Re: canonical based on login name

2018-01-22 Thread Karol Augustin
On 2018-01-20 16:08, Joris (ideeel) wrote:
> hi list
> 
> I run a webservice (and a mail service). All websites run under the
> same UID of apa...@webserver.domain.com. I know, not ideal, but I
> cannot change that bit. Problem is that if one site gets hacked, user
> apache starts sending spam with no way to figure out which website is
> misbehaving. Thus we are going to enforce websites to use SASL-auth.
> 
> Now the remaining problem is that, even with SMTP-auth, the MAIL FROM
> username sometimes is still apache. I know gmail rewrites the envelope
> sender and the header sender based on the login name, but I have not
> been able to find how to do this in postfix (canonical_classes does
> not seem to help me here). I cannot really reject the mail using
> reject_authenticated_sender_login_mismatch because the mails will be
> sent back to the apache user with again no knowledge of the true
> sender.

Maybe I am not getting something but if you force different SASL-auth
for each website you will have the offending username in the logs.


> 
> hope you can give me some pointers or documentation how I can solve this :)
> 
> best
> Joris


I had exactly the same problem when one of the websites I was hosting got
hacked, and I also wanted to prevent the situation where my user is hacked
(malware) and starts sending emails with a matching envelope sender but
a forged From header. I ended up using vrfydmn like this:

/usr/bin/python /usr/local/sbin/vrfydmn -F -u vrfydmn -g vrfydmn \
    -s inet:10072@127.0.0.1 -p /var/run/vrfydmn/vrfydmn.pid

I reject emails from users that try to send them with an envelope sender
that they don't own, so in my case Postfix makes sure that the
envelope sender is OK (reject_sender_login_mismatch), and then vrfydmn
makes sure that From: matches.

In your case you can (apparently) force PHP to use a fixed envelope-from
address. Then you can use this milter to fix the From: address. Have a look,
it might be what you need.


https://github.com/croessner/vrfydmn

Karol


--
Karol Augustin
ka...@augustin.pl
http://karolaugustin.pl/
+353 85 775 5312


Re: canonical based on login name

2018-01-20 Thread Wietse Venema
Joris (ideeel):
> Now the remaining problem is that, even with SMTP-auth, the MAIL FROM
> username sometimes is still apache. I know gmail rewrites the envelope
> sender and the header sender based on the login name, but I have not
> been able to find how to do this in postfix (canonical_classes does not

You can use the reject_sender_login_mismatch feature to enforce
that each SASL login uses its own unique envelope sender address.

During the transition, use:

    warn_if_reject reject_sender_login_mismatch

to find out which apps aren't using the proper sender address.

Otherwise, as Viktor says, this requires external code (content
filter or milter).

Wietse
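
Added example (not part of the message above and not Postfix code): a small
Python script that tallies, per SASL login, the log entries produced while
"warn_if_reject reject_sender_login_mismatch" is in place. The log lines are
constructed, and the "reject_warning ... not owned by user" wording, the
hostnames and the login names site-a/site-b are assumptions to check against
your own mail log.

```python
import re
from collections import Counter

# Constructed sample log (assumed format; compare with your own maillog).
SAMPLE_LOG = """\
Jan 22 10:01:02 mx postfix/smtpd[2101]: connect from localhost[127.0.0.1]
Jan 22 10:01:02 mx postfix/smtpd[2101]: NOQUEUE: reject_warning: RCPT from localhost[127.0.0.1]: 553 5.7.1 <apache@webserver.example.com>: Sender address rejected: not owned by user site-a; from=<apache@webserver.example.com> to=<u1@example.org> proto=ESMTP helo=<localhost>
Jan 22 10:03:40 mx postfix/smtpd[2107]: NOQUEUE: reject_warning: RCPT from localhost[127.0.0.1]: 553 5.7.1 <apache@webserver.example.com>: Sender address rejected: not owned by user site-a; from=<apache@webserver.example.com> to=<u2@example.org> proto=ESMTP helo=<localhost>
Jan 22 10:05:11 mx postfix/smtpd[2110]: NOQUEUE: reject_warning: RCPT from localhost[127.0.0.1]: 553 5.7.1 <apache@webserver.example.com>: Sender address rejected: not owned by user site-b; from=<apache@webserver.example.com> to=<u3@example.org> proto=ESMTP helo=<localhost>
Jan 22 10:06:00 mx postfix/smtpd[2111]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 553 5.7.1 <info@site-c.example>: Sender address rejected: not logged in; from=<info@site-c.example> to=<u4@example.org> proto=ESMTP helo=<localhost>
"""

# Matches both the warn-only phase (reject_warning) and real rejects, but
# only for the "not owned by user <login>" case, which names the SASL login.
MISMATCH = re.compile(
    r"NOQUEUE: (?P<action>reject_warning|reject): RCPT from (?P<client>\S+): "
    r"\d{3} [\d.]+ <(?P<sender>[^>]*)>: Sender address rejected: "
    r"not owned by user (?P<login>[^;]+);"
)

def find_mismatches(log_text):
    """Return (sasl_login, envelope_sender, enforced) for each mismatch line."""
    hits = []
    for line in log_text.splitlines():
        m = MISMATCH.search(line)
        if m:
            enforced = m.group("action") == "reject"
            hits.append((m.group("login").strip(), m.group("sender"), enforced))
    return hits

def summarize(hits):
    """Count mismatches per (login, sender), most frequent first."""
    return Counter((login, sender) for login, sender, _ in hits).most_common()

if __name__ == "__main__":
    for (login, sender), count in summarize(find_mismatches(SAMPLE_LOG)):
        print(f"{count:4d}  login={login}  MAIL FROM=<{sender}>")
```

The unauthenticated "not logged in" line is skipped on purpose: it carries no
SASL login, so it cannot be attributed to a site.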


Re: canonical based on login name

2018-01-20 Thread Viktor Dukhovni


> On Jan 20, 2018, at 11:08 AM, Joris (ideeel) wrote:
> 
> I know gmail rewrites the envelope sender and the header sender based on
> the login name, but I have not been able to find how to do this in Postfix

To make it clearer, we should first understand what "rewriting" means in
Postfix.

  -  Rewriting in Postfix takes an input value (say the sender address)
     and produces a new value as a function (via a lookup table) of the
     input value.  The *only* input into the construction of the
     new value is the original value.  Thus you can transform a sender
     address to another sender address, but this cannot take into account
     any other message properties.

Since "canonical_maps" is an address rewriting mechanism, it cannot do
what you're asking for.  The transformation you're asking for presently
requires a content filter or milter.

-- 
Viktor.


canonical based on login name

2018-01-20 Thread Joris (ideeel)

hi list

I run a webservice (and a mail service). All websites run under the same
UID of apa...@webserver.domain.com. I know, not ideal, but I cannot
change that bit. Problem is that if one site gets hacked, user apache
starts sending spam with no way to figure out which website is
misbehaving. Thus we are going to enforce websites to use SASL-auth.


Now the remaining problem is that, even with SMTP-auth, the MAIL FROM
username sometimes is still apache. I know gmail rewrites the envelope
sender and the header sender based on the login name, but I have not
been able to find how to do this in postfix (canonical_classes does not
seem to help me here). I cannot really reject the mail using
reject_authenticated_sender_login_mismatch because the mails will be
sent back to the apache user with again no knowledge of the true sender.


hope you can give me some pointers or documentation how I can solve this :)

best
Joris