
I am running OpenSMTPD on OpenBSD together with spamd, spampd and spamassassin, DKIMproxy and dovecot. My setup is to handle both local e-mail on the server and (external) email for my domain. My setup seems to be working (still in testing phase). I am happy to be able to realise my setup with an opensmtpd.conf file of 17 lines excluding comments and spaces. There are however a few things that I am not happy with. I hope someone can suggest how to address these:

While building the setup I initially had no spampd / spamassassin. In that config there was exactly one 'accept' command picking up the email and delivering to dovecot. The OpenSMTPD server checks existence of the recipient address and if not existing returns error 550 and does not allow submission of the e-mail. This is good.

After I incorporated spampd and spamassassin the 'accept' command picking up the incoming e-mail forwards to spampd (which runs spamassassin). After spampd / spamassassin processing the message is picked up by another OpenSMTPD accept command that delivers to dovecot. Though this works there are some unwanted side effects that, if not fixed, would lead to vulnerabilities:

1) spampd / spamassassin will process all incoming messages for my domain, also those for recipients on that domain that do not exist. Spampd/spamassassin are not exactly 'light' tasks. Together this makes the opportunities for a DoS attack higher.

2) All incoming messages for my domain are first accepted. In case of unknown recipients this will only be detected after spampd / spamassassin processing. Once the unknown recipient is detected a delivery status e-mail will be sent by the mailer daemon to the sender stating the recipient is unknown. That allows an attacker to use my server to send spam-like email to any valid recipient by sending an e-mail to my server with as sender any valid e-mail address and as recipient any invalid recipient on my domain.

Questions:

  • Is there any way to configure OpenSMTPD such that it rejects unknown recipients immediately (i.e. as part of the initial submission to OpenSMTPD) even when spampd / spamassassin are incorporated?
  • Is there any way in which I can make the server NOT send out reject messages for non-existent recipients?

Kind Regards,

Esa Jokinen
pvswie01
  • Welcome to Serverfault. While you have described your configuration well and asked reasonable questions, the title didn't define your questions. You'd get more attention to your question, if the reader can tell from the first sight whether it's within his/her expertise. Hopefully this modification helps you to get a quality answer. – Esa Jokinen Jul 15 '17 at 06:26
  • Very interesting question :-) Have you found an answer ? Also can you share your opensmtpd configuration ? Thx – Xavier Jan 17 '18 at 17:05

1 Answer

In the new opensmtpd 6.4+ syntax, I was wondering about this as well. Currently I had a file with all my domains in it and I just had a rule that ensured I'd get e-mails only for my domains. This allows in messages for users that may not exist, resulting in bounce messages going back out.

table vdoms  "/mail/db/vdomains"
...
match from any for domain <vdoms> action your_spam_filter_action

To restrict on just your users, you need to have a table of all your valid e-mail addresses, and then use rcpt-to for your matcher. This may be duplicating some of the information you already have in other alias/user tables.

So assuming you have a /etc/mail/addrs table:

bob@example.com
mary@example.com
sue@example.net

In your smtpd.conf you'd need

table addrs  "/mail/db/addrs"
...
...
match from any for rcpt-to <addrs> action your_spam_filter_action

Now, OpenSMTPD will reject the e-mail at the RCPT TO: <wrongperson@example.com> command, rather than accepting it and later sending a bounce.

djsumdog
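The answer above notes that the address table duplicates what other user tables already hold. The following is an added example, not part of the original answer: it derives the address list from an existing virtual-user file and reports drift between the two. The file format (one "address  target" pair per line, '#' comments) and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the answer. Assumed input: a table(5)-style virtual
# user file ("address  target" per line, '#' comments) as the source of truth.

# build_addrs FILE: print every explicitly listed recipient address once.
build_addrs() {
    awk '
        /^[[:space:]]*(#|$)/ { next }             # comments and blank lines
        {
            key = tolower($1)
            sub(/:$/, "", key)                    # tolerate aliases-style "key:"
            if (key ~ /^[^@]+@[^@]+$/) print key  # full addresses only; this
        }                                         # drops "@domain" catch-alls
    ' "$1" | sort -u
}

# list_catchalls FILE: "@domain" keys accept any local part, so they cannot
# be enumerated in an address list and need a separate decision.
list_catchalls() {
    awk '!/^[[:space:]]*#/ && $1 ~ /^@/ { print tolower($1) }' "$1" | sort -u
}

# addrs_drift VIRTUALS ADDRS: "+addr" is deliverable but missing from ADDRS
# (refused at RCPT TO); "-addr" is stale (accepted, then bounced later).
addrs_drift() {
    want=$(mktemp) && have=$(mktemp) || return 1
    build_addrs "$1" > "$want"
    grep -Ev '^[[:space:]]*(#|$)' "$2" | tr '[:upper:]' '[:lower:]' | sort -u > "$have"
    comm -23 "$want" "$have" | sed 's/^/+/'
    comm -13 "$want" "$have" | sed 's/^/-/'
    rm -f "$want" "$have"
}

# Constructed sample data; the domains are placeholders.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# virtual users' 'Bob@example.com  bob' \
        'mary@example.com  mary' 'sue@example.net  sue' \
        '@example.org  catchall' > "$d/virtuals"
    printf '%s\n' 'bob@example.com' 'old@example.com' > "$d/addrs"
    addrs_drift "$d/virtuals" "$d/addrs"
    list_catchalls "$d/virtuals" | sed 's/^/catch-all: /'
    rm -rf "$d"
}
```

A "-" line is the case the question worries about: an address still accepted at RCPT TO that no longer has a mailbox, so the message is scanned and then bounced.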