#1
  1. Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2011
    Posts
    3
    Rep Power
    0

    Postfix Configuration: How to restrict use of CC


    I have configured postfix on my server.

    telnet mydomain.com 25
    helo validdomain.com
    mail from: validaddress@validdomain
    rcpt to: validuser@mydomain
    data
    From: validaddress@validdomain
    To: validuser@mydomain
    CC: user1@domain1,user2@domain2
    Subject: Testing postfix
    Message body

    When I run this test, as expected, the email is delivered to validuser.
    However, postfix also delivers it to user1 and user2 despite the fact that the sender does not belong to my domain.
    I have implemented client, helo and recipient restrictions as below.
    How do I prevent the malicious use of CC as described here?
    Thank you

    Snap of main.cf
    -------------------
    smtpd_client_restrictions = permit_mynetworks,
        reject_invalid_hostname,
        reject_rbl_client zen.spamhaus.org,
        reject_unknown_client,
        permit

    smtpd_helo_restrictions = permit_mynetworks,
        check_helo_access hash:/etc/postfix/helo_access,
        reject_unauth_pipelining,
        reject_non_fqdn_hostname,
        reject_invalid_hostname,
        warn_if_reject reject_unknown_hostname,
        permit

    smtpd_recipient_restrictions = reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_non_fqdn_hostname,
        reject_invalid_hostname,
        permit_mynetworks,
        reject_unauth_pipelining,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_unauth_destination,
        reject_unknown_client,
        permit

    smtpd_sender_restrictions = permit_mynetworks,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_unknown_address
  2. #2
  3. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Oct 2003
    Location
    Minneapolis, MN
    Posts
    356
    Rep Power
    13
    Actually, this is not how postfix (or any MTA, for that matter) works. The only thing the MTA cares about, in terms of recipients, is what is sent as an envelope RCPT TO. That's it. The message headers are completely ignored in terms of To/From/Cc/Bcc, etc. The MTA just doesn't care; it's just part of the message blob that it sends elsewhere (or delivers locally). It may add headers (like Received) and such, but that's about it. I could do the following:
    Code:
    $ nc postfix-host.example.com 25
    220 postfix-host.example.com ESMTP Postfix
    HELO myhostname
    250 postfix-host.example.com
    MAIL FROM: me@example.net
    250 2.1.0 Ok
    RCPT TO: joeschmoe@example.com
    250 2.1.5 Ok
    DATA
    354 End data with <CR><LF>.<CR><LF>
    To: abominablesnowman@thenorthpole.com
    Cc: user@example.com.ck.this.doesnt.exist,user2@pudding
    Subject: testing stuff
    
    this is a test
    .
    250 2.0.0 Ok: queued as 793FF312
    quit
    221 2.0.0 Bye
    Despite what's in the To and Cc fields in the message headers, that message will only go to one recipient, "joeschmoe@example.com". Postfix (or, again, any MTA) only respects the "RCPT TO:" lines of the SMTP transaction as the recipients it will send to. End of story.
    badger badger badger badger
    badger badger badger badger
    MUSHROOM MUSHROOM
  4. #3
  5. Registered User
    crustymonkey, thank you for your response.

    What you are describing (that postfix should ignore the CC/BCC recipients) was exactly what I expected.
    However, to my surprise, my test disproved this:
    When I ran the telnet example I originally submitted, user1@domain1 and user2@domain2 actually received the test email (note: domain1 and domain2 are different from my domain or validdomain).
    Is it possible that something in my configuration allowed this kind of behavior? However, I don't see anything that would do so.

    When you say:
    "The message headers are completely ignored in terms of To/From/Cc/Bcc, etc. The MTA just doesn't care"
    What happens in the following case?

    telnet mydomain.com 25
    helo mydomain.com
    mail from: validuser@mydomain
    rcpt to: validaddress@validdomain
    data
    From: validuser@mydomain
    To: validaddress@validdomain
    CC: user1@domain1,user2@domain2
    Subject: Testing postfix
    Message body

    The MTA cannot ignore the CC field, because the sender is a valid user in my domain and the MTA should deliver to all CC recipients.
    What controls email delivery to CC/BCC recipients in postfix configuration?
  6. #4
  7. Contributing User
    Read this:

    http://www.ietf.org/rfc/rfc2821.txt

    Why don't you do an actual telnet/netcat test of that and output the actual results (along with maillogs) showing how your MTA is doing something that postfix does not do by itself? The one that I posted is an actual test that I did. In the posting here, I just manually changed the hostnames and envelope addresses. The message headers and body are *exactly* what I used and the only place that email was even attempted being sent was the envelope RCPT TO.

    The only way that is possible is if you had a milter reading the headers and sending mail to the Cc field recips or a header_checks file with similar.

    A tip for getting help with postfix that most people don't know: instead of posting your main.cf file, post the output of "postconf -n". That will show all non-default settings.
  8. #5
  9. Registered User
    I redid the test.
    As this forum doesn't let me enter domain names in the post, I had to twist some of the entries.

    In my test, I had 3 CCs.
    This time, no email was sent to yahoo and hotmail.
    But gmx dot com received an email!
    I tried different combinations, and gmx always received the email but not the other domains (yahoo, hotmail, etc).
    I am at a loss as to how gmx gets an email from this test...

    Code:
    220 mydomain ESMTP Postfix
    helo yahooCOM
    250 mydomain
    mail from: validaddress@yahooCOM
    250 2.1.0 Ok
    rcpt to: validaddress@mydomain
    250 2.1.5 Ok
    data
    354 End data with <CR><LF>.<CR><LF>
    From: validaddress@yahooCOM
    To: validaddress@mydomain
    CC: validaddresss@gmxCOM,validaddress@hotmailCOM,validaddress@yahooCOM
    Subject: Test email relay via CC
    This is a test
    .
    250 2.0.0 Ok: queued as C98B322CC6
    Below is the mail.log
    Code:
    Jan 25 07:12:12 myserver postfix/smtpd[862]: C98B322CC6: client=myhomeIP
    Jan 25 07:12:25 myserver postfix/cleanup[867]: C98B322CC6: message-id=<>
    Jan 25 07:12:25 myserver postfix/qmgr[31664]: C98B322CC6: from=<validAddress@yahooCOM>, size=391, nrcpt=1 (queue active)
    Jan 25 07:12:25 myserver postfix/local[868]: C98B322CC6: to=<validmailbox@mydomain>, orig_to=<validuser@mydomain>, relay=local, delay=24, delays=24/0.03/0/0.08, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail)
    Jan 25 07:12:25 myserver postfix/cleanup[867]: 5EEBA22F73: message-id=<>
    Jan 25 07:12:25 myserver postfix/local[868]: C98B322CC6: to=<validmailbox@mydomain>, orig_to=<validaddress@mydomain>, relay=local, delay=24, delays=24/0.03/0/0.13, dsn=2.0.0, status=sent (forwarded as 5EEBA22F73)
    Jan 25 07:12:25 myserver postfix/qmgr[31664]: 5EEBA22F73: from=<validaddress@yahooCOM>, size=539, nrcpt=1 (queue active)
    Jan 25 07:12:25 myserver postfix/qmgr[31664]: C98B322CC6: removed
    Jan 25 07:12:26 myserver postfix/smtp[870]: 5EEBA22F73: to=<validaddress@gmxCOM>, orig_to=<validuser@mydomain>, relay=mx0.gmx.com[74.208.5.90]:25, delay=0.87, delays=0.12/0.03/0.46/0.26, dsn=2.6.0, status=sent (250 2.6.0 Message accepted {mx-us011})
    Jan 25 07:12:26 myserver postfix/qmgr[31664]: 5EEBA22F73: removed
    My postconf -n
    Code:
    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    append_dot_mydomain = no
    biff = no
    config_directory = /etc/postfix
    home_mailbox = Maildir/
    inet_interfaces = all
    inet_protocols = all
    mailbox_command = /usr/bin/procmail
    mailbox_size_limit = 0
    mydestination = mydomain, myserver, localhost.localdomain, localhost
    mydomain = mydomain
    myhostname = mydomain
    mynetworks = 127.0.0.0/8
    myorigin = /etc/mailname
    readme_directory = no
    recipient_delimiter = +
    relayhost =
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtpd_banner = $myhostname ESMTP $mail_name
    smtpd_recipient_restrictions = reject_non_fqdn_sender,  reject_non_fqdn_recipient,  reject_non_fqdn_hostname,  reject_invalid_hostname,  permit_mynetworks,  reject_unauth_pipelining,  reject_unknown_sender_domain,  reject_unknown_recipient_domain,  reject_unauth_destination,  reject_unknown_client,  permit
    smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
    smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_use_tls = yes
    virtual_alias_maps = hash:/etc/postfix/virtual
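The log posted above records nrcpt=1 for the accepted message and a local delivery that was "forwarded as" a second queue ID. This added example (not part of the original posts, and not Postfix code) follows such hand-offs so that each remote delivery can be traced back to the message accepted over SMTP and its envelope recipient count. The sample log is constructed with placeholder hosts and addresses, and the short hexadecimal queue-ID format is an assumption.

```python
# Added illustration: attribute each remote delivery in a Postfix mail.log
# to the queue ID that was originally accepted. Not part of Postfix.
import re

# Constructed sample modelled on the log above (placeholder hosts/addresses).
LOG = """\
Jan 25 07:12:12 mx postfix/smtpd[862]: AAAA111111: client=unknown[192.0.2.10]
Jan 25 07:12:25 mx postfix/qmgr[31664]: AAAA111111: from=<a@sender.example>, size=391, nrcpt=1 (queue active)
Jan 25 07:12:25 mx postfix/local[868]: AAAA111111: to=<box@my.example>, orig_to=<user@my.example>, relay=local, delay=24, dsn=2.0.0, status=sent (forwarded as BBBB222222)
Jan 25 07:12:25 mx postfix/qmgr[31664]: BBBB222222: from=<a@sender.example>, size=539, nrcpt=1 (queue active)
Jan 25 07:12:26 mx postfix/smtp[870]: BBBB222222: to=<fwd@remote.example>, orig_to=<user@my.example>, relay=mx.remote.example[198.51.100.7]:25, delay=0.87, dsn=2.6.0, status=sent (250 ok)
"""

# Assumption: default short queue IDs (uppercase hexadecimal).
LINE = re.compile(r"postfix/(\w+)\[\d+\]: ([0-9A-F]+): (.*)")

def trace(log):
    """Map each postfix/smtp delivery to its root queue ID and envelope count."""
    parent, nrcpt, remote = {}, {}, []
    for raw in log.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        daemon, qid, rest = m.groups()
        if n := re.search(r"nrcpt=(\d+)", rest):
            nrcpt[qid] = int(n.group(1))      # envelope recipients accepted
        if f := re.search(r"forwarded as ([0-9A-F]+)", rest):
            parent[f.group(1)] = qid          # child queue ID -> parent
        if daemon == "smtp" and (t := re.search(r"\bto=<([^>]*)>", rest)):
            o = re.search(r"orig_to=<([^>]*)>", rest)
            remote.append((qid, t.group(1), o.group(1) if o else None))
    out = []
    for qid, to, orig_to in remote:
        root = qid
        while root in parent:                 # walk back to the accepted message
            root = parent[root]
        out.append({"to": to, "orig_to": orig_to, "root": root,
                    "root_nrcpt": nrcpt.get(root), "forwarded": root != qid})
    return out
```

A remote delivery reported with `forwarded` true and `root_nrcpt` of 1 was produced by forwarding configured for the single envelope recipient named in `orig_to`.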
  10. #6
  11. Contributing User
    Beyond "validaddress@yahooCOM" being in either aliases or the virtual aliases, I'm at a loss for how you are doing this.