I have an email server running on Debian 11 with Postfix. I have strict restrictions implemented (SPF, DKIM, ...) to prevent spam. Works fine so far.

But recently I just realized every guy with a valid reverse hostname can send with a spoofed sender address from my own domain to accounts of my own domain.

So an email from unknownuser@mydomain.com to realuser@mydomain.com from an IP with a valid reverse hostname is getting accepted. Obviously this is something I do not want. I want my Postfix to allow only authenticated users to send with mydomain.com as sender.

Is there a simple fix for this? I cannot believe it is so easy to trick Postfix nowadays :| I found a similar question and answers to this issue here, but that was eight years ago and the solution is not as "quick-and-easy" as I was looking for.

So the main question: Is there a more recent solution to the issue?

Here's the main part of my main.cf:

smtpd_helo_restrictions =
        permit_sasl_authenticated,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname,
        reject_unknown_helo_hostname
smtpd_client_restrictions =
        permit_sasl_authenticated,
        reject_unknown_client_hostname,
        reject_rbl_client ix.dnsbl.manitu.net,
        reject_rhsbl_client dbl.spamhaus.org,
        reject_rhsbl_reverse_client dbl.spamhaus.org,
        reject_rbl_client psbl.surriel.com
smtpd_sender_restrictions = 
        permit_sasl_authenticated,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_unknown_client_hostname,
        reject_unknown_reverse_client_hostname
smtpd_recipient_restrictions = 
        permit_sasl_authenticated,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_unauth_destination,
        reject_unauth_pipelining,
        check_sender_access hash:/etc/postfix/access,
        check_policy_service unix:private/policy
        check_policy_service inet:127.0.0.1:10023
Christian

1 Answer

Edit: SPF is the mechanism to prevent this and you have it working since

Original answer: I think you lack reject_sender_login_mismatch in the smtpd_sender_restrictions section. It includes (among others) reject_unauthenticated_sender_login_mismatch, which does the following:

Reject the request when SASL is enabled, the MAIL FROM address is listed in $smtpd_sender_login_maps, but the client is not authenticated with SASL. With SASL enabled, this prevents an unauthenticated client from using any MAIL FROM address that is listed in $smtpd_sender_login_maps. This feature is available in Postfix version 2.1 and later.

(see doc).

So you can use instead:

smtpd_sender_restrictions = 
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_sender_login_mismatch

(I removed the duplicate rejects from smtpd_client_restrictions, and permit_sasl_authenticated, which is not needed: the emails originating from your server shouldn't be rejected by these 3)
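
A simplified model of the ownership check behind reject_sender_login_mismatch, added here as an example (it is not Postfix source and not part of the answer above). It follows the lookup order and reject conditions documented for smtpd_sender_login_maps and shows that the spoofed sender is only refused once the map covers the domain. The map entries, the `no-such-login` owner and the function names are constructed for illustration.

```python
# Simplified model of Postfix's sender/login ownership check (added example).
# SENDER_LOGIN_MAPS stands in for the table named by smtpd_sender_login_maps;
# every entry, including the "no-such-login" owner, is a constructed value.
SENDER_LOGIN_MAPS = {
    "realuser@mydomain.com": "realuser",
    "@mydomain.com": "no-such-login",  # catch-all: any other address is "owned"
}
LOCAL_DOMAINS = {"mydomain.com"}       # stands in for $myorigin / $mydestination


def owners(sender, table=SENDER_LOGIN_MAPS):
    """Documented lookup order: user@domain, user (local domains only), @domain."""
    user, _, domain = sender.lower().rpartition("@")
    keys = [f"{user}@{domain}"]
    if domain in LOCAL_DOMAINS:
        keys.append(user)
    keys.append(f"@{domain}")
    for key in keys:
        if key in table:
            # A result is a list of SASL logins split on commas and/or whitespace.
            return set(table[key].replace(",", " ").split())
    return None                        # "not found": nobody owns this address


def reject_sender_login_mismatch(sender, sasl_login, table=SENDER_LOGIN_MAPS):
    """Return True when the MAIL FROM address would be rejected."""
    owned_by = owners(sender, table)
    if sasl_login is None:
        # Unauthenticated half: reject only when the address has an owner.
        return owned_by is not None
    # Authenticated half: the logged-in name must own the address.
    return owned_by is None or sasl_login not in owned_by


if __name__ == "__main__":
    cases = [
        ("unknownuser@mydomain.com", None, {}),              # empty map
        ("unknownuser@mydomain.com", None, SENDER_LOGIN_MAPS),
        ("realuser@mydomain.com", "realuser", SENDER_LOGIN_MAPS),
        ("someone@example.org", None, SENDER_LOGIN_MAPS),    # inbound mail
    ]
    for sender, login, table in cases:
        verdict = "REJECT" if reject_sender_login_mismatch(sender, login, table) else "pass"
        print(f"{sender:28} login={login!s:10} entries={len(table)} -> {verdict}")
```

With an empty map the first case passes, which is why adding the restriction alone does not change the behaviour described in the question.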