List: postfix-users
Subject: Re: Preventing domain impersonation
From: "Bill Cole" <postfixlists-070913@billmail.scconsult.com>
Date: 2020-08-28 3:18:59
Message-ID: 339BB318-DA89-4DCE-ABC1-186FF9CF6561@billmail.scconsult.com
On 27 Aug 2020, at 8:30, Marek Kozlowski wrote:
> :-)
>
> Let's assume my hostname is 'sth.mydomain.tld'
> The following configuration:
>
> #-------------------------------------------------
> smtpd_recipient_restrictions =
> permit_mynetworks,
> permit_sasl_authenticated,
> reject_unauth_destination,
> check_sender_access hash:/etc/postfix/sender_checks_my,
> ...
>
> # cat /etc/postfix/sender_checks_my
> sth.mydomain.tld 554 Please enable SMTP AUTH
> #-------------------------------------------------
>
> accepts mail from '...@sth.mydomain.tld' only from authenticated users
> or the hosts specified by the 'mynetworks' list.
Why offer AUTH on port 25 at all? Enable initial mail submission (port
465 with SSL 'wrappermode' and/or port 587 with STARTTLS) with AUTH and
disable AUTH for port 25. Removing support for initial mail submission
from port 25 SMTP allows for a more tightly defined configuration and,
depending on what your specific needs are, you may be able to eliminate
IP-based authentication altogether.
> I'm wondering if there is a simple way of extending the list of hosts
> that may send me e-mails with '...@sth.mydomain.tld' as the sender
> address to my whole network (let's say '1.2.3.4/24') but without
> modifying the 'mynetworks' (which AFAIK grant much more privileges)
> list.
Viktor wrote up the standard approach to do what you asked in his reply,
using a restriction class.
A simpler solution may be to limit the privilege given to $mynetworks by
adding an explicit definition for smtpd_relay_restrictions:
smtpd_relay_restrictions = permit_sasl_authenticated,
reject_unauth_destination
With that set, the permit_mynetworks directive in
smtpd_recipient_restrictions only applies to inbound mail, not relayed
mail, so you may feel more comfortable adding more addresses to
$mynetworks.
--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
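Putting Bill's two suggestions (AUTH only on the submission ports, an explicit smtpd_relay_restrictions) together with Marek's sender check, as an added example that is not part of the thread. The hostname, the example network and the access-table path come from the thread; the master.cf service options are assumptions about a typical submission setup.

```conf
# Added example, not from the thread. Hostname, network and table path are
# the thread's; the master.cf service options below are assumed.

# ---- /etc/postfix/main.cf ----
myhostname = sth.mydomain.tld
mynetworks = 127.0.0.0/8, 1.2.3.0/24

# No AUTH on port 25; it is switched on per service in master.cf below.
smtpd_sasl_auth_enable = no

# Relaying only for authenticated clients. Without this explicit setting the
# default would also contain permit_mynetworks, i.e. $mynetworks could relay.
smtpd_relay_restrictions =
    permit_sasl_authenticated,
    reject_unauth_destination

# Inbound policy: $mynetworks and authenticated users may use the local
# domain as sender; any other client claiming it gets the 554 below.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/sender_checks_my

# ---- /etc/postfix/sender_checks_my (rebuild with: postmap hash:/etc/postfix/sender_checks_my) ----
sth.mydomain.tld    554 Please enable SMTP AUTH

# ---- /etc/postfix/master.cf ----
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps      inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

With this split, a host in 1.2.3.0/24 can still deliver inbound mail with an @sth.mydomain.tld sender on port 25, but can no longer relay to outside domains unless it authenticates on 465 or 587.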