gabriel rosenkoetter on 23 Oct 2003 07:37:02 -0400



Re: [PLUG] mail relay?


On Tue, Oct 21, 2003 at 08:44:17PM -0400, Jon Nelson wrote:
> gabriel rosenkoetter said:
> > On Tue, Oct 21, 2003 at 10:54:39AM -0400, Jon Nelson wrote:
> >> Oct 20 17:02:54 muffin postfix/nqmgr[1080]: 1864324122:
> >> from=<IIhBJUcUr@iris.seed.net.tw>, size=2654, nrcpt=2 (queue
> >> active) Oct 20 17:02:54 muffin postfix/nqmgr[1080]: 1864324122:
> >> to=<--quincy@linuxnotes.net>, relay=none, delay=2, status=bounced
> >> (invalid recipient syntax: "--quincy@linuxnotes.net")
> > What makes you think it had two recipients? I only see one attempted
> > delivery here...
> "nrcpt=2"  means there are 2 recipients.

D'oh. Yeah, you're right.

> > Oh, there's the other one. Did you actually *see* this spam?
> No, I saw the logs after the fact.

Right, but it *did* get delivered. Do you have a spam email matching
that Message-ID? (It may be in a spam mailbox if you're doing
filtering.)

> OK, so if I got this right...I got spammed by someone who forged the
> return path.  The mail to "--quincy" got bounced and my server tried to
> send a bounce msg to the forged address.

That's correct. The spammer also targeted quincy@ (no --), who
presumably received the spam. (It only just now hit me that you're
probably not reading quincy@'s mail. Whoops.)

On Wed, Oct 22, 2003 at 08:14:14AM -0400, sean finney wrote:
> sativa[~]08:00:15$ nc linuxnotes.net 25
> 220 muffin.linuxnotes.net ESMTP Postfix
> helo sativa.seanius.net
> 250 muffin.linuxnotes.net
> mail from: seanius@seanius.net
> 250 Ok
> rcpt to: --quincy@linuxnotes.net
> 250 Ok
> 
> so postfix is accepting emails for invalid users at linuxnotes.net,
> which may or may not be fixable depending on your setup, though not a
> horrible problem (just wastes some cpu cycles and bandwidth, noone gets
> spammed).

Last I checked, Postfix couldn't be configured to outright reject
these mails, because smtpd is (very purposely) not in charge of
delivery (that's handed off to whatever transport maps you've got
configured, including local). smtpd only knows for what *domains* it
is to receive mail. That's a conscious division of labor. It does
mean that you blow some cycles and bandwidth on bounces of this kind
of mail, but it also means that an exploit of smtpd doesn't
necessarily imply an exploit of mail delivery on your system. It's a
security decision, and you should be aware of the implications of
breaking that model if you're going to try to do it.

> if so you can tell postfix to only accept emails for valid email
> addresses?  i believe the setting is reject_unauth_destination
> assigned to one of the smtpd_foo_restrictions, you'll need to double
> check that.

smtpd_recipient_restrictions is what you're looking for, but
reject_unauth_destination isn't, as it only checks the domain, not
the addressee (and, in any case, reject_unauth_destination is turned
on by default). It looks like I'm mistaken, though I think this
feature was added since I did UCE setup on uriel.eclipsed.net, and
Postfix can do this with check_recipient_access (which lets you
reference any sort of map you like, including checking against
localpart@, which I assume you could map to /etc/passwd, a YP/NIS
passwd map, or an LDAP ou=users,dc=your,dc=dom map), but I still
don't think it's a very good idea without understanding how smtpd's
going to be doing that checking. And, obviously, it goes to hell
if you're setting up virtual domains (because you'll then have to
maintain both the regular virtual map and, probably, a differently
formatted map with the same list of users for use with
check_recipient_access).

See http://www.postfix.org/uce.html#smtpd_recipient_restrictions for
(only slightly) more details.

> the true test would be if you received that email.  did you? :)

He's not quincy, so he doesn't really know. But he should have
received the postmaster email, for sure.

On Wed, Oct 22, 2003 at 11:07:09AM -0400, Jon Nelson wrote:
> Since it was a bounce message I wouldn't have gotten anything, and didn't.

Did I just hear you say "I don't read any of the mail addressed to
postmaster@my.domain?"

Bad, bad, bad decision, Jon. Please, be a good Internet neighbor and
pay attention to your mail system's primary reporting channel.

-- 
gabriel rosenkoetter
gr@eclipsed.net
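A small defender-side check for the backscatter Jon's log shows, added here as an example and not code from anyone in the thread: it joins the nqmgr from= and to= lines by queue ID and flags bounces that this host would send to an off-site envelope sender (the likely-forged address the bounce goes to). The sample log lines are constructed from the quoted entries, and the set of local domains is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the nqmgr lines quoted in the thread.
SAMPLE_LOG = """\
Oct 20 17:02:54 muffin postfix/nqmgr[1080]: 1864324122: from=<IIhBJUcUr@iris.seed.net.tw>, size=2654, nrcpt=2 (queue active)
Oct 20 17:02:54 muffin postfix/nqmgr[1080]: 1864324122: to=<--quincy@linuxnotes.net>, relay=none, delay=2, status=bounced (invalid recipient syntax: "--quincy@linuxnotes.net")
Oct 20 17:02:55 muffin postfix/local[1091]: 1864324122: to=<quincy@linuxnotes.net>, relay=local, delay=3, status=sent (delivered to mailbox)
Oct 20 17:04:00 muffin postfix/nqmgr[1080]: 3B8D41205: from=<jon@linuxnotes.net>, size=640, nrcpt=1 (queue active)
Oct 20 17:04:01 muffin postfix/local[1092]: 3B8D41205: to=<nosuch@linuxnotes.net>, relay=local, delay=1, status=bounced (unknown user: "nosuch")
"""

# One "from=" line per queue ID gives the envelope sender; "to=" lines give
# the per-recipient outcome. Both carry the queue ID, which is the join key.
FROM_RE = re.compile(r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")
TO_RE = re.compile(r"postfix/\w+\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>,"
                   r" relay=(?P<relay>[^,]+),.*status=(?P<status>\w+) \((?P<reason>.*)\)$")


def find_backscatter(log_text, local_domains):
    """Return bounces whose envelope sender is outside local_domains.

    A bounce for an unknown or malformed local recipient goes back to the
    envelope sender; when that sender is off-site it was very likely forged,
    so the bounce is backscatter aimed at an innocent third party.
    """
    senders = {}                 # queue id -> envelope sender
    bounces = defaultdict(list)  # queue id -> [(recipient, reason), ...]
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            senders[m["qid"]] = m["sender"]
            continue
        m = TO_RE.search(line)
        if m and m["status"] == "bounced":
            bounces[m["qid"]].append((m["rcpt"], m["reason"]))

    findings = []
    for qid, items in bounces.items():
        sender = senders.get(qid, "")
        domain = sender.rpartition("@")[2].lower()
        # Empty sender (<>) is itself a bounce and is never bounced again;
        # a sender in one of our own domains gets a legitimate local bounce.
        if not domain or domain in local_domains:
            continue
        for rcpt, reason in items:
            findings.append({"queue_id": qid, "sender": sender,
                             "recipient": rcpt, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_backscatter(SAMPLE_LOG, {"linuxnotes.net"}):  # assumed local domain
        print(f"{f['queue_id']}: bounce to <{f['sender']}> for <{f['recipient']}> ({f['reason']})")
```

Run it against a real mail log with your own domain set; every hit is a bounce your server sent to a stranger, which is exactly what rejecting unknown recipients at SMTP time prevents.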
