
I was surprised to notice that sending email from a local server account allows any user to send a message with:

From: whatever@whateverdomain

This is a security issue, because it allows identity spoofing.

When sending email from a local server account, emails are put into the maildrop directory and the Postfix pickup daemon sends them.

Searching Postfix documentation (man pickup) doesn't show a dedicated check for this problem.

How can this be solved without disabling the pickup daemon, which is required for correct system function?

  • Let me clarify the question: with the submission service you can prevent the problem with the restriction 'reject_sender_login_mismatch'. I'm just asking how to do the same thing when emails are sent from pickup. In that meaning, it is not a duplicate question. –  Mar 13 '20 at 13:03

1 Answer

Since Postfix 3.6 (Debian bullseye currently ships 3.5) you can use local_login_sender_maps to specify which envelope sender a local login is allowed to specify. To quote the documentation's example:

/etc/postfix/main.cf:
    # Allow root and postfix full control, anyone else can only
    # send mail as themselves. Use "uid:" followed by the numerical
    # UID when the UID has no entry in the UNIX password file.
    local_login_sender_maps =
        inline:{ { root = *}, { postfix = * } },
        pcre:/etc/postfix/login_senders

/etc/postfix/login_senders:
    # Allow both the bare username and the user@domain forms.
    /(.+)/ $1 $1@example.com
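To see what that configuration actually permits before rolling it out, here is a small simulator of the lookup, written for this answer as an added example (it is not Postfix code and not the answer author's). It models the two tables above: the inline table is a dict, the pcre table is a list of (regex, replacement) pairs with Postfix's $1 written as Python's \1. The result handling ("*" matches any sender, "<>" the null sender, anything else is a case-insensitive literal address) follows the postconf description; treating a login with no lookup result as refused is this example's own fail-closed choice, and the logins and sender addresses are constructed.

```python
import re
from typing import Optional

# Added example, not Postfix code: emulate the local_login_sender_maps
# lookup from the documentation example above. Tables are constructed
# to mirror that example.

# inline:{ { root = *}, { postfix = * } }
INLINE_MAP = {"root": "*", "postfix": "*"}

# pcre:/etc/postfix/login_senders  ->  /(.+)/ $1 $1@example.com
# Assumption: modelled as (compiled regex, replacement) pairs, $1 -> \1.
PCRE_RULES = [(re.compile(r"(.+)"), r"\1 \1@example.com")]


def login_key(username: Optional[str], uid: int) -> str:
    """Lookup key used for the submitting user: the login name, or
    "uid:NNN" when the UID has no entry in the password file."""
    return username if username else f"uid:{uid}"


def lookup_login(key: str) -> Optional[str]:
    """Query the tables in configured order; the first table that
    returns a result wins (inline first, then pcre)."""
    if key in INLINE_MAP:
        return INLINE_MAP[key]
    for pattern, replacement in PCRE_RULES:
        match = pattern.search(key)
        if match:
            return match.expand(replacement)
    return None


def sender_allowed(key: str, envelope_sender: str) -> bool:
    """Decide whether a local login may use the given envelope sender.

    The lookup result is a whitespace- or comma-separated pattern list:
    "*" matches any sender, "<>" matches the null sender, and any other
    pattern is compared case-insensitively as a literal address.
    A login with no lookup result is refused (assumption: fail closed).
    """
    result = lookup_login(key)
    if result is None:
        return False
    for pat in re.split(r"[\s,]+", result.strip()):
        if pat == "*":
            return True
        if pat == "<>" and envelope_sender == "":
            return True
        if pat.lower() == envelope_sender.lower():
            return True
    return False


if __name__ == "__main__":
    # Constructed cases: the spoofed From from the question versus the
    # two forms the pcre rule permits for an ordinary user.
    cases = [
        ("root", "whatever@whateverdomain"),
        ("alice", "alice"),
        ("alice", "Alice@example.com"),
        ("alice", "whatever@whateverdomain"),
        (login_key(None, 1001), "uid:1001@example.com"),
    ]
    for key, sender in cases:
        verdict = "accept" if sender_allowed(key, sender) else "reject"
        print(f"{key:10} {sender:28} -> {verdict}")
```

Running it shows root passing anything, alice passing only "alice" and "alice@example.com" (case-insensitively), and alice's attempt at "whatever@whateverdomain" being rejected. Note that the catch-all /(.+)/ rule also produces a result for "uid:NNN" keys, so a UID without a password entry ends up restricted to the odd address "uid:NNN@example.com" rather than being refused outright; if that matters, give such keys their own rule.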

Please note that this only prevents Postfix from forwarding offending mails put into its maildrop queue. Local users can still create their own outgoing SMTP connections, sending mail originating at your host (so passing SPF) without involving Postfix at all.

You might want to:

  • sign all your outgoing mail (and hope all possible recipients do not accept unsigned mail) with a key only accessible to Postfix and/or
  • use iptables to restrict non-postfix users from connecting to remote port 25 (and hope no one accepts mail on any other port).
    • Consider also restricting both submission ports in this way in case some remote also accepts incoming mail there. That will break anyone using a mail client trying to connect and authenticate to a remote relay from your host, but that seems like an unlikely use case anyway.