Thread: Release 8.0.5.GA.5839.UBUNTU10.64 , FROM header rewrite HACK ?

  1. #1

    Good Evening everybody,

    For days I've been attacked by an unknown method of trivial rewrite. This is a sample of a few lines caught from /var/log/mail.log

    Code:
    Jul  7 15:08:14 mail postfix/dkimmilter/smtpd[14874]: 2BFA38218A3: client=localhost.localdomain[127.0.0.1]
    Jul  7 15:08:14 mail postfix/cleanup[15839]: 2BFA38218A3: message-id=<9C739283F4794AA888BDD7EBE91A78D5@sqni>
    Jul  7 15:08:14 mail postfix/qmgr[3900]: 2BFA38218A3: from=<fedexservice@secure.info>, size=101555, nrcpt=1 (queue active)
    Jul  7 15:08:14 mail postfix/smtp[15310]: E5228821844: to=<btyqdd@t-online.de>, relay=127.0.0.1[127.0.0.1]:10026, delay=2.4, delays=2.2/0/0/0.25, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 2BFA38218A3)
    Jul  7 15:08:14 mail postfix/smtp[15892]: 2BFA38218A3: to=<btyqdd@t-online.de>, relay=127.0.0.1[127.0.0.1]:10032, delay=0.23, delays=0.06/0/0/0.17, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 5B1F6821844)
    Jul  7 15:08:14 mail postfix/qmgr[3900]: 2BFA38218A3: removed
    As you can see, the FROM header has been rewritten to an unknown user and it is processed anyway by Postfix, and I don't know how to avoid this.

    Below is a cat of main.cf, so you can see what I've already limited in the smtpd daemon

    Code:
    zimbra@mail:~$ postconf -n|grep smtpd
    non_smtpd_milters =
    smtpd_banner = $myhostname ESMTP $mail_name
    smtpd_client_connection_count_limit = 50
    smtpd_client_connection_rate_limit = 50
    smtpd_client_message_rate_limit = 20
    smtpd_client_recipient_rate_limit = 20
    smtpd_client_restrictions = reject_unauth_pipelining
    smtpd_data_restrictions = reject_unauth_pipelining
    smtpd_discard_ehlo_keywords = silent-discard,dsn
    smtpd_end_of_data_restrictions =
    smtpd_error_sleep_time = 1s
    smtpd_etrn_restrictions = permit_mynetworks, permit_sasl_authenticated, reject
    smtpd_hard_error_limit = 20
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_pipelining,reject_non_fqdn_hostname,reject_invalid_helo_hostname,reject_invalid_hostname,permit
    smtpd_milters =
    smtpd_recipient_limit = 20
    smtpd_recipient_overshoot_limit = 20
    smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_invalid_hostname, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unauth_pipelining, check_recipient_access hash:/opt/zimbra/conf/spam_lovers, check_sender_access hash:/opt/zimbra/conf/sender_blacklist, check_sender_access hash:/opt/zimbra/conf/sender_blacklist_from_users, reject_unlisted_recipient, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client dyna.spamrats.com, reject_rbl_client noptr.spamrats.com, reject_rbl_client spam.spamrats.com, reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.sorbs.net, permit
    smtpd_reject_unlisted_recipient = no
    smtpd_reject_unlisted_sender = no
    smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = no
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
    smtpd_sender_login_maps = hash:/opt/zimbra/conf/exceptions-db ldap:/opt/zimbra/conf/ldap-restricrelay.cf
    smtpd_sender_restrictions = warn_if_reject, reject_sender_login_mismatch, warn_if_reject, reject_unauthenticated_sender_login_mismatch, warn_if_reject, reject_authenticated_sender_login_mismatch, reject_unknown_sender_domain, reject_non_fqdn_sender, check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_originating.re, permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, check_sender_access regexp:/opt/zimbra/postfix/conf/tag_as_foreign.re
    smtpd_soft_error_limit = 10
    smtpd_tls_auth_only = no
    smtpd_tls_cert_file = /opt/zimbra/conf/smtpd.crt
    smtpd_tls_key_file = /opt/zimbra/conf/smtpd.key
    smtpd_tls_loglevel = 1
    smtpd_tls_security_level = may

    Probably someone has noticed in sender_restrictions this syntax: warn_if_reject, reject_sender_login_mismatch, .... That is because I'm debugging this feature, but maybe it is too strong for my users. Some of them want to use different "personalities" to send email from, and if I use this parameter tons of them get rejected by the server.

    Have you any advice about this? Am I missing something useful?

    Thanks.
    Andrea

  2. #2

    You want to change smtpd_reject_unlisted_sender = no to yes I think.

    See Postfix Configuration Parameters

  3. #3

    Thanks for the reply n.sossonko,

    I've tried to enable both smtpd_reject_unlisted_sender and recipient and restarted the MTA, but something is still going strange.

    The example below reports some trace:

    true sender: my_real_email@test.com
    changed from into: foo@bar.com
    true recipient: my_real_recipient@gmail.com
    result: 250 OK (?)

    Code:
    Jul  7 18:15:43 mail postfix/smtpd[28835]: NOQUEUE: filter: RCPT from unknown[XXX.XXX.XXX.XXX]: <foo@bar.com>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<foo@bar.com> to=<my_real_recipient@gmail.com> proto=ESMTP helo=<[172.16.200.147]>
    Jul  7 18:15:43 mail postfix/smtpd[28835]: 2FB73820104: client=unknown[XXX.XXX.XXX.XXX], sasl_method=PLAIN, sasl_username=my_real_email@test.com
    Jul  7 18:15:43 mail postfix/cleanup[27642]: 2FB73820104: message-id=<53BAC7AF.9030407@bar.com>
    Jul  7 18:15:43 mail postfix/qmgr[26837]: 2FB73820104: from=<foo@bar.com>, size=47868, nrcpt=1 (queue active)
    Jul  7 18:15:43 mail postfix/smtpd[28835]: disconnect from unknown[XXX.XXX.XXX.XXX]
    Jul  7 18:15:43 mail postfix/dkimmilter/smtpd[27632]: connect from localhost.localdomain[127.0.0.1]
    Jul  7 18:15:43 mail postfix/dkimmilter/smtpd[27632]: 65349820FB2: client=localhost.localdomain[127.0.0.1]
    Jul  7 18:15:43 mail postfix/cleanup[27642]: 65349820FB2: message-id=<53BAC7AF.9030407@bar.com>
    Jul  7 18:15:43 mail postfix/qmgr[26837]: 65349820FB2: from=<foo@bar.com>, size=48463, nrcpt=1 (queue active)
    Jul  7 18:15:43 mail postfix/dkimmilter/smtpd[27632]: disconnect from localhost.localdomain[127.0.0.1]
    Jul  7 18:15:43 mail postfix/smtp[28782]: 2FB73820104: to=<my_real_recipient@gmail.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.3, delays=0.09/0/0/0.2, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 65349820FB2)
    Jul  7 18:15:43 mail postfix/qmgr[26837]: 2FB73820104: removed
    Jul  7 18:15:43 mail postfix/amavisd/smtpd[27534]: connect from localhost.localdomain[127.0.0.1]
    Jul  7 18:15:43 mail postfix/amavisd/smtpd[27534]: 8BCDC820104: client=localhost.localdomain[127.0.0.1]
    Jul  7 18:15:43 mail postfix/cleanup[27642]: 8BCDC820104: message-id=<53BAC7AF.9030407@bar.com>
    Jul  7 18:15:43 mail postfix/amavisd/smtpd[27534]: disconnect from localhost.localdomain[127.0.0.1]
    Jul  7 18:15:43 mail postfix/qmgr[26837]: 8BCDC820104: from=<foo@bar.com>, size=48840, nrcpt=1 (queue active)
    Jul  7 18:15:43 mail postfix/smtp[28790]: 65349820FB2: to=<my_real_recipient@gmail.com>, relay=127.0.0.1[127.0.0.1]:10032, delay=0.18, delays=0.06/0/0/0.12, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 8BCDC820104)
    Jul  7 18:15:43 mail postfix/qmgr[26837]: 65349820FB2: removed
    I suppose that everything goes through because I'm SASL authenticated, and I have permit_sasl_authenticated in smtpd_sender_restrictions, so even if I change my From header, I'm still able to deliver this email. Am I wrong?

    I'm testing login_mismatch too, and that works like a charm

    Code:
    Jul  7 18:15:43 mail postfix/smtpd[28835]: NOQUEUE: reject_warning: RCPT from unknown[XXX.XXX.XXX.XXX]: 553 5.7.1 <foo@bar.com>: Sender address rejected: not owned by user my_real_email@test.com; from=<foo@bar.com> to=<my_real_recipient@gmail.com> proto=ESMTP helo=<[XXX.XXX.XXX.XXX]>
    So I'm afraid there is no method to not allow local users to rewrite their own FROM field if they're authenticated. This is a little bit frustrating.
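Added example, not code from the thread, from Zimbra or from Postfix: a small Python script that does offline what the reject_warning line above shows Postfix doing at SMTP time. It correlates the front-end smtpd line (queue ID plus sasl_username) with the qmgr line (queue ID plus envelope from=<...>) for the log format shown in posts #1 and #3, and reports every authenticated submission whose MAIL FROM is not an address the login owns. That is exactly the condition reject_sender_login_mismatch tests; with warn_if_reject in front of it, as in the main.cf from post #1, Postfix only logs reject_warning and still accepts the message, so a report like this is what you would run over mail.log while the check is in warn-only mode. The sample log lines, the 192.0.2.10 client address and the allowed_senders mapping (which stands in for smtpd_sender_login_maps) are constructed for the example.

```python
"""Correlate Postfix smtpd/qmgr log lines and flag SASL logins whose envelope
sender is not one they own (the condition reject_sender_login_mismatch tests)."""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# The front-end smtpd logs the SASL login together with the queue ID once the
# message is accepted. Only "postfix/smtpd[" is matched: the re-injection
# instances log "postfix/dkimmilter/smtpd" or "postfix/amavisd/smtpd" and carry
# no sasl_username, so they are ignored on purpose.
SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-F]+): client=.*?sasl_username=([^,\s]+)")
# qmgr logs the envelope sender for the same queue ID.
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-F]+): from=<([^>]*)>")

# Constructed sample modelled on the thread's log format (TEST-NET client, not a real host).
SAMPLE_LOG = """\
Jul  7 18:15:43 mail postfix/smtpd[28835]: 2FB73820104: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=my_real_email@test.com
Jul  7 18:15:43 mail postfix/cleanup[27642]: 2FB73820104: message-id=<53BAC7AF.9030407@bar.com>
Jul  7 18:15:43 mail postfix/qmgr[26837]: 2FB73820104: from=<foo@bar.com>, size=47868, nrcpt=1 (queue active)
Jul  7 18:16:01 mail postfix/smtpd[28835]: 3A1B2820105: client=unknown[192.0.2.10], sasl_method=PLAIN, sasl_username=My_Real_Email@test.com
Jul  7 18:16:01 mail postfix/qmgr[26837]: 3A1B2820105: from=<my_real_email@test.com>, size=1024, nrcpt=1 (queue active)
Jul  7 18:16:30 mail postfix/dkimmilter/smtpd[27632]: 65349820FB2: client=localhost.localdomain[127.0.0.1]
Jul  7 18:16:30 mail postfix/qmgr[26837]: 65349820FB2: from=<foo@bar.com>, size=48463, nrcpt=1 (queue active)
"""

Mismatch = Tuple[str, str, str]  # (queue id, sasl login, envelope sender)


def find_sender_login_mismatches(lines: Iterable[str],
                                 allowed_senders: Optional[Dict[str, Iterable[str]]] = None) -> List[Mismatch]:
    """Return (queue id, login, sender) for every authenticated submission whose
    MAIL FROM is neither the login itself nor one of its allowed extra senders.

    allowed_senders plays the role of smtpd_sender_login_maps: a login -> extra
    addresses mapping. It is hypothetical data here; a real deployment would
    take it from the hash/ldap maps named in main.cf."""
    allowed_senders = allowed_senders or {}
    login_by_qid: Dict[str, str] = {}
    sender_by_qid: Dict[str, str] = {}
    for line in lines:
        m = SMTPD_RE.search(line)
        if m:
            login_by_qid[m.group(1)] = m.group(2).lower()
            continue
        m = QMGR_RE.search(line)
        if m:
            sender_by_qid[m.group(1)] = m.group(2).lower()

    mismatches: List[Mismatch] = []
    for qid, login in login_by_qid.items():
        sender = sender_by_qid.get(qid)
        if not sender:  # no qmgr line seen, or the null sender of a bounce: nothing to compare
            continue
        owned = {login} | {a.lower() for a in allowed_senders.get(login, ())}
        if sender not in owned:
            mismatches.append((qid, login, sender))
    return mismatches


if __name__ == "__main__":
    # Run against the constructed sample; pipe a real mail.log through sys.stdin instead if desired.
    for qid, login, sender in find_sender_login_mismatches(SAMPLE_LOG.splitlines()):
        print(f"{qid}: login {login} sent as {sender}")
```

On the sample, only queue 2FB73820104 is reported (login my_real_email@test.com, envelope sender foo@bar.com); 3A1B2820105 matches its login apart from case, and 65349820FB2 is a re-injected copy with no SASL login, so there is nothing to compare. Passing allowed_senders={"my_real_email@test.com": ["foo@bar.com"]} models the "personality" case from post #1, where the extra address is listed for the login in the sender login map, and the report becomes empty.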

  4. #4

    You can try RestrictPostfixSenders - Zimbra :: Wiki for the local/auth user scenario. There should be sendAs restrictions, although I think that might be enforced on the client-side, not the server-side (if you try to create a persona for additional FROM addresses, it restricts only to those accounts that you have permissions to sendAs on). Where are you sending these emails from (with the FROM changed)?
