Univention Bugzilla – Full Text Bug Listing

| Summary: | Postfix allows MAIL FROM address spoofing | | |
|---|---|---|---|
| Product: | UCS | Reporter: | Sönke Schwardt-Krummrich <schwardt> |
| Component: | | Assignee: | Sönke Schwardt-Krummrich <schwardt> |
| Status: | CLOSED FIXED | QA Contact: | Felix Botner <botner> |
| Severity: | normal | | |
| Priority: | P5 | CC: | best, birkefeld, ebersbach, gohmann, grandjean, hahn, steuwer, walkenhorst |
| Version: | UCS 3.2 | | |
| Target Milestone: | UCS 4.0-1-errata | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| Bug Depends on: | 31738 | | |
| Bug Blocks: | 38063 | | |
Description
Sönke Schwardt-Krummrich
2015-03-17 13:17:42 CET
(In reply to Sönke Schwardt-Krummrich from comment #3)
> So, if the SASL username has to match to the sender address and a simple
> reject_authenticated_sender_login_mismatch is sufficient, this can be
> achieved by calling:

This was not sufficient, as the change also affected usual incoming mails over port 25.

To give a possibility to fix this issue, the following changes have been made (together with the new feature from bug 38062):

1) Via UCR a new set of restriction rules may be defined (submission_recipient_restrictions), similar to the UCR variables for smtpd_recipient_restrictions. The new prefix is mail/postfix/submission/restrictions/recipient/...

2) A new lookup table ldap.saslusermapping has been added for the postfix option smtpd_sender_login_maps:

   SASL-USER ==> (mailPrimaryAddress|mailAlternativeAddress)

   SASL-USER is the mail address with which the user authenticates itself at postfix.

When updating to the current version of this package, no functional change is done.

To fix the problem of the bug reporter, the following steps have to be performed:

1) To force the sender address to match the registered mail addresses at the user account (mailPrimaryAddress or mailAlternativeAddress), the following UCR variables have to be set:

```shell
ucr set \
  mail/postfix/submission/restrictions/recipient/10="reject_sender_login_mismatch" \
  mail/postfix/submission/restrictions/recipient/20="permit_mynetworks" \
  mail/postfix/submission/restrictions/recipient/30="permit_sasl_authenticated" \
  mail/postfix/submission/restrictions/recipient/40="reject_unauth_destination" \
  mail/postfix/submission/restrictions/recipient/50="reject_unlisted_recipient" \
  mail/postfix/mastercf/options/smtps/smtpd_recipient_restrictions='$submission_recipient_restrictions' \
  mail/postfix/mastercf/options/smtps/smtpd_sender_login_maps="ldap:/etc/postfix/ldap.saslusermapping"
```

This sets the new submission_recipient_restrictions and activates them for the smtps service on port 465. Also the smtpd_sender_login_maps option is configured for the smtps service.

univention-mail-postfix (9.0.0-14)
2015-03-13-univention-mail-postfix.yaml

@QA: the changes have been committed with the bug number 31738 in SVN.

OK - no change during update
OK - /etc/postfix/ldap.saslusermapping
OK - UCR vars
OK - Setup
OK - smtps from extern only with authentication
OK - smtps from my_networks (without authentication)
OK - force sender address to match with registered mail addresses over smtps
OK - ucs-test -s mail
OK - horde
OK - 2015-03-13-univention-mail-postfix.yaml
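The comment above fixes the spoofing by putting reject_sender_login_mismatch in front of permit_sasl_authenticated and feeding it the ldap.saslusermapping table. The following is an added example (not code from the bug report, from Postfix, or from the univention-mail-postfix package) that models the decision rule the Postfix documentation gives for each of the five restrictions, so the effect of the rule order can be checked offline. The accounts, networks and addresses are constructed sample data; the WEAK_ORDER list is an assumed ordering used only to show the spoof that the fix prevents.

```python
"""Offline model of the Postfix restrictions that the UCR settings above enable.

Added example, not code from the bug report or from univention-mail-postfix.
It reproduces the documented decision rules of the restrictions named in
submission_recipient_restrictions so that the effect of their ORDER can be
checked without a mail server.  All data below is constructed.
"""

# Constructed sample of the ldap.saslusermapping table, written the way the
# comment describes it: SASL-USER ==> (mailPrimaryAddress | mailAlternativeAddress).
SASL_USER_MAPPING = {
    "alice@example.com": {"alice@example.com", "a.smith@example.com"},
    "bob@example.com": {"bob@example.com"},
}

# Postfix queries smtpd_sender_login_maps with the MAIL FROM address and gets
# back the login name(s) that own it, so invert the table into that direction.
SENDER_OWNERS: dict[str, set[str]] = {}
for _login, _addresses in SASL_USER_MAPPING.items():
    for _addr in _addresses:
        SENDER_OWNERS.setdefault(_addr.lower(), set()).add(_login.lower())

MYNETWORKS = {"127.0.0.1", "10.0.0.5"}          # constructed $mynetworks
LOCAL_DOMAINS = {"example.com"}                   # constructed $mydestination
VALID_RECIPIENTS = {"alice@example.com", "bob@example.com", "postmaster@example.com"}

# Keys 10..50 of mail/postfix/submission/restrictions/recipient/ from the comment.
SUBMISSION_RECIPIENT_RESTRICTIONS = [
    "reject_sender_login_mismatch",
    "permit_mynetworks",
    "permit_sasl_authenticated",
    "reject_unauth_destination",
    "reject_unlisted_recipient",
]

# Assumed weak ordering: SASL clients are permitted before the login check runs.
WEAK_ORDER = [
    "permit_mynetworks",
    "permit_sasl_authenticated",
    "reject_sender_login_mismatch",
    "reject_unauth_destination",
    "reject_unlisted_recipient",
]


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def reject_sender_login_mismatch(client_ip, sasl_login, sender, recipient):
    """Documented rule: a logged-in client must own MAIL FROM according to the
    map; a client that is not logged in may not use a MAIL FROM that has an owner."""
    owners = SENDER_OWNERS.get(sender.lower(), set())
    if sasl_login:
        if sasl_login.lower() not in owners:
            return ("reject", f"sender {sender} not owned by user {sasl_login}")
    elif owners:
        return ("reject", f"sender {sender} has an owner but client is not logged in")
    return None  # no decision; the next restriction in the list decides


def permit_mynetworks(client_ip, sasl_login, sender, recipient):
    return ("permit", "client in mynetworks") if client_ip in MYNETWORKS else None


def permit_sasl_authenticated(client_ip, sasl_login, sender, recipient):
    return ("permit", f"authenticated as {sasl_login}") if sasl_login else None


def reject_unauth_destination(client_ip, sasl_login, sender, recipient):
    if _domain(recipient) not in LOCAL_DOMAINS:
        return ("reject", "relay access denied")
    return None


def reject_unlisted_recipient(client_ip, sasl_login, sender, recipient):
    if recipient.lower() not in VALID_RECIPIENTS:
        return ("reject", "recipient unknown")
    return None


RESTRICTIONS = {f.__name__: f for f in (
    reject_sender_login_mismatch, permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination, reject_unlisted_recipient)}


def evaluate(restrictions, client_ip, sasl_login, sender, recipient):
    """Walk the list as smtpd_recipient_restrictions does: the first restriction
    that returns permit or reject decides; an exhausted list permits."""
    for name in restrictions:
        verdict = RESTRICTIONS[name](client_ip, sasl_login, sender, recipient)
        if verdict is not None:
            return verdict
    return ("permit", "end of restriction list")


if __name__ == "__main__":
    cases = [  # (client_ip, sasl_login, MAIL FROM, RCPT TO), all constructed
        ("203.0.113.7", "alice@example.com", "a.smith@example.com", "bob@example.com"),
        ("203.0.113.7", "alice@example.com", "bob@example.com", "postmaster@example.com"),
        ("10.0.0.5", None, "printer@example.com", "alice@example.com"),
        ("10.0.0.5", None, "alice@example.com", "bob@example.com"),
    ]
    for label, order in (("fixed", SUBMISSION_RECIPIENT_RESTRICTIONS), ("weak", WEAK_ORDER)):
        for case in cases:
            print(label, case, "->", evaluate(order, *case))
```

The second case is the bug: alice, authenticated, sends MAIL FROM bob@example.com. With permit_sasl_authenticated first the list permits before the ownership check runs; with the order from the UCR variables the check rejects it. The fourth case is the caveat to keep in mind with this order on the smtps service: a client in mynetworks that does not authenticate is rejected as soon as it uses a MAIL FROM that has an owner in the map, because reject_sender_login_mismatch runs before permit_mynetworks. That same rule applied to an unauthenticated external MTA on port 25 would reject any inbound message whose envelope sender is a mapped local address, which is why the comment keeps the list on the submission port only.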