Re: Prevent sender address spoofing

2019-09-30 Thread @lbutlr
On Sep 30, 2019, at 8:21 AM, Matus UHLAR - fantomas  wrote:
>> On Sep 30, 2019, at 5:29 AM, Matus UHLAR - fantomas  
>> wrote:
>>> rarely someone notices they are different.
> 
> On 30.09.19 08:05, @lbutlr wrote:
>> And often there are perfectly legitimate reasons for them to be different.
> 
> yes, but this thread is AFAIK about spoofing local addresses.

Fair enough, but it is common enough for overzealous admins to try to prevent 
different From and From: without considering that there are legitimate reasons 
for doing this, so it seems worth mentioning.



-- 
If you write the word "monkey" a million times, do you start to think you're
Shakespeare? -- Steven Wright



Re: Prevent sender address spoofing

2019-09-30 Thread Hugo Florentino
On Mon, 30-09-2019 at 17:58 -0400, Bill Cole wrote:
> On 29 Sep 2019, at 20:30, Hugo Florentino wrote:
> 
> > On Fri, 27-09-2019 at 09:33 -0400, Bill Cole wrote:
> > > [...]
> > > 
> > > Because, as documented, header_checks (and the other built-in
> > > content filtering in Postfix) does not support restrictions or
> > > restriction classes as results of a pattern match.
> > 
> > Allow me to pose a slightly different scenario then, but still
> > related to my original doubt:
> > 
> > I separate smtp and submission, and prevent using my domain through
> > smtp. However somehow someone's PC gets compromised and sends mail
> > modifying the From header in the data section.
> > 
> > Even if the envelope-from is not forged (using
> > reject_sender_login_mismatch and so), email clients often display
> > only the descriptive From.
> > 
> > Is there a way to prevent this forging of descriptive From using
> > postfix itself?
> 
> No. Since headers are part of message content, your options for
> filtering based on headers are those described in the
> CONTENT_INSPECTION_README file, which is included in the Postfix
> distribution and is available on the website. That document also
> explains the rationale for keeping the internal content filtering in
> Postfix itself very simple and leaving anything complex to external
> programs. For this sort of mixed content/envelope filtering I use
> the MIMEDefang milter but there are other tools available that could
> do this.
> 
> Also, you should consider the edge cases of such a filtering policy.
> For example, any message from this mailing list arrives with the
> From header unmodified from how the author submitted it.

OK, thank you for the explanation.

Best regards, Hugo



Re: Prevent sender address spoofing

2019-09-30 Thread Bill Cole

On 29 Sep 2019, at 20:30, Hugo Florentino wrote:

> On Fri, 27-09-2019 at 09:33 -0400, Bill Cole wrote:
>
>> [...]
>>
>> Because, as documented, header_checks (and the other built-in
>> content filtering in Postfix) does not support restrictions or
>> restriction classes as results of a pattern match.
>
> Allow me to pose a slightly different scenario then, but still related
> to my original doubt:
>
> I separate smtp and submission, and prevent using my domain through
> smtp. However somehow someone's PC gets compromised and sends mail
> modifying the From header in the data section.
>
> Even if the envelope-from is not forged (using
> reject_sender_login_mismatch and so), email clients often display only
> the descriptive From.
>
> Is there a way to prevent this forging of descriptive From using
> postfix itself?

No. Since headers are part of message content, your options for
filtering based on headers are those described in the
CONTENT_INSPECTION_README file, which is included in the Postfix
distribution and is available on the website. That document also
explains the rationale for keeping the internal content filtering in
Postfix itself very simple and leaving anything complex to external
programs. For this sort of mixed content/envelope filtering I use the
MIMEDefang milter but there are other tools available that could do
this.

Also, you should consider the edge cases of such a filtering policy. For
example, any message from this mailing list arrives with the From header
unmodified from how the author submitted it.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
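
Added example (not part of any poster's message, and not code from Postfix or MIMEDefang): the mixed content/envelope decision that an external filter of the kind mentioned in the message above would have to make, written in Python. The domain mydomain.tld is the placeholder used in the thread; the login map contents, the function names, the List-Id downgrade to tagging and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

LOCAL_DOMAINS = {"mydomain.tld"}  # placeholder domain used in the thread

# Constructed data in the shape of smtpd_sender_login_maps:
# sender address -> SASL login names allowed to use it.
LOGIN_MAP = {
    "alice@mydomain.tld": {"alice"},
    "bob@mydomain.tld": {"bob"},
    "sales@mydomain.tld": {"alice", "bob"},
}

def header_from(raw):
    """Return (parsed message, lower-cased addresses of all From: headers)."""
    msg = message_from_string(raw)
    pairs = getaddresses(msg.get_all("From", []))
    return msg, [addr.lower() for _name, addr in pairs if addr]

def check_message(raw, envelope_sender, sasl_login=None, login_map=LOGIN_MAP):
    """Decide (action, reason) from header From:, envelope sender and login.

    sasl_login=None models the port 25 service (no authentication);
    a login name models the submission service on 587/465.
    """
    msg, addrs = header_from(raw)
    if len(addrs) != 1:
        # Policy assumption: zero or several From: addresses are refused.
        return "REJECT", "expected exactly one From: address"
    from_addr = addrs[0]
    domain = from_addr.rpartition("@")[2]

    if sasl_login is None:
        if domain not in LOCAL_DOMAINS:
            return "ACCEPT", "external From:"
        # Edge case raised in the thread: list copies of a local user's own
        # post keep the original From:. List-Id is content too and can be
        # forged, so the exception only downgrades the action to tagging.
        if msg.get("List-Id"):
            return "TAG", "local From: via mailing list"
        return "REJECT", "local From: on unauthenticated session"

    # Envelope check, the part reject_sender_login_mismatch already covers.
    if sasl_login not in login_map.get(envelope_sender.lower(), set()):
        return "REJECT", "envelope sender not owned by login"
    # Header check, the part Postfix itself does not perform.
    if sasl_login not in login_map.get(from_addr, set()):
        return "REJECT", "From: header not owned by login"
    return "ACCEPT", "From: header matches login"

# Constructed sample messages.
SPOOFED_INBOUND = "From: Alice <alice@mydomain.tld>\nSubject: invoice\n\nhi\n"
LIST_COPY = ("From: Alice <alice@mydomain.tld>\n"
             "List-Id: <users.lists.example>\nSubject: Re: question\n\nhi\n")
COMPROMISED = "From: Bob <bob@mydomain.tld>\nSubject: urgent\n\nhi\n"
SHARED_BOX = "From: Sales <sales@mydomain.tld>\nSubject: quote\n\nhi\n"

if __name__ == "__main__":
    print(check_message(SPOOFED_INBOUND, "x@elsewhere.example"))
    print(check_message(LIST_COPY, "owner-users@lists.example"))
    print(check_message(COMPROMISED, "alice@mydomain.tld", "alice"))
    print(check_message(SHARED_BOX, "alice@mydomain.tld", "alice"))
```

The third sample is the compromised-account case from the thread: the envelope sender passes the login check, and only the header comparison catches the forged From:.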


Re: Prevent sender address spoofing

2019-09-30 Thread Matus UHLAR - fantomas

>> On Sep 30, 2019, at 5:29 AM, Matus UHLAR - fantomas wrote:
>>> rarely someone notices they are different.

On 30.09.19 08:05, @lbutlr wrote:
> And often there are perfectly legitimate reasons for them to be different.

yes, but this thread is AFAIK about spoofing local addresses.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Enter any 12-digit prime number to continue.


Re: Prevent sender address spoofing

2019-09-30 Thread @lbutlr
On Sep 30, 2019, at 5:29 AM, Matus UHLAR - fantomas  wrote:
> rarely someone notices they are different.

And often there are perfectly legitimate reasons for them to be different.


-- 
showing snuffy is when Sesame Street jumped the shark



Re: Prevent sender address spoofing

2019-09-30 Thread Matus UHLAR - fantomas

>> On 30.09.19 11:40, Christos Chatzaras wrote:
>>> Add this line to main.cf :
>>>
>>> smtpd_sender_login_maps = hash:/usr/local/etc/postfix/smtpd_sender_login_maps
>>>
>>> And then add to smtpd_sender_login_maps :
>>>
>>> u...@example.com u...@example.com

>> This only validates envelope from headers according to SASL login names.
>> It's good to check, though.

On 30.09.19 14:12, Christos Chatzaras wrote:
> Many spammers using hacked accounts use different "From" than the e-mail
> address. So it helps in this case.

the problem is, people look on header "From:"
smtpd_sender_login_maps does NOT look at header "From:"

rarely someone notices they are different.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux IS user friendly, it's just selective who its friends are...


Re: Prevent sender address spoofing

2019-09-30 Thread Christos Chatzaras


> On 30.09.19 11:40, Christos Chatzaras wrote:
>> Add this line to main.cf :
>> 
>> smtpd_sender_login_maps = hash:/usr/local/etc/postfix/smtpd_sender_login_maps
>> 
>> And then add to smtpd_sender_login_maps :
>> 
>> u...@example.com u...@example.com
> 
> This only validates envelope from headers according to SASL login names.
> It's good to check, though.
> 

Many spammers using hacked accounts use different "From" than the e-mail 
address. So it helps in this case.

Re: Prevent sender address spoofing

2019-09-30 Thread Matus UHLAR - fantomas

>> Allow me to pose a slightly different scenario then, but still related
>> to my original doubt:
>>
>> I separate smtp and submission, and prevent using my domain through
>> smtp. However somehow someone's PC gets compromised and sends mail
>> modifying the From header in the data section.
>>
>> Even if the envelope-from is not forged (using
>> reject_sender_login_mismatch and so), email clients often display only
>> the descriptive From.
>>
>> Is there a way to prevent this forging of descriptive From using
>> postfix itself?

No. For checking validity of From: header, you must use external
application.

On 30.09.19 11:40, Christos Chatzaras wrote:
> Add this line to main.cf :
>
> smtpd_sender_login_maps = hash:/usr/local/etc/postfix/smtpd_sender_login_maps
>
> And then add to smtpd_sender_login_maps :
>
> u...@example.com u...@example.com

This only validates envelope from headers according to SASL login names.
It's good to check, though.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Boost your system's speed by 500% - DEL C:\WINDOWS\*.*


Re: Prevent sender address spoofing

2019-09-30 Thread Christos Chatzaras
> 
> Allow me to pose a slightly different scenario then, but still related
> to my original doubt:
> 
> I separate smtp and submission, and prevent using my domain through
> smtp. However somehow someone's PC gets compromised and sends mail
> modifying the From header in the data section.
> 
> Even if the envelope-from is not forged (using
> reject_sender_login_mismatch and so), email clients often display only
> the descriptive From.
> 
> Is there a way to prevent this forging of descriptive From using
> postfix itself?
> 
> Best regards, Hugo
> 
> 

Add this line to main.cf :

smtpd_sender_login_maps = hash:/usr/local/etc/postfix/smtpd_sender_login_maps

And then add to smtpd_sender_login_maps :

u...@example.com u...@example.com


Re: Prevent sender address spoofing

2019-09-29 Thread @lbutlr
On Sep 29, 2019, at 6:52 PM, lists  wrote:
> Port 465 was deprecated for email.

Port 465 is defined in RFC 8314



> Port 587 is the way to go. 

Either one works, and they are a little different.

587 uses STARTTLS to begin the encrypting and therefore requires 

smtpd_tls_security_level=encrypt

While 465 does not, and therefore requires 

smtpd_tls_wrappermode=yes

> 
> The only email port I don't firewall on my server is 25.  On the rest of the 
> email ports, I block all countries that I don't visit. In addition I use my 
> 40k worth of CIDRs that from hosting companies, VSPs, etc. that have hacked 
> my web server. I don't block ISPs, as much as Comcast deserves to be blocked. 

I don’t bother blocking large blocks of IPs on port 587 or 465, I let sshguard 
or fail2ban handle that.

Well, one exception is I do firewall on ALL ports (including port 25) all of 
Russia and China



-- 
I WILL NOT FAKE RABIES Bart chalkboard Ep. 8F07



Re: Prevent sender address spoofing

2019-09-29 Thread Viktor Dukhovni
On Mon, Sep 30, 2019 at 03:03:23AM +0200, Benny Pedersen wrote:

> lists wrote on 2019-09-30 02:52:
> > Port 465 was deprecated for email. Port 587 is the way to go.
> 
> this is false info

Only in part.  Though Port 465 was reinstated by a recent RFC,
there's nothing wrong with 587, and it is more widely supported.
So the recommendation is sound, even if the supporting facts have
changed recently.

-- 
Viktor.


Re: Prevent sender address spoofing

2019-09-29 Thread Benny Pedersen

lists wrote on 2019-09-30 02:52:

> Port 465 was deprecated for email. Port 587 is the way to go.

this is false info


Re: Prevent sender address spoofing

2019-09-29 Thread Benny Pedersen

Hugo Florentino wrote on 2019-09-30 02:04:

> Suppose ISP imposes restrictions so the only port open either for SMTP
> or submission must be TCP 25. What then?

then use gmail, that isp is clueless if that's the case of blocking mua 
client ports, i have only seen port 25 been blocked from dynamic ips in 
isp firewall, be happy if isp allow it :(


Re: Prevent sender address spoofing

2019-09-29 Thread lists
Port 465 was deprecated for email. Port 587 is the way to go. 

The only email port I don't firewall on my server is 25.  On the rest of the 
email ports, I block all countries that I don't visit. In addition I use my 40k 
worth of CIDRs that from hosting companies, VSPs, etc. that have hacked my web 
server. I don't block ISPs, as much as Comcast deserves to be blocked. 

Firewalls do chew up RAM, but they use very little CPU. I believe you have a 
better server by blocking IP space that is just going to waste CPU cycles. 





  Original Message  



From: rich...@damon-family.org
Sent: September 29, 2019 5:29 PM
To: postfix-users@postfix.org
Subject: Re: Prevent sender address spoofing


On 9/29/19 8:04 PM, Hugo Florentino wrote:
> On Fri, 27-09-2019 at 12:22 -0400, Viktor Dukhovni wrote:
>> [...]
>>
>> This makes no sense.  Portable devices use ports 587 or 465 with all
>> the other providers.  And there's no "change ports constantly", they
>> just use the same submission port.
>>
>> Remote MTAs connect to port 25, submission clients (MUAs) connect
>> to port 587.
>>
> Suppose ISP imposes restrictions so the only port open either for SMTP
> or submission must be TCP 25. What then?
>
>
If an ISP allows you to run a mail server but won't allow access to
587/465 then you need a new ISP with a clue.

Some ISPs will block OUTGOING port 25 to prevent you from being a
spammer, requiring you to use their SMTP server for outgoing SMTP
transport, but I haven't heard of one that blocks 587 or 465 unless they
don't allow you to run servers and just block most server ports.

--
Richard Damon



Re: Prevent sender address spoofing

2019-09-29 Thread Hugo Florentino
On Fri, 27-09-2019 at 09:33 -0400, Bill Cole wrote:
> [...]
> 
> Because, as documented, header_checks (and the other built-in
> content filtering in Postfix) does not support restrictions or
> restriction classes as results of a pattern match.
> 
> 

Allow me to pose a slightly different scenario then, but still related
to my original doubt:

I separate smtp and submission, and prevent using my domain through
smtp. However somehow someone's PC gets compromised and sends mail
modifying the From header in the data section.

Even if the envelope-from is not forged (using
reject_sender_login_mismatch and so), email clients often display only
the descriptive From.

Is there a way to prevent this forging of descriptive From using
postfix itself?

Best regards, Hugo




Re: Prevent sender address spoofing

2019-09-29 Thread Richard Damon
On 9/29/19 8:04 PM, Hugo Florentino wrote:
> On Fri, 27-09-2019 at 12:22 -0400, Viktor Dukhovni wrote:
>> [...]
>>
>> This makes no sense.  Portable devices use ports 587 or 465 with all
>> the other providers.  And there's no "change ports constantly", they
>> just use the same submission port.
>>
>> Remote MTAs connect to port 25, submission clients (MUAs) connect
>> to port 587.
>>
> Suppose ISP imposes restrictions so the only port open either for SMTP
> or submission must be TCP 25. What then?
>
>
If an ISP allows you to run a mail server but won't allow access to
587/465 then you need a new ISP with a clue.

Some ISPs will block OUTGOING port 25 to prevent you from being a
spammer, requiring you to use their SMTP server for outgoing SMTP
transport, but I haven't heard of one that blocks 587 or 465 unless they
don't allow you to run servers and just block most server ports.

-- 
Richard Damon



Re: Prevent sender address spoofing

2019-09-29 Thread Hugo Florentino
On Sat, 28-09-2019 at 11:38 -0600, @lbutlr wrote:
> On Sep 27, 2019, at 9:33 AM, Hugo Florentino wrote:
> > [...]
> 
> There is no changing ports constantly, or at all for that matter.
> 
> There are experts here with decades of experience telling you not to
> use port 25 for submission. Listen to them.
> 
> 

OK, fair enough. Let's see if the ISP is willing to allow access to
submission port.

I still think it would be good if postfix provided a header_checks
which one could place in a specific order of evaluation within
restriction classes.

Best regards, Hugo



Re: Prevent sender address spoofing

2019-09-29 Thread Hugo Florentino
On Fri, 27-09-2019 at 12:22 -0400, Viktor Dukhovni wrote:
> [...]
> 
> This makes no sense.  Portable devices use ports 587 or 465 with all
> the other providers.  And there's no "change ports constantly", they
> just use the same submission port.
> 
> Remote MTAs connect to port 25, submission clients (MUAs) connect
> to port 587.
> 

Suppose ISP imposes restrictions so the only port open either for SMTP
or submission must be TCP 25. What then?



Re: Prevent sender address spoofing

2019-09-28 Thread @lbutlr
On Sep 27, 2019, at 9:33 AM, Hugo Florentino  wrote:
> This is one thing I was hoping to avoid, because I intended to enable
> authenticated access to port 25 through STARTTLS so that clients who
> use portable devices can check mail wherever they are without having
> to change ports constantly.

Huh?

There is no changing ports constantly, or at all for that matter.

There are experts here with decades of experience telling you not to use port 
25 for submission. Listen to them.


-- 
For my birthday I got a humidifier and a de-humidifier... I put them in the 
same room and let them fight it out.



Re: Prevent sender address spoofing

2019-09-27 Thread Bill Cole

On 27 Sep 2019, at 11:33, Hugo Florentino wrote:

> On Fri, 27-09-2019 at 09:33 -0400, Bill Cole wrote:
>
>> On 27 Sep 2019, at 7:06, Hugo Florentino wrote:
>>
>>> [...]
>>
>> The most important element in doing this is to separate mail
>> submission from inbound SMTP mail. In 2019 there is no reasonable
>> excuse for supporting submission via a port 25 SMTP server that also
>> accepts mail from the Internet in general for local delivery. If you
>> require your users to use a port 587 or 465 submission service
>> instead, you don't need to make allowances for local submission on
>> the main port 25 service.
>
> This is one thing I was hoping to avoid, because I intended to enable
> authenticated access to port 25 through STARTTLS so that clients who
> use portable devices can check mail wherever they are without having
> to change ports constantly.


That sentence expresses 3 deep misunderstandings:

1. Authentication is not a function of STARTTLS, which is the SMTP 
command used to initiate TLS encryption on an existing plaintext 
session. The SMTP AUTH command is independent of TLS and is supported in 
Postfix via an external SASL implementation (Cyrus or Dovecot.)


2. "Checking" mail is done with IMAP or POP and has nothing to do with 
Postfix. As with SASL, the two most common software packages used in 
conjunction with Postfix for accessing delivered mail are Cyrus and 
Dovecot.


3. Segregating initial message submission (port 465 or 587) from SMTP 
for transport (port 25) does not require users to change ports 
constantly. If their client software fails to automatically determine 
the proper port for submission, they only need to set it once.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire


Re: Prevent sender address spoofing

2019-09-27 Thread Viktor Dukhovni
On Fri, Sep 27, 2019 at 11:33:56AM -0400, Hugo Florentino wrote:

> > In 2019 there is no reasonable excuse for supporting submission via a port
> > 25 SMTP server that also accepts mail from the Internet in general for
> > local delivery. If you require your users to use a port 587 or 465
> > submission service instead, you don't need to make allowances for local
> > submission on the main port 25 service.
> 
> This is one thing I was hoping to avoid, because I intended to enable
> authenticated access to port 25 through STARTTLS so that clients who
> use portable devices can check mail wherever they are without having
> to change ports constantly.

This makes no sense.  Portable devices use ports 587 or 465 with all
the other providers.  And there's no "change ports constantly", they
just use the same submission port.

Remote MTAs connect to port 25, submission clients (MUAs) connect
to port 587.

-- 
Viktor.


Re: Prevent sender address spoofing

2019-09-27 Thread Hugo Florentino
On Fri, 27-09-2019 at 09:33 -0400, Bill Cole wrote:
> On 27 Sep 2019, at 7:06, Hugo Florentino wrote:
> 
> > [...]
> 
> The most important element in doing this is to separate mail
> submission from inbound SMTP mail. In 2019 there is no reasonable
> excuse for supporting submission via a port 25 SMTP server that also
> accepts mail from the Internet in general for local delivery. If you
> require your users to use a port 587 or 465 submission service
> instead, you don't need to make allowances for local submission on
> the main port 25 service.

This is one thing I was hoping to avoid, because I intended to enable
authenticated access to port 25 through STARTTLS so that clients who
use portable devices can check mail wherever they are without having
to change ports constantly.

> 
> > Since there is no check_data_access method, I tried to do something
> > like this:
> > 
> [...]
> > 
> > Why isn't this working?
> 
> Because, as documented, header_checks (and the other built-in
> content filtering in Postfix) does not support restrictions or
> restriction classes as results of a pattern match.
> 

I see .. how unfortunate.

Anyway, thank you for your time and patience to explain.

Best regards, Hugo




Re: Prevent sender address spoofing

2019-09-27 Thread Bill Cole

On 27 Sep 2019, at 7:06, Hugo Florentino wrote:

> Hi,
>
> I am using postfix 3.1.12 in a network which does not currently accept
> sending mail from outside.
>
> However some spammers change the From header in the data section and
> use an internal address.
>
> The problem is that if I use header_checks to reject my domain, it's
> applied globally so mail from within the local network is rejected as
> well.

The most important element in doing this is to separate mail submission 
from inbound SMTP mail. In 2019 there is no reasonable excuse for 
supporting submission via a port 25 SMTP server that also accepts mail 
from the Internet in general for local delivery. If you require your 
users to use a port 587 or 465 submission service instead, you don't 
need to make allowances for local submission on the main port 25 
service.

> Since there is no check_data_access method, I tried to do something
> like this:
>
> [...]
>
> However, forged addresses still pass, and I am getting this message in
> the logs:
>
> Sep 27 06:07:52 server postfix/cleanup[5578]: warning: unknown command
> in header_checks map: anti_spoofing
>
> Why isn't this working?

Because, as documented, header_checks (and the other built-in content 
filtering in Postfix) does not support restrictions or restriction 
classes as results of a pattern match.

> Could you please provide ideas on how to achieve what I want without
> using external tools or costly sender verification?

As I said above, you can do this by segregating inbound mail on port 25 
from mail submission on port 465 and/or 587. Note that "sender 
verification" as implemented in Postfix ONLY operates on the envelope 
sender address, NOT on the address in the From header and is not 
*authentication* so it would not do what you're trying to do.

If you want to allow exceptions to this policy (which some systems learn 
that they need after deploying an absolute block) you will need to use a 
more sophisticated external content filtering tool.


--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)


Prevent sender address spoofing

2019-09-27 Thread Hugo Florentino
Hi,

I am using postfix 3.1.12 in a network which does not currently accept
sending mail from outside.

However some spammers change the From header in the data section and
use an internal address.

The problem is that if I use header_checks to reject my domain, it's
applied globally so mail from within the local network is rejected as
well.

Since there is no check_data_access method, I tried to do something
like this:

In main.cf :

header_checks =
  pcre:/etc/postfix/header_checks.pcre

smtpd_restriction_classes = anti_spoofing

anti_spoofing =
  check_client_access cidr:/etc/postfix/localnets.cidr

In header_checks.pcre :
/^From:\s*.+\@mydomain\.tld>?$/ anti_spoofing

In localnets.cidr :
127.0.0.0/8 OK
192.168.0.0/24 OK
0.0.0.0/0 REJECT forged address

However, forged addresses still pass, and I am getting this message in
the logs:

Sep 27 06:07:52 server postfix/cleanup[5578]: warning: unknown command
in header_checks map: anti_spoofing

Why isn't this working?

Could you please provide ideas on how to achieve what I want without
using external tools or costly sender verification?

Best regards, Hugo