From: Victor Duchovni (Victor.Duchovni morganstanley.com)
Date: Thu Dec 30 2010 - 12:44:46 CST
On Thu, Dec 30, 2010 at 12:17:57PM -0600, Michael.Larsen wellsfargo.com wrote:
> > # See what addresses are allowed to relay as senders.
> > # Check them against allowed recipients in recipient_access
> > # under smtpd_restriction_classes.
> > check_sender_access hash:/etc/postfix/sender_access
>
>
> Viktor said:
>
> "This makes you an open relay for forged sender addresses."
>
> Yes, Noel made me aware of that risk when answering the original query; I just don't know what to do about it and maintain the basic functionality of what I'm trying to achieve (see below).
>
Not *a risk*, rather an inevitable, and difficult-to-recover-from, exploit.
DO NOT base relay access on envelope sender address information; it is
trivially forged.
Upthread:
I need a way to implement
"check_sender_access_AND_check_recipient_access"
Your problem is almost certainly best solved by using each of the
multiple restriction lists to check each of the required conditions.
cidr = cidr:${config_directory}/
indexed = ${default_database_type}:${config_directory}/

smtpd_client_restrictions =
    check_client_access ${cidr}allowed-clients,
    check_client_access static:discard

smtpd_sender_restrictions =
    check_sender_access ${indexed}allowed-senders,
    check_client_access static:discard

# The default is likely fine:
smtpd_recipient_restrictions =
    check_recipient_access ${indexed}allowed-recipients,
    check_client_access static:discard,
    #
    # At least one reject by default rule is required in
    # smtpd_recipient_restrictions, defeat the logic by
    # listing permit, then reject. In reality permit = discard.
    #
    permit, reject
With this all mail is discarded unless all the conditions below are met:
- From an allowed SMTP client (IP address CIDR table)
- From an allowed envelope sender (indexed via postmap lookup table)
- To an allowed envelope recipient (indexed via postmap lookup table)
--
Viktor.
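A small model of the two designs, added here as an illustration and not part of Viktor's post or of Postfix itself: it reproduces the cidr_table(5) match and a simplified access(5) lookup order over constructed sample tables, and contrasts the sender-only relay decision (which relays any forged allowed sender from any client) with the three-list AND. Table contents, IP addresses and mail addresses are all constructed for the example.

```python
import ipaddress

# Constructed sample tables (assumptions, not from the post): the CIDR
# client table and the two indexed access tables, with "OK" as the action.
ALLOWED_CLIENTS = {"10.20.30.0/24": "OK", "192.0.2.10/32": "OK"}
ALLOWED_SENDERS = {"reports@example.com": "OK", "partner.example": "OK"}
ALLOWED_RECIPIENTS = {"alerts@example.net": "OK"}


def cidr_lookup(table, ip):
    """cidr_table(5) semantics: the first network containing the client wins."""
    addr = ipaddress.ip_address(ip)
    for net, action in table.items():
        if addr in ipaddress.ip_network(net):
            return action
    return None


def address_lookup(table, address):
    """Simplified access(5) lookup order for an envelope address:
    user@domain, domain, parent domains, then user@ (first hit wins)."""
    local, _, domain = address.partition("@")
    labels = domain.split(".")
    keys = [address, domain]
    keys += [".".join(labels[i:]) for i in range(1, len(labels) - 1)]
    keys.append(local + "@")
    for key in keys:
        if key in table:
            return table[key]
    return None


def sender_only_policy(client_ip, sender, recipient):
    """The design Viktor warns about: relay access decided by the sender
    table alone, so a forged allowed sender relays from anywhere."""
    return "permit" if address_lookup(ALLOWED_SENDERS, sender) == "OK" else "discard"


def three_list_policy(client_ip, sender, recipient):
    """The three-list design: each restriction list checks one condition and
    falls through to check_client_access static:discard, so the client,
    sender and recipient checks must all pass."""
    results = (cidr_lookup(ALLOWED_CLIENTS, client_ip),
               address_lookup(ALLOWED_SENDERS, sender),
               address_lookup(ALLOWED_RECIPIENTS, recipient))
    return "permit" if all(r == "OK" for r in results) else "discard"


if __name__ == "__main__":
    forged = ("198.51.100.7", "reports@example.com", "anyone@example.org")
    print("sender-only:", sender_only_policy(*forged))   # permit (open relay)
    print("three lists:", three_list_policy(*forged))    # discard
```

The real tables are queried with postmap -q against the compiled maps; this model only reproduces the decision logic of the restriction lists.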