Univention Bugzilla – Bug 31738
Postfix allows MAIL FROM address spoofing
Last modified: 2015-04-23 12:22:09 CEST
The current postfix configuration allows users to spoof arbitrary MAIL FROM addresses, e.g. boss@univention.de. Once a user is authenticated every possible address can be used, even from mail domains that are not hosted by the UCS mail server.

According to main.cf:

# smtpd_sender_restrictions is not defined since all relevant checks have been moved to
# smtpd_recipient_restrictions and every mail has to pass smtpd_recipient_restrictions too.
#smtpd_sender_restrictions =

But this doesn't work, because smtpd_recipient_restrictions just applies to the RCPT TO context which doesn't check the MAIL FROM address (http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions).

This is a simple workaround that checks whether the sender's login matches the MAIL FROM address he's trying to send mail for:

smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
smtpd_sender_login_maps = ldap:/etc/postfix/ldap.virtual

When canonical address rewriting is enabled, the login maps need to be extended.

Tested with:
UCS 3.1-1-errata 122
univention-mail-server 7.0.3-1.190.201210111718
univention-mail-postfix 7.0.3-1.190.201210111718
(In reply to Jan Christoph Ebersbach from comment #0)
> According to main.cf:
> # smtpd_sender_restrictions is not defined since all relevant checks have
> been moved to
> # smtpd_recipient_restrictions and every mail has to pass
> smtpd_recipient_restrictions too.
> #smtpd_sender_restrictions =
>
> But this doesn't work, because smtpd_recipient_restrictions just applies to
> the RCPT TO context which doesn't check the MAIL FROM address
> (http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions).

Wrong: the SMTP dialog has the following fixed order:
0. TCP-Connect → smtpd_client_restrictions
1. HELO/EHLO → smtpd_helo_restrictions
2. (AUTH) → smtpd_sasl_auth_enable
3. MAIL FROM → smtpd_sender_restrictions
4. RCPT TO → smtpd_recipient_restrictions / smtpd_relay_restrictions
5. DATA → smtpd_data_restrictions
6. . → smtpd_end_of_data_restrictions

The named Postfix checks are executed after the appropriate step, that is "as soon as the information is available". (I hope it is clear that the recipient address can't be verified until it is available, that is any recipient check can only be specified on smtpd_recipient_restrictions or later, that is also on smtpd_data_restrictions or smtpd_end_of_data_restrictions).

> This is a simple workaround that checks whether the sender's login matches
> the MAIL FROM address he's trying to send mail for:
> smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch

The real problem is the following assignment:
> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated,
> reject_unauth_destination,
> reject_unlisted_recipient

Postfix implements a "first-test-wins" strategy, that is because "permit_sasl_authenticated" matches, all *following tests are skipped*, so no verification of unlisted recipients happens! If unknown recipients should be rejected in all cases, "reject_unlisted_recipient" must be moved before all other "permit_*" rules.
reported again in 2015030921000527
> If unknown recipients should be rejected in all cases,
> "reject_unlisted_recipient" must be moved before all other "permit_*" rules.

IIRC in this case postfix rejects mails for foreign mail domains/MX. I wouldn't support that change.

It's a good habit to use only smtpd_recipient_restrictions because:
- postfix talks to the client until the RCPT TO even if a previous restriction failed
- the rule construct will be much simpler
- all rules mentioned in previous restrictions (client, helo, sender, ...) can be also used without penalty in smtpd_recipient_restrictions

The smtpd_recipient_restrictions in univention-mail-postfix are constructed via UCR variables:
mail/postfix/smtpd/restrictions/recipient/10: permit_mynetworks
mail/postfix/smtpd/restrictions/recipient/30: permit_sasl_authenticated
mail/postfix/smtpd/restrictions/recipient/50: reject_unauth_destination
mail/postfix/smtpd/restrictions/recipient/70: reject_unlisted_recipient

results in

smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unlisted_recipient

So, if the SASL username has to match to the sender address and a simple reject_authenticated_sender_login_mismatch is sufficient, this can be achieved by calling:

ucr set mail/postfix/smtpd/restrictions/recipient/20=\
"reject_authenticated_sender_login_mismatch"
(In reply to Sönke Schwardt-Krummrich from comment #3)
> So, if the SASL username has to match to the sender address and a simple
> reject_authenticated_sender_login_mismatch is sufficient, this can be
> achieved by calling:

This was not sufficient, as the change also affected usual incoming mails over port 25.

To give a possibility to fix this issue, the following changes have been made (together with the new feature from bug 38062):
1) via UCR a new set of restriction rules may be defined (submission_recipient_restrictions) similar to the UCR variables for smtpd_recipient_restrictions. The new prefix is mail/postfix/submission/restrictions/recipient/...
2) A new lookup table ldap.saslusermapping has been added for the postfix option smtpd_sender_login_maps:
SASL-USER ==> (mailPrimaryAddress|mailAlternativeAddress)
SASL-USER is the mail address with which the user authenticates itself at postfix.

When updating to the actual version of this package, no functional change is done.

To fix the problem of the bug reporter, the following steps have to be performed:
1) To force the sender address to match with the registered mail addresses at the user account (mailPrimaryAddress or mailAlternativeAddress), the following UCR variables have to be set:

ucr set \
mail/postfix/submission/restrictions/recipient/10="reject_sender_login_mismatch" \
mail/postfix/submission/restrictions/recipient/20="permit_mynetworks" \
mail/postfix/submission/restrictions/recipient/30="permit_sasl_authenticated" \
mail/postfix/submission/restrictions/recipient/40="reject_unauth_destination" \
mail/postfix/submission/restrictions/recipient/50="reject_unlisted_recipient" \
mail/postfix/mastercf/options/smtps/smtpd_recipient_restrictions='$submission_recipient_restrictions' \
mail/postfix/mastercf/options/smtps/smtpd_sender_login_maps="ldap:/etc/postfix/ldap.saslusermapping"

This sets the new submission_recipient_restrictions and activates them for the smtps service on port 465.
Also the smtpd_sender_login_maps option is configured for the smtps service.

univention-mail-postfix (8.0.13-9)
2015-03-17-univention-mail-postfix.yaml
OK - no change during update
OK - /etc/postfix/ldap.saslusermapping
OK - UCR vars
OK - Setup
OK - smtps from extern only with authentication
OK - smtps from my_networks (without authentication)
OK - force sender address to match with registered mail addresses over smtps
OK - ucs-test -s mail
OK - open xchange
OK - 2015-03-17-univention-mail-postfix.yaml
To avoid confusion: Please notice that the restriction of comment 4 only applies to the SMTP envelope. The sender is still able to enter whatever he wants into the "To:" and "From:" lines within the mail header.
<http://errata.univention.de/ucs/3.2/300.html>
(In reply to Sönke Schwardt-Krummrich from comment #4)
>
> To fix the problem of the bug reporter, the following steps have to be
> performed:
> 1)
> To force the sender address to match with the registered mail addresses at
> the user account (mailPrimaryAddress or mailAlternativeAddress), the
> following UCR variables have to be set:
> ucr set \
> mail/postfix/submission/restrictions/recipient/10="reject_sender_login_mismatch" \
> mail/postfix/submission/restrictions/recipient/20="permit_mynetworks" \
> mail/postfix/submission/restrictions/recipient/30="permit_sasl_authenticated" \
> mail/postfix/submission/restrictions/recipient/40="reject_unauth_destination" \
> mail/postfix/submission/restrictions/recipient/50="reject_unlisted_recipient" \
> mail/postfix/mastercf/options/smtps/smtpd_recipient_restrictions='$submission_recipient_restrictions' \
> mail/postfix/mastercf/options/smtps/smtpd_sender_login_maps="ldap:/etc/postfix/ldap.saslusermapping"
>
> This sets the new submission_recipient_restrictions and activates them for
> the smtps service on port 465.
> Also the smtpd_sender_login_maps option is configured for the smtps service.

This is not a good submission_recipient_restrictions. With these settings it is possible to deliver mails via submission port without authentication (even if you are not in "mynetworks"). But this should only be allowed on port 25, where several other (harder) checks are implemented. Only authenticated users are allowed to deliver their mails via submission port. No other client or server should be allowed to do it here.

My suggestion for the configuration:
mail/postfix/submission/restrictions/recipient/10="reject_sender_login_mismatch"
mail/postfix/submission/restrictions/recipient/20="reject_unknown_recipient_domain"
mail/postfix/submission/restrictions/recipient/30="permit_sasl_authenticated"
mail/postfix/submission/restrictions/recipient/99="reject"
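Added here as an illustration, not code from the bug report or from univention-mail-postfix: a toy evaluator that applies Postfix's "first-test-wins" rule to the restriction orders discussed in this bug, so the effect of each ordering can be checked before touching a live server. The networks, domains, recipients and the login map are constructed sample data, and the rule semantics are simplified (no DNS, no relay_domains, no canonical rewriting).

```python
# Added example; not code from the bug report or from univention-mail-postfix.
# A toy evaluator for Postfix restriction lists using the "first-test-wins"
# rule, run over the rule orders discussed in this bug. Networks, domains,
# recipients and the login map below are constructed sample data.
from ipaddress import ip_address, ip_network

MYNETWORKS = [ip_network("127.0.0.0/8"), ip_network("10.200.0.0/16")]
LOCAL_DOMAINS = {"example.test"}               # mydestination / relay_domains
LISTED_RCPTS = {"alice@example.test", "boss@example.test"}
RESOLVABLE = {"example.test", "partner.test"}  # stands in for the DNS lookup
# constructed smtpd_sender_login_maps: SASL user -> MAIL FROM addresses it owns
LOGIN_MAP = {"alice@example.test": {"alice@example.test", "a.smith@example.test"}}

def evaluate(restrictions, client, sender, rcpt, sasl_user=None):
    """Walk the list in order; the first matching rule decides (default: permit)."""
    ip, rd = ip_address(client), rcpt.rsplit("@", 1)[-1].lower()
    owned = any(sender.lower() in a for a in LOGIN_MAP.values())
    mismatch = sasl_user is not None and sender.lower() not in LOGIN_MAP.get(sasl_user, ())
    for rule in restrictions:
        hit = {
            "permit_mynetworks": any(ip in n for n in MYNETWORKS),
            "permit_sasl_authenticated": sasl_user is not None,
            "reject_unauth_destination": rd not in LOCAL_DOMAINS,
            "reject_unlisted_recipient": rd in LOCAL_DOMAINS and rcpt.lower() not in LISTED_RCPTS,
            "reject_unknown_recipient_domain": rd not in RESOLVABLE,
            "reject_authenticated_sender_login_mismatch": mismatch,
            # additionally rejects unauthenticated use of an address that has an owner
            "reject_sender_login_mismatch": mismatch or (sasl_user is None and owned),
            "reject": True,
        }[rule]
        if hit:
            return ("permit" if rule.startswith("permit") else "reject", rule)
    return ("permit", "end of list")

# the rule orders discussed in the bug, as Postfix would see them
UCR_DEFAULT = ["permit_mynetworks", "permit_sasl_authenticated",
               "reject_unauth_destination", "reject_unlisted_recipient"]
WITH_RULE_20 = UCR_DEFAULT[:1] + ["reject_authenticated_sender_login_mismatch"] + UCR_DEFAULT[1:]
SUBMISSION_C4 = ["reject_sender_login_mismatch"] + UCR_DEFAULT
SUBMISSION_LAST = ["reject_sender_login_mismatch", "reject_unknown_recipient_domain",
                   "permit_sasl_authenticated", "reject"]

def spoofed_mail_from(restrictions):
    # alice authenticates but puts the boss's address into MAIL FROM (comment #0)
    return evaluate(restrictions, "203.0.113.7", "boss@example.test",
                    "alice@example.test", sasl_user="alice@example.test")

def unauthenticated_outsider(restrictions):
    # no SASL login, not in mynetworks, valid local recipient (the last comment's case)
    return evaluate(restrictions, "203.0.113.7", "someone@partner.test", "alice@example.test")
```

With UCR_DEFAULT the spoofed MAIL FROM is permitted by permit_sasl_authenticated before any sender check runs; with SUBMISSION_C4 the unauthenticated outsider reaches the end of the list and is permitted, which is exactly what the final "reject" in SUBMISSION_LAST closes.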