Facebook
Twitter
User name: lkdvc
TITLE
Weak Postfix security configuration
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE
Plesk Obsidian v18.0.28_build1800200720.10 os_Ubuntu 18.04
Plesk Email Security 1.1.0-216
PROBLEM DESCRIPTION
After buying the Pro version of the Plesk Email Security extension, I discovered some weak or even missing settings on the Postifx configuration.
With the out of the box setup, you can send from (outside your Plesk server) @paypal.com, @plesk.com or any other domain from any IP, any localhost, any helo to mailboxes registered on Plesk.
Code example:
We definitely want clients to provide a HELO/EHLO hostname.
Code example:
This makes postfix reject
Code example:
This makes postfix reject
Code example:
Also take a look at http://www.postfix.org/postconf.5.html#check_recipient_access
These basic settings can deal with simple characteristics of spam.
Also take a look at Forwarded to devs - smtpd_timeout set too high
With the configurations set above, posts like these wouldn't happen.
talk.plesk.com
talk.plesk.com
talk.plesk.com
STEPS TO REPRODUCE
Check /etc/postfix/main.cf
Email examples with provided header and everything: Question - Lots of incoming spam with Plesk Email Security Pro 1.1.0 (This post would get too long, reached max characters)
ACTUAL RESULT
Email spoofing is possible
EXPECTED RESULT
Email spoofing shouldn't be possible
ANY ADDITIONAL INFORMATION
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM
Confirm bug
TITLE
Weak Postfix security configuration
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE
Plesk Obsidian v18.0.28_build1800200720.10 os_Ubuntu 18.04
Plesk Email Security 1.1.0-216
PROBLEM DESCRIPTION
After buying the Pro version of the Plesk Email Security extension, I discovered some weak or even missing settings on the Postifx configuration.
With the out of the box setup, you can send from (outside your Plesk server) @paypal.com, @plesk.com or any other domain from any IP, any localhost, any helo to mailboxes registered on Plesk.
smtpd_helo_required http://www.postfix.org/postconf.5.html#smtpd_helo_required should be enabledCode example:
Code:
smtpd_helo_required = yessmtpd_helo_restrictions http://www.postfix.org/postconf.5.html#smtpd_helo_restrictions should be configuredCode example:
Code:
smtpd_helo_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
reject_unknown_helo_hostname- clients who provide malformed HELO/EHLO hostname
- clients who provide non-fully qualified HELO/EHLO hostname
- Emails if the HELO/EHLO hostnames have neither DNS A record nor MX record
smtpd_sender_restrictions http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions should be configuredCode example:
Code:
smtpd_sender_restrictions =
permit_mynetworks
permit_sasl_authenticated
reject_authenticated_sender_login_mismatch
reject_unknown_client_hostname
reject_unknown_sender_domain- See Postfix Configuration Parameters
- See Postfix Configuration Parameters
- Emails if the domain name of the address supplied with the MAIL FROM command has neither MX record nor A record
smtpd_recipient_restrictions http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions should be configuredCode example:
Code:
smtpd_recipient_restrictions =
permit_sasl_authenticated
permit_mynetworks
reject_invalid_helo_hostname
reject_unauth_destinationThese basic settings can deal with simple characteristics of spam.
Also take a look at Forwarded to devs - smtpd_timeout set too high
With the configurations set above, posts like these wouldn't happen.
Question - Plesk Email Security Pro more info
Hi, we recently have installed PES Pro and I suposse that it's working fine. Basically I need to control the outbound spam. I see that it has detected hundreds of sent mails identified as spam, but what about them? Those spam was blocked? marked? quarantined? Is there any report or log to see...
Question - Plesk Email Security Pro and yet getting spam
I found out about the Plesk Email Security extension a while ago and decided to give it a try. It's a nice way to configure server-wide spam settings, I was getting tired of setting it up on a per-mailbox basis. Then I saw that some features like Bayes training and "Daily updates of the...
talk.plesk.com
Issue - Not happy with Plesk Email Security
Have installed Plesk Email Security and I'm getting more spam than before I had it installed. I set it to the highest level and it's still letting more through than without it. It is making me not want to purchase it - it's not exactly setting a good example is it? And before you go "it's...
STEPS TO REPRODUCE
Check /etc/postfix/main.cf
Email examples with provided header and everything: Question - Lots of incoming spam with Plesk Email Security Pro 1.1.0 (This post would get too long, reached max characters)
ACTUAL RESULT
Email spoofing is possible
EXPECTED RESULT
Email spoofing shouldn't be possible
ANY ADDITIONAL INFORMATION
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM
Confirm bug
Last edited:
