OSEC

Re: Avoiding (trivial) spoofed "mail from"

From: Roman Medina-Heigl Hernandez (roman@rs-labs.com)
Date: Tue Dec 02 2008 - 07:53:55 CST


DJ Lucas wrote:
>> Return-Path: <bounces@canonical.com>
>> X-Original-To: roman@rs-labs.com
>> Delivered-To: roman@rs-labs.com
>> ...
>> Received: from gangotri.ubuntu.com (localhost.localdomain [127.0.0.1])
>> by gangotri.ubuntu.com (Postfix) with ESMTP id 0C222318376
>> for <roman@rs-labs.com>; Fri, 28 Jul 2006 04:10:09 +0100 (BST)
>> From: RoMaNSoFt <roman@rs-labs.com>
>>
> Maybe I'm incorrect, but I believe there was a subtle misunderstanding
> in the above conversation. The From: header is not the same as MAIL
> FROM: command in smtp transaction. MAIL FROM for this message was
> bounces@canonical.com. Feel free to find that message in your logs and

Thank you for the correction, you are right: my example is wrong but that
doesn't change the fact we were discussing since Noel and I were always
referring to the "mail from" (i.e. the sender). If some silly ticket system
spoofs the "From" header, there is a good chance that it spoofs the "mail
from" too...

> verify. Anyway, the Postfix directive you are looking for is
> "reject_unauthenticated_sender_login_mismatch".
> http://www.postfix.org/postconf.5.html#reject_unauthenticated_sender_login_mismatch

Yes, I think that's the directive I was looking for.

> That said, cheap web scripts often do use the recipient's address in the
> transaction. Latest complaint I had was from some star rewards thing
> for frequent visits to a restaurant (for which I promptly replied:
> "choose a different restaurant" ;-) ).
>
> Take the following two manual transactions as an example with the smtpd
> sender restriction above (only slightly altered to avoid giving away
> unnecessary info and posting a real address in plain text on the internet):
>
> [dj@name25 ~]# telnet mail.lucasit.com 25
> Trying 192.168.xxx.xxx...
> Connected to mail.lucasit.com.
> Escape character is '^]'.
> 220 postal.lucasit.com ESMTP Postfix
> ehlo somehost.lucasit.com
> 250-postal.lucasit.com
> 250-PIPELINING

Isn't it a good idea to disable pipelining? (Many people recommend it to
reduce spam.)

> 250-SIZE 10240000
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> MAIL FROM: nouser@lucasit.com
> 250 2.1.0 Ok
> RCPT TO: nouser@lucasit.com
> 553 5.7.1 <nouser@lucasit.com>: Sender address rejected: not logged in

Nice. That's what I'd like to set up. Nevertheless, I tried to reproduce it in
a test system, with no luck :-(. It should be trivial, but I cannot find
the error. Could you help me?

My setup is quite simple (using virtual domains and Amavis to "mark"
virus/spam messages):

hsnew:/etc/postfix# postconf -n
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
delay_warning_time = 4
disable_vrfy_command = yes
mail_name = mxhs
mailbox_command = procmail -a "$EXTENSION"
message_size_limit = 28311552
mydestination = $myhostname localhost localhost.$mydomain
myhostname = hsnew.rs-labs.es
mynetworks = 127.0.0.2, 127.0.0.3
myorigin = $myhostname
recipient_delimiter = +
relay_domains = hash:/etc/postfix/listas hash:/etc/postfix/mxbackup
relocated_maps = hash:/etc/postfix/relocated
show_user_unknown_table_name = no
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noplaintext
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_mynetworks, permit_sasl_authenticated, reject_unauthenticated_sender_login_mismatch, check_recipient_access hash:/etc/postfix/recipient_access_non_trusted, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/listas
virtual_alias_maps = hash:/etc/postfix/valias
virtual_mailbox_domains = hash:/etc/postfix/vdomain
virtual_mailbox_maps = hash:/etc/postfix/vuser
virtual_transport = lmtp:unix:/private/cyrus
hsnew:/etc/postfix# cat vuser
roman@rs-labs.es whatever
hsnew:/etc/postfix# cat vdomain
rs-labs.es whatever
hsnew:/etc/postfix#

From another host ("not trusted"), I'm sending a very simple mail:
root@mta-mad:/tmp# cat mail
helo k
mail from:roman@rs-labs.es
rcpt to:roman@rs-labs.es
data
subject: prueba
.
quit
root@mta-mad:/tmp# nc hsnew.rs-labs.es 25 <mail
220 hsnew.rs-labs.es ESMTP Sendmail 8.14.2/8.14.1
250 hsnew.rs-labs.es
250 2.1.0 Ok
250 2.1.5 Ok
354 End data with <CR><LF>.<CR><LF>
250 2.0.0 Ok: queued as 3A4F6982AA
221 2.0.0 Bye
root@mta-mad:/tmp#

My receiving MTA logs the following:

Dec 2 16:34:12 hsnew postfix/smtpd[3697]: connect from 207-150-162-19.static.sagonet.net[207.150.162.19]
Dec 2 16:34:12 hsnew postfix/smtpd[3697]: 3A4F6982AA: client=207-150-162-19.static.sagonet.net[207.150.162.19]
Dec 2 16:34:12 hsnew postfix/cleanup[3702]: 3A4F6982AA: message-id=<20081202153412.3A4F6982AA@hsnew.rs-labs.es>
Dec 2 16:34:12 hsnew postfix/qmgr[3666]: 3A4F6982AA: from=<roman@rs-labs.es>, size=362, nrcpt=1 (queue active)
Dec 2 16:34:12 hsnew postfix/smtpd[3697]: disconnect from 207-150-162-19.static.sagonet.net[207.150.162.19]
Dec 2 16:34:15 hsnew postfix/smtpd[3706]: connect from localhost[127.0.0.1]
Dec 2 16:34:16 hsnew postfix/smtpd[3706]: EAF0A982BB: client=localhost[127.0.0.1]
Dec 2 16:34:16 hsnew postfix/cleanup[3702]: EAF0A982BB: message-id=<20081202153412.3A4F6982AA@hsnew.rs-labs.es>
Dec 2 16:34:16 hsnew postfix/smtpd[3706]: disconnect from localhost[127.0.0.1]
Dec 2 16:34:16 hsnew postfix/qmgr[3666]: EAF0A982BB: from=<roman@rs-labs.es>, size=805, nrcpt=1 (queue active)
Dec 2 16:34:16 hsnew cyrus/master[3708]: about to exec /usr/lib/cyrus/bin/lmtpd
Dec 2 16:34:16 hsnew amavis[3311]: (03311-01) Passed BAD-HEADER, [207.150.162.19] [207.150.162.19] <roman@rs-labs.es> -> <roman@rs-labs.es>, Message-ID: <20081202153412.3A4F6982AA@hsnew.rs-labs.es>, mail_id: NHfrTekZSsR4, Hits: 4.594, queued_as: EAF0A982BB, 3522 ms
Dec 2 16:34:16 hsnew postfix/lmtp[3703]: 3A4F6982AA: to=<roman@rs-labs.es>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.9, delays=0.08/0.03/0.76/3.1, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=03311-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as EAF0A982BB)
Dec 2 16:34:16 hsnew postfix/qmgr[3666]: 3A4F6982AA: removed
Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: executed
Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: accepted connection
Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: lmtp connection preauth'd as postman
Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: duplicate_check: <20081202153412.3A4F6982AA@hsnew.rs-labs.es> rs-labs.es!user.roman 0
Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: duplicate_check: <20081202153412.3A4F6982AA@hsnew.rs-labs.es> rs-labs.es!user.roman 0
Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: mystore: starting txn 2147484444
Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: mystore: committing txn 2147484444
Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: duplicate_mark: <20081202153412.3A4F6982AA@hsnew.rs-labs.es> rs-labs.es!user.roman 1228232056 134537227
Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: Delivered: <20081202153412.3A4F6982AA@hsnew.rs-labs.es> to mailbox: rs-labs.es!user.roman
Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: mystore: starting txn 2147484445
Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: mystore: committing txn 2147484445
Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: duplicate_mark: <20081202153412.3A4F6982AA@hsnew.rs-labs.es> .roman+rs-labs.es.sieve. 1228232056 0
Dec 2 16:34:16 hsnew postfix/lmtp[3707]: EAF0A982BB: to=<roman@rs-labs.es>, relay=hsnew.rs-labs.es[/private/cyrus], delay=0.41, delays=0.12/0.01/0.14/0.13, dsn=2.1.5, status=sent (250 2.1.5 Ok)
Dec 2 16:34:16 hsnew postfix/qmgr[3666]: EAF0A982BB: removed

Why is the mail not being rejected due to
reject_unauthenticated_sender_login_mismatch? I must have a silly bug but I
couldn't find it... :-(

TIA.
-Román