
Thread: Prohibit non-local senders

  1. #1 (Join Date: Apr 2014; Location: Fairbanks, AK, USA)

    Prohibit non-local senders

    Like any decent-sized mail operator, we've had problems with users' accounts getting phished and spammers using them to send spam. From that we've developed monitors that watch for and then automatically lock out such accounts, and that's worked well for us until yesterday.

    We identified our server sending out spam, but our systems couldn't lock out the compromised account because they couldn't identify it -- the from address wasn't one of ours. Here's zimbra.log for (one of) the first such e-mails (anonymized, and I pruned out the interleaved messages about unrelated e-mails and processes):
    Code:
    Apr 10 14:44:59 zmail postfix/smtpd[8265]: BE9F479C010: client=x-x-x-x.sbcglobal.net[x.x.x.x], sasl_method=LOGIN, sasl_username=hacked.user
    Apr 10 14:45:01 zmail postfix/qmgr[7463]: BE9F479C010: from=<bu@example.com>, size=562, nrcpt=5 (queue active)
    Apr 10 14:45:02 zmail amavis[9067]: (09067-12) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20140410T144010-09067: <bu@example.com> -> <victim1@contoso.com>,<victim2@contoso.com>,<victim3@contoso.com>,<victim4@contoso.com>,<victim5@contoso.com> SIZE=562 Received: from zmail.example.com ([127.0.0.1]) by localhost (zmail.example.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP; Thu, 10 Apr 2014 14:45:02 -0800 (AKDT)
    Apr 10 14:45:02 zmail amavis[9067]: (09067-12) Checking: GmWxq6ujewOu [x.x.x.x] <bu@example.com> -> <victim1@contoso.com>,<victim2@contoso.com>,<victim3@contoso.com>,<victim4@contoso.com>,<victim5@contoso.com>
    Apr 10 14:45:02 zmail amavis[9067]: (09067-12) Open relay? Nonlocal recips but not originating: victim1@contoso.com, victim2@contoso.com, victim3@contoso.com, victim4@contoso.com, victim5@contoso.com
    Apr 10 14:45:02 zmail amavis[9067]: (09067-12) FWD via SMTP: <bu@example.com> -> <victim1@contoso.com>,<victim2@contoso.com>,<victim3@contoso.com>,<victim4@contoso.com>,<victim5@contoso.com>,BODY=7BIT 250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 1144E79C011
    Apr 10 14:45:02 zmail amavis[9067]: (09067-12) Passed CLEAN, [x.x.x.x] [x.x.x.x] <bu@example.com> -> <victim1@contoso.com>,<victim2@contoso.com>,<victim3@contoso.com>,<victim4@contoso.com>,<victim5@contoso.com>, Message-ID: <20140410224459.BE9F479C010@zmail.example.com>, mail_id: GmWxq6ujewOu, Hits: -, size: 528, queued_as: 1144E79C011, 93 ms
    Apr 10 14:45:02 zmail postfix/smtp[24659]: BE9F479C010: to=<victim1@contoso.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.6, delays=2.5/0/0/0.09, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 1144E79C011)
    Apr 10 14:45:02 zmail postfix/smtp[24659]: BE9F479C010: to=<victim2@contoso.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.6, delays=2.5/0/0/0.09, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 1144E79C011)
    Apr 10 14:45:02 zmail postfix/smtp[24659]: BE9F479C010: to=<victim3@contoso.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.6, delays=2.5/0/0/0.09, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 1144E79C011)
    Apr 10 14:45:02 zmail postfix/smtp[24659]: BE9F479C010: to=<victim4@contoso.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.6, delays=2.5/0/0/0.09, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 1144E79C011)
    Apr 10 14:45:02 zmail postfix/smtp[24659]: BE9F479C010: to=<victim5@contoso.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.6, delays=2.5/0/0/0.09, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 1144E79C011)
    Apr 10 14:45:02 zmail postfix/qmgr[7463]: BE9F479C010: removed
    Apr 10 14:45:02 zmail postfix/smtp[6520]: 1144E79C011: to=<victim1@contoso.com>, relay=x.x.x.166[x.x.x.166]:26, delay=0.04, delays=0.02/0.01/0/0, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 14BC12203D55)
    Apr 10 14:45:02 zmail postfix/smtp[6520]: 1144E79C011: to=<victim2@contoso.com>, relay=x.x.x.166[x.x.x.166]:26, delay=0.04, delays=0.02/0.01/0/0, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 14BC12203D55)
    Apr 10 14:45:02 zmail postfix/smtp[6520]: 1144E79C011: to=<victim3@contoso.com>, relay=x.x.x.166[x.x.x.166]:26, delay=0.04, delays=0.02/0.01/0/0, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 14BC12203D55)
    Apr 10 14:45:02 zmail postfix/smtp[6520]: 1144E79C011: to=<victim4@contoso.com>, relay=x.x.x.166[x.x.x.166]:26, delay=0.04, delays=0.02/0.01/0/0, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 14BC12203D55)
    Apr 10 14:45:02 zmail postfix/smtp[6520]: 1144E79C011: to=<victim5@contoso.com>, relay=x.x.x.166[x.x.x.166]:26, delay=0.04, delays=0.02/0.01/0/0, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 14BC12203D55)
    Apr 10 14:45:02 zmail postfix/qmgr[7463]: 1144E79C011: removed
    ("example.com" is standing in for our domain, while "contoso.com" is standing in for the 4 domains this particular message went out to.)

    The most important/relevant lines (I believe) are:
    Code:
    Apr 10 14:44:59 zmail postfix/smtpd[8265]: BE9F479C010: client=badguy.net[x.x.x.x], sasl_method=LOGIN, sasl_username=hacked.user
    Apr 10 14:45:01 zmail postfix/qmgr[7463]: BE9F479C010: from=<bu@example.com>, size=562, nrcpt=5 (queue active)
    ...
    Apr 10 14:45:02 zmail amavis[9067]: (09067-12) Open relay? Nonlocal recips but not originating: victim1@contoso.com, victim2@contoso.com, victim3@contoso.com, victim4@contoso.com, victim5@contoso.com
    The compromised account, hacked.user, sent this message as "bu@example.com", which is not a valid address on our system. (The From address is different for each such e-mail, although the account is the same.) amavis seemed to recognize that and raised a yellow flag, but allowed it to go through anyway. "x.x.x.166" is our mail relay/smart host (using Proxmox) for outgoing and incoming mail, and does do spam filtering; however, it's also set to trust our Zimbra server, so it let these go through without a second thought. The user logged in from a remote system (seemingly one located in California; we're thousands of miles away, in Alaska).

    Our system is not configured as an open relay. (Not that that's relevant, as this log clearly shows a valid user login for each and every such e-mail being sent.) COS settings do not allow "sending from any address", and this setting has been confirmed for this specific account as well.

    So this leaves us with a few questions:
    1. How can a user log in and send mail from an address other than their own when Zimbra's configuration does not permit that?
    2. How can we configure Zimbra, postfix, amavis, or whatever to prohibit any user sending from an invalid address like this?
    3. Why don't Zimbra's default settings prohibit obviously malicious use like this (without being configured explicitly to permit it in those cases where it might actually be valid)?


    I've seen a few other posts about this type of issue here on the forums, but they were all either ignored completely, or else the "solutions" at best locked down to sending from a domain -- where we (and many other posters) want to lock it down further and allow sending only from valid addresses.

  2. #2 (Join Date: Apr 2014; Location: Fairbanks, AK, USA)

    Is there really no solution to this? It's very worrying to me from a security perspective that any user can apparently send from any address, and that Zimbra would be configured by default to allow this; it's even more worrying that there doesn't seem to be a way to prohibit this behavior. Most damning, I think, is that there isn't even a way to quickly identify when this is happening -- it required third-party monitoring systems to detect that we were sending the spam in the first place, and the relevant log lines that identify the true source are such that it would be infeasible to ever be able to automatically detect this type of behavior, let alone react to it.

  3. #3 (Join Date: Oct 2012)

    There is a solution which works with me that involves using smtpd_sender_login_maps; try following this document:
    RestrictPostfixSenders - Zimbra :: Wiki
    (do try it on a test server first, and back up the configuration before messing with it)

    This way, unless the IP is within postfix's "mynetworks", the "MAIL FROM" address has to match what the user owns. The "From:" header in the body (which can be different from the envelope "MAIL FROM") of course can still be changed (as it can for most mail servers); but this should be enough to prevent your particular problem from happening.

  4. #4 (Join Date: Apr 2014; Location: Fairbanks, AK, USA)

    I've seen that document, but right at the top of that page:

    This setup procedure will set up your server to allow outgoing mails from only the domains configured on the server itself.
    But that's not the issue. We're running a mail server for example.com, and this spammer was authenticating as a valid user and sending mail from example.com, i.e. these mails were going from the domain configured on the server itself.

    The issue is that an authenticated user was allowed to send mail from an address she didn't "own", and we don't want to allow that.

  5. #5 (Join Date: Oct 2012)

    Ignore that bit, I think the document is evolving and they haven't bothered to change the introduction. It does what you want it to do; here's an example from my test machine before doing the change:

    $ telnet zimbra72oss 25
    Escape character is '^]'.
    220 zimbra72oss.xrx.local ESMTP Postfix
    EHLO test.com
    250-zimbra72oss.xrx.local
    250-PIPELINING
    250-SIZE 10240000
    ...
    AUTH LOGIN
    334 VXNlcm5hbWU6

    Logging in as testuser@xrx.local: perl -MMIME::Base64 -e 'print encode_base64("testuser\@xrx.local");'
    334 UGFzc3dvcmQ6
    <testuser@xrx.local's base64 password>
    235 2.7.0 Authentication successful
    MAIL FROM: testadmin@xrx.local
    250 2.1.0 Ok
    RCPT TO: employee@xrx.local
    250 2.1.5 Ok
    DATA

    ...

    And this is the same chat after the change:
    $ telnet zimbra72oss 25
    Escape character is '^]'.
    220 zimbra72oss.xrx.local ESMTP Postfix
    EHLO test.com
    250-zimbra72oss.xrx.local
    250-PIPELINING
    250-SIZE 10240000
    ...
    AUTH LOGIN
    334 VXNlcm5hbWU6

    Logging in as testuser@xrx.local: perl -MMIME::Base64 -e 'print encode_base64("testuser\@xrx.local");'
    334 UGFzc3dvcmQ6
    <testuser@xrx.local's base64 password>
    235 2.7.0 Authentication successful
    MAIL FROM: testadmin@xrx.local
    250 2.1.0 Ok
    RCPT TO: employee@xrx.local
    553 5.7.1 <testadmin@xrx.local>: Sender address rejected: not owned by user testuser@xrx.local

    ...

    Of course spammers can still spoof your domain if they don't authenticate; but that's a completely different story.
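The two things this thread turns on, correlating the postfix/smtpd "sasl_username" line with the postfix/qmgr "from=" line by queue id (post #1 and post #2) and the "sender must be owned by the login" rule that smtpd_sender_login_maps enforces (posts #3 and #5), can be worked through offline. This is an added example, not code from the thread, from Zimbra, or from the wiki page; the sample log lines, the OWNERS map and the regexes are constructed assumptions.

```python
import re

# Constructed sample lines modelled on the thread's zimbra.log excerpt
# (hostnames and addresses are placeholders, not real data).
SAMPLE_LOG = """\
Apr 10 14:44:59 zmail postfix/smtpd[8265]: BE9F479C010: client=host.example.net[192.0.2.10], sasl_method=LOGIN, sasl_username=hacked.user
Apr 10 14:45:01 zmail postfix/qmgr[7463]: BE9F479C010: from=<bu@example.com>, size=562, nrcpt=5 (queue active)
Apr 10 14:50:00 zmail postfix/smtpd[8266]: 0A1B2C3D4E5: client=host2.example.net[192.0.2.11], sasl_method=LOGIN, sasl_username=alice
Apr 10 14:50:01 zmail postfix/qmgr[7463]: 0A1B2C3D4E5: from=<alice@example.com>, size=700, nrcpt=1 (queue active)
"""

# Assumed owner map, playing the role of a Postfix smtpd_sender_login_maps table:
# envelope sender -> set of SASL logins allowed to use it.
OWNERS = {"alice@example.com": {"alice"}, "hacked.user@example.com": {"hacked.user"}}

# smtpd line: who authenticated, and from where, for a given queue id.
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<client>\S+), "
    r"sasl_method=\w+, sasl_username=(?P<user>\S+)")
# qmgr line: the envelope sender (MAIL FROM) for the same queue id.
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")

def correlate(log_text):
    """Join authenticated smtpd lines with qmgr lines by queue id.
    Returns {queue_id: (sasl_user, client, envelope_sender)}; submissions
    without a sasl_username never appear, so unauthenticated mail is skipped."""
    auth, senders = {}, {}
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            auth[m["qid"]] = (m["user"], m["client"])
            continue
        m = QMGR_RE.search(line)
        if m and m["qid"] in auth:
            senders[m["qid"]] = m["sender"]
    return {qid: auth[qid] + (sender,) for qid, sender in senders.items()}

def find_mismatches(log_text, owners):
    """Return (queue_id, sasl_user, client, sender) for every authenticated
    submission whose envelope sender is not owned by the login: the condition
    Postfix's reject_sender_login_mismatch refuses at SMTP time."""
    hits = []
    for qid, (user, client, sender) in correlate(log_text).items():
        # Logins may be logged bare ("hacked.user") or as user@domain; compare the bare part.
        login = user.split("@", 1)[0].lower()
        allowed = {u.split("@", 1)[0].lower() for u in owners.get(sender.lower(), set())}
        if login not in allowed:
            hits.append((qid, user, client, sender))
    return hits
```

Running this over a real zimbra.log gives the account to lock and the client that used it, which is what the monitoring in post #1 could not extract from the From address alone.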

  6. #6 (Join Date: Oct 2012)

    Dunno why my reply (posted 2 days ago) hasn't come up yet, but what I showed there via a telnet example was that you can ignore that bit which says it's only about the domains; it does what you want. Authenticated users will only be able to send email ("MAIL FROM") from email addresses owned by them.
