Univention Bugzilla – Bug 38061
Postfix allows MAIL FROM address spoofing
Last modified: 2015-03-25 16:43:08 CET
Has to be implemented for UCS 4, too.

+++ This bug was initially created as a clone of Bug #31738 +++

The current postfix configuration allows users to spoof arbitrary MAIL FROM addresses, e.g. boss@univention.de. Once a user is authenticated every possible address can be used, even from mail domains that are not hosted by the UCS mail server.

According to main.cf:

    # smtpd_sender_restrictions is not defined since all relevant checks have been moved to
    # smtpd_recipient_restrictions and every mail has to pass smtpd_recipient_restrictions too.
    #smtpd_sender_restrictions =

But this doesn't work, because smtpd_recipient_restrictions just applies to the RCPT TO context which doesn't check the MAIL FROM address (http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions).

This is a simple workaround that checks whether the sender's login matches the MAIL FROM address he's trying to send mail for:

    smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
    smtpd_sender_login_maps = ldap:/etc/postfix/ldap.virtual

When canonical address rewriting is enabled, the login maps need to be extended.

Tested with:
UCS 3.1-1-errata 122
univention-mail-server 7.0.3-1.190.201210111718
univention-mail-postfix 7.0.3-1.190.201210111718
(In reply to Sönke Schwardt-Krummrich from comment #3)
> So, if the SASL username has to match to the sender address and a simple
> reject_authenticated_sender_login_mismatch is sufficient, this can be
> achieved by calling:

This was not sufficient, as the change also affected usual incoming mails over port 25.

To give a possibility to fix this issue, the following changes have been made (together with the new feature from bug 38062):

1) Via UCR a new set of restriction rules may be defined (submission_recipient_restrictions) similar to the UCR variables for smtpd_recipient_restrictions. The new prefix is mail/postfix/submission/restrictions/recipient/...

2) A new lookup table ldap.saslusermapping has been added for the postfix option smtpd_sender_login_maps:
   SASL-USER ==> (mailPrimaryAddress|mailAlternativeAddress)
   SASL-USER is the mail address with which the user authenticates itself at postfix.

When updating to the actual version of this package, no functional change is done. To fix the problem of the bug reporter, the following steps have to be performed:

1) To force the sender address to match with the registered mail addresses at the user account (mailPrimaryAddress or mailAlternativeAddress), the following UCR variables have to be set:

    ucr set \
      mail/postfix/submission/restrictions/recipient/10="reject_sender_login_mismatch" \
      mail/postfix/submission/restrictions/recipient/20="permit_mynetworks" \
      mail/postfix/submission/restrictions/recipient/30="permit_sasl_authenticated" \
      mail/postfix/submission/restrictions/recipient/40="reject_unauth_destination" \
      mail/postfix/submission/restrictions/recipient/50="reject_unlisted_recipient" \
      mail/postfix/mastercf/options/smtps/smtpd_recipient_restrictions='$submission_recipient_restrictions' \
      mail/postfix/mastercf/options/smtps/smtpd_sender_login_maps="ldap:/etc/postfix/ldap.saslusermapping"

This sets the new submission_recipient_restrictions and activates them for the smtps service on port 465. Also the smtpd_sender_login_maps option is configured for the smtps service.

univention-mail-postfix (9.0.0-14)
2015-03-13-univention-mail-postfix.yaml

@QA: the changes have been committed with the bug number 31738 in SVN.
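Added example, not part of the bug report and not UCS or Postfix code: a small Python model of how Postfix documents reject_sender_login_mismatch and reject_authenticated_sender_login_mismatch deciding on a MAIL FROM address. The map contents, addresses and function names are constructed for illustration, and the lookup is simplified to an exact, case-insensitive address match.

```python
# Added illustration of the documented Postfix sender/login checks.
# All addresses and logins are constructed sample data.

# Stand-in for smtpd_sender_login_maps: MAIL FROM address -> owning SASL logins.
SENDER_LOGIN_MAP = {
    "alice@example.test": {"alice@example.test"},
    "bob@example.test": {"bob@example.test"},
    "sales@example.test": {"alice@example.test", "bob@example.test"},
}

def owners(mail_from):
    """Return the SASL logins that own mail_from (empty set if unlisted)."""
    return SENDER_LOGIN_MAP.get(mail_from.strip().lower(), set())

def login_mismatch(mail_from, sasl_login):
    """True when the session violates the sender/login ownership rule."""
    owned_by = owners(mail_from)
    if sasl_login is None:
        # Unauthenticated client: a mismatch only if the address has an owner.
        return bool(owned_by)
    # Authenticated client: the login must own the address it claims,
    # so an unlisted (e.g. foreign-domain) sender is a mismatch too.
    return sasl_login not in owned_by

def check(restriction, mail_from, sasl_login=None):
    """Return 'REJECT', or 'DUNNO' to fall through to the next restriction."""
    if restriction == "reject_sender_login_mismatch":
        applies = True
    elif restriction == "reject_authenticated_sender_login_mismatch":
        applies = sasl_login is not None  # authenticated sessions only
    else:
        raise ValueError(f"unsupported restriction: {restriction}")
    if applies and login_mismatch(mail_from, sasl_login):
        return "REJECT"
    return "DUNNO"

if __name__ == "__main__":
    both = ("reject_sender_login_mismatch",
            "reject_authenticated_sender_login_mismatch")
    sessions = [  # (MAIL FROM, SASL login or None)
        ("boss@other.test", "alice@example.test"),   # spoofed foreign sender
        ("sales@example.test", "bob@example.test"),  # shared address, owner
        ("alice@example.test", None),                # owned, no login
        ("stranger@other.test", None),               # ordinary inbound mail
    ]
    for mail_from, login in sessions:
        for rule in both:
            print(f"{rule:45} {mail_from:22} {login}: "
                  f"{check(rule, mail_from, login)}")
```

DUNNO here means only that this one restriction did not reject; later entries in the restriction list still decide whether the mail is accepted.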
OK - no change during update
OK - /etc/postfix/ldap.saslusermapping
OK - UCR vars
OK - Setup
OK - smtps from extern only with authentication
OK - smtps from my_networks (without authentication)
OK - force sender address to match with registered mail addresses over smtps
OK - ucs-test -s mail
OK - horde
OK - 2015-03-13-univention-mail-postfix.yaml
<http://errata.univention.de/ucs/4.0/124.html>