Added reject_authenticated_sender_login_mismatch (#872)
* added reject_authenticated_sender_login_mismatch handling including tests * removed obsolete reject_sender_login_mismatch * introduced SPOOF_PROTECTION env variable, tests, documentation and missing documentation for TLS_LEVEL * added missing email template
parent
4036588c65
commit
a73692cc9f
16
.env.dist
16
.env.dist
|
@ -29,6 +29,22 @@ POSTMASTER_ADDRESS=
|
|||
# network => Add all docker containers (ipv4 only)
|
||||
PERMIT_DOCKER=
|
||||
|
||||
# empty => modern
|
||||
# modern => Enables TLSv1.2 and modern ciphers only. (default)
|
||||
# intermediate => Enables TLSv1, TLSv1.1 and TLSv1.2 and broad compatibility ciphers.
|
||||
# old => NOT implemented. If you really need it, then customize the TLS ciphers overriding postfix and dovecot settings
|
||||
# (https://github.com/tomav/docker-mailserver/wiki/)
|
||||
TLS_LEVEL=
|
||||
|
||||
# Configures the handling of creating mails with forged sender addresses.
|
||||
#
|
||||
# empty => (not recommended, but default for backwards compatability reasons)
|
||||
# Mail address spoofing allowed. Any logged in user may create email messages with a forged sender address.
|
||||
# See also https://en.wikipedia.org/wiki/Email_spoofing
|
||||
# 1 => (recommended) Mail spoofing denied. Each user may only send with his own or his alias addresses.
|
||||
# Addresses with extension delimiters(http://www.postfix.org/postconf.5.html#recipient_delimiter) are not able to send messages.
|
||||
SPOOF_PROTECTION=
|
||||
|
||||
# 1 => Enables POP3 service
|
||||
# empty => disables POP3
|
||||
ENABLE_POP3=
|
||||
|
|
|
@ -176,7 +176,7 @@ RUN mkdir /var/run/fetchmail && chown fetchmail /var/run/fetchmail
|
|||
|
||||
# Configures Postfix
|
||||
COPY target/postfix/main.cf target/postfix/master.cf /etc/postfix/
|
||||
COPY target/postfix/sender_header_filter.pcre /etc/postfix/maps/sender_header_filter.pcre
|
||||
COPY target/postfix/sender_header_filter.pcre target/postfix/sender_login_maps.pcre /etc/postfix/maps/
|
||||
RUN echo "" > /etc/aliases && \
|
||||
openssl dhparam -out /etc/postfix/dhparams.pem 2048 && \
|
||||
echo "@weekly FILE=`mktemp` ; openssl dhparam -out $FILE 2048 > /dev/null 2>&1 && mv -f $FILE /etc/postfix/dhparams.pem" > /etc/cron.d/dh2048
|
||||
|
|
2
Makefile
2
Makefile
|
@ -23,6 +23,7 @@ run:
|
|||
-v "`pwd`/test":/tmp/docker-mailserver-test \
|
||||
-v "`pwd`/test/onedir":/var/mail-state \
|
||||
-e ENABLE_CLAMAV=1 \
|
||||
-e SPOOF_PROTECTION=1 \
|
||||
-e ENABLE_SPAMASSASSIN=1 \
|
||||
-e SA_TAG=-5.0 \
|
||||
-e SA_TAG2=2.0 \
|
||||
|
@ -130,6 +131,7 @@ run:
|
|||
-e ENABLE_LDAP=1 \
|
||||
-e LDAP_SERVER_HOST=ldap \
|
||||
-e LDAP_START_TLS=no \
|
||||
-e SPOOF_PROTECTION=1 \
|
||||
-e LDAP_SEARCH_BASE=ou=people,dc=localhost,dc=localdomain \
|
||||
-e LDAP_BIND_DN=cn=admin,dc=localhost,dc=localdomain \
|
||||
-e LDAP_BIND_PW=admin \
|
||||
|
|
|
@ -232,6 +232,7 @@ If you enable Fail2Ban, don't forget to add the following lines to your `docker-
|
|||
- NET_ADMIN
|
||||
|
||||
Otherwise, `iptables` won't be able to ban IPs.
|
||||
|
||||
##### SMTP_ONLY
|
||||
|
||||
- **empty** => all daemons start
|
||||
|
@ -254,6 +255,11 @@ Please read [the SSL page in the wiki](https://github.com/tomav/docker-mailserve
|
|||
- intermediate => Enables TLSv1, TLSv1.1 and TLSv1.2 and broad compatibility ciphers.
|
||||
- old => NOT implemented. If you really need it, then customize the TLS ciphers overriding postfix and dovecot settings [ wiki](https://github.com/tomav/docker-mailserver/wiki/
|
||||
|
||||
##### SPOOF_PROTECTION
|
||||
Configures the handling of creating mails with forged sender addresses.
|
||||
- **empty** => Mail address spoofing allowed. Any logged in user may create email messages with a forged sender address. See also [Wikipedia](https://en.wikipedia.org/wiki/Email_spoofing)(not recommended, but default for backwards compatability reasons)
|
||||
- 1 => (recommended) Mail spoofing denied. Each user may only send with his own or his alias addresses. Addresses with [extension delimiters](http://www.postfix.org/postconf.5.html#recipient_delimiter) are not able to send messages.
|
||||
|
||||
##### PERMIT_DOCKER
|
||||
|
||||
Set different options for mynetworks option (can be overwrite in postfix-main.cf)
|
||||
|
|
|
@ -26,6 +26,8 @@ services:
|
|||
- POSTSCREEN_ACTION=${POSTSCREEN_ACTION}
|
||||
- SMTP_ONLY=${SMTP_ONLY}
|
||||
- SSL_TYPE=${SSL_TYPE}
|
||||
- TLS_LEVEL=${TLS_LEVEL}
|
||||
- SPOOF_PROTECTION=${SPOOF_PROTECTION}
|
||||
- PERMIT_DOCKER=${PERMIT_DOCKER}
|
||||
- VIRUSMAILS_DELETE_DELAY=${VIRUSMAILS_DELETE_DELAY}
|
||||
- ENABLE_POSTFIX_VIRTUAL_TRANSPORT=${ENABLE_POSTFIX_VIRTUAL_TRANSPORT}
|
||||
|
|
|
@ -46,7 +46,7 @@ smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname, permi
|
|||
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
|
||||
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net
|
||||
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining
|
||||
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_sender_login_mismatch
|
||||
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain
|
||||
disable_vrfy_command = yes
|
||||
|
||||
# Postscreen settings to drop zombies/open relays/spam early
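Review bot: Removing `reject_sender_login_mismatch` from `smtpd_sender_restrictions` changes nothing at runtime, since it sat after `permit_sasl_authenticated` (authenticated clients were permitted before reaching it) and no `smtpd_sender_login_maps` was set for it to consult; the shipped main.cf, however, now gives no hint that this line is rewritten at container start. Because `_setup_spoof_protection` prepends `reject_authenticated_sender_login_mismatch,` with a sed anchored on the literal `smtpd_sender_restrictions =`, a comment above the line such as `# SPOOF_PROTECTION=1 prepends reject_authenticated_sender_login_mismatch at startup (start-mailserver.sh)` would keep the file self-explanatory and mark that anchor as load-bearing.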
|
||||
|
|
1
target/postfix/sender_login_maps.pcre
Normal file
1
target/postfix/sender_login_maps.pcre
Normal file
|
@ -0,0 +1 @@
|
|||
/^(.*)$/ ${1}
|
|
@ -25,6 +25,7 @@ DEFAULT_VARS["DMS_DEBUG"]="${DMS_DEBUG:="0"}"
|
|||
DEFAULT_VARS["OVERRIDE_HOSTNAME"]="${OVERRIDE_HOSTNAME}"
|
||||
DEFAULT_VARS["POSTMASTER_ADDRESS"]="${POSTMASTER_ADDRESS:="postmaster@domain.com"}"
|
||||
DEFAULT_VARS["POSTSCREEN_ACTION"]="${POSTSCREEN_ACTION:="enforce"}"
|
||||
DEFAULT_VARS["SPOOF_PROTECTION"]="${SPOOF_PROTECTION:="0"}"
|
||||
DEFAULT_VARS["TLS_LEVEL"]="${TLS_LEVEL:="modern"}"
|
||||
##########################################################################
|
||||
# << DEFAULT VARS
|
||||
|
@ -118,6 +119,11 @@ function register_functions() {
|
|||
_register_setup_function "_setup_postfix_vhost"
|
||||
_register_setup_function "_setup_postfix_dhparam"
|
||||
_register_setup_function "_setup_postfix_postscreen"
|
||||
|
||||
if [ "$SPOOF_PROTECTION" = 1 ]; then
|
||||
_register_setup_function "_setup_spoof_protection"
|
||||
fi
|
||||
|
||||
_register_setup_function "_setup_postfix_access_control"
|
||||
|
||||
if [ ! -z "$AWS_SES_HOST" -a ! -z "$AWS_SES_USERPASS" ]; then
|
||||
|
@ -128,7 +134,7 @@ function register_functions() {
|
|||
_register_setup_function "_setup_postfix_virtual_transport"
|
||||
fi
|
||||
|
||||
_register_setup_function "_setup_environment"
|
||||
_register_setup_function "_setup_environment"
|
||||
|
||||
################### << setup funcs
|
||||
|
||||
|
@ -544,7 +550,7 @@ function _setup_ldap() {
|
|||
done
|
||||
|
||||
notify 'inf' 'Starting to override configs'
|
||||
for f in /etc/postfix/ldap-users.cf /etc/postfix/ldap-groups.cf /etc/postfix/ldap-aliases.cf /etc/postfix/ldap-domains.cf
|
||||
for f in /etc/postfix/ldap-users.cf /etc/postfix/ldap-groups.cf /etc/postfix/ldap-aliases.cf /etc/postfix/ldap-domains.cf /etc/postfix/maps/sender_login_maps.ldap
|
||||
do
|
||||
[[ $f =~ ldap-user ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_USER}"
|
||||
[[ $f =~ ldap-group ]] && export LDAP_QUERY_FILTER="${LDAP_QUERY_FILTER_GROUP}"
|
||||
|
@ -615,6 +621,14 @@ function _setup_postfix_postscreen() {
|
|||
-e "s/postscreen_bare_newline_action = enforce/postscreen_bare_newline_action = $POSTSCREEN_ACTION/" /etc/postfix/main.cf
|
||||
}
|
||||
|
||||
function _setup_spoof_protection () {
|
||||
notify 'inf' "Configuring Spoof Protection"
|
||||
sed -i 's|smtpd_sender_restrictions =|smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch,|' /etc/postfix/main.cf
|
||||
[ "$ENABLE_LDAP" = 1 ] \
|
||||
&& postconf -e "smtpd_sender_login_maps=ldap:/etc/postfix/ldap-users.cf ldap:/etc/postfix/ldap-aliases.cf ldap:/etc/postfix/ldap-groups.cf" \
|
||||
|| postconf -e "smtpd_sender_login_maps=texthash:/etc/postfix/virtual, texthash:/etc/aliases, pcre:/etc/postfix/maps/sender_login_maps.pcre"
|
||||
}
|
||||
|
||||
function _setup_postfix_access_control() {
|
||||
notify 'inf' "Configuring user access"
|
||||
[ -f /tmp/docker-mailserver/postfix-send-access.cf ] && sed -i 's|smtpd_sender_restrictions =|smtpd_sender_restrictions = check_sender_access texthash:/tmp/docker-mailserver/postfix-send-access.cf,|' /etc/postfix/main.cf
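Review bot: In `_setup_spoof_protection` the `[ "$ENABLE_LDAP" = 1 ] && postconf -e … || postconf -e …` chain also runs the second `postconf` when the first exits non-zero, so a failed LDAP call silently replaces `smtpd_sender_login_maps` with the non-LDAP map list and LDAP alias senders would then likely be rejected; write it as `if [ "$ENABLE_LDAP" = 1 ]; then … else … fi`. The `_setup_ldap` loop now also processes `/etc/postfix/maps/sender_login_maps.ldap`, but nothing in this commit creates that file (the Dockerfile copies only `sender_login_maps.pcre`) and the LDAP branch of `_setup_spoof_protection` does not reference it, so unless it exists outside the diff the substitution the loop applies to `$f` will fail on every LDAP start and the entry should be dropped or the file added. `texthash:` tables are read in postmap `key value` form while `/etc/aliases` is conventionally in postalias `name: value` form, so the second entry of the non-LDAP map list should be confirmed to actually match alias owners. Assuming setup functions run in registration order, `_setup_postfix_access_control` later prepends `check_sender_access …` ahead of `reject_authenticated_sender_login_mismatch`, so an `OK` entry in a user-supplied `postfix-send-access.cf` also exempts that sender from the ownership check; if that is intended it deserves a comment on the sed line. `_setup_ldap` and `_setup_postfix_access_control` both extend outside their hunks.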
|
||||
|
|
14
test/auth/added-smtp-auth-spoofed-alias.txt
Normal file
14
test/auth/added-smtp-auth-spoofed-alias.txt
Normal file
|
@ -0,0 +1,14 @@
|
|||
EHLO mail
|
||||
AUTH LOGIN dXNlcjFAbG9jYWxob3N0LmxvY2FsZG9tYWlu
|
||||
bXlwYXNzd29yZA==
|
||||
MAIL FROM: alias1@localhost.localdomain
|
||||
RCPT TO: user1@localhost.localdomain
|
||||
DATA
|
||||
From: user1_alias <alias1@localhost.localdomain>
|
||||
To: Existing Local User <user1@localhost.localdomain>
|
||||
Date: Sat, 22 May 2010 07:43:25 -0400
|
||||
Subject: Test Message
|
||||
This is a test mail.
|
||||
|
||||
.
|
||||
QUIT
|
14
test/auth/added-smtp-auth-spoofed.txt
Normal file
14
test/auth/added-smtp-auth-spoofed.txt
Normal file
|
@ -0,0 +1,14 @@
|
|||
EHLO mail
|
||||
AUTH LOGIN YWRkZWRAbG9jYWxob3N0LmxvY2FsZG9tYWlu
|
||||
bXlwYXNzd29yZA==
|
||||
MAIL FROM: user2@localhost.localdomain
|
||||
RCPT TO: user1@localhost.localdomain
|
||||
DATA
|
||||
From: Not_My_Business <user2@localhost.localdomain>
|
||||
To: Existing Local User <user1@localhost.localdomain>
|
||||
Date: Sat, 22 May 2010 07:43:25 -0400
|
||||
Subject: Test Message
|
||||
This is a test mail.
|
||||
|
||||
.
|
||||
QUIT
|
15
test/auth/ldap-smtp-auth-spoofed-alias.txt
Normal file
15
test/auth/ldap-smtp-auth-spoofed-alias.txt
Normal file
|
@ -0,0 +1,15 @@
|
|||
EHLO mail
|
||||
AUTH LOGIN
|
||||
c29tZS51c2VyQGxvY2FsaG9zdC5sb2NhbGRvbWFpbg==
|
||||
c2VjcmV0
|
||||
MAIL FROM: postmaster@localhost.localdomain
|
||||
RCPT TO: some.user@localhost.localdomain
|
||||
DATA
|
||||
From: alias_address <postmaster@localhost.localdomain>
|
||||
To: Existing Local User <some.user@localhost.localdomain>
|
||||
Date: Sat, 22 May 2010 07:43:25 -0400
|
||||
Subject: Test Message
|
||||
This is a test mail.
|
||||
|
||||
.
|
||||
QUIT
|
15
test/auth/ldap-smtp-auth-spoofed.txt
Normal file
15
test/auth/ldap-smtp-auth-spoofed.txt
Normal file
|
@ -0,0 +1,15 @@
|
|||
EHLO mail
|
||||
AUTH LOGIN
|
||||
c29tZS51c2VyQGxvY2FsaG9zdC5sb2NhbGRvbWFpbg==
|
||||
c2VjcmV0
|
||||
MAIL FROM: ldap@localhost.localdomain
|
||||
RCPT TO: user1@localhost.localdomain
|
||||
DATA
|
||||
From: forged_address <ldap@localhost.localdomain>
|
||||
To: Existing Local User <user1@localhost.localdomain>
|
||||
Date: Sat, 22 May 2010 07:43:25 -0400
|
||||
Subject: Test Message
|
||||
This is a test mail.
|
||||
|
||||
.
|
||||
QUIT
|
|
@ -367,8 +367,6 @@ load 'test_helper/bats-assert/load'
|
|||
[ "$status" -ge 0 ]
|
||||
}
|
||||
|
||||
|
||||
|
||||
#
|
||||
# accounts
|
||||
#
|
||||
|
@ -1089,7 +1087,6 @@ load 'test_helper/bats-assert/load'
|
|||
assert_success
|
||||
}
|
||||
|
||||
|
||||
@test "checking accounts: listmailuser" {
|
||||
run docker exec mail /bin/sh -c "listmailuser | head -n 1"
|
||||
assert_success
|
||||
|
@ -1402,6 +1399,24 @@ load 'test_helper/bats-assert/load'
|
|||
assert_success
|
||||
}
|
||||
|
||||
@test "checking spoofing: rejects sender forging" {
|
||||
# checking rejection of spoofed sender
|
||||
run docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/added-smtp-auth-spoofed.txt | grep 'Sender address rejected: not owned by user'"
|
||||
assert_success
|
||||
# checking ldap
|
||||
run docker exec mail_with_ldap /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed.txt | grep 'Sender address rejected: not owned by user'"
|
||||
assert_success
|
||||
}
|
||||
|
||||
@test "checking spoofing: accepts sending as alias" {
|
||||
|
||||
run docker exec mail /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/added-smtp-auth-spoofed-alias.txt | grep 'End data with'"
|
||||
assert_success
|
||||
# checking ldap alias
|
||||
run docker exec mail_with_ldap /bin/sh -c "nc 0.0.0.0 25 < /tmp/docker-mailserver-test/auth/ldap-smtp-auth-spoofed-alias.txt | grep 'End data with'"
|
||||
assert_success
|
||||
}
|
||||
|
||||
# saslauthd
|
||||
@test "checking saslauthd: sasl ldap authentication works" {
|
||||
run docker exec mail_with_ldap bash -c "testsaslauthd -u some.user -p secret"
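Review bot: Both `mail` and `mail_with_ldap` are started with `SPOOF_PROTECTION=1` (Makefile), so the new tests never exercise the default path; sending a forged-sender fixture to a container without the variable would confirm the restriction is applied only when requested and would catch a sed that fires unconditionally. The negative case also covers only sending as another user's primary address (`added-smtp-auth-spoofed.txt`); a fixture where user1 sends as an alias that resolves to a different user would verify the ownership direction of the `virtual`/alias lookups, which is where the non-LDAP map list is most likely to be wrong. Matching on the reply text `Sender address rejected: not owned by user` ties the test to Postfix's wording, which is acceptable but worth a comment such as `# Postfix reply for reject_authenticated_sender_login_mismatch` so a future change in the expected string is understood.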
|
||||
|
|