Re: Avoiding (trivial) spoofed "mail from"

From: Roman Medina-Heigl Hernandez (romanrs-labs.com)
Date: Tue Dec 02 2008 - 09:14:07 CST


Roman Medina-Heigl Hernandez wrote:
> DJ Lucas wrote:
>>> Return-Path: <bounces@canonical.com>
>>> X-Original-To: roman@rs-labs.com
>>> Delivered-To: roman@rs-labs.com
>>> ...
>>> Received: from gangotri.ubuntu.com (localhost.localdomain [127.0.0.1])
>>> by gangotri.ubuntu.com (Postfix) with ESMTP id 0C222318376
>>> for <roman@rs-labs.com>; Fri, 28 Jul 2006 04:10:09 +0100 (BST)
>>> From: RoMaNSoFt <roman@rs-labs.com>
>>>
>> Maybe I'm incorrect, but I believe there was a subtle misunderstanding
>> in the above conversation. The From: header is not the same as MAIL
>> FROM: command in smtp transaction. MAIL FROM for this message was
>> bounces@canonical.com. Feel free to find that message in your logs and
>
> Thank you for the correction, you are right: my example is wrong but that
> doesn't change the fact we were discussing since Noel and I were always
> referring to the "mail from" (i.e. the sender). If some silly ticket system
> spoofs the "From" header, there is a good chance that it spoofs the "mail
> from" too...
>
>> verify. Anyway, the Postfix directive you are looking for is
>> "reject_unauthenticated_sender_login_mismatch".
>> http://www.postfix.org/postconf.5.html#reject_unauthenticated_sender_login_mismatch
>
> Yes, I think that's the directive I was looking for.
>
>> That said, cheap web scripts often do use the recipient's address in the
>> transaction. Latest complaint I had was from some star rewards thing
>> for frequent visits to a restaurant (for which I promptly replied:
>> "choose a different restaurant" ;-) ).
>>
>> Take the following two manual transactions as an example with the smtpd
>> sender restriction above (only slightly altered to avoid giving away
>> unnecessary info and posting a real address in plain text on the internet):
>>
>> [djname25 ~]# telnet mail.lucasit.com 25
>> Trying 192.168.xxx.xxx...
>> Connected to mail.lucasit.com.
>> Escape character is '^]'.
>> 220 postal.lucasit.com ESMTP Postfix
>> ehlo somehost.lucasit.com
>> 250-postal.lucasit.com
>> 250-PIPELINING
>
> Isn't it a good idea to disable pipelining? (Many people recommend it to
> reduce spam.)
>
>> 250-SIZE 10240000
>> 250-VRFY
>> 250-ETRN
>> 250-STARTTLS
>> 250-ENHANCEDSTATUSCODES
>> 250-8BITMIME
>> 250 DSN
>> MAIL FROM: nouser@lucasit.com
>> 250 2.1.0 Ok
>> RCPT TO: nouser@lucasit.com
>> 553 5.7.1 <nouser@lucasit.com>: Sender address rejected: not logged in
>
> Nice. That's what I'd like to set-up. Nevertheless, I tried to reproduce in
> a test system, with no luck :-(. It should be trivial, but I cannot find
> the error. Could you help me?
>
> My setup is quite simple (using virtual domains and Amavis to "mark"
> virus/spam messages):
>
> hsnew:/etc/postfix# postconf -n
> alias_maps = hash:/etc/aliases
> append_dot_mydomain = no
> biff = no
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> config_directory = /etc/postfix
> content_filter = amavisfeed:[127.0.0.1]:10024
> daemon_directory = /usr/lib/postfix
> delay_warning_time = 4
> disable_vrfy_command = yes
> mail_name = mxhs
> mailbox_command = procmail -a "$EXTENSION"
> message_size_limit = 28311552
> mydestination = $myhostname localhost localhost.$mydomain
> myhostname = hsnew.rs-labs.es
> mynetworks = 127.0.0.2, 127.0.0.3
> myorigin = $myhostname
> recipient_delimiter = +
> relay_domains = hash:/etc/postfix/listas hash:/etc/postfix/mxbackup
> relocated_maps = hash:/etc/postfix/relocated
> show_user_unknown_table_name = no
> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_sasl_security_options = noplaintext
> smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
> smtpd_recipient_restrictions = reject_non_fqdn_recipient,
> permit_mynetworks, permit_sasl_authenticated,
> reject_unauthenticated_sender_login_mismatch, check_recipient_access
> hash:/etc/postfix/recipient_access_non_trusted, reject_unauth_destination
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_path = smtpd
> smtpd_sasl_security_options = noanonymous
> smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
> smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
> smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
> smtpd_use_tls = yes
> transport_maps = hash:/etc/postfix/listas
> virtual_alias_maps = hash:/etc/postfix/valias
> virtual_mailbox_domains = hash:/etc/postfix/vdomain
> virtual_mailbox_maps = hash:/etc/postfix/vuser
> virtual_transport = lmtp:unix:/private/cyrus
> hsnew:/etc/postfix# cat vuser
> roman@rs-labs.es whatever
> hsnew:/etc/postfix# cat vdomain
> rs-labs.es whatever
> hsnew:/etc/postfix#
>
>
> From another host ("not trusted"), I'm sending a very simple mail:
> root@mta-mad:/tmp# cat mail
> helo k
> mail from:roman@rs-labs.es
> rcpt to:roman@rs-labs.es
> data
> subject: prueba
> .
> quit
> root@mta-mad:/tmp# nc hsnew.rs-labs.es 25 <mail
> 220 hsnew.rs-labs.es ESMTP Sendmail 8.14.2/8.14.1
> 250 hsnew.rs-labs.es
> 250 2.1.0 Ok
> 250 2.1.5 Ok
> 354 End data with <CR><LF>.<CR><LF>
> 250 2.0.0 Ok: queued as 3A4F6982AA
> 221 2.0.0 Bye
> root@mta-mad:/tmp#
>
>
> My receiving MTA logs the following:
>
> Dec 2 16:34:12 hsnew postfix/smtpd[3697]: connect from 207-150-162-19.static.sagonet.net[207.150.162.19]
> Dec 2 16:34:12 hsnew postfix/smtpd[3697]: 3A4F6982AA: client=207-150-162-19.static.sagonet.net[207.150.162.19]
> Dec 2 16:34:12 hsnew postfix/cleanup[3702]: 3A4F6982AA: message-id=<20081202153412.3A4F6982AA@hsnew.rs-labs.es>
> Dec 2 16:34:12 hsnew postfix/qmgr[3666]: 3A4F6982AA: from=<roman@rs-labs.es>, size=362, nrcpt=1 (queue active)
> Dec 2 16:34:12 hsnew postfix/smtpd[3697]: disconnect from 207-150-162-19.static.sagonet.net[207.150.162.19]
> Dec 2 16:34:15 hsnew postfix/smtpd[3706]: connect from localhost[127.0.0.1]
> Dec 2 16:34:16 hsnew postfix/smtpd[3706]: EAF0A982BB: client=localhost[127.0.0.1]
> Dec 2 16:34:16 hsnew postfix/cleanup[3702]: EAF0A982BB: message-id=<20081202153412.3A4F6982AA@hsnew.rs-labs.es>
> Dec 2 16:34:16 hsnew postfix/smtpd[3706]: disconnect from localhost[127.0.0.1]
> Dec 2 16:34:16 hsnew postfix/qmgr[3666]: EAF0A982BB: from=<roman@rs-labs.es>, size=805, nrcpt=1 (queue active)
> Dec 2 16:34:16 hsnew cyrus/master[3708]: about to exec /usr/lib/cyrus/bin/lmtpd
> Dec 2 16:34:16 hsnew amavis[3311]: (03311-01) Passed BAD-HEADER, [207.150.162.19] [207.150.162.19] <roman@rs-labs.es> -> <roman@rs-labs.es>, Message-ID: <20081202153412.3A4F6982AA@hsnew.rs-labs.es>, mail_id: NHfrTekZSsR4, Hits: 4.594, queued_as: EAF0A982BB, 3522 ms
> Dec 2 16:34:16 hsnew postfix/lmtp[3703]: 3A4F6982AA: to=<roman@rs-labs.es>, relay=127.0.0.1[127.0.0.1]:10024, delay=3.9, delays=0.08/0.03/0.76/3.1, dsn=2.6.0, status=sent (250 2.6.0 Ok, id=03311-01, from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as EAF0A982BB)
> Dec 2 16:34:16 hsnew postfix/qmgr[3666]: 3A4F6982AA: removed
> Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: executed
> Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: accepted connection
> Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: lmtp connection preauth'd as postman
> Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: duplicate_check: <20081202153412.3A4F6982AA@hsnew.rs-labs.es> rs-labs.es!user.roman 0
> Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: duplicate_check: <20081202153412.3A4F6982AA@hsnew.rs-labs.es> rs-labs.es!user.roman 0
> Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: mystore: starting txn 2147484444
> Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: mystore: committing txn 2147484444
> Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: duplicate_mark: <20081202153412.3A4F6982AA@hsnew.rs-labs.es> rs-labs.es!user.roman 1228232056 134537227
> Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: Delivered: <20081202153412.3A4F6982AA@hsnew.rs-labs.es> to mailbox: rs-labs.es!user.roman
> Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: mystore: starting txn 2147484445
> Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: mystore: committing txn 2147484445
> Dec 2 16:34:16 hsnew cyrus/lmtpunix[3708]: duplicate_mark: <20081202153412.3A4F6982AA@hsnew.rs-labs.es> .roman+rs-labs.es.sieve. 1228232056 0
> Dec 2 16:34:16 hsnew postfix/lmtp[3707]: EAF0A982BB: to=<roman@rs-labs.es>, relay=hsnew.rs-labs.es[/private/cyrus], delay=0.41, delays=0.12/0.01/0.14/0.13, dsn=2.1.5, status=sent (250 2.1.5 Ok)
> Dec 2 16:34:16 hsnew postfix/qmgr[3666]: EAF0A982BB: removed
>
> Why is the mail not being rejected due to
> reject_unauthenticated_sender_login_mismatch? I must have a silly bug but I
> couldn't find it... :-(

I managed to solve it by:
smtpd_sender_login_maps = $virtual_mailbox_maps

But it seems tricky, since you have to explicitly define a login map... I
think (please, correct me if I'm wrong) the point is: "if you don't define
$smtpd_sender_login_maps, Postfix doesn't know where a 'login mismatch'
could exist". Yes, it's true, but:
- wouldn't it be clever to assume the SASL login should be equal to the sender,
if not explicitly defined otherwise? (so no login map is necessary, except
when login users are different from senders).
- SASL works OK without defining $smtpd_sender_login_maps, so you can
perfectly differentiate "authenticated_sender" vs "unauthenticated_sender"
without having any map. Why is it necessary to define
$smtpd_sender_login_maps? It's confusing...

Finally, if you have to define $smtpd_sender_login_maps, it would be
equivalent to using my formerly proposed method, with check_sender_access (see
my first post on this thread and the second one by Noel), in the sense that
you have to create an extra db file, and even worse than my first solution,
since the first one seems more restrictive (it could reject
non_valid@rs-labs.es -> valid_user@rs-labs.es, while the second one can only
reject valid@rs-labs.es -> valid@rs-labs.es, because only valid users are
included in $virtual_mailbox_maps).

I'd like to hear from you...

Cheers,
-Román
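The behaviour argued about in this message, as an added illustration that is not Postfix's code and was not posted by anyone in the thread: a small Python model of how smtpd walks a restriction list, with `reject_unauthenticated_sender_login_mismatch` and `check_sender_access` implemented according to their postconf(5) descriptions. It assumes a login map in which each valid mailbox address owns itself (the post's `$virtual_mailbox_maps` actually yields a mailbox path, which still satisfies the unauthenticated variant, since that variant only needs *some* owner to exist), a simplified access(5) key order without parent-domain matching, and constructed sample sessions (the untrusted client IP and the `vuser` entry are taken from the log excerpt). The three scenarios reproduce the three outcomes discussed: no map means nothing is ever rejected; a map built from valid users rejects only spoofed valid addresses; a domain-wide `check_sender_access` entry placed after `permit_sasl_authenticated` rejects any unauthenticated use of the domain.

```python
"""Model of Postfix smtpd restriction evaluation for the sender checks in the
thread.  Added example, not Postfix code: restriction semantics follow
postconf(5) as understood here; sessions and tables are constructed samples."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

@dataclass
class Session:
    """What smtpd knows at RCPT TO time for one client (constructed sample)."""
    client_ip: str
    mail_from: str
    sasl_username: Optional[str] = None  # None: client never authenticated

@dataclass
class Config:
    mynetworks: Set[str] = field(default_factory=set)
    # smtpd_sender_login_maps: MAIL FROM address -> SASL logins owning it
    sender_login_maps: Dict[str, Set[str]] = field(default_factory=dict)
    # check_sender_access table: access(5) key -> action (OK, DUNNO, REJECT ...)
    sender_access: Dict[str, str] = field(default_factory=dict)

Restriction = Callable[[Config, Session], str]  # returns PERMIT, DUNNO or "REJECT ..."

def access_lookup(table: Dict[str, str], addr: str) -> Optional[str]:
    """access(5) key order, simplified: full address, then domain, then localpart@
    (parent-domain matching is left out of this model)."""
    local, _, domain = addr.lower().partition("@")
    for key in (addr.lower(), domain, local + "@"):
        if key in table:
            return table[key]
    return None

def permit_mynetworks(cfg: Config, s: Session) -> str:
    return "PERMIT" if s.client_ip in cfg.mynetworks else "DUNNO"

def permit_sasl_authenticated(cfg: Config, s: Session) -> str:
    return "PERMIT" if s.sasl_username is not None else "DUNNO"

def reject_unauthenticated_sender_login_mismatch(cfg: Config, s: Session) -> str:
    # Fires only when the login map names an owner for MAIL FROM and the client
    # is not logged in.  With no map there is never an owner, so the restriction
    # silently matches nothing: the puzzle in the post above.
    owners = cfg.sender_login_maps.get(s.mail_from.lower())
    if owners and s.sasl_username is None:
        return "REJECT 553 5.7.1 Sender address rejected: not logged in"
    return "DUNNO"

def check_sender_access(cfg: Config, s: Session) -> str:
    action = access_lookup(cfg.sender_access, s.mail_from)
    if action is None or action.upper() == "DUNNO":
        return "DUNNO"
    if action.upper() == "OK":
        return "PERMIT"
    return "REJECT " + action

def evaluate(cfg: Config, restrictions: List[Restriction], s: Session) -> str:
    """First restriction answering PERMIT or REJECT decides; an exhausted list permits."""
    for restriction in restrictions:
        verdict = restriction(cfg, s)
        if verdict != "DUNNO":
            return verdict
    return "PERMIT"

# Constructed stand-ins for the thread's vuser table and the untrusted client.
VALID_USERS = {"roman@rs-labs.es"}
OUTSIDE_IP = "207.150.162.19"
MYNETWORKS = {"127.0.0.2", "127.0.0.3"}
SESSIONS = {
    "unauth_valid": Session(OUTSIDE_IP, "roman@rs-labs.es"),
    "unauth_invalid": Session(OUTSIDE_IP, "non_valid@rs-labs.es"),
    "auth_valid": Session(OUTSIDE_IP, "roman@rs-labs.es", sasl_username="roman@rs-labs.es"),
}
LOGIN_MISMATCH_LIST = [permit_mynetworks, permit_sasl_authenticated,
                       reject_unauthenticated_sender_login_mismatch]

def run(cfg: Config, restrictions: List[Restriction]) -> Dict[str, str]:
    """Map each sample session to PERMIT or REJECT."""
    return {name: evaluate(cfg, restrictions, s).split()[0] for name, s in SESSIONS.items()}

def scenario_no_login_map() -> Dict[str, str]:
    """The original setup: restriction present, smtpd_sender_login_maps unset."""
    return run(Config(mynetworks=MYNETWORKS), LOGIN_MISMATCH_LIST)

def scenario_login_map_from_vuser() -> Dict[str, str]:
    """The fix from the post: every valid mailbox address owns itself."""
    cfg = Config(mynetworks=MYNETWORKS, sender_login_maps={u: {u} for u in VALID_USERS})
    return run(cfg, LOGIN_MISMATCH_LIST)

def scenario_check_sender_access() -> Dict[str, str]:
    """The earlier proposal: reject the whole local domain unless SASL permitted first."""
    cfg = Config(mynetworks=MYNETWORKS,
                 sender_access={"rs-labs.es": "REJECT Authenticate to send as this domain"})
    return run(cfg, [permit_mynetworks, permit_sasl_authenticated, check_sender_access])

if __name__ == "__main__":
    for scenario in (scenario_no_login_map, scenario_login_map_from_vuser,
                     scenario_check_sender_access):
        print(scenario.__name__, scenario())
```

Running the script prints one verdict map per scenario. The check_sender_access variant is the more restrictive of the two exactly as the message argues: it rejects `non_valid@rs-labs.es` as well, because the access table keys on the domain rather than on the list of existing mailboxes, while the login-map variant can only object to addresses that appear in the map.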