Bug 31738 - Postfix allows MAIL FROM address spoofing
Postfix allows MAIL FROM address spoofing
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Mail
UCS 3.2
Other Linux
: P5 normal (vote)
: UCS 3.2-5-errata
Assigned To: Sönke Schwardt-Krummrich
Felix Botner
:
Depends on: 38062
Blocks: 38063 38061
  Show dependency treegraph
 
Reported: 2013-06-13 19:21 CEST by Jan Christoph Ebersbach
Modified: 2015-04-23 12:22 CEST (History)
8 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jan Christoph Ebersbach univentionstaff 2013-06-13 19:21:06 CEST
The current postfix configuration allows users to spoof arbitrary MAIL FROM addresses, e.g. boss@univention.de.  Once a user is authenticated every possible address can be used, even from mail domains that are not hosted by the UCS mail server.

According to main.cf:
# smtpd_sender_restrictions is not defined since all relevant checks have been moved to
# smtpd_recipient_restrictions and every mail has to pass smtpd_recipient_restrictions too.
#smtpd_sender_restrictions =

But this doesn't work, because smtpd_recpient_restrictions just applies to the RCTP TO context which doesn't check the MAIL FROM address (http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions).

This is a simple workaround that checks whether the sender's login matches the MAIL FROM address he's trying to send mail for:
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
smtpd_sender_login_maps = ldap:/etc/postfix/ldap.virtual

When canonical address rewriting is enabled, the login maps need to be extended.


Tested with:
UCS 3.1-1-errata 122
univention-mail-server                              7.0.3-1.190.201210111718
univention-mail-postfix                             7.0.3-1.190.201210111718
Comment 1 Philipp Hahn univentionstaff 2013-06-14 09:09:36 CEST
(In reply to Jan Christoph Ebersbach from comment #0)
> According to main.cf:
> # smtpd_sender_restrictions is not defined since all relevant checks have
> been moved to
> # smtpd_recipient_restrictions and every mail has to pass
> smtpd_recipient_restrictions too.
> #smtpd_sender_restrictions =
> 
> But this doesn't work, because smtpd_recpient_restrictions just applies to
> the RCTP TO context which doesn't check the MAIL FROM address
> (http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions).

Wrong: in the SMTP dialog has the following fixed order:
  0. TCP-Connect → smtpd_client_restrictions
  1. HELO/EHLO → smtpd_helo_restrictions
  2. (AUTH) → smtpd_sasl_auth_enable
  3. MAIL FROM → smtpd_sender_restrictions
  4. RCPT TO → smtpd_recipient_restrictions / smtpd_relay_restrictions
  5. DATA → smtpd_data_restrictions
  6. . → smtpd_end_of_data_restrictions

The named Postfix checks are executed after the appropriate step, that is "as soon as the information is available". (I hope is clear that the recipient address can't be verified until it is available, that is any recipient check can only be specified on smtpd_recipien_restriction or later, that is also on smtpd_data_restriction or smtpd_end_of_data_restriction).

> This is a simple workaround that checks whether the sender's login matches
> the MAIL FROM address he's trying to send mail for:
> smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch

The real problem is the following assignment:
> smtpd_recipient_restrictions = permit_mynetworks,
>         permit_sasl_authenticated,
>         reject_unauth_destination,
>         reject_unlisted_recipient

Postfix implements a "first-test-wins" strategy, that is because "permit_sasl_authenticated" matches, all *following tests are skipped*, so no verification of unlisted recipients happens!
If unknown recipients should be rejected in all cases, "reject_unlisted_recipient" must be moved before all other "permit_*" rules.
Comment 2 Ingo Steuwer univentionstaff 2015-03-10 13:05:03 CET
reported again in 2015030921000527
Comment 3 Sönke Schwardt-Krummrich univentionstaff 2015-03-10 21:10:45 CET
> If unknown recipients should be rejected in all cases, 
> "reject_unlisted_recipient" must be moved before all other "permit_*" rules.

IIRC in this case postfix rejects mails for foreign mail domains/MX. I wouldn't support that change.



It's a good habit to use only smtpd_recipient_restrictions because:
- postfix talks to the client until the RCPT TO even if a previous restriction 
  failed
- the rule construct will be much simpler
- all rules mentioned in previous restrictions (client, helo, sender, ...) can 
  be also used without penalty in smtpd_recipient_restrictions

The smtpd_recipient_restrictions in univention-mail-postfix are constructed via UCR variables:

mail/postfix/smtpd/restrictions/recipient/10: permit_mynetworks
mail/postfix/smtpd/restrictions/recipient/30: permit_sasl_authenticated
mail/postfix/smtpd/restrictions/recipient/50: reject_unauth_destination
mail/postfix/smtpd/restrictions/recipient/70: reject_unlisted_recipient

results in

smtpd_recipient_restrictions = permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_unlisted_recipient

So, if the SASL username has to match to the sender address and a simple reject_authenticated_sender_login_mismatch is sufficient, this can be achieved by calling:

ucr set mail/postfix/smtpd/restrictions/recipient/20=\
                       "reject_authenticated_sender_login_mismatch"
Comment 4 Sönke Schwardt-Krummrich univentionstaff 2015-03-17 13:52:41 CET
(In reply to Sönke Schwardt-Krummrich from comment #3)
> So, if the SASL username has to match to the sender address and a simple
> reject_authenticated_sender_login_mismatch is sufficient, this can be
> achieved by calling:

This was not sufficient, as the change also affected usual incoming mails over port 25.

To give a possibility to fix this issue, the following changes have been made (together with the new feature from bug 38062):

1) via UCR a new set of restriction rules may be defined (submission_recipient_restrictions) similar to the UCR variables for smtpd_recipient_restrictions.
The new prefix is mail/postfix/submission/restrictions/recipient/...

2)
A new lookup table ldap.saslusermapping has been added for the postfix option smtpd_sender_login_maps:
SASL-USER ==> (mailPrimaryAddress|mailAlternativeAddress)
SASL-USER is the mail address with which the user authenticates itself at postfix.

When updating to the actual version of this package, no functional change is done.


To fix the problem of the bug reporter, the following steps have to be performed:
1)
To force the sender address to match with the registered mail addresses at the user account (mailPrimaryAddress or mailAlternativeAddress), the following UCR variables have to be set:
ucr set \
  mail/postfix/submission/restrictions/recipient/10="reject_sender_login_mismatch" \
  mail/postfix/submission/restrictions/recipient/20="permit_mynetworks" \
  mail/postfix/submission/restrictions/recipient/30="permit_sasl_authenticated" \
  mail/postfix/submission/restrictions/recipient/40="reject_unauth_destination" \
  mail/postfix/submission/restrictions/recipient/50="reject_unlisted_recipient" \
  mail/postfix/mastercf/options/smtps/smtpd_recipient_restrictions='$submission_recipient_restrictions' \
  mail/postfix/mastercf/options/smtps/smtpd_sender_login_maps="ldap:/etc/postfix/ldap.saslusermapping"

This sets the new submission_recipient_restrictions and activates the for the smtps service on port 465.
Also the smtpd_sender_login_maps option is configured for the smtps service.

univention-mail-postfix (8.0.13-9)

2015-03-17-univention-mail-postfix.yaml
Comment 5 Felix Botner univentionstaff 2015-03-18 13:35:17 CET
OK - no change during update
OK - /etc/postfix/ldap.saslusermapping
OK - UCR vars
OK - Setup 
OK - smtps from extern only with authentification
OK - smtps from my_networks (without authentification)
OK - force sender address to match with registered mail addresses over smtps
OK - ucs-test -s mail
OK - open xchange

OK - 2015-03-17-univention-mail-postfix.yaml
Comment 6 Sönke Schwardt-Krummrich univentionstaff 2015-03-24 10:40:17 CET
To avoid confusion:
Please notice that the restriction of comment 4 only applies to the SMTP envelope.
The sender is still able to enter whatever he wants to the "To:" and "From:" lines within the mail header.
Comment 7 Janek Walkenhorst univentionstaff 2015-03-25 14:04:51 CET
<http://errata.univention.de/ucs/3.2/300.html>
Comment 8 Tobias Birkefeld univentionstaff 2015-04-23 12:22:09 CEST
(In reply to Sönke Schwardt-Krummrich from comment #4)
> 
> To fix the problem of the bug reporter, the following steps have to be
> performed:
> 1)
> To force the sender address to match with the registered mail addresses at
> the user account (mailPrimaryAddress or mailAlternativeAddress), the
> following UCR variables have to be set:
> ucr set \
>  
> mail/postfix/submission/restrictions/recipient/
> 10="reject_sender_login_mismatch" \
>   mail/postfix/submission/restrictions/recipient/20="permit_mynetworks" \
>  
> mail/postfix/submission/restrictions/recipient/
> 30="permit_sasl_authenticated" \
>  
> mail/postfix/submission/restrictions/recipient/
> 40="reject_unauth_destination" \
>  
> mail/postfix/submission/restrictions/recipient/
> 50="reject_unlisted_recipient" \
>  
> mail/postfix/mastercf/options/smtps/
> smtpd_recipient_restrictions='$submission_recipient_restrictions' \
>  
> mail/postfix/mastercf/options/smtps/smtpd_sender_login_maps="ldap:/etc/
> postfix/ldap.saslusermapping"
> 
> This sets the new submission_recipient_restrictions and activates the for
> the smtps service on port 465.
> Also the smtpd_sender_login_maps option is configured for the smtps service.
> 

This is not a good submission_recipient_restrictions. With this settings it is possible to deliver mails via submission port without authentication (even if you are not in "mynetworks"). But this should only be allowed on port 25, where several other (harder) checks are implemented. Only authenticated user are allowed to deliver their mails via submission port. No other client or server should be allowed to do it here.

My suggestion for the configuration:
mail/postfix/submission/restrictions/recipient/10="reject_sender_login_mismatch"
mail/postfix/submission/restrictions/recipient/20="reject_unknown_recipient_domain"
mail/postfix/submission/restrictions/recipient/30="permit_sasl_authenticated"
mail/postfix/submission/restrictions/recipient/99="reject"