Discussion:
sender is my domain, but coming from outside -- postfix/amavisd combo did NOT tag SPF violation!
(too old to reply)
Shawn Heisey
2016-07-19 20:46:28 UTC
Permalink
I'm reasonably certain that this is my own mistake, but I need help
tracking down what I've done wrong.

I have postfix/amavisd (and other software components) in a mail relay
role, sitting between an Exchange server and the Internet. All email
coming in from the Internet and all email heading out towards the
Internet passes through this installation. We have SPF information on
in our DNS.

I *thought* I had everything set up so it would check SPF records on any
message coming in from the Internet, but one of our executives received
a spam email that had another of our executives as the "From" address.

At the very least, I would hope that this would result in some kind of
info (spamassassin score increase, an added header, subject
modification, etc) to indicate that SPF was violated, but there was
nothing. Looking at the headers, it definitely came from the Internet.

The postfix version is 2.11.0-1ubuntu1, amavisd is version
1:2.7.1-2ubuntu3. All the software is installed using distro packages
in Ubuntu 14.

Can I get help with this problem here? If so, what information do I
need to include?

Thanks,
Shawn
Benny Pedersen
2016-07-19 20:53:59 UTC
Permalink
Post by Shawn Heisey
Can I get help with this problem here? If so, what information do I
need to include?
sure, where is postconf -n ? :=)

its simple with postfix to reject own domains in postfix port 25, and
reqire sasl auth on port 587 and port 465

it does not really need spf
Noel Jones
2016-07-19 22:07:08 UTC
Permalink
Post by Shawn Heisey
I *thought* I had everything set up so it would check SPF records on any
message coming in from the Internet, but one of our executives received
a spam email that had another of our executives as the "From" address.
Are you talking about the From: header? That header is not
protected by SPF; you'll need to find another way to detect spam
with forged From: headers.

Forged From: headers are a difficult problem to solve. For example,
this message claims to be From me, but the actual sender is the
postfix-users list.


-- Noel Jones
Shawn Heisey
2016-07-22 17:53:11 UTC
Permalink
Post by Benny Pedersen
sure, where is postconf -n ? :=)
its simple with postfix to reject own domains in postfix port 25, and
reqire sasl auth on port 587 and port 465
it does not really need spf
The server is *just* a spam-filtering relay. It does no authentication.
Authenticated sending is done via the Exchange server ... which then
relays through this pair of mail servers. Port 25 is all there is. Any
email generated by local servers uses this pair of servers to send.

I do have a complete list of all valid local relay destination
addresses, which gets autogenerated every 15 minutes. I do have logic
in the autogeneration to limit the number of lines that can be deleted
automatically, to prevent accidental errors. This list is used by
relay_recipient_maps.

Yes, I know all about the evils of Exchange, but I don't get a choice in
that department. That's what the company uses for corporate email
accounts, and it's not going to change. I'm using postfix so that SMTP
on Exchange is not exposed directly to the Internet.

Here's a slightly redacted postconf -n. I replaced our domain name with
REDACTED and some public IP addresses with OBFUSCATED:

========================
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
body_checks = pcre:/etc/postfix/body_checks
bounce_queue_lifetime = 1d
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
disable_vrfy_command = yes
enable_long_queue_ids = yes
header_checks = pcre:/etc/postfix/header_checks
inet_interfaces = all
mailbox_size_limit = 524288000
maximal_queue_lifetime = 2d
message_size_limit = 52428800
mydestination = nexus1.REDACTED.com, localhost.REDACTED.com,
localhost.localdomain, localhost
myhostname = nexus1.REDACTED.com
mynetworks = 10.2.1.39 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12
192.168.0.0/16 OBFUSCATED/24 OBFUSCATED/24 OBFUSCATED/28 OBFUSCATED
OBFUSCATED/23 OBFUSCATED OBFUSCATED OBFUSCATED OBFUSCATED
myorigin = /etc/mailname
postscreen_access_list = permit_mynetworks,
cidr:/etc/postfix/client_access, cidr:/etc/postfix/postcreen_access,
postscreen_bare_newline_enable = no
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map =
pcre:/etc/postfix/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2
bl.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net
psbl.surriel.com bl.mailspike.net swl.spamhaus.org*-4
list.dnswl.org=127.[0..255].[0..255].0*-2
list.dnswl.org=127.[0..255].[0..255].1*-3
list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_ttl = 4h
postscreen_dnsbl_whitelist_threshold = -2
postscreen_greet_action = enforce
postscreen_non_smtp_command_enable = no
postscreen_pipelining_enable = no
readme_directory = no
recipient_delimiter = +
relay_domains = $mydestination, hash:/etc/postfix/local_domains
relay_recipient_maps = hash:/etc/postfix/relay_recipients
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_connection_count_limit = 8
smtpd_client_connection_rate_limit = 12
smtpd_client_restrictions = permit_mynetworks, check_recipient_access
hash:/etc/postfix/spam_lovers, check_client_access
regexp:/etc/postfix/client_regexp, check_client_access
cidr:/etc/postfix/client_access, reject_unknown_reverse_client_hostname
reject_unknown_client_hostname
smtpd_data_restrictions = check_client_access
cidr:/etc/postfix/rule_breakers, reject_unauth_pipelining,
permit_mynetworks, reject_multi_recipient_bounce
smtpd_delay_reject = yes
smtpd_error_sleep_time = 15
smtpd_hard_error_limit = 5
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,
reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname
smtpd_recipient_restrictions = permit_mynetworks, sleep 2,
check_recipient_access hash:/etc/postfix/spam_lovers,
check_recipient_access hash:/etc/postfix/recipient_access,
reject_non_fqdn_recipient, reject_unauth_destination,
reject_unknown_recipient_domain, reject_unlisted_recipient,
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
defer_unauth_destination
smtpd_sender_restrictions = permit_mynetworks, check_recipient_access
hash:/etc/postfix/spam_lovers, check_sender_access
hash:/etc/postfix/sender_access, reject_non_fqdn_sender,
reject_unknown_sender_domain
smtpd_soft_error_limit = 2
smtpd_tls_cert_file = /etc/ssl/certs/local/wildcard.combined.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = hash:/etc/postfix/virtual
========================

Basically, if something doesn't pass permit_mynetworks, and the envelope
sender (not the From: header) is an address with a domain name that's
mentioned in hash:/etc/postfix/local_domains, I want to reject the
message. Is that possible? If necessary, I could create a second copy
of local_domains that has "reject" instead of "ok" on all lines.

Thanks,
Shawn
Benny Pedersen
2016-07-22 20:10:18 UTC
Permalink
Post by Shawn Heisey
relay_domains = $mydestination, hash:/etc/postfix/local_domains
if local_domains contains domains local, you can reject senders that
forge sender AFTER permit_sasl_auth...

postfix is always first match wins

google check_sender_access

http://www.postfix.org/SASL_README.html

so its just in what order with hash file wins first to make it work

if mynetworks contains too many ips its openrelay for them in that case
remove permit_mynetworks or place it AFTER sender accesss, remember
permit_mynetworks must accept email without @
Shawn Heisey
2016-07-29 14:16:46 UTC
Permalink
Post by Benny Pedersen
Post by Shawn Heisey
relay_domains = $mydestination, hash:/etc/postfix/local_domains
if local_domains contains domains local, you can reject senders that
forge sender AFTER permit_sasl_auth...
You're mentioning authentication again. As I said once already, this
postfix server does NOT authenticate users. It only listens on port 25,
not port 587. I might have enabled 465, but I do not remember. All
user accounts and mailboxes are on the Exchange server, and users can
connect directly to Exchange over encrypted channels.

The pair of postfix servers are mail relays and authoritative DNS
servers. Our MX record points to a VIP that can float between the two
servers. They serve as a spam/virus filter for mail headed to and
coming from the Exchange server, and have a second role as a smarthost
for internal systems that need to send notification email. The only
"authentication" done for the smarthost role is source IP --
permit_mynetworks.

I have no interest in postfix validating "From" headers, but if the
envelope sender contains one of my domains and the sending server is not
in mynetworks, I want postfix to reject it. Is that possible?

Thanks,
Shawn
Benny Pedersen
2016-07-29 14:28:21 UTC
Permalink
Post by Shawn Heisey
Post by Benny Pedersen
Post by Shawn Heisey
relay_domains = $mydestination, hash:/etc/postfix/local_domains
if local_domains contains domains local, you can reject senders that
forge sender AFTER permit_sasl_auth...
You're mentioning authentication again.
sorry about that
Post by Shawn Heisey
As I said once already, this
postfix server does NOT authenticate users.
sorry about that aswell
Post by Shawn Heisey
It only listens on port 25,
there you go
Post by Shawn Heisey
not port 587. I might have enabled 465, but I do not remember. All
user accounts and mailboxes are on the Exchange server, and users can
connect directly to Exchange over encrypted channels.
yes thats ok, but how does users from exchange send mail ?, its a bug to
use port 25
Post by Shawn Heisey
The pair of postfix servers are mail relays and authoritative DNS
servers. Our MX record points to a VIP that can float between the two
servers. They serve as a spam/virus filter for mail headed to and
coming from the Exchange server, and have a second role as a smarthost
for internal systems that need to send notification email. The only
"authentication" done for the smarthost role is source IP --
permit_mynetworks.
all that is ok
Post by Shawn Heisey
I have no interest in postfix validating "From" headers, but if the
envelope sender contains one of my domains and the sending server is
not
in mynetworks, I want postfix to reject it. Is that possible?
this is not a job for postfix, if you want From: header policy use
opendkim in postfix
Viktor Dukhovni
2016-07-29 14:50:59 UTC
Permalink
Post by Shawn Heisey
I have no interest in postfix validating "From" headers, but if the
envelope sender contains one of my domains and the sending server is not
in mynetworks, I want postfix to reject it. Is that possible?
Yes, quite possible and widely used.

main.cf:
indexed = ${default_database_type}:${config_directory}/
smtpd_sender_restrictions =
check_sender_access ${indexed}smtp-from

smtp-from:
example.com permit_mynetworks, reject
.example.com permit_mynetworks, reject
--
Viktor.
Continue reading on narkive:
Loading...