• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Forwarded to devs Weak Postfix security configuration

obendev

Basic Pleskian
User name: lkdvc

TITLE

Weak Postfix security configuration

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk Obsidian v18.0.28_build1800200720.10 os_Ubuntu 18.04
Plesk Email Security 1.1.0-216

PROBLEM DESCRIPTION

After buying the Pro version of the Plesk Email Security extension, I discovered some weak or even missing settings on the Postifx configuration.
With the out of the box setup, you can send from (outside your Plesk server) @paypal.com, @plesk.com or any other domain from any IP, any localhost, any helo to mailboxes registered on Plesk.

smtpd_helo_required http://www.postfix.org/postconf.5.html#smtpd_helo_required should be enabled
Code example:
Code:
smtpd_helo_required = yes
We definitely want clients to provide a HELO/EHLO hostname.

smtpd_helo_restrictions http://www.postfix.org/postconf.5.html#smtpd_helo_restrictions should be configured
Code example:
Code:
smtpd_helo_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
This makes postfix reject
  • clients who provide malformed HELO/EHLO hostname
  • clients who provide non-fully qualified HELO/EHLO hostname
  • Emails if the HELO/EHLO hostnames have neither DNS A record nor MX record
smtpd_sender_restrictions http://www.postfix.org/postconf.5.html#smtpd_sender_restrictions should be configured
Code example:
Code:
smtpd_sender_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_authenticated_sender_login_mismatch
    reject_unknown_client_hostname
    reject_unknown_sender_domain
This makes postfix reject
Note that reject_unknown_client_hostname does not require HELO from SMTP client. It will fetch the hostname from PTR record, then check the A record.

smtpd_recipient_restrictions http://www.postfix.org/postconf.5.html#smtpd_recipient_restrictions should be configured
Code example:
Code:
smtpd_recipient_restrictions =
    permit_sasl_authenticated
    permit_mynetworks
    reject_invalid_helo_hostname
    reject_unauth_destination
Also take a look at http://www.postfix.org/postconf.5.html#check_recipient_access

These basic settings can deal with simple characteristics of spam.
Also take a look at Forwarded to devs - smtpd_timeout set too high


With the configurations set above, posts like these wouldn't happen.

STEPS TO REPRODUCE

Check /etc/postfix/main.cf
Email examples with provided header and everything: Question - Lots of incoming spam with Plesk Email Security Pro 1.1.0 (This post would get too long, reached max characters)

ACTUAL RESULT

Email spoofing is possible

EXPECTED RESULT

Email spoofing shouldn't be possible

ANY ADDITIONAL INFORMATION



YOUR EXPECTATIONS FROM PLESK SERVICE TEAM


Confirm bug
 
Last edited:
Thank you!
Good input, we'll work on the improvement in version 1.1.1.
 
Thank you once again @obendev for your detailed post. I've applied all recommended rules and will prepare the release of version 1.1.1. We plan to release it in the first half of next week.

Cheers
 
Offtopic: You can remove the changelog line there
CentOS 8 is temporarily not supported. We are already working on the integration and will add the support in version 1.1.0.
 
Yes, I already informed my colleagues about it! ;-) Thanks!

Edit: Description has been updated.
 
Last edited:
Back
Top