• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Forwarded to devs Weak Postfix security configuration

O

obendev

Basic Pleskian
User name: lkdvc

TITLE

Weak Postfix security configuration

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk Obsidian v18.0.28_build1800200720.10 os_Ubuntu 18.04
Plesk Email Security 1.1.0-216

PROBLEM DESCRIPTION

After buying the Pro version of the Plesk Email Security extension, I discovered some weak or even missing settings on the Postifx configuration.
With the out of the box setup, you can send from (outside your Plesk server) @paypal.com, @plesk.com or any other domain from any IP, any localhost, any helo to mailboxes registered on Plesk.

smtpd_helo_required http://www.postfix.org/postconf.5.html#smtpd_helo_required should be enabled
Code example:
Code: 
smtpd_helo_required = yes
We definitely want clients to provide a HELO/EHLO hostname.

smtpd_helo_restrictions http://www.postfix.org/postconf.5.html#smtpd_helo_restrictions should be configured
Code example:
Code: 
smtpd_helo_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
This makes postfix reject
  • clients who provide malformed HELO/EHLO hostname
  • clients who provide non-fully qualified HELO/EHLO hostname
  • Emails if the HELO/EHLO hostnames have neither DNS A record nor MX record
smtpd_sender_restrictions http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions should be configured
Code example:
Code: 
smtpd_sender_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_authenticated_sender_login_mismatch
    reject_unknown_client_hostname
    reject_unknown_sender_domain
This makes postfix reject
Note that reject_unknown_client_hostname does not require HELO from SMTP client. It will fetch the hostname from PTR record, then check the A record.

smtpd_recipient_restrictions http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions should be configured
Code example:
Code: 
smtpd_recipient_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    reject_invalid_helo_hostname
    reject_unauth_destination
Also take a look at http://www.postfix.org/postconf.5.html#check_recipient_access

These basic settings can deal with simple characteristics of spam.
Also take a look at Forwarded to devs - smtpd_timeout set too high


With the configurations set above, posts like these wouldn't happen.

Question - Plesk Email Security Pro more info

Hi, we recently have installed PES Pro and I suposse that it's working fine. Basically I need to control the outbound spam. I see that it has detected hundreds of sent mails identified as spam, but what about them? Those spam was blocked? marked? quarantined? Is there any report or log to see...
talk.plesk.com talk.plesk.com

Question - Plesk Email Security Pro and yet getting spam

I found out about the Plesk Email Security extension a while ago and decided to give it a try. It's a nice way to configure server-wide spam settings, I was getting tired of setting it up on a per-mailbox basis. Then I saw that some features like Bayes training and "Daily updates of the...
talk.plesk.com talk.plesk.com

Issue - Not happy with Plesk Email Security

Have installed Plesk Email Security and I'm getting more spam than before I had it installed. I set it to the highest level and it's still letting more through than without it. It is making me not want to purchase it - it's not exactly setting a good example is it? And before you go "it's...
talk.plesk.com talk.plesk.com

STEPS TO REPRODUCE

Check /etc/postfix/main.cf
Email examples with provided header and everything: Question - Lots of incoming spam with Plesk Email Security Pro 1.1.0 (This post would get too long, reached max characters)

ACTUAL RESULT

Email spoofing is possible

EXPECTED RESULT

Email spoofing shouldn't be possible

ANY ADDITIONAL INFORMATION



YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug
 
Last edited:
Thank you!
Good input, we'll work on the improvement in version 1.1.1.
 
Thank you once again @obendev for your detailed post. I've applied all recommended rules and will prepare the release of version 1.1.1. We plan to release it in the first half of next week.

Cheers
 
Offtopic: You can remove the changelog line there
CentOS 8 is temporarily not supported. We are already working on the integration and will add the support in version 1.1.0.
Click to expand...
 
Yes, I already informed my colleagues about it! ;-) Thanks!

Edit: Description has been updated.
 
Last edited:
You must log in or register to reply here.

Similar threads

D
Issue Spoofed Emails Appearing as Sent from My Own Server Despite Correct SPF/DKIM/DMARC Configuration?
Replies
2
Views
601
drdna
D
danami
Forwarded to devs Saving the Mail Server Settings page resets smtpd_recipient_restrictions
Replies
2
Views
1K
danami
danami
T
Issue SMTPD No Auth from IP Issue
Replies
2
Views
2K
Tessxr
T
S
Question Email Security showing SRS spam
Replies
0
Views
2K
shogunswb
S
R
Issue Problem Delivering Emails to Outlook/Hotmail Inbox (Ends up in Spam)
Replies
1
Views
5K
mow
M
Back
Top