Conditional SASL authentication
Hello,
I have a few users who are often hit by a trojan that steals their e-mail user name and password. Having very little (if any) control over their machines, I need to be able to block the outgoing mail, which is handled by Postfix via Dovecot SASL. Blocking it at the Dovecot level would be optimal, because the virus doesn't necessarily use the user's e-mail address as its From, just the user name and password for the authentication phase.
Is it feasible?
AdvThanksAnce,
Luciano.
Via A. Salaino, 7 - 20144 Milano (Italy)
Phone: +39 2 485781   Fax: +39 2 48578250
E-mail: posthamster@sublink.sublink.ORG
WWW: http://www.lesassaie.IT/
(ASCII ribbon campaign against HTML mail and postings)
The things that occur to me are:
- Ensure that the sender domain is authorized by adding a rule to main.cf for send_restrictions. Then at least they won't be sending things with a faked From:.
- Do some work with rate limiting: http://steam.io/2013/04/01/postfix-rate-limiting/
- Look at something like fail2ban.
-- George Sexton *MH Software, Inc.* Voice: 303 438 9585 http://www.mhsoftware.com
On 24.02.2015 at 18:28, Luciano Mannucci wrote:
not sure what you are trying to achieve
- if you change the password, SASL auth is taken away
- if you don't want to enforce SASL per IP, mynetworks is your friend
but nobody really wants to place foreign machines in mynetworks and allow sending mail unauthenticated from a machine he doesn't own - if only because in most configurations more restrictions are bypassed that way than with SASL
it's not a Dovecot question anyway
On Tue, 24 Feb 2015 18:56:03 +0100 Reindl Harald h.reindl@thelounge.net wrote:
- if you change the password, SASL auth is taken away
True. But this way the user will be unable to read his/her mail, including my message saying "Hey, you've got a new virus!".
Thanks anyway,
luciano.
On 24.02.2015 at 19:04, Luciano Mannucci wrote:
On Tue, 24 Feb 2015 18:56:03 +0100 Reindl Harald h.reindl@thelounge.net wrote:
- if you change the password, SASL auth is taken away
True. But this way the user will be unable to read his/her mail, including my message saying "Hey, you've got a new virus!"
if the account is compromised the password *must be changed* and the user contacted on a different channel - otherwise you risk the hijacking of his other accounts connected to that mail address and a ton of additional damage
On Tue, 24 Feb 2015, Luciano Mannucci wrote:
On Tue, 24 Feb 2015 18:56:03 +0100 Reindl Harald h.reindl@thelounge.net wrote:
- if you change the password, SASL auth is taken away
True. But this way the user will be unable to read his/her mail, including my message saying "Hey, you've got a new virus!".
OK, I had the task of disallowing somebody to use SMTP but still allowing IMAP. I use LDAP and my pass_filter contains: (!(deniedService=%Ls))
deniedService is a locally created string attribute. I don't know what Postfix-Dovecot-SASL uses as "service", but it should be something like smtp. With LDAP or SQL you can block users (or even select passwords) by service string. See http://wiki2.dovecot.org/Variables for more options.
Steffen Kaiser
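A worked version of Steffen's per-service deny, added here as an example and not taken from the thread or from the Dovecot project: the LDAP passdb he describes, an equivalent SQL passdb, and the doveadm check that shows which service name Dovecot actually sees. Assumptions: the LDAP attribute deniedService and the SQL column smtp_denied are local schema additions (as in Steffen's setup); host names, base DN and the account "luciano" are made up. What is not an assumption: Postfix's Dovecot SASL client presents the service name from its smtpd_sasl_service parameter, whose default is "smtp", so %Ls is "smtp" for submission and "imap" or "pop3" for mail reading.

```conf
# --- /etc/dovecot/dovecot-ldap.conf.ext (LDAP passdb, referenced from
#     conf.d/auth-ldap.conf.ext as passdb { driver = ldap; args = <this file> }) ---
# %Ls expands to the lowercased service name of the connection being
# authenticated: "imap", "pop3", or "smtp" for Postfix's Dovecot SASL client
# (Postfix parameter smtpd_sasl_service, default "smtp").
# deniedService is a locally defined, multi-valued string attribute
# (assumption: added to your own schema; not part of any standard LDAP schema).
hosts = ldap.example.com
auth_bind = yes
base = ou=people,dc=example,dc=com
pass_attrs = uid=user
# Return the entry only if the user is not denied for *this* service.
# A user with "deniedService: smtp" can still log in via IMAP/POP3 and read
# the warning you send, but submission through Postfix fails with a 535.
pass_filter = (&(objectClass=posixAccount)(uid=%u)(!(deniedService=%Ls)))

# --- /etc/dovecot/dovecot-sql.conf.ext (the same idea with an SQL passdb) ---
# Assumption: a boolean column smtp_denied on the users table.
driver = mysql
connect = host=localhost dbname=mail user=dovecot password=changeme
password_query = SELECT username AS user, password \
  FROM users \
  WHERE username = '%u' \
    AND NOT (smtp_denied = 1 AND '%Ls' = 'smtp')

# --- Locking and checking a compromised account ---
# 1. Set "deniedService: smtp" on the LDAP entry (or smtp_denied = 1 in SQL).
# 2. Verify what Dovecot does per service before relying on it:
#      doveadm auth test -x service=smtp luciano 'stolen-password'   # must now fail
#      doveadm auth test -x service=imap luciano 'stolen-password'   # still succeeds
#    Postfix submission then answers: 535 5.7.8 Error: authentication failed
```

This closes the submission path while leaving the mailbox readable, which is exactly the split Luciano asked for. It does not make the stolen password any less stolen: the same credential still opens IMAP, so the account should still get a new password once the user has been reached.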
On February 24, 2015 6:30:53 PM Luciano Mannucci luciano@vespaperitivo.it wrote:
Is it feasible?
No. When this happens, disable SMTP auth but not login, then send a mail explaining why SMTP auth is disabled.
On Tue, 24 Feb 2015 19:00:09 +0100 Benny Pedersen me@junc.eu wrote:
No. When this happens, disable SMTP auth but not login, then send a mail explaining why SMTP auth is disabled.
This way I'll block everybody, not only the trojan victims.
luciano.
On 24.02.2015 at 18:28, Luciano Mannucci wrote:
for the virus doesn't necessarily use the e-mail of the user as its from, just the user and password for the authentication phase
so you allow random envelope senders on your servers? why?
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_unlisted_sender
    reject_authenticated_sender_login_mismatch
    permit_sasl_authenticated
    reject
On Tue, 24 Feb 2015 19:00:32 +0100 Reindl Harald h.reindl@thelounge.net wrote:
so you allow random envelope senders on your servers? why?
I know it is not necessarily a good idea... :) It is basically to allow fake home addresses from the office for some managers.
Thanks for the smtpd_recipient_restrictions list, it sounds interesting!
Luciano.
On 24.02.2015 at 19:20, Luciano Mannucci wrote:
On Tue, 24 Feb 2015 19:00:32 +0100 Reindl Harald h.reindl@thelounge.net wrote:
so you allow random envelope senders on your servers? why?
I know it is not necessarily a good idea... :) It is basically to allow fake home addresses from the office for some managers.
don't allow senders which you would not receive mail for - period
especially don't allow fakes - if your machine spews a large amount of mail here that doesn't pass sender verification because there is no SPF, you would get blocked unconditionally, IP-based
Thanks for the smtpd_recipient_restrictions list, it sounds interesting!
it's for submission only!
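The restriction list Harald posted only does what he describes when Postfix knows which logins own which envelope senders, and it must be confined to the submission service, as he says. Below is a complete submission-only setup, added here as an example and not taken from Harald's or anyone else's real configuration: main.cf, the master.cf submission entry, and the sender-login map. Host names, addresses, and the map path are made up.

```conf
# --- /etc/postfix/main.cf ---
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
# Which SASL login(s) may use which envelope sender. Without this map,
# reject_authenticated_sender_login_mismatch has nothing to match against
# and rejects every authenticated MAIL FROM.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login_maps
# Kept in main.cf and referenced from master.cf, so port 25 keeps its own
# inbound policy and only submission gets this list.
mua_recipient_restrictions =
    permit_mynetworks
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_unlisted_sender
    reject_authenticated_sender_login_mismatch
    permit_sasl_authenticated
    reject

# --- /etc/postfix/master.cf (submission: port 587, TLS and SASL required) ---
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=$mua_recipient_restrictions

# --- /etc/postfix/sender_login_maps (run "postmap /etc/postfix/sender_login_maps" after editing) ---
# envelope sender                 SASL login(s) allowed to use it
luciano@example.com               luciano@example.com
# A manager who legitimately sends "from" a home address while in the office:
# list that one address explicitly instead of allowing arbitrary senders.
manager@example.com               manager@example.com
manager@home.example.net          manager@example.com
# A shared address several people may send as.
info@example.com                  luciano@example.com, manager@example.com
```

With this in place a stolen password used with somebody else's sender gets "553 5.7.1 Sender address rejected: not owned by user luciano@example.com" and is logged under postfix/submission, which is also a usable trigger for fail2ban. It does not stop a trojan that sends as the victim's own address with the victim's own login; that case needs the per-service deny in Dovecot or rate limiting. Note that permit_mynetworks comes first, so anything you put in mynetworks bypasses the whole check, which is Harald's point about not listing foreign machines there.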
On 24.02.2015 at 19:37, Adrian Minta wrote:
On 24.02.2015 20:29, Reindl Harald wrote:
don't allow senders which you would not receive mail for - period
Seems interesting, at least until the bots adapt to this. Any idea how this could be implemented?
with the configuration I have posted in this thread?
for me that was a prerequisite before even considering putting my first mail server setup on a public IP, and that's enforced even on every web server here by shared database tables
On 24.02.2015 20:40, Reindl Harald wrote:
with the configuration I have posted in this thread?
for me that was a prerequisite before even considering putting my first mail server setup on a public IP, and that's enforced even on every web server here by shared database tables
Oops... sorry, reject_authenticated_sender_login_mismatch from smtpd_sender_restrictions, of course. I was thinking about not accepting mail from users/IPs which don't do at least one POP3 or IMAP read before sending.
-- Best regards, Adrian Minta
On 24.02.2015 at 19:48, Adrian Minta wrote:
Oops... sorry, reject_authenticated_sender_login_mismatch from smtpd_sender_restrictions, of course. I was thinking about not accepting mail from users/IPs which don't do at least one POP3 or IMAP read before sending.
pop-before-smtp was a completely broken idea 15 years ago and is much more so now, with a ton of clients behind carrier-grade NAT (mobile devices and all that stuff)
- implement SMTP auth properly
- enforce SMTP auth unconditionally
- don't allow foreign sender domains
if you can't do those 3 things, don't run a public mail server
Hello, take a look at postfwd, especially the "rate limit examples": http://postfwd.org/
-- Best regards, Adrian Minta
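An added example of the postfwd rate limit that George and Adrian point at; it is not from the thread or from the postfwd documentation, and the rule syntax is written from memory of postfwd 1.x, so check it against the manual before deploying. The threshold, time window, and the listening port 127.0.0.1:10040 are assumptions; postfwd is assumed to be running on that socket.

```conf
# --- /etc/postfix/postfwd.cf ---
# Per-login sending limit. Called from smtpd_recipient_restrictions, postfwd
# sees one policy request per RCPT TO, so this caps recipients per account:
# more than 100 in any 3600 s window gets a 4xx. A legitimate client retries
# later; a trojan's burst stalls instead of relaying, and the sasl_username
# shows up in the postfwd log for follow-up (password change, Dovecot deny).
id=RATE_SASL ; sasl_username=~/./ ; action=rate(sasl_username/100/3600/450 4.7.1 Too many messages from this account, try again later)

# Everything else: leave the decision to the remaining Postfix restrictions.
id=DEFAULT ; action=dunno

# --- /etc/postfix/main.cf ---
# Put the policy check after the sender-login check and before the final
# permit, on the submission list only (referenced from master.cf with
# -o smtpd_recipient_restrictions=$mua_recipient_restrictions).
mua_recipient_restrictions =
    permit_mynetworks
    reject_non_fqdn_recipient
    reject_non_fqdn_sender
    reject_unlisted_sender
    reject_authenticated_sender_login_mismatch
    check_policy_service inet:127.0.0.1:10040
    permit_sasl_authenticated
    reject
```

Rate limiting is a brake, not a lock: it bounds how much a stolen credential can send per hour and makes the abuse visible, but the account keeps working until somebody acts on the log. Pick the limit from your own users' real peak (a mailing-list admin or a mail merge sender will need an exception rule with a higher number), and use a 4xx rather than a 5xx so a legitimate client that briefly trips it does not bounce mail.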