Bug 44357 - prevent spam with forged address from own email domain
Status: RESOLVED DUPLICATE of bug 40609
Product: UCS
Classification: Unclassified
Component: Mail
UCS 4.2
Other Linux
P5 normal with 2 votes
Assigned To: Daniel Tröder
Sönke Schwardt-Krummrich
Reported: 2017-04-12 10:09 CEST by Daniel Tröder
Modified: 2018-09-14 06:26 CEST

What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.103
Enterprise Customer affected?: Yes
Ticket number: 2017041121000713
Bug group (optional): External feedback


Description Daniel Tröder univentionstaff 2017-04-12 10:09:00 CEST
Mails with a FROM address of the own domain are accepted on all UCS mail servers.

In the case where all mails are generated or submitted directly on the external mail server (groupware/webmail/email clients), it shouldn't accept emails from unauthenticated sources with a FROM address of the own domain.

This would prevent spam with a forged email address from being accepted.

Customer case: https://help.univention.com/t/probleme-mit-unauthorisierten-internen-mailversand-postfix-dovecot-sasl-auth/5464

This can probably be implemented using reject_sender_login_mismatch and smtpd_sender_login_maps:
* http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch
* http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps
Comment 1 Sönke Schwardt-Krummrich univentionstaff 2017-04-26 22:10:40 CEST
(In reply to Daniel Tröder from comment #0)
> This can probably be implemented using reject_sender_login_mismatch and
> smtpd_sender_login_maps:
> * http://www.postfix.org/postconf.5.html#reject_sender_login_mismatch
> * http://www.postfix.org/postconf.5.html#smtpd_sender_login_maps

On port 25 authentication is not supported. So *_sender_login_{mismatch,maps} won't work. I think check_sender_access in smtpd_{sender,recipient}_restrictions may work:

smtpd_sender_restrictions = permit_mynetworks,
                             check_sender_access hash:/etc/postfix/sender_access

---[/etc/postfix/sender_access]---
mydomain.com    REJECT
---[cut]---
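
The evaluation order behind the restriction list in comment 1, as an added example that is not part of the bug report and not Postfix code: a simplified Python model of first-match evaluation. The function names mirror the Postfix restrictions; the networks, addresses and sessions are constructed sample values, and the subdomain matching assumes smtpd_access_maps is listed in parent_domain_matches_subdomains.

```python
import ipaddress

# Constructed sample values; mydomain.com is the placeholder from comment 1.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/24")]
SENDER_ACCESS = {"mydomain.com": "REJECT"}  # contents of sender_access


def permit_mynetworks(client_ip, sender):
    ip = ipaddress.ip_address(client_ip)
    return "PERMIT" if any(ip in net for net in MYNETWORKS) else "DUNNO"


def check_sender_access(client_ip, sender):
    # sender is the envelope MAIL FROM address; the From: header is not used.
    # Keys tried: full address, then the domain and its parent domains
    # (assumes smtpd_access_maps is in parent_domain_matches_subdomains).
    labels = sender.rpartition("@")[2].lower().split(".")
    keys = [sender.lower()] + [".".join(labels[i:]) for i in range(len(labels))]
    for key in keys:
        if key in SENDER_ACCESS:
            return SENDER_ACCESS[key]
    return "DUNNO"


def evaluate(restrictions, client_ip, sender):
    """First decisive result wins; DUNNO falls through to the next entry."""
    for restriction in restrictions:
        result = restriction(client_ip, sender)
        if result != "DUNNO":
            return result
    return "DUNNO"  # this list raised no objection


COMMENT_1 = [permit_mynetworks, check_sender_access]

# Constructed sessions: (client IP, envelope sender)
SESSIONS = [
    ("203.0.113.7", "ceo@mydomain.com"),   # unauthenticated outside host
    ("203.0.113.7", "alice@example.org"),  # ordinary inbound mail
    ("10.0.0.15", "bob@mydomain.com"),     # internal client in mynetworks
]

if __name__ == "__main__":
    for ip, sender in SESSIONS:
        print(ip, sender, evaluate(COMMENT_1, ip, sender))
    # With the two entries swapped, the internal client is rejected as well.
    print(evaluate(COMMENT_1[::-1], "10.0.0.15", "bob@mydomain.com"))
```

Because the lookup uses the envelope sender, a message whose From: header shows the own domain but whose MAIL FROM address uses another domain is not affected by this table.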
Comment 2 Tobias Birkefeld univentionstaff 2018-03-19 13:47:04 CET
also reported in forum: https://help.univention.com/t/kopano-smtp-offen-fur-alle-bei-internen-mails/8236
Comment 3 Daniel Tröder univentionstaff 2018-09-14 06:26:49 CEST

*** This bug has been marked as a duplicate of bug 40609 ***