
[Forwarded to devs] Weak Postfix security configuration

obendev

User name: lkdvc

TITLE

Weak Postfix security configuration

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk Obsidian v18.0.28_build1800200720.10 os_Ubuntu 18.04
Plesk Email Security 1.1.0-216

PROBLEM DESCRIPTION

After buying the Pro version of the Plesk Email Security extension, I discovered some weak or even missing settings in the Postfix configuration.
With the out of the box setup, you can send from (outside your Plesk server) @paypal.com, @plesk.com or any other domain from any IP, any localhost, any helo to mailboxes registered on Plesk.

smtpd_helo_required http://www.postfix.org/postconf.5.html#smtpd_helo_required should be enabled
Code example:
smtpd_helo_required = yes
We definitely want clients to provide a HELO/EHLO hostname.

smtpd_helo_restrictions http://www.postfix.org/postconf.5.html#smtpd_helo_restrictions should be configured
Code example:
smtpd_helo_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
This makes postfix reject
  • clients who provide malformed HELO/EHLO hostname
  • clients who provide non-fully qualified HELO/EHLO hostname
  • Emails if the HELO/EHLO hostnames have neither DNS A record nor MX record
smtpd_sender_restrictions http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions should be configured
Code example:
smtpd_sender_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_authenticated_sender_login_mismatch
    reject_unknown_client_hostname
    reject_unknown_sender_domain
This makes postfix reject
Note that reject_unknown_client_hostname does not require HELO from SMTP client. It will fetch the hostname from PTR record, then check the A record.

smtpd_recipient_restrictions http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions should be configured
Code example:
smtpd_recipient_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    reject_invalid_helo_hostname
    reject_unauth_destination
Also take a look at http://www.postfix.org/postconf.5.html#check_recipient_access

These basic settings can deal with simple characteristics of spam.
Also take a look at Forwarded to devs - smtpd_timeout set too high


With the configurations set above, posts like these wouldn't happen.

STEPS TO REPRODUCE

Check /etc/postfix/main.cf
Email examples with provided header and everything: Question - Lots of incoming spam with Plesk Email Security Pro 1.1.0 (This post would get too long, reached max characters)

ACTUAL RESULT

Email spoofing is possible

EXPECTED RESULT

Email spoofing shouldn't be possible

ANY ADDITIONAL INFORMATION



YOUR EXPECTATIONS FROM PLESK SERVICE TEAM


Confirm bug
Thank you!
Good input, we'll work on the improvement in version 1.1.1.
 
Thank you once again @obendev for your detailed post. I've applied all recommended rules and will prepare the release of version 1.1.1. We plan to release it in the first half of next week.

Cheers
 
Offtopic: You can remove the changelog line there
CentOS 8 is temporarily not supported. We are already working on the integration and will add the support in version 1.1.0.
 
Yes, I already informed my colleagues about it! ;-) Thanks!

Edit: Description has been updated.