Bug 38061 - Postfix allows MAIL FROM address spoofing
Postfix allows MAIL FROM address spoofing
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Mail
UCS 3.2
Other Linux
: P5 normal (vote)
: UCS 4.0-1-errata
Assigned To: Sönke Schwardt-Krummrich
Felix Botner
:
Depends on: 31738
Blocks: 38063
  Show dependency treegraph
 
Reported: 2015-03-17 13:17 CET by Sönke Schwardt-Krummrich
Modified: 2015-03-25 16:43 CET (History)
8 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sönke Schwardt-Krummrich univentionstaff 2015-03-17 13:17:42 CET
Has to be implemented for UCS 4, too.

+++ This bug was initially created as a clone of Bug #31738 +++

The current postfix configuration allows users to spoof arbitrary MAIL FROM addresses, e.g. boss@univention.de.  Once a user is authenticated every possible address can be used, even from mail domains that are not hosted by the UCS mail server.

According to main.cf:
# smtpd_sender_restrictions is not defined since all relevant checks have been moved to
# smtpd_recipient_restrictions and every mail has to pass smtpd_recipient_restrictions too.
#smtpd_sender_restrictions =

But this doesn't work, because smtpd_recpient_restrictions just applies to the RCTP TO context which doesn't check the MAIL FROM address (http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions).

This is a simple workaround that checks whether the sender's login matches the MAIL FROM address he's trying to send mail for:
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
smtpd_sender_login_maps = ldap:/etc/postfix/ldap.virtual

When canonical address rewriting is enabled, the login maps need to be extended.


Tested with:
UCS 3.1-1-errata 122
univention-mail-server                              7.0.3-1.190.201210111718
univention-mail-postfix                             7.0.3-1.190.201210111718
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2015-03-17 13:52:31 CET
(In reply to Sönke Schwardt-Krummrich from comment #3)
> So, if the SASL username has to match to the sender address and a simple
> reject_authenticated_sender_login_mismatch is sufficient, this can be
> achieved by calling:

This was not sufficient, as the change also affected usual incoming mails over port 25.

To give a possibility to fix this issue, the following changes have been made (together with the new feature from bug 38062):

1) via UCR a new set of restriction rules may be defined (submission_recipient_restrictions) similar to the UCR variables for smtpd_recipient_restrictions.
The new prefix is mail/postfix/submission/restrictions/recipient/...

2)
A new lookup table ldap.saslusermapping has been added for the postfix option smtpd_sender_login_maps:
SASL-USER ==> (mailPrimaryAddress|mailAlternativeAddress)
SASL-USER is the mail address with which the user authenticates itself at postfix.

When updating to the actual version of this package, no functional change is done.


To fix the problem of the bug reporter, the following steps have to be performed:
1)
To force the sender address to match with the registered mail addresses at the user account (mailPrimaryAddress or mailAlternativeAddress), the following UCR variables have to be set:
ucr set \
  mail/postfix/submission/restrictions/recipient/10="reject_sender_login_mismatch" \
  mail/postfix/submission/restrictions/recipient/20="permit_mynetworks" \
  mail/postfix/submission/restrictions/recipient/30="permit_sasl_authenticated" \
  mail/postfix/submission/restrictions/recipient/40="reject_unauth_destination" \
  mail/postfix/submission/restrictions/recipient/50="reject_unlisted_recipient" \
  mail/postfix/mastercf/options/smtps/smtpd_recipient_restrictions='$submission_recipient_restrictions' \
  mail/postfix/mastercf/options/smtps/smtpd_sender_login_maps="ldap:/etc/postfix/ldap.saslusermapping"

This sets the new submission_recipient_restrictions and activates the for the smtps service on port 465.
Also the smtpd_sender_login_maps option is configured for the smtps service.

univention-mail-postfix (9.0.0-14)

2015-03-13-univention-mail-postfix.yaml

@QA: the changes have been comitted with the bug number 31738 in SVN.
Comment 2 Felix Botner univentionstaff 2015-03-18 13:35:20 CET
OK - no change during update
OK - /etc/postfix/ldap.saslusermapping
OK - UCR vars
OK - Setup 
OK - smtps from extern only with authentification
OK - smtps from my_networks (without authentification)
OK - force sender address to match with registered mail addresses over smtps
OK - ucs-test -s mail
OK - horde

OK - 2015-03-13-univention-mail-postfix.yaml
Comment 3 Janek Walkenhorst univentionstaff 2015-03-25 16:43:08 CET
<http://errata.univention.de/ucs/4.0/124.html>