule that only allows mail from the exchange server
>address to postfix (relay server),

show us.

# mynetworks = xxx.xxx.xxx.xxx/32, 127.0.0.1/32
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination

>but when somebody spoofs this address mail gets accepted and you can send your mail to anybody as anybody.

your rule apparently has a logical error.
# thing is it is secure because postfix accepts only mail from the exchange server, but when you get access to the exchange server, or spoof the ip address of the exchange server you can send mails. How can I block this?

>So I know I can use these but we are not used to working with this.
>
>Can we set up another way of authentication?

it's hard to answer without knowing the real problem.
You apparently don't require authentication and what you require is not what you want to achieve.

# see answer above

>I would not like to set up users/mailboxes on the relay server, all our
>users are on the exchange server (AD), and postfix is our simple relay
>server we would like to secure.

#so I can't set up any security when we do not create mailboxes on the relay server?
Can't the authentication take place with the user accounts of the OS?




Re: smtp relay server security

Matus UHLAR - fantomas
On 03.06.19 14:19, De Petter Mattheas wrote:
>Answers are after the #

indenting the original answer usually gives a much more readable result.
outlook does support indenting...

>On 03.06.19 13:02, De Petter Mattheas wrote:
>>How can we secure our postfix smtp relay server?
>
>complicated question...
>
>>For the moment we have a rule that only allows mail from the exchange server
>>address to postfix (relay server),
>
>show us.
>
># mynetworks = xxx.xxx.xxx.xxx/32, 127.0.0.1/32
>smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination

this should be fine

>>but when somebody spoofs this address mail gets accepted and you can send your mail to anybody as anybody.
>
>your rule apparently has a logical error.

># thing is it is secure because postfix accepts only mail from the exchange
># server, but when you get access to the exchange server, or spoof the ip
># address of the exchange server you can send mails.  How can I block this?

if either your postfix or your exchange server is in a network where spoofing
can happen, move them away.

>>So I know I can use these but we are not used to working with this.
>>
>>Can we set up another way of authentication?
>
>it's hard to answer without knowing the real problem.
>You apparently don't require authentication and what you require is not what you want to achieve.
>
># see answer above
>
>>I would not like to set up users/mailboxes on the relay server, all our
>>users are on the exchange server (AD), and postfix is our simple relay
>>server we would like to secure.

>#so I can't set up any security when we do not create mailboxes on the relay server?
>Can't the authentication take place with the user accounts of the OS?

it can, and usually does. But you said you don't want to set up mailboxes on
the relay server.
In fact you can set up one account and use it for relaying mail through
postfix.

but the option I gave you above is better. If someone can fake your
mailserver's address, you should move it elsewhere.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I'm not interested in your website anymore.
If you need cookies, bake them yourself.

RE: smtp relay server security

JDN
They are in the same network, only admins can access the network, the users are in another vlan and can't ssh or rdp to the server. But I just want to make sure everything is secure and covered.

That is the reason for the question.

I thought authentication was possible without creating mailboxes on the server.


Thanks for your advice.





Re: smtp relay server security

Jon Radel
In reply to this post by Matus UHLAR - fantomas
On 6/3/19 10:31 AM, Matus UHLAR - fantomas wrote:

>>> For the moment we have a rule that only allows mail from the exchange server
>>> address to postfix (relay server),
>>
>> show us.
>>
>> # mynetworks = xxx.xxx.xxx.xxx/32, 127.0.0.1/32
>> smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
>
> this should be fine
>
>> # thing is it is secure because postfix accepts only mail from the exchange
>> # server, but when you get access to the exchange server, or spoof the ip
>> # address of the exchange server you can send mails.  How can I block this?
>
> if either your postfix or your exchange server is in a network where spoofing
> can happen, move them away.
>
>>> So I know I can use these but we are not used to working with this.
>>>
>>> Can we set up another way of authentication?
>>

While I agree entirely with Matus that if untrusted people can access
your Exchange server, or steal its IP address on your network, you have
larger issues that postfix will not be fixing, I will point out that you
could improve things a bit with careful use of TLS.  See
http://www.postfix.org/TLS_README.html#server_vrfy_client for details.
You should be able to configure things to allow access only from the
Exchange server and the certificate you configure on it.  That is until
those untrusted people rummage around and steal the cert off of the
Exchange server.



--Jon Radel


Re: smtp relay server security

Viktor Dukhovni
In reply to this post by JDN


> On Jun 3, 2019, at 9:02 AM, De Petter Mattheas <[hidden email]> wrote:
>
> For the moment we have a rule that only allows mail from the exchange server address to postfix (relay server), but when somebody spoofs this address mail gets accepted and you can send your mail to anybody as anybody.
>  
> When I check:
> [administrator@eqx-mailman02 ~]$ sudo postconf -a
> [sudo] wachtwoord voor administrator:
> cyrus
> dovecot

You can configure SASL authentication on both ends (client on Exchange, server on Postfix)
and require SASL authentication for relaying:

        http://www.postfix.org/SASL_README.html

or you can require a TLS client certificate:

        http://www.postfix.org/postconf.5.html#check_ccert_access
        http://www.postfix.org/postconf.5.html#relay_clientcerts

--
        Viktor.
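
The two options from the reply above (SASL, or the TLS client certificate that Jon Radel's reply also points to), written out as a Postfix main.cf fragment beside the IP-only rule from the thread. This is an added example, not configuration posted by anyone in the thread; it assumes Postfix 2.10 or later and an SMTP listener used only by the Exchange server, and the file paths and table name are placeholders.

```ini
# /etc/postfix/main.cf (added example; Postfix 2.10 or later assumed)

# Rule from the thread: relaying is granted on the source IP address alone.
#   mynetworks = xxx.xxx.xxx.xxx/32, 127.0.0.1/32
#   smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination

# Common to both options: trust only the local host by address and
# require STARTTLS, so credentials never cross the wire in the clear.
# Certificate and key paths are placeholders.
mynetworks = 127.0.0.1/32
smtpd_tls_security_level = encrypt
smtpd_tls_cert_file = /etc/postfix/tls/relay-cert.pem
smtpd_tls_key_file = /etc/postfix/tls/relay-key.pem
# Left empty so the old IP-only rule cannot reject authenticated clients;
# the relay decision now lives in smtpd_relay_restrictions.
smtpd_recipient_restrictions =

# Option A: SASL through Dovecot (listed by "postconf -a" in the thread).
# Dovecot only has to serve its auth socket under the Postfix queue
# directory and hold one relay account; no mailboxes are involved.
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = yes
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# Option B: TLS client certificate instead of a password. Uncomment
# these lines and drop the Option A block. The table (placeholder path)
# maps the Exchange certificate's fingerprint to any value; build it
# with postmap.
#smtpd_tls_ask_ccert = yes
#smtpd_tls_fingerprint_digest = sha256
#relay_clientcerts = hash:/etc/postfix/relay_clientcerts
#smtpd_relay_restrictions =
#    permit_mynetworks,
#    permit_tls_clientcerts,
#    reject_unauth_destination
```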


RE: smtp relay server security

JDN
Thx for the response


I have set up sasl auth by dovecot

