
Resolved problem with fake email address

thanks trialotto
I added 127.0.0.0/128, ::1/128 and my server IP/32 to the whitelist, then I removed the "POP3 before SMTP lock time ... minutes" setting. After that I cannot send email with fake email addresses, but with the valid email addresses I get the:

'[email protected]' on 6/13/2016 9:28 AM

Server error: '454 4.7.1 <[email protected]>: Relay access denied'
 
@rout3rx

Well, original problem solved, some new challenges are present.

It is not entirely clear what you mean by
I add 127.0.0.0/128 , ::1/128 and my server ip/32 in whitelist

Which whitelist and why the "odd" 127.0.0.1/128 range?

Do you mean the "whitelist" as in the tab on "Server-wide mail settings"? If true, it is not necessary or should not be necessary to add any IP over there.

Please remove any entry from the whitelist: it is better to have no IPs whitelisted, than having a whitelist with badly formed IP ranges.

It also is not clear what you mean by
Server error: '454 4.7.1 <[email protected]>: Relay access denied'

I suppose this is an error notification on the Gmail server side. Am I correct?

If true, you should note two things and one remark, so let's start with the things to be noted:

- Gmail has a "learning algorithm" that can easily take some days to determine that specific mail is not spam (this is probably not relevant for your case)
- Gmail does not really require port 587, but it can be a pain-in-the-a** when trying to use the other port (465)

and the one remark is that Google has a decent "manual" at https://support.google.com/mail/troubleshooter/1668960?hl=en&rd=1

Go for the IMAP option and use ports 465 (smtps) and 993 (imaps).

By the way, I would never recommend the POP3 option, since the advantage of IMAP is that one ends up with a "backup" of all mail (if properly configured though).


Hope the above helps a bit..... just let me know.

Regards...
 
thanks for your explain
I cannot disable the POP3 option, as my customers need it. Checking the validity of users just worked when I disabled the POP3 options, but after that I cannot send any email and it returns back with "relay access denied".
I think there is no solution for securing relay on Plesk!!!
 
@rout3rx

It should not occur, that "relay access denied". Have you tried to use the 465 and 995 (pop3s) ports? I know, the answer is probably "yes".

I am more of a Qmail guy; did you try that? And if you try it, do the problems (re-)occur?

In essence, there is always a solution for securing "relay" (not the proper term, in this case) and this will always involve TLS enforcement.

However, a secure "relay" (again, what is in a word?) does not imply that mail clients (Outlook, Gmail etc.) are well-behaved or functioning properly.

Nevertheless, I am willing to spend some time to have a look together at this particular issue, but at the moment I do lack available time.

If you have some patience and send me a PM, we can have a look at it, somewhere in the near future. I should have some time left to replicate the issue.

Regards....
 
It should not occur, that "relay access denied". Have you tried to use the 465 and 995 (pop3s) ports? I know, the answer is probably "yes".
Yes, I use 995 in default mode.
I am more a Qmail guy, did you try that? And if you try it, do the problems (re-occur)?
I switched to Qmail but the problem still exists, unfortunately.

Do you have this problem on your Plesk?
I think I should change a configuration in the Postfix configuration...
 
After a long research and asking questions in other forums, I found a way, but it worked conversely!

smtpd_sender_login_maps=hash:/var/spool/postfix/plesk/virtual
smtpd_sender_restrictions = reject_sender_login_mismatch


By default I should be able to reject every email that is not listed in /var/spool/postfix/plesk/virtual, but I can send emails with every user that is not present in this file!

Why???
 
Hi rout3rx,
I noticed you didn't have this line in your main.cf...
Code:
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

See if that helps,
Regards

Lloyd
 
This means there is no way to remediate this? :(
It's a security problem! Some services like Gmail or Yahoo fix this! Can you give me a patch or any configuration to solve this for now?
Thanks
 
This is default SMTP protocol behaviour. Indeed, this probably can be changed on the server side, but it requires research. I will have a meeting with our Project Managers on Monday to evaluate costs and the possibility to implement this, I will update this thread with results then.
 
Discussed with PMs - unfortunately, right now we cannot suggest anything to restrict such behaviour. It cannot be done easily. This was added to the plan, but will not be done earlier than in the next Plesk version.

Such an issue may occur in case a spammer compromises an existing mail account and starts sending spam. To prevent this I can recommend limiting outgoing mail and setting password strength requirements to "high".
http://docs.plesk.com/en-US/12.5/ad...t/mail-settings/limiting-outgoing-mail.73362/
 
Hello,
there is a problem with the mail service in Plesk.
When you add a user in Outlook you can change your account settings, change the user information field and save; finally your emails are sent with your changes. For example, your valid email is: [email protected]
but you can send emails with: [email protected]

How can I restrict this?

On my clean Plesk testbox I've solved this using one additional Postfix option, reject_authenticated_sender_login_mismatch.
This option means the email is rejected in case the client is not logged in as the owner of that MAIL FROM address.

So now if I'm trying to send email outside of my Plesk box from Outlook using account [email protected], but with From: [email protected], my email is immediately rejected by the Plesk server:

Your message did not reach some or all of the intended recipients.
Subject: test postfix option

The following recipient(s) cannot be reached:

Dmitri Libenzon on 01/07/16 03:58

Server error: '553 5.7.1 <[email protected]>: Sender address rejected: not owned by user mail1'


How to enable the option:

1. add the option to postfix 'smtpd_sender_restrictions'
in ssh console execute as root user:
postconf -e "smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch, $(postconf -h smtpd_sender_restrictions)"

2. restart postfix:
/etc/init.d/postfix restart

You can check more postfix options here:
http://www.postfix.org/postconf.5.html#reject_authenticated_sender_login_mismatch
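The 553 response shown above is what the sending client sees; on the server the same rejection is written to the mail log, which is where an administrator would watch for it. The following is an added example (not from dash, Plesk or the Postfix project) that filters Postfix-style "NOQUEUE: reject" lines for "Sender address rejected: not owned by user", tallies them per authenticated login, and lists logins that repeatedly tried to send as an address they do not own, which is the compromised-account pattern AndreyZ mentions earlier in the thread. The log lines, hosts and account names are constructed for this example; the exact log line layout on a given Plesk version may differ slightly, so adjust the pattern to your own maillog.

```python
import re
from collections import defaultdict

# Constructed sample maillog lines (not taken from the thread), modelled on the
# standard Postfix "NOQUEUE: reject" format. Lines 1-3 are the server-side record
# of the 553 response the post shows from the client side; line 4 is an ordinary
# authentication line and line 5 an unrelated relay rejection, so the filter has
# something to ignore.
SAMPLE_LOG = """\
Jul  1 03:58:02 mx postfix/smtpd[2143]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 553 5.7.1 <ceo@example.com>: Sender address rejected: not owned by user mail1; from=<ceo@example.com> to=<alice@example.net> proto=ESMTP helo=<WORKSTATION>
Jul  1 03:58:05 mx postfix/smtpd[2143]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 553 5.7.1 <ceo@example.com>: Sender address rejected: not owned by user mail1; from=<ceo@example.com> to=<bob@example.net> proto=ESMTP helo=<WORKSTATION>
Jul  1 03:58:09 mx postfix/smtpd[2150]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 553 5.7.1 <billing@example.org>: Sender address rejected: not owned by user mail2; from=<billing@example.org> to=<carol@example.net> proto=ESMTP helo=<mail>
Jul  1 03:58:12 mx postfix/smtpd[2151]: 4B2C1E5A9F: client=unknown[192.0.2.10], sasl_method=LOGIN, sasl_username=mail3
Jul  1 03:58:14 mx postfix/smtpd[2152]: NOQUEUE: reject: RCPT from unknown[192.0.2.55]: 454 4.7.1 <dave@example.net>: Relay access denied; from=<x@example.com> to=<dave@example.net> proto=ESMTP helo=<x>
"""

# Only the rejection produced by reject_authenticated_sender_login_mismatch matches:
# client host and IP, the MAIL FROM address that was claimed, and the SASL login
# that actually authenticated.
MISMATCH_RE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"553 5\.7\.1 <(?P<spoofed>[^>]*)>: Sender address rejected: "
    r"not owned by user (?P<login>[^;]+);"
)


def parse_mismatch(line):
    """Return the fields of one sender-login-mismatch rejection, or None for any other line."""
    m = MISMATCH_RE.search(line)
    return m.groupdict() if m else None


def summarize(log_text):
    """Aggregate mismatch rejections per authenticated login: count, claimed addresses, client IPs."""
    summary = defaultdict(lambda: {"attempts": 0, "spoofed": set(), "ips": set()})
    for line in log_text.splitlines():
        hit = parse_mismatch(line)
        if hit is None:
            continue
        entry = summary[hit["login"]]
        entry["attempts"] += 1
        entry["spoofed"].add(hit["spoofed"])
        entry["ips"].add(hit["ip"])
    return dict(summary)


def flag_accounts(summary, threshold=2):
    """Logins with at least `threshold` rejected attempts: candidates for a password reset and review."""
    return sorted(login for login, e in summary.items() if e["attempts"] >= threshold)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for login, e in report.items():
        print(f"{login}: {e['attempts']} rejected, claimed={sorted(e['spoofed'])}, ips={sorted(e['ips'])}")
    print("accounts to review:", flag_accounts(report))
```

Run against a real log with `summarize(open("/var/log/maillog").read())`; the threshold is deliberately low because a legitimate user mistyping their From address produces one or two rejections, while a compromised account produces a steady stream from the same client IP.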
 
@dash,

Known solution.

But it seems to be problematic if I post solutions in specific threads, you can ask NatalyF about it.

This specific solution, as described by you, is something that should be enabled by default on Plesk.

This specific solution is an additional security measure that would have prevented many "attacks" (read: attempts to hack into the mail server or to use the mail server for spam).

These "attacks" have been present for many weeks on almost every Plesk instance and Fail2Ban fails to act appropriately.

In short, would you be so kind and discuss your solution internally, so the next micro-update can contain this small change in config?

I will inform @AndreyZ, so he will be more or less up to date.

Regards........
 
@trialotto
As usual, thanks for your feedback.
Known solution.
That's great, I've tried this option for the first time :) So, does it really work as expected to solve the initial post in this thread completely?

But it seems to be problematic if I post solutions in specific threads, you can ask NatalyF about it
Sounds intriguing. ok, I will.

In short, would you be so kind and discuss your solution internally, so the next micro-update can contain this small change in config?

I will inform @AndreyZ, so he will be more or less up to date.
Sure, I will discuss it with Andrey. My current understanding is that this particular option is good as a default for a shared hosting environment. But I'm afraid it can break some scenarios for individual admins with dedicated servers. It's not included in the default Postfix configuration itself.
 
@dash,

So, does it really work as expected to solve initial post in this thread completely?

Ehm, well, eh.....ehm, "yes, but not really": a number of settings should be applied, that is the whole problem with Postfix (and to a lesser degree, also with Qmail).

I have suggested some specific settings to @AndreyZ, mainly "client restriction settings", and we also discussed some functionality of Postfix's anvil, that is underused at the moment.

I will add you to that conversation, I suppose that you and Andrey do not object.

Please note that it is a conversation with respect to Fail2Ban default jails, which discussion currently seems to be going in the direction of a tweak of both Postfix and Fail2Ban settings.

So the particular discussion seems to be somewhat off topic, but I suggest that we enter the "Postfix factor" into the equation: discuss possibilities of Postfix settings.

Regards........
 
a number of settings should be applied, that is the whole problem with Postfix (and to a lesser degree, also with Qmail).
That's true. As Forrest Gump's mom said "postfix is like a box of chocolates. You never know what you're gonna get."
Too many different options/combinations. So I would like to recommend keeping Plesk defaults and enabling additional options very, very carefully if necessary.
 
Hi rout3rx,

pls. make sure that the recommended setting "reject_authenticated_sender_login_mismatch" is placed in the correct order, as for example:

Code:
smtpd_sender_restrictions =
    check_sender_access hash:/var/spool/postfix/plesk/blacklists,
    permit_sasl_authenticated,
    reject_authenticated_sender_login_mismatch
... and pls. try to include your current main.cf/master.cf if you changed it in the past, so that people willing to help you don't have to guess your current settings.
 
Of course, dear.
This is my main.cf content:
Code:
readme_directory = /usr/share/doc/postfix-2.11.5/README_FILES
#smtpd_sender_login_maps = hash:/var/spool/postfix/plesk/virtual
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated, reject_authenticated_sender_login_mismatch,
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
non_smtpd_milters =
smtpd_tls_mandatory_protocols = TLSv1 TLSv1.1 TLSv1.2
smtpd_tls_protocols = TLSv1 TLSv1.1 TLSv1.2
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = HIGH:!aNULL:!MD5
virtual_mailbox_domains = $virtual_mailbox_maps, hash:/var/spool/postfix/plesk/virtual_domains
virtual_alias_maps = $virtual_maps, hash:/var/spool/postfix/plesk/virtual
virtual_mailbox_maps = , hash:/var/spool/postfix/plesk/vmailbox
transport_maps = , hash:/var/spool/postfix/plesk/transport
smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtp_tls_security_level = may
smtp_use_tls = no
smtpd_timeout = 3600s
smtpd_proxy_timeout = 3600s
disable_vrfy_command = yes
mynetworks = , 127.0.0.0/8, [::1]/128, hash:/var/spool/postfix/plesk-pop/poplock
smtp_send_xforward_command = yes
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_sasl_auth_enable = yes
virtual_mailbox_base = /var/qmail/mailnames
virtual_uid_maps = static:110
virtual_gid_maps = static:31
smtpd_milters = , inet:127.0.0.1:12768
sender_dependent_default_transport_maps = hash:/var/spool/postfix/plesk/sdd_transport_maps
virtual_transport = plesk_virtual
plesk_virtual_destination_recipient_limit = 1
mailman_destination_recipient_limit = 1
mailbox_size_limit = 0
virtual_mailbox_limit = 0
message_size_limit = 10240000

and master.cf
Code:
plesk_virtual unix - n n - - pipe flags=DORhu user=popuser:popuser argv=/usr/lib64/plesk-9.0/postfix-local -f ${sender} -d ${recipient} -p /var/qmail/mailnames
mailman unix - n n - - pipe flags=R user=mailman:mailman argv=/usr/lib64/plesk-9.0/postfix-mailman ${nexthop} ${user} ${recipient}
pickup fifo n - n 60 1 pickup
plesk_saslauthd unix y y n - 1 plesk_saslauthd status=5 listen=6 dbpath=/var/spool/postfix/plesk/passwd.db
qmgr fifo n - n 1 1 qmgr
smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes
plesk-anisabz.net-192.168.15.26- unix - n n - - smtp -o smtp_bind_address=192.168.15.26 -o smtp_bind_address6= -o smtp_address_preference=ipv4 -o smtp_helo_name=anisabz.net
plesk-quiz.kaipod.ir-192.168.15.26- unix - n n - - smtp -o smtp_bind_address=192.168.15.26 -o smtp_bind_address6= -o smtp_address_preference=ipv4 -o smtp_helo_name=quiz.kaipod.ir
plesk-best-idea.ir-192.168.15.26- unix - n n - - smtp -o smtp_bind_address=192.168.15.26 -o smtp_bind_address6= -o smtp_address_preference=ipv4 -o smtp_helo_name=best-idea.ir
plesk-emamhosseini.ir-192.168.15.26- unix - n n - - smtp -o smtp_bind_address=192.168.15.26 -o smtp_bind_address6= -o smtp_address_preference=ipv4 -o smtp_helo_name=emamhosseini.ir
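Two details in the configurations posted in this thread decide whether reject_authenticated_sender_login_mismatch does anything at all. Postfix evaluates each restriction list left to right and stops at the first permit or reject, so the check only runs for authenticated clients if it is listed before permit_sasl_authenticated (dash's postconf -e command prepends it for exactly that reason), and it needs smtpd_sender_login_maps to know which login owns which address (the main.cf above has that line commented out). The following is an added example, not code from Plesk, Postfix or anyone in the thread: a small main.cf parser and audit that reports both conditions. The two configuration fragments are constructed for the example and merely modelled on the settings quoted above; run the audit on your own file with `audit_sender_login_enforcement(parse_main_cf(open("/etc/postfix/main.cf").read()))`, or on the output of `postconf -n`.

```python
import re

# Constructed main.cf fragment (not copied from the thread), modelled on the posted
# settings: the login map is commented out and the permit precedes the reject.
WEAK_MAIN_CF = """\
#smtpd_sender_login_maps = hash:/var/spool/postfix/plesk/virtual
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists,
    permit_sasl_authenticated, reject_authenticated_sender_login_mismatch,
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
"""

# Same fragment with the ownership check moved ahead of the permit and the map enabled.
FIXED_MAIN_CF = """\
smtpd_sender_login_maps = hash:/var/spool/postfix/plesk/virtual
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists,
    reject_authenticated_sender_login_mismatch, permit_sasl_authenticated
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
"""

# Either form enforces MAIL FROM ownership for authenticated clients.
LOGIN_CHECKS = ("reject_authenticated_sender_login_mismatch", "reject_sender_login_mismatch")


def parse_main_cf(text):
    """Parse main.cf syntax: 'name = value', '#' comment lines, and continuation
    lines that begin with whitespace. A commented-out parameter is simply absent."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue
        current = name.strip()
        params[current] = value.strip()
    return params


def split_restrictions(value):
    """Restriction lists are comma and/or whitespace separated; 'type:table' tokens stay whole."""
    return [tok for tok in re.split(r"[,\s]+", value) if tok]


def audit_sender_login_enforcement(params):
    """Return human-readable findings explaining why an authenticated client could
    still use a MAIL FROM address it does not own; an empty list means both conditions hold."""
    findings = []
    restrictions = split_restrictions(params.get("smtpd_sender_restrictions", ""))
    check_positions = [i for i, r in enumerate(restrictions) if r in LOGIN_CHECKS]
    if not check_positions:
        findings.append("no reject_authenticated_sender_login_mismatch in smtpd_sender_restrictions")
    elif ("permit_sasl_authenticated" in restrictions
          and restrictions.index("permit_sasl_authenticated") < check_positions[0]):
        findings.append("permit_sasl_authenticated is evaluated before the ownership check; "
                        "Postfix stops a restriction list at the first permit or reject, "
                        "so the check never runs for authenticated clients")
    if not params.get("smtpd_sender_login_maps"):
        findings.append("smtpd_sender_login_maps is unset or commented out, so Postfix has "
                        "no table mapping sender addresses to the logins that own them")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_MAIN_CF), ("fixed", FIXED_MAIN_CF)):
        print(label, audit_sender_login_enforcement(parse_main_cf(cfg)) or ["ok"])
```

The parser deliberately treats only whole lines starting with `#` as comments, because that is what Postfix does: a `#` in the middle of a value is part of the value. Each smtpd restriction list is evaluated independently, so the permit_sasl_authenticated in smtpd_client_restrictions does not short-circuit the sender list and is correctly not reported.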
 