4

The server correctly accepts/rejects the logins through Dovecot's authentication mechanism, but after that I can pretend to be anyone when sending emails.

smtpd_sender_login_maps = texthash:/etc/postfix/permmap
append_at_myorigin=no

smtpd_helo_restrictions =
     permit_mynetworks,
     reject_non_fqdn_helo_hostname,
     reject_invalid_helo_hostname,
     #reject_unknown_helo_hostname,
     permit

smtpd_sender_restrictions =
     permit_sasl_authenticated,
     permit_mynetworks,
     reject_sender_login_mismatch,
#     reject_non_fqdn_sender,
     reject_unknown_sender_domain,
     permit

smtpd_client_restrictions =
     permit_mynetworks,
     permit_sasl_authenticated,
     reject_unauth_pipelining,
     reject_rbl_client bl.spamcop.net,
     reject_rbl_client zen.spamhaus.org,
     permit

I use this site for testing, because it's convenient and with --verbose shows me the whole communication, except the message body.

This is the communication log, obviously with identifying stuff and password censored:

> EHLO localhost
[250] 'example.com'
[250] 'PIPELINING'
[250] 'SIZE 104857600'
[250] 'ETRN'
[250] 'AUTH PLAIN LOGIN'
[250] 'ENHANCEDSTATUSCODES'
[250] '8BITMIME'
[250] 'DSN'
AUTH method (PLAIN LOGIN): using LOGIN
> AUTH LOGIN
[334] 'VXNlcm5hbWU6'
> dXNlckFAdmlydHVhbGRvbWFpbkE=
[334] 'UGFzc3dvcmQ6'
> dGhlcGFzc3dvcmQ=
[235] '2.7.0 Authentication successful'
Authentication of userA@virtualdomainA@example.com succeeded
> MAIL FROM: <userB@example.com>
[250] '2.1.0 Ok'
> RCPT TO: <realremote@example.net>
[250] '2.1.5 Ok'
> DATA
[354] 'End data with <CR><LF>.<CR><LF>'
[250] '2.0.0 Ok: queued as 73519140287'
> QUIT
[221] '2.0.0 Bye'

The email was indeed sent as if I was userB@example.com.

The second probable problem we see there is that it appends its real domain to the virtual one, even though append_at_myorigin should disable it. The docs weren't much help. They don't even suggest what the lookup table should resemble. I had to learn that from elsewhere.

masegaloeh
coladict
  • 2
    `MAIL FROM` has nothing to do with authentication. It just sets the return path. It's not even the same address the receiver sees in their mail client. – Halfgaar Dec 20 '14 at 14:03
  • Ah, I forget about your *second probable problem*. Maybe it was added by `smtpd_sasl_local_domain` parameter :) – masegaloeh Dec 20 '14 at 16:06

1 Answer

9

As far as I can see, your expectation is that a user can't send on behalf of another user because you put reject_sender_login_mismatch in smtpd_sender_restrictions. Yes, that should work.

Unfortunately, you put reject_sender_login_mismatch after permit_sasl_authenticated. Based on Postfix logic, if your client successfully logs in via SASL, it won't be checked against reject_sender_login_mismatch because it has already passed the restriction permit_sasl_authenticated.

The solution is to reorder the restrictions according to the official Postfix documentation.

smtpd_sender_restrictions = 
    ...other restriction...
    reject_sender_login_mismatch,
    permit_sasl_authenticated,
    ...other restriction...
user
masegaloeh
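A small model of the first-match evaluation the answer describes, added here as an illustration; it is not Postfix code and not code from the question or the answer. The login map entries and the full reordered list are constructed assumptions, and any restriction other than the four handled is treated as returning no decision.

```python
# Simplified model of how Postfix walks one restriction list: the first
# restriction that returns a decision ends the evaluation.

def parse_list(value):
    """Split a main.cf restriction value, skipping '#' comment lines."""
    items = []
    for line in value.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            items += line.replace(",", " ").split()
    return items

def login_mismatch(sender, login, owners):
    """True when reject_sender_login_mismatch would reject the sender."""
    allowed = owners.get(sender.lower(), [])
    if login is None:               # client did not authenticate
        return bool(allowed)        # address is owned by some login
    return login not in allowed     # logged in, but not as an owner

def evaluate(restrictions, sender, login, owners, in_mynetworks=False):
    """Return (verdict, deciding restriction) for one MAIL FROM."""
    for r in restrictions:
        if r == "permit_sasl_authenticated" and login is not None:
            return "OK", r
        if r == "permit_mynetworks" and in_mynetworks:
            return "OK", r
        if r == "reject_sender_login_mismatch" and login_mismatch(sender, login, owners):
            return "REJECT", r
        if r == "permit":
            return "OK", r
    return "OK", "(end of list)"

# Constructed stand-in for smtpd_sender_login_maps (address -> logins).
OWNERS = {"usera@example.com": ["userA@virtualdomainA"],
          "userb@example.com": ["userB@virtualdomainB"]}
QUESTION_ORDER = parse_list("""
     permit_sasl_authenticated,
     permit_mynetworks,
     reject_sender_login_mismatch,
#     reject_non_fqdn_sender,
     reject_unknown_sender_domain,
     permit
""")
# Assumed full list for the reordered form (the answer elides the rest).
FIXED_ORDER = ["reject_sender_login_mismatch"] + [
    r for r in QUESTION_ORDER if r != "reject_sender_login_mismatch"]
if __name__ == "__main__":
    for name, order in (("question", QUESTION_ORDER), ("reordered", FIXED_ORDER)):
        print(name, evaluate(order, "userB@example.com", "userA@virtualdomainA", OWNERS))
```

The login strings in the map must match the login name the SASL layer actually reports to Postfix, which is worth confirming in the mail log before relying on the check.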