Hello,

On Fri, 9 Jun 2023 at 02:40, Richard Troy via Postfix-users <
postfix-users@postfix.org> wrote:

>
> Given all the work I did on Postfix to stop relaying from unauthorized
> parties, and how after a mountain of work the "open-mail-relaying" was
> only coming from a couple of spammers in Russia, it's my view they somehow
> cracked things, even though we changed 100% of ALL user passwords to VERY,
> and I mean completely impractical to crack values (30 chars plus). And so
> I want to blame Dovecot for letting through the relaying. They say no,
> it's Postfix!
>

What exactly happens? Do unauthenticated users send spam through your
server? Or do the spammers somehow log in with a valid SASL
username/password? If the second, it's not the fault of postfix nor
dovecot. We run a postfix server for our clients and at least once a month
we get spam through "hacked" email accounts. And even if the customer
changes the password, the spam continues, because guess what - they have a
virus on their Windows machine which reads the saved password directly from
Outlook or other email clients. So you can keep changing the password
forever...


> A new feature that would make a HUGE difference to sites like mine: Give
> me a white-list of the ONLY accounts (usernames) that can relay; NOTHING
> ELSE can relay. ... THAT would do it! But no! Neither in Postfix nor
> Dovecot is there such a thing! ...Such a thing CANNOT be that hard to
> implement and obviously useful to many; is there a good reason NOT to do
> this? Or am I wrong and it HAS been done?
>

It is possible to limit accepted email to have the same envelope sender as
the SASL username directly in postfix. Using milters, you can also limit
other headers before accepting that email.



> Combine that with a greylist type function (similar to the postgrey
> package I have installed now) where the usual IP addresses for particular
> relay users were let through, and new ones delayed, THAT would be awesome,
> too! And this isn't even all that hard to do - I could do it if I didn't
> already have a thousand obligations in life!
>

We have policyd, which limits the number of emails per SASL username per
hour and per day. Excessive emails go into the postfix HOLD queue and are
inspected manually before releasing them. That limits the spam to
reasonable numbers to prevent our IP from being blacklisted immediately.

Also, I have a script which does a GEO-IP lookup on all SASL logins from the
postfix logs. If a user logs in from more than 3 countries in 24 hours, I
get an alert + the user is put into a bucket where the limit is 1 email per
hour.


> As a small digression on some of the above: I think I don't know enough
> about how Postfix's use of port 587 is properly secured - the "submission
> port". OK, STARTTLS we're told, but is it Postfix or Dovecot doing the
> authentication? Does Postfix EVER read a password file? I think it does
> not, and so I say it has to be Dovecot, but some clearing up of that would
> be nice... And, now that I think of it could this be a way to prove which
> is guilty of letting the spammers in?
>

You must know which authentication provider you are using for your SASL
logins in postfix. It can be Dovecot, but can also be something else.



-- 
  bye, Marki
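The "more than 3 countries in 24 hours" check Marki describes, written out as an added example (not Marki's script and not part of this thread): it parses Postfix smtpd SASL-login log lines and flags any username seen from more than a configurable number of countries inside a sliding 24-hour window. The log lines, the year (syslog lines carry none), and the IP-to-country table are all constructed stand-ins; a real deployment would replace `lookup_country` with a GeoIP database query.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the Postfix smtpd line that records a successful SASL login, e.g.
# "... postfix/smtpd[2210]: 4A1B2C3D4E: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.com"
SASL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=\S+\[(?P<ip>[0-9a-fA-F.:]+)\].*sasl_username=(?P<user>\S+)"
)

# Constructed stand-in for a GeoIP database (documentation-range addresses only).
GEOIP = {"203.0.113.5": "DE", "203.0.113.77": "DE", "198.51.100.7": "BR",
         "198.51.100.200": "US", "192.0.2.9": "RU", "192.0.2.10": "RU"}

def lookup_country(ip):
    return GEOIP.get(ip, "??")  # unknown addresses count as their own "country"

def parse_logins(lines, year=2023):
    """Yield (timestamp, username, country) for every SASL login line; other lines are skipped."""
    for line in lines:
        m = SASL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], lookup_country(m["ip"])

def flag_roaming_users(lines, max_countries=3, window=timedelta(hours=24)):
    """Return {username: sorted countries} for users that logged in from more than
    max_countries distinct countries within any single window of the given length."""
    logins = defaultdict(list)
    for ts, user, cc in parse_logins(lines):
        logins[user].append((ts, cc))
    flagged = {}
    for user, events in logins.items():
        events.sort()
        for i, (start, _) in enumerate(events):       # slide the window over each login
            seen = {cc for ts, cc in events[i:] if ts - start <= window}
            if len(seen) > max_countries:
                flagged[user] = sorted(seen)
                break
    return flagged

# Constructed sample log: alice appears from four countries in one day, bob from two.
SAMPLE_LOG = """\
Jun  9 01:10:02 mail postfix/smtpd[2210]: 4A1B2C3D4E: client=unknown[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@example.com
Jun  9 01:10:05 mail postfix/smtpd[2210]: disconnect from unknown[203.0.113.5] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Jun  9 06:42:11 mail postfix/smtpd[2315]: 5B2C3D4E5F: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=alice@example.com
Jun  9 08:00:00 mail postfix/smtpd[2330]: 8E5F6A7B8C: client=unknown[203.0.113.77], sasl_method=PLAIN, sasl_username=bob@example.com
Jun  9 09:30:00 mail postfix/smtpd[2350]: 9F6A7B8C9D: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=bob@example.com
Jun  9 13:03:45 mail postfix/smtpd[2401]: 6C3D4E5F6A: client=unknown[192.0.2.9], sasl_method=PLAIN, sasl_username=alice@example.com
Jun  9 20:15:00 mail postfix/smtpd[2499]: 7D4E5F6A7B: client=unknown[198.51.100.200], sasl_method=PLAIN, sasl_username=alice@example.com
""".splitlines()

if __name__ == "__main__":
    print(flag_roaming_users(SAMPLE_LOG))  # {'alice@example.com': ['BR', 'DE', 'RU', 'US']}
```

Flagged users are the ones to alert on and throttle, as the thread suggests; the per-country threshold and the window are parameters so the same scan can be tightened for high-value accounts.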
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org