Postfix SMTP 身份验证安全漏洞

Postfix SMTP 身份验证安全漏洞

我在 CentOS 6 上运行 Postfix。除了 smtp 中的一个安全漏洞外,一切运行正常。

我不断收到从我的地址发送到我的地址的垃圾邮件。我已经在 telnet 上检查过这个问题,服务器允许我向自己发送电子邮件而无需身份验证。如果我尝试发送到外部电子邮件地址,则需要身份验证。

我怎样才能堵住这个洞?

编辑:

@Jenny D 这不是问题的重复。我想阻止我的邮件服务器在未经身份验证的情况下向其自身发送电子邮件。

后配置-n

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
home_mailbox = mail/
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = localhost.$mydomain, localhost
mydomain = mydomain.com
myhostname = mail.mydomain.com
mynetworks = 127.0.0.0/8
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
proxy_read_maps = $local_recipient_maps $mydestination       $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps  $virtual_mailbox_domains $relay_recipient_maps $relay_domains  $canonical_maps $sender_canonical_maps $recipient_canonical_maps  $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_use_tls = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, permit
smtpd_recipient_restrictions = permit_sasl_authenticated,       permit_mynetworks, check_relay_domains,  reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_domains = 
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql-     virtual_forwardings.cf,         mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = dovecot
virtual_uid_maps = static:5000

grep -n smtp /etc/postfix/master.cf

11:smtp      inet  n       -       n       -       -       smtpd
13:587      inet  n       -       n       -       -       smtpd
15:#submission inet n       -       n       -       -       smtpd
16:#  -o smtpd_tls_security_level=encrypt
17:smtps     inet  n       -       n       -       -       smtpd
18:   -o smtpd_sasl_auth_enable=yes
19:   -o smtpd_reject_unlisted_sender=yes
20:   -o smtpd_recipient_restrictions=permit_sasl_authenticated
22:#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
24:#smtps     inet  n       -       n       -       -       smtpd
25:#  -o smtpd_tls_wrappermode=yes
26:#  -o smtpd_sasl_auth_enable=yes
27:#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
43:smtp      unix  -       -       n       -       -       smtp
45:relay     unix  -       -       n       -       -       smtp
46: -o smtp_fallback_relay=
47:#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
102:#bsmtp     unix  -       n       n       -       -       pipe
103:#  flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient

标头

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from [103.38.130.142] (unknown [103.38.130.142])
by 807493.myserver.com (Postfix) with ESMTP id 6A8894809B6
for <[email protected]>; Mon, 28 Mar 2016 14:22:52 +0100 (BST)
From: "netadmin" <[email protected]>
To: "[email protected]" <[email protected]>
Subject: Document (1).pdf
Date: Mon, 28 Mar 2016 18:52:55 +0530
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_0042_01D0A1F9.171F24B0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AdCh6FNHn/LWax1JSTSc7XL2c2t2TQ==
Content-Language: en-US

This is a multipart message in MIME format.

感谢您的帮助

编辑2:

我已将拒绝添加到 smtp_sender_restrictions 的末尾 - 这解决了我的问题,但是它也会破坏传入邮件???

为了更清楚地说明问题-我希望拒绝以下内容,但事实并非如此:

Connected to mail.mydomain.com.
Escape character is '^]'.
220 807493.vps-10.com ESMTP Postfix
ehlo testing.com
250-807493.vps-10.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:[email protected]
250 2.1.0 Ok
rcpt to:[email protected]
250 2.1.5 Ok

如果我改为:

smtpd_sender_restrictions = reject_unknown_sender_domain,    
 permit_mynetworks, permit_sasl_authenticated, reject

然后我就得到了想要的结果:

Connected to mail.mydomain.com.
Escape character is '^]'.
220 807493.vps-10.com ESMTP Postfix
ehlo testing.com
250-807493.vps-10.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:[email protected]
250 2.1.0 Ok
rcpt to:[email protected]
554 5.7.1 <[email protected]>: Sender address rejected: Access denied

然而,来自外部地址的来信现在被退回并被接收!

抱歉,但我发现这很难理解。

答案1

您需要在邮件服务器中设置发件人身份验证...从您自己的 ID 接收邮件是欺骗邮件,可以通过设置发件人 ID 和在 DNS 服务器中配置 SPF 记录来阻止这种邮件。

答案2

Postfix 似乎permit_auth_destination在其某个访问限制列表

我无法找出问题的确切原因。请问您能否添加以下问题:

  1. 的输出postconf -n
  2. 的输出grep -n smtp /etc/postfix/master.cf
  3. 从垃圾邮件中提取的标题?

编辑:

我看到该smtpd_recipient_restrictions设置包含reject_unauth_destination并且没有其他附加限制。此外,没有应用defer任何限制,因此隐式限制占上风。rejectpermit

让我写一下您的 Postfix 守护进程在 SMTP 事务中收到命令时的行为RCPT TO。假设远程客户端启动了它并打算从 和 发送一条虚假消息到[email protected]

  1. permit_sasl_authenticated=> 用户未进行身份验证,因此忽略此限制。
  2. permit_mynetworks=> 用户不属于内部网络,因此忽略此限制。
  3. check_relay_domains=> Postfix 似乎已经弃用了这个限制,因此也可能会被忽略。
  4. reject_unauth_destination=> Postfix 检测到它是邮件的最终目的地,因此忽略限制。
  5. 隐式permit发生,因此 Postfix 最终接受并传递消息。

如果您打算仅接收来自经过身份验证的用户的消息,则可以在末尾添加reject或限制。但是,如果您要接收来自不属于您的域(即公共邮件服务器)的消息,则必须遵循其他替代方案,因为明确或将拒绝这些消息。应用@Jenny D 指出的解决方案,即设置限制或配置defersmtpd_recipient_restrictionsrejectdefercheck_sender_access发件人策略框架

此外,您还可以应用其他反垃圾邮件技术:

相关内容