First Last Prev Next    This bug is not in your last search results.
Bug 40377 - extend smtpd_recipient_restrictions with useful restrictions for blocking spam and not mailable mails
extend smtpd_recipient_restrictions with useful restrictions for blocking spa...
Status: REOPENED
Product: UCS
Classification: Unclassified
Component: Mail
UCS 4.4
Other Linux
: P5 normal (vote)
: ---
Assigned To: Mail maintainers
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-01-06 15:25 CET by Tobias Birkefeld
Modified: 2020-04-03 15:51 CEST (History)
6 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.103
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Tobias Birkefeld univentionstaff 2016-01-06 15:25:58 CET 
It would be nice to set the following smtpd_recipient_restrictions as default to prevent the mailserver from mails, which are not RFC conform and/or not mailable.

I recommend the following settings as default:

mail/postfix/smtpd/restrictions/recipient/01: reject_non_fqdn_recipient
mail/postfix/smtpd/restrictions/recipient/02: reject_non_fqdn_sender
mail/postfix/smtpd/restrictions/recipient/03: reject_unknown_sender_domain
mail/postfix/smtpd/restrictions/recipient/05: check_policy_service unix:private/listfilter (set if mail/postfix/policy/listfilter=true)
mail/postfix/smtpd/restrictions/recipient/10: permit_mynetworks
mail/postfix/smtpd/restrictions/recipient/20: permit_sasl_authenticated
mail/postfix/smtpd/restrictions/recipient/30: reject_unauth_destination
mail/postfix/smtpd/restrictions/recipient/35: reject_unlisted_recipient
mail/postfix/smtpd/restrictions/recipient/40 check_policy_service inet:127.0.0.1:10023 (set if mail/postfix/greylisting=true)

The first two restrictions reject the request when the MAIL FROM or RCPT TO address is not in fully-qualified domain form, as required by the RFC.
The third restriction reject the request when Postfix is not final destination for the sender address, and the MAIL FROM domain has
1) no DNS MX and no DNS A record, or
2) a malformed MX record such as a record with a zero-length MX hostname.

These restrictions are set for all incoming mails (even if you are (SASL) logged in or in mynetworks).
Comment 1 Daniel Tröder univentionstaff 2016-01-13 08:28:59 CET 
A hint should be added, that for old Outlook clients reject_non_fqdn_sender must be after permit_sasl_authenticated (they use only their hostname in HELO).
Comment 2 Florian Best univentionstaff 2017-06-28 14:52:46 CEST 
There is a Customer ID set so I set the flag "Enterprise Customer affected".
Comment 3 Sönke Schwardt-Krummrich univentionstaff 2018-04-12 11:20:11 CEST 
Production config of one of our customers:

smtpd_recipient_restrictions = check_policy_service unix:private/listfilter,
        reject_unlisted_recipient,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        permit_mynetworks,
        reject_unauth_destination,
        reject_unknown_sender_domain,
        reject_invalid_helo_hostname,
        reject_unknown_sender_domain,
        check_sender_access hash:/etc/postfix/check_sender_domain_access,
        check_sender_access hash:/etc/postfix/check_custom_sender_access,
        check_recipient_access hash:/etc/postfix/check_custom_recipient_access,
        check_client_access hash:/etc/postfix/check_custom_client_access,
        #check_policy_service inet:127.0.0.1:10040,
        permit

# special recipient_restrictions which may be used by smtps/submission services
# (can be configured via UCR: mail/postfix/submission/restrictions/recipient/...)
submission_recipient_restrictions = reject_sender_login_mismatch,
        check_sender_access hash:/etc/postfix/check_submission_sender_access,
        reject_unknown_recipient_domain,
        check_policy_service unix:private/listfilter,
        check_policy_service inet:127.0.0.1:12345,
        permit_sasl_authenticated,
        reject
Comment 4 Sönke Schwardt-Krummrich univentionstaff 2018-04-12 11:27:17 CEST 
We should install the new default on fresh installations.
During the update from UCS 4.3-0 to 4.3-1 the new default should be only applied if the current configuration is equal to the old default config.
Comment 5 Stefan Gohmann univentionstaff 2019-01-03 07:22:38 CET 
This issue has been filled against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 has ended on 5st of April 2018.

Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact
your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.
Comment 6 Dirk Ahrnke univentionstaff 2020-02-26 09:52:37 CET 
The absence of useful restrictions is still a point which could cause security related problems in case no hardening of the mail stack is done.
Comment 7 Arvid Requate univentionstaff 2020-04-02 14:08:59 CEST 
A Ticket-Number is required to qualify a Bug as "School Customer Affected" or "Enterprise Customer Affected".
Comment 8 Dirk Ahrnke univentionstaff 2020-04-02 15:43:53 CEST 
(In reply to Arvid Requate from comment #7)
> A Ticket-Number is required to qualify a Bug as "School Customer Affected"
> or "Enterprise Customer Affected".

The absence of a ticket number doesnt necessarily mean that one of those customer groups is not affected. 
The ticket system is a tool primarily used by the support team.
During system setups we do in professional services we usually dont create tickets because we mostly solve issues by ourself and probably document it somewhere. 
I added a customer ID which is indeed a School customer. 

From my point of view it doesnt matter if one of the flags are set or not because the defaults have to be adjusted in any case and will therefor affect all customers.
First Last Prev Next    This bug is not in your last search results.