
List:       postfix-users
Subject:    Re: Preventing domain impersonation
From:       "Bill Cole" <postfixlists-070913 () billmail ! scconsult ! com>
Date:       2020-08-28 3:18:59
Message-ID: 339BB318-DA89-4DCE-ABC1-186FF9CF6561 () billmail ! scconsult ! com

On 27 Aug 2020, at 8:30, Marek Kozlowski wrote:

> :-)
>
> Let's assume my hostname is 'sth.mydomain.tld'
> The following configuration:
>
> #-------------------------------------------------
> smtpd_recipient_restrictions =
>         permit_mynetworks,
>         permit_sasl_authenticated,
>         reject_unauth_destination,
>         check_sender_access hash:/etc/postfix/sender_checks_my,
>         ...
>
> # cat /etc/postfix/sender_checks_my
> sth.mydomain.tld	554 Please enable SMTP AUTH
> #-------------------------------------------------
>
> accepts mail from '...@sth.mydomain.tld' only from authenticated users 
> or the hosts specified by the 'mynetworks' list.

Why offer AUTH on port 25 at all? Enable initial mail submission (port 
465 with SSL 'wrappermode' and/or port 587 with STARTTLS) with AUTH and 
disable AUTH for port 25. Removing support for initial mail submission 
from port 25 SMTP allows for a more tightly defined configuration and 
depending on what your specific needs are, you may be able to eliminate 
IP-based authentication altogether.

> I'm wondering if there is a simple way of extending the list of hosts 
> that may send me e-mails with '...@sth.mydomain.tld' as the sender 
> address to my whole network (let's say '1.2.3.4/24') but without 
> modifying the 'mynetworks' (which AFAIK grant much more privileges) 
> list.

Viktor wrote up the standard approach to do what you asked in his reply, 
using a restriction class.

A simpler solution may be to limit the privilege given to $mynetworks by 
adding an explicit definition for smtpd_relay_restrictions:

   smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination

With that set, the permit_mynetworks directive in 
smtpd_recipient_restrictions only applies to inbound mail, not relayed 
mail, so you may feel more comfortable adding more addresses to 
$mynetworks.


-- 
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
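An added illustration of the point made in this thread, not part of Bill's message and not Postfix code: a small Python model of how Postfix combines its smtpd_*_restrictions lists, run against Marek's posted configuration with and without Bill's explicit smtpd_relay_restrictions. The site parameters ($mydestination, $mynetworks as 1.2.3.0/24, the 554 entry in sender_checks_my) and the client sessions are constructed from the thread's example; the "original" configuration assumes the Postfix 2.10+ default for smtpd_relay_restrictions, since the post does not set it. The model keeps only the documented rules that matter here: within one list the first PERMIT/REJECT/DEFER wins and reaching the end permits, and a RCPT TO is accepted only if every list permits.

```python
"""Toy model of Postfix smtpd_*_restrictions evaluation (added example, not Postfix code)."""
import ipaddress
from dataclasses import dataclass

PERMIT, REJECT, DEFER, DUNNO = "PERMIT", "REJECT", "DEFER", "DUNNO"

# Constructed site parameters, following the example in the thread (hypothetical values).
MYDESTINATION = {"sth.mydomain.tld", "mydomain.tld"}   # domains this host accepts mail for
MYNETWORKS = ["127.0.0.0/8", "1.2.3.0/24"]              # $mynetworks
SENDER_ACCESS = {"sth.mydomain.tld": "554 Please enable SMTP AUTH"}  # hash:/etc/postfix/sender_checks_my


@dataclass(frozen=True)
class Session:
    client_ip: str
    sasl_authenticated: bool
    sender: str      # MAIL FROM address
    recipient: str   # RCPT TO address


def in_mynetworks(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in MYNETWORKS)


def sender_access_lookup(sender: str):
    """access(5) lookup order for an address: full address, its domain, parent
    domains (default parent_domain_matches_subdomains behaviour), then localpart@."""
    local, _, domain = sender.rpartition("@")
    labels = domain.split(".")
    parents = [".".join(labels[i:]) for i in range(1, len(labels))]
    for key in [sender, domain, *parents, local + "@"]:
        if key in SENDER_ACCESS:
            return SENDER_ACCESS[key]
    return None


# Each restriction returns (result, reason); DUNNO means "no opinion, try the next one".
def permit_mynetworks(s):
    return (PERMIT, "client in $mynetworks") if in_mynetworks(s.client_ip) else (DUNNO, "")

def permit_sasl_authenticated(s):
    return (PERMIT, "SASL authenticated") if s.sasl_authenticated else (DUNNO, "")

def reject_unauth_destination(s):
    local_rcpt = s.recipient.rpartition("@")[2] in MYDESTINATION
    return (DUNNO, "") if local_rcpt else (REJECT, "554 Relay access denied")

def defer_unauth_destination(s):
    local_rcpt = s.recipient.rpartition("@")[2] in MYDESTINATION
    return (DUNNO, "") if local_rcpt else (DEFER, "454 Relay access denied")

def check_sender_access(s):
    action = sender_access_lookup(s.sender)
    if action is None:
        return (DUNNO, "")
    return (REJECT, action) if action.startswith(("4", "5", "REJECT")) else (PERMIT, action)


def evaluate_list(restrictions, s):
    """One list: first PERMIT/REJECT/DEFER wins, DUNNO falls through, end of list permits."""
    for restriction in restrictions:
        result, why = restriction(s)
        if result != DUNNO:
            return result, f"{restriction.__name__}: {why}".rstrip(": ")
    return PERMIT, "end of list"


# Postfix applies the relay list before the recipient list; any REJECT/DEFER ends the RCPT.
LIST_ORDER = ("smtpd_sender_restrictions", "smtpd_relay_restrictions", "smtpd_recipient_restrictions")

def rcpt_decision(config, s):
    for name in LIST_ORDER:
        result, why = evaluate_list(config.get(name, []), s)
        if result in (REJECT, DEFER):
            return result, f"{name} -> {why}"
    return "ACCEPT", "every list permitted"


# Marek's posted lists; smtpd_relay_restrictions assumed at the Postfix 2.10+ default.
ORIGINAL = {
    "smtpd_relay_restrictions": [permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination],
    "smtpd_recipient_restrictions": [permit_mynetworks, permit_sasl_authenticated,
                                     reject_unauth_destination, check_sender_access],
}
# Bill's suggestion: relaying needs SASL, so $mynetworks only matters for inbound mail.
TIGHTENED = dict(ORIGINAL, smtpd_relay_restrictions=[permit_sasl_authenticated, reject_unauth_destination])

# Constructed sessions (documentation/example addresses only).
OUTSIDER_SPOOFED = Session("203.0.113.9", False, "ceo@sth.mydomain.tld", "staff@mydomain.tld")
LAN_INBOUND = Session("1.2.3.50", False, "printer@sth.mydomain.tld", "staff@mydomain.tld")
LAN_RELAY = Session("1.2.3.50", False, "printer@sth.mydomain.tld", "someone@example.com")
ROAMING_AUTH = Session("198.51.100.7", True, "me@sth.mydomain.tld", "someone@example.com")
SESSIONS = {"outsider, spoofed sender": OUTSIDER_SPOOFED, "LAN host, inbound": LAN_INBOUND,
            "LAN host, relaying out": LAN_RELAY, "roaming user, SASL": ROAMING_AUTH}

if __name__ == "__main__":
    for label, config in (("original", ORIGINAL), ("tightened", TIGHTENED)):
        print(f"== {label} ==")
        for name, session in SESSIONS.items():
            print(f"  {name:26} {rcpt_decision(config, session)}")
```

Running it shows the trade-off in the reply: both configurations reject the outside client using an @sth.mydomain.tld sender (the 554 from the access table), and both accept inbound mail from a $mynetworks host with that sender, but only the tightened one refuses to relay for an unauthenticated $mynetworks host, which is what makes it safer to widen $mynetworks.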