On Tue, 22 Jan 2019 at 06:22, Stephen McHenry <stephen.mche...@gmail.com>
wrote:

> I've been running Postfix for many years now (so thanks to Wietse and all
> the others who have put in hard work to make it such a great mail system)
> and recently I built a new mail server and copied most of the config files
> from the old one.
>
> After a couple of months, I began to notice that it appeared to be getting
> used (infrequently) as an open relay, despite my attempts to lock it down
> so that couldn't happen. Then, the problem got worse. The one pattern I
> noticed was that all the messages had forged senders that were from my
> domain (e.g., bogussen...@mydomain.com).
>
> I've pored through the documentation, and a couple of times thought I
> found the answer, only to make a change and have it not work. My band-aid
> (while researching the real solution) has been to firewall off access from
> IP address ranges that were the sources of the email. But to be clear,
> that's only a band-aid until a real solution is in place.
>
> The two config parameters that seem most relevant to the problem are
> listed below:
> (from postconf -n)
>
> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated, permit_auth_destination, reject_non_fqdn_sender,
> reject_non_fqdn_recipient, reject_unknown_sender_domain,
> reject_unknown_recipient_domain, reject_unauth_destination,
> reject_unlisted_recipient, reject_unauth_destination check_recipient_access
> regexp:/etc/postfix/recipient_checks.regexp, check_recipient_access
> hash:/etc/postfix/recipient_checks, reject_unauth_pipelining,
> reject_invalid_hostname, reject_non_fqdn_hostname, reject_rbl_client
> domain-name, permit
>
>
> (and from postconf -d)
>
> smtpd_relay_restrictions = permit_mynetworks,
> permit_sasl_authenticated, defer_unauth_destination
>
> What's really confounding me is that it seems to be (properly) rejecting
> all relay email except those that have mydomain.com in their from
> address. Adding to that confusion is that this same set of config
> parameters used to work fine on the old system, so I've also been looking
> at relevant defaults that changed. Unfortunately, I'm coming up dry at this
> point.
>
> Any help or pointers would be greatly appreciated.
>

I think you are just lucky that this didn't happen till now. Note that
postconf -d just shows the defaults, not what you are using.

My approach (a typical one I think) is to block all emails with envelope
sender @mydomain.com unless the client has authenticated via port 465 or
587:

master.cf:
#note - smtps is port 465
465       inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=$smtpd_recipient_restrictions_authenticated
#submission=port 587
587        inet  n       -       y       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=$smtpd_recipient_restrictions_authenticated

main.cf:
...
# for authenticated senders only
smtpd_recipient_restrictions_authenticated =
    # make the implicit permit explicit
    permit
# for all others
smtpd_recipient_restrictions =
    ...
    check_sender_access hash:/etc/postfix/sender_access
    ...
...

sender_access:
...
mydomain.com REJECT privileged domain without authentication
...

Note: this stops fake envelope sender using domain.com, but does not stop
fake 'From:' header using domain.com; for the latter I use DMARC. I also
use header_checks to detect fakes such as From: domi...@mydomain.com <
fakesen...@fakedomain.com>.
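Added example, not part of the thread: once the sender_access REJECT above is in place, the forged-sender attempts show up in the mail log as "NOQUEUE: reject" lines from the plain smtpd service, while real users appear as SASL-authenticated sessions on the submission/smtps services. This Python script tallies both from constructed sample lines (the domain, IPs and usernames are assumed placeholders) so you can confirm the rule is firing and see which clients keep trying.

```python
import re
from collections import Counter

OWN_DOMAIN = "mydomain.com"  # assumed placeholder; substitute your own domain

# Constructed sample lines (not from the thread); they follow the shape of Postfix's
# "NOQUEUE: reject:" logging and of the client= line on a SASL-authenticated session.
SAMPLE_LOG = """\
Jan 22 06:22:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <bogus@mydomain.com>: Sender address rejected: privileged domain without authentication; from=<bogus@mydomain.com> to=<victim@example.net> proto=ESMTP helo=<mail.example.org>
Jan 22 06:22:05 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 <bogus@mydomain.com>: Sender address rejected: privileged domain without authentication; from=<bogus@mydomain.com> to=<other@example.net> proto=ESMTP helo=<mail.example.org>
Jan 22 06:23:11 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <someone@mydomain.com>: Sender address rejected: privileged domain without authentication; from=<someone@mydomain.com> to=<user@mydomain.com> proto=ESMTP helo=<smtp.example.com>
Jan 22 06:23:40 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.1.8 <x@nonexistent.invalid>: Sender address rejected: Domain not found; from=<x@nonexistent.invalid> to=<user@mydomain.com> proto=ESMTP helo=<smtp.example.com>
Jan 22 06:24:30 mx postfix/submission/smtpd[2103]: 3F2A1C0B: client=laptop.example.net[203.0.113.5], sasl_method=PLAIN, sasl_username=alice@mydomain.com
"""

REJECT_RE = re.compile(
    r"postfix/(?P<service>[\w/]+)\[\d+\]: NOQUEUE: reject: RCPT from "
    r"[^\[]*\[(?P<ip>[^\]]+)\]: .*?; from=<(?P<sender>[^>]*)>"
)
AUTH_RE = re.compile(
    r"postfix/(?P<service>[\w/]+)\[\d+\]: \w+: client=[^\[]*\[(?P<ip>[^\]]+)\], "
    r"sasl_method=\S+, sasl_username=(?P<user>\S+)"
)

def forged_sender_rejects(log_text, own_domain=OWN_DOMAIN):
    """Count, per client IP, port-25 (plain 'smtpd' service) rejections whose
    envelope sender claims own_domain, i.e. the sender_access REJECT firing."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m or m.group("service") != "smtpd":
            continue  # not a rejection, or it came from submission/smtps
        if m.group("sender").lower().endswith("@" + own_domain.lower()):
            hits[m.group("ip")] += 1
    return hits

def authenticated_clients(log_text):
    """Return (service, ip, sasl_username) for sessions that did authenticate;
    these are the clients the relaxed authenticated restriction list applies to."""
    out = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            out.append((m.group("service"), m.group("ip"), m.group("user")))
    return out

if __name__ == "__main__":
    for ip, n in forged_sender_rejects(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} forged {OWN_DOMAIN} envelope sender(s) rejected on port 25")
    for svc, ip, user in authenticated_clients(SAMPLE_LOG):
        print(f"{svc}: {user} authenticated from {ip}")
```

Feed it your real mail log (`python3 script.py < /var/log/mail.log` after swapping SAMPLE_LOG for sys.stdin.read()) to check that the REJECT fires only on port 25 and never on the authenticated submission services.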
