To keep the Postfix mail server from being abused to send forged spam, the following experiment was carried out and SMTP authentication was then added.
Analyze SMTP sending
First remove the internal IP address from the mail server's trusted networks (mynetworks), then test sending mail with a forged sender address:

```
root@slackbox [~]# telnet mail.xxxxxx.com 25
Trying 10.70.253.52...
Connected to mail.xxxxxx.com.
Escape character is '^]'.
220 mail.xxxxxx.com ESMTP Postfix
mail from: abc@xxxxxx.com        # start the message without SMTP authentication; the sender abc@xxxxxx.com is forged, abc is not a real user
250 2.1.0 OK                     # the server answers OK, so the sender was not authenticated
rcpt to: jhuang@xxxxxx.com       # recipient set to myself
250 2.1.5 OK                     # the server answers OK
data                             # write the message body
354 End data with <CR><LF>.<CR><LF>
Sfafafdsfafasfasfas
Afsdasfsfasfsafas
.                                # end the message and send it
250 2.0.0 OK: queued as 6c0fc3d5288   # the server reports the message has entered the delivery queue
```
At the same time the mail server log shows the message as delivered (status=sent). The experiment shows that the server did not require SMTP authentication at all.
Adding SMTP authentication to close the hole
Postfix Configuration
```
# Maps used to check which sender addresses a login name owns
smtpd_sender_login_maps = ldap:/etc/postfix/ldap-users.cf,
    ldap:/etc/postfix/ldap-mailbox.cf

# Do not accept senders that are not in the list
smtpd_reject_unlisted_sender = yes

# Require a HELO/EHLO before MAIL FROM
smtpd_helo_required = yes
```

The following entries are added to smtpd_recipient_restrictions:

```
reject_sender_login_mismatch,
reject_authenticated_sender_login_mismatch,
reject_unauthenticated_sender_login_mismatch,
reject_non_fqdn_hostname,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_invalid_hostname,
```
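The settings above only protect the server if they are spelled correctly and, for the restriction list, evaluated in the right order: Postfix walks smtpd_recipient_restrictions from top to bottom and stops at the first restriction that permits or rejects, so a reject_*sender_login_mismatch entry placed after permit_sasl_authenticated never fires for an authenticated client, and reject_unauth_destination (or an equivalent in smtpd_relay_restrictions) must be present or the server relays for anyone. The following script is an added example, not code from the original page; it parses a main.cf fragment and reports which of these checks fail. Both sample configurations are constructed for the demonstration (the LDAP map paths are the ones from the page).

```python
"""Audit a Postfix main.cf fragment for the anti-forgery settings described above.

Added example, not part of the original page. It parses main.cf syntax
(``key = value`` with indented continuation lines) and checks the parameters
the page sets plus the ordering of smtpd_recipient_restrictions.
"""
import re

# Constructed hardened fragment: the page's settings plus the permit/reject
# entries a working restriction list needs. The login-mismatch reject comes
# *before* permit_sasl_authenticated; otherwise an authenticated client is
# permitted before its sender address is ever compared to its login name.
HARDENED_MAIN_CF = """\
smtpd_sender_login_maps = ldap:/etc/postfix/ldap-users.cf,
    ldap:/etc/postfix/ldap-mailbox.cf
smtpd_reject_unlisted_sender = yes
smtpd_helo_required = yes
smtpd_recipient_restrictions =
    reject_sender_login_mismatch,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_invalid_hostname,
    reject_unauth_destination
"""

# Constructed weak fragment: the mismatch check exists but is evaluated too
# late, and the HELO / unlisted-sender settings are missing.
WEAK_MAIN_CF = """\
smtpd_sender_login_maps = ldap:/etc/postfix/ldap-users.cf
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_sender_login_mismatch, reject_unauth_destination
"""

# Any one of these enforces the login-name / sender-address match.
LOGIN_MISMATCH = {
    "reject_sender_login_mismatch",
    "reject_authenticated_sender_login_mismatch",
    "reject_unauthenticated_sender_login_mismatch",
}


def parse_main_cf(text):
    """Return {parameter: value}; a line starting with whitespace continues the previous value."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] += " " + raw.strip()
            continue
        key, sep, value = raw.partition("=")
        if sep:
            current = key.strip()
            params[current] = value.strip()
    return params


def restrictions(params, name):
    """Split a restriction list (comma or whitespace separated) into lowercase tokens."""
    return [t.lower() for t in re.split(r"[,\s]+", params.get(name, "")) if t]


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    p = parse_main_cf(text)
    findings = []
    if not p.get("smtpd_sender_login_maps"):
        findings.append("smtpd_sender_login_maps unset: sender ownership cannot be checked")
    for key in ("smtpd_reject_unlisted_sender", "smtpd_helo_required"):
        if p.get(key, "").lower() != "yes":
            findings.append(f"{key} is not 'yes'")
    rcpt = restrictions(p, "smtpd_recipient_restrictions")
    relay = restrictions(p, "smtpd_relay_restrictions")
    mismatch_idx = [i for i, t in enumerate(rcpt) if t in LOGIN_MISMATCH]
    if not mismatch_idx:
        findings.append("no reject_*sender_login_mismatch in smtpd_recipient_restrictions")
    elif "permit_sasl_authenticated" in rcpt and rcpt.index("permit_sasl_authenticated") < mismatch_idx[0]:
        findings.append("permit_sasl_authenticated precedes the login-mismatch reject, so it never fires for authenticated clients")
    if "reject_unauth_destination" not in rcpt + relay:
        findings.append("reject_unauth_destination missing: relaying is not restricted")
    return findings


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED_MAIN_CF), ("weak", WEAK_MAIN_CF)):
        print(label, audit(cfg) or ["ok"])
```

On a real server, feed the script the output of `postconf -n` instead of the constructed fragments; the parser accepts the same `key = value` syntax.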
Test 1: try to send an email directly without authentication

```
# telnet mail.xxxxxx.com 25
Trying 10.70.253.52...
Connected to mail.xxxxxx.com.
Escape character is '^]'.
220 "mail.xxxxxx.com Mail System"
mail from: jhuang@xxxxxx.com
250 2.1.0 OK
rcpt to: jhuang@xxxxxx.com
553 5.7.1 <jhuang@xxxxxx.com>: Sender address rejected: not logged in
```

This shows that senders must now authenticate; mail cannot be sent without SMTP authentication.
Test 2: authenticate over SMTP, then send an email with a forged, nonexistent sender address

```
# telnet mail.xxxxxx.com 25
Trying 10.70.253.52...
Connected to mail.xxxxxx.com.
Escape character is '^]'.
220 "mail.xxxxxx.com Mail System"
AUTH LOGIN
334 VXNlcm5hbWU6
amh1YW5n
334 ugfzc3dvcsfafafmq6
Bg92zxdpbm5pzxlpbg=
235 2.7.0 Authentication successful
mail from: abc@xxxxxx.com
250 2.1.0 OK
rcpt to: jhuang@xxxxxx.com
550 5.1.0 <abc@xxxxxx.com>: Sender address rejected: User unknown in local recipient table
```

Even after authenticating, a nonexistent local address cannot be forged as the sender.
Test 3: authenticate over SMTP, then send an email impersonating another user's address

```
# telnet mail.xxxxxx.com 25
Trying 10.70.253.52...
Connected to mail.xxxxxx.com.
220 "mail.xxxxxx.com Mail System"
AUTH LOGIN
334 VXNlcm5hbWU6
amh1YW5n
334 ugfzlllkokopkc3dvcmq6
Bg92zxdpbm5pzxlpbg=
235 2.7.0 Authentication successful
mail from: lxiong@xxxxxx.com
250 2.1.0 OK
rcpt to: jhuang@xxxxxx.com
553 5.7.1 <lxiong@xxxxxx.com>: Sender address rejected: not owned by user jhuang
```

Mail is rejected when the authenticated login name does not match the sender address.
Test 4: relaying is refused
```
# telnet mail.xxxxxx.com 25
Trying 10.70.253.52...
Connected to mail.xxxxxx.com.
Escape character is '^]'.
220 mail.xxxxxx.com ESMTP Postfix
mail from: address1@163.com
250 2.1.0 OK
rcpt to: address2@yeah.net
554 5.7.1 <address2@yeah.net>: Recipient address rejected: Access denied
```
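Once the restrictions are in place, each of the four rejections above leaves a `NOQUEUE: reject:` line in the Postfix log, which is where abuse attempts can be monitored afterwards. The script below is an added example, not part of the original page: it parses reject lines in Postfix's smtpd log format, groups them by rejection reason and client IP, and singles out "not owned by user" rejections, since an authenticated account trying to send as someone else is a common sign of a stolen password. The log lines, IP addresses and the per-client threshold are constructed for the demonstration, and the mapping of "Access denied" to a relay refusal follows the Test 4 output rather than a fixed Postfix rule.

```python
"""Summarise Postfix smtpd reject events produced by the restrictions above.

Added example, not part of the original page. The log lines below are
constructed in Postfix's NOQUEUE reject format to mirror the four tests;
they are not real server logs.
"""
import re
from collections import Counter

# Constructed sample log: one line per test above, plus one accepted,
# authenticated session that the reject parser must ignore.
SAMPLE_MAILLOG = """\
Mar  3 10:12:01 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[10.70.1.20]: 553 5.7.1 <jhuang@xxxxxx.com>: Sender address rejected: not logged in; from=<jhuang@xxxxxx.com> to=<jhuang@xxxxxx.com> proto=SMTP helo=<slackbox>
Mar  3 10:13:44 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[10.70.1.20]: 550 5.1.0 <abc@xxxxxx.com>: Sender address rejected: User unknown in local recipient table; from=<abc@xxxxxx.com> to=<jhuang@xxxxxx.com> proto=SMTP helo=<slackbox>
Mar  3 10:15:09 mail postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[10.70.1.20]: 553 5.7.1 <lxiong@xxxxxx.com>: Sender address rejected: not owned by user jhuang; from=<lxiong@xxxxxx.com> to=<jhuang@xxxxxx.com> proto=SMTP helo=<slackbox>
Mar  3 10:16:30 mail postfix/smtpd[1240]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <address2@yeah.net>: Recipient address rejected: Access denied; from=<address1@163.com> to=<address2@yeah.net> proto=SMTP helo=<mx>
Mar  3 10:16:31 mail postfix/smtpd[1240]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <address3@yeah.net>: Recipient address rejected: Access denied; from=<address1@163.com> to=<address3@yeah.net> proto=SMTP helo=<mx>
Mar  3 10:17:02 mail postfix/smtpd[1241]: 9B2C13D5290: client=unknown[10.70.1.21], sasl_method=LOGIN, sasl_username=jhuang
"""

# Postfix smtpd reject line: client host/IP, SMTP code, enhanced status code,
# the address complained about, the reason text, and the envelope addresses.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\S+) <(?P<addr>[^>]*)>: (?P<reason>[^;]+); "
    r"from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)>"
)
OWNER_RE = re.compile(r"not owned by user (\S+)")


def classify(reason):
    """Map a reject reason to the restriction that produced it (see the four tests)."""
    r = reason.lower()
    if "not logged in" in r:
        return "unauthenticated_sender"   # reject_unauthenticated_sender_login_mismatch
    if "not owned by user" in r:
        return "login_mismatch"           # reject_authenticated_sender_login_mismatch
    if "user unknown" in r:
        return "unknown_sender"           # smtpd_reject_unlisted_sender
    if "access denied" in r:
        return "relay_denied"             # relay attempt refused (assumed from Test 4)
    return "other"


def summarize(log_text, threshold=3):
    """Count rejects by client IP and category; list spoof attempts and noisy clients."""
    by_client, by_category, spoof_attempts = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue                       # accepted mail and other events are skipped
        by_client[m["ip"]] += 1
        by_category[classify(m["reason"])] += 1
        owner = OWNER_RE.search(m["reason"])
        if owner:                          # login name differs from the claimed sender
            spoof_attempts.append((owner.group(1), m["from"], m["ip"]))
    noisy = sorted(ip for ip, n in by_client.items() if n >= threshold)
    return {
        "by_client": dict(by_client),
        "by_category": dict(by_category),
        "spoof_attempts": spoof_attempts,
        "noisy_clients": noisy,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_MAILLOG).items():
        print(f"{key}: {value}")
```

In production the same function can be run over `/var/log/maillog` (or the journal) on a schedule; the `spoof_attempts` list is the one worth alerting on, because the login name it carries identifies the account whose credentials are being used.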