Topic: Postfix configuration problem

This should be very simple, but either the docs are unnecessarily obscure or I'm missing the obvious. (Yeah, blame it on the docs)

We had a trojanned box that was sending things out, and I want to be sure it doesn't happen again, as we got listed in all the bad places.  (Rightfully so.  Telling the users not to use MS is not an option)

So, what I want to do is this--we are not an open relay, but the box, which was on one of the subnets, was sending out things with different from lines, e.g. verizon.net etc.

I want to block all senders that don't have one of our domain names from sending.  I thought I could do this with sender access maps, but it's not working.  Testing it on a test machine (a good place to test things) I can send out if I change the From to read verizon.net, whatever.net, foobar.net, et al.


By now, I've tried and failed with so many different things, I can't give a list of all that I've tried.  Googling gave a couple of things that I thought would work, but they also failed. 

So, I'd be grateful for pointers---actually, I'm at the stage where I'd like someone to hold my hand and tell me exactly how to only allow senders with a From of foo.com, bar.com and foobar.com

Thanks for any help.

Your lamer friend

<@andre> i would be so much more efficient if i wasn't so stupid

Re: Postfix configuration problem

To add a bit of info here---it turned out, as I said, to be trojanned machines--they weren't sending through the mailserver, however the whole thing made me think it is worthwhile to add that condition, that they come from one of two domain names.

It seemed trivial.  I found this man page which seemed to describe my situation exactly.  Therefore, I'm not sure what I'm missing.  I did the restriction class and outsider file exactly as specified.

Thanks again.  So far, no answers, but I am hoping it's because the postfix experts here, and I know there are a few, simply haven't been the ones to read this yet.

Re: Postfix configuration problem

Scott, we use the following two settings:

# require authentication:
smtpd_client_restrictions = permit_sasl_authenticated reject
# require the sender to be authenticated as the MAIL FROM address owner:
smtpd_sender_restrictions = [...] reject_authenticated_sender_login_mismatch [...]

Plus we also use "check_sender_access". In that restriction example, it's using "smtpd_recipient_restrictions", maybe you just forgot to change it to "smtpd_sender_restrictions"?

Re: Postfix configuration problem

Typo--I meant to say I'd added the insiders part. 

smtpd_restriction_classes = insiders_only
    insiders_only = check_sender_access hash:/etc/postfix/insiders, reject


Then created insiders_only

/etc/postfix/insiders:
    my.domain       OK  matches my.domain and subdomains
    another.domain  OK  matches another.domain and subdomains

I've been testing it on my own machine, the scottro.net one. However, I'm still able to send as scottro@fakedomain.net.


The situation at work isn't that practical for the people to use smtp authentication, though I'm thinking of going that way.  Your example seems to require it. 

One ironic problem is that our setup is so much simpler than most howtos---NIS authentication off of an AIX box for receiving, no sql databases, no imap, not much of anything.  Mostly it's to allow the AIX box to send mail and for a couple of users to send spooler reports. 

I've ordered Mr. Hildebrandt's book, maybe that'll have the answer.  Mr. Dent's book gave a few possibilities, but I suspect I've misunderstood something, which often happens to me with O'Reilly books.

Re: Postfix configuration problem

Try adding the "check_sender_access" rule in "smtpd_sender_restrictions". This works in the MAIL FROM address, while the scheme in that example seems to work on the SMTP "From:" header: "What follows is based on the sender SMTP envelope address, and therefore is subject to SMTP sender spoofing."

Re: Postfix configuration problem

No, that didn't work either, assuming I am understanding your suggestion.  I added the following to main.cf

smtpd_sender_restrictions =
        check_sender_access hash:/usr/local/etc/insiders, reject

The insiders file looks like

scottro.net     OK

I then ran postmap insiders.  Then did postfix reload.

Then, using mutt I sent an email to scottro@scottro.net.  Using Esc f I then edited the From line to read
scottro@fakedomain.net

However, it wasn't rejected. 

I'm looking for something that acts on the from line and only allows if the domain is listed in mydestinations.

Oh well, maybe I'm too tired tonight.

I'll come back to this in the morning, and Andre, thanks, as always, for your help.

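The two mechanisms discussed above, check_sender_access in smtpd_sender_restrictions (scottro's test) and the reject_*_sender_login_mismatch restrictions with smtpd_sender_login_maps (Andre's settings), can be modelled in a few lines to show why the mutt test behaves as it does. The following is an added example, not code from the thread and not Postfix's own code. It emulates the address lookup order documented in access(5) (user@domain, then the domain and each parent domain, then user@), which assumes the default parent_domain_matches_subdomains setting, and it assumes the message arrives over SMTP: mail handed to the local sendmail command, which is what mutt does by default, goes through pickup and never sees smtpd_*_restrictions at all, whatever the envelope sender says. INSIDERS_TEXT is a constructed copy of the thread's insiders table with one extra REJECT line, SENDER_LOGIN_TEXT is a constructed sender-login map, and all function names are this example's own. Only the OK, REJECT, numeric and DUNNO actions are modelled.

```python
"""Model of Postfix envelope-sender checks from this thread (added example).

Assumptions (not from the thread): default parent_domain_matches_subdomains,
mail arriving via smtpd (not via the local sendmail/pickup path), and only
the OK / REJECT / 4xx / 5xx / DUNNO table actions are modelled.
"""

# Constructed copy of the thread's insiders table plus one REJECT line to
# show an action followed by response text.
INSIDERS_TEXT = """\
# domain           action   optional text
scottro.net        OK
another.domain     OK
spammy.example     REJECT   Sender domain is not one of ours
"""

# Constructed smtpd_sender_login_maps: MAIL FROM address or domain -> SASL
# login names that are allowed to use it.
SENDER_LOGIN_TEXT = """\
scottro@scottro.net   scottro
another.domain        postmaster, helpdesk
"""


def parse_table(text):
    """Parse 'key value...' lines into {key: [value words]}.
    Like postmap, a line whose first non-blank character is '#' is a comment
    and keys are folded to lower case."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        table[parts[0].lower()] = parts[1].split() if len(parts) > 1 else []
    return table


def lookup_keys(address):
    """Keys Postfix tries, in order, for an e-mail address key:
    user@domain, the domain and each parent domain, then user@."""
    address = address.lower()
    user, at, domain = address.rpartition("@")
    if not at:
        user, domain = "", address
    if user:
        yield f"{user}@{domain}"
    labels = domain.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])
    if user:
        yield f"{user}@"


def table_lookup(table, address):
    """Return (matched_key, value_words) for the first key that hits."""
    for key in lookup_keys(address):
        if key in table:
            return key, table[key]
    return None, None


def check_sender_access(insiders, envelope_sender):
    """One 'check_sender_access' step: 'permit', 'reject' or 'dunno'
    (dunno means fall through to the next restriction in the list)."""
    _, words = table_lookup(insiders, envelope_sender)
    if not words:
        return "dunno"
    action = words[0].upper()
    if action == "OK":
        return "permit"
    if action == "REJECT" or action[:1] in ("4", "5"):
        return "reject"
    return "dunno"  # DUNNO; other actions are not modelled here


def sender_restrictions(insiders, envelope_sender):
    """The list from the thread: check_sender_access hash:insiders, reject.
    Anything the table does not explicitly permit hits the trailing reject."""
    result = check_sender_access(insiders, envelope_sender)
    return result if result != "dunno" else "reject"


def sender_login_mismatch(login_map, envelope_sender, sasl_username):
    """reject_authenticated_sender_login_mismatch together with
    reject_unauthenticated_sender_login_mismatch. sasl_username is None when
    the client did not authenticate. Owner names are compared case-insensitively
    here (an assumption of this model)."""
    _, words = table_lookup(login_map, envelope_sender)
    owners = {w.strip(",").lower() for w in (words or []) if w.strip(",")}
    if sasl_username is not None:
        if sasl_username.lower() not in owners:
            return "reject"  # logged in, but not as an owner of this sender
    elif owners:
        return "reject"      # sender has an owner, but client is not logged in
    return "dunno"


def submit(insiders, envelope_sender, header_from):
    """smtpd only ever sees the envelope MAIL FROM; the header From: that
    mutt's Esc-f edits is not consulted, so header_from cannot change the
    decision."""
    return {"envelope": envelope_sender, "header_from": header_from,
            "decision": sender_restrictions(insiders, envelope_sender)}


if __name__ == "__main__":
    insiders = parse_table(INSIDERS_TEXT)
    for env, hdr in [("scottro@scottro.net", "scottro@fakedomain.net"),
                     ("scottro@fakedomain.net", "scottro@fakedomain.net"),
                     ("anyone@mail.scottro.net", "anyone@mail.scottro.net")]:
        print(submit(insiders, env, hdr))
```

The first case in the usage block is the thread's mutt test: the header was changed to fakedomain.net but the envelope still says scottro.net, so the table permits it. Only when the envelope sender itself is outside the listed domains does the trailing reject fire, and that still presupposes the client is talking to smtpd rather than handing the message to the local sendmail command.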
Re: Postfix configuration problem

Hrm. I guess I was too tired, I didn't understand what you needed and also didn't understand what the docs were saying :s

Oh well... lemme go check them again

Re: Postfix configuration problem

Have you tried "reject_unauthenticated_sender_login_mismatch"? The description of how it works wasn't very clear to me but it could be what you want.

What is the MAIL FROM address the trojanned machines are using to send the emails?

Re: Postfix configuration problem

The trojanned machines were using legit addresses--that is, legit domains, verizon.com, etc. 

They weren't going through the mailserver, so this whole thing isn't a need, per se, as much as a wish.  I don't know what would have happened had they tried to go through the machine.  (I'm able to send a fake address while on the local machine, so this whole thing might be a waste of energy.  I haven't tried to send with a fake address from another machine through the local machine.)

Nor am I sure what would have happened had the trojanned boxen tried to send the stuff through the mail server.  (Or maybe they did, I've been too buried to check for logs of failed attempts, I just wanted to make sure that nothing was going out through the server.)

I'll play with the sender_login_mismatch too, but from what I could grab from the docs (like you, I read them when I was quite tired) it seemed to do with using smtp authentication. 

Again, I have to play with trying to send, while in mynetworks, with a faked domain name from another machine. 
I'm not going to have time for a few days though, as another crisis has arisen here, AND I have domestic chores this weekend.  :-(

Thank you as always for your help, reading up on the suggestions you're making is, at least, furthering my knowledge.

Re: Postfix configuration problem

scottro wrote:

The trojanned machines were using legit addresses--that is, legit domains, verizon.com, etc.

Also for the envelope MAIL FROM?  Like, are they using these domains in both the SMTP protocol MAIL FROM line and the From: header? If so, filtering on the envelope address seems to be easier than on the From header (at least there are many main.cf options for that).

I'll play with the sender_login_mismatch too, but from what I could grab from the docs (like you, I read them when I was quite tired) it seemed to do with using smtp authentication.

That's what the docs seem to say, but considering there's a "reject_unauthenticated_sender_login_mismatch" statement, maybe it also works if you're not using authentication (I never really tried that).

Edit: typos. It's weird when you wake up early in the morning and it feels like you're more tired than before going to sleep... tongue