Home > Others

Postfix email server security

Source: Internet
Author: User
Tags ldap
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

To prevent unauthorized use of the Postfix email server, the server uses it to send forged spam messages. The following experiment is conducted and SMTP verification is added.

Analyze SMTP sending
Remove the internal IP address from the trusted network of the email, and then test the mail sending (relying on the mail sender)

 

  2. Root @ slackbox [~] # Telnet mail.xxxxxx.com 25
  4. Trying 10.70.253.52...
  6. Connected to mail.xxxxxx.com.
  8. Escape Character is '^]'.
  10. 220 mail.xxxxxx.com ESMTP Postfix
  12. Mail from: abc@XXXXXX.com # directly initiate the mail without SMTP authentication, and forge the sender as a abc@XXXXXX.com, ABC is actually not a user
  14. 250 2.1.0 OK # The server returns OK, indicating that the server has not authenticated the sender.
  16. Rcpt to: jhuang@XXXXXX.com # specify the recipient as me
  18. 250 2.1.5 OK # The server returns OK
  20. Data # Write email
  22. 354 end data<Cr><Lf>.<Cr><Lf> 
  24. Sfafafdsfafasfasfas
  26. Afsdasfsfasfsafas
  28. . # End the email and send it.
  30. 250 2.0.0 OK: queued as 6c0fc3d5288 # The server returns that the email has entered the sending queue.

At the same time, the mail server log shows that the mail has been sent: Status = sent, the above experiment shows that the mail server has not been SMTP certified.

Added SMTP authentication to block Vulnerabilities
Postfix Configuration

 

  2. # Specify Sender authentication Logon
  4. Smtpd_sender_login_maps=LDAP:/Etc/Postfix/ldap-users.cf,
  6. LDAP:/etc/Postfix/ldap-mailbox.cf.
  8. # Do not allow senders not in the list
  10. Smtpd_reject_unlisted_sender=Yes 
  12. # Helo information required
  14. Smtp_helo_required=Yes 
  16. The following content is added to the smtpd_recipient_restrictions section:
  18. Reject_sender_login_mismatch
  20. Reject_authenticated_sender_login_mismatch,
  22. Reject_unauthenticated_sender_login_mismatch,
  24. Reject_non_fqdn_hostname,
  26. Reject_non_fqdn_sender,
  28. Reject_non_fqdn_recipient,
  30. Reject_invalid_hostname,

Test 1: try to send an email directly without verification

 

    1. # telnet mail.xxxxxx.com 25
    2. trying 10.70.253.52...
    3. connected to mail.xxxxxx.com.
    4. escape character is '^]'.
    5. 220 "mail.xxxxxx.com Mail System"
    6. mail from: jhuang@XXXXXX.com
    7. 50 2.1.0 OK
    8. rcpt to: jhuang@XXXXXX.com
    9. 553 5.7.1 jhuang @ xxxxxx.com > : sender address rejected: not logged in

It indicates that the sent mail must be SMTP authenticated. emails cannot be sent without authentication.

Test 2: Try SMTP authentication and send an email with a forged nonexistent email address

 

  2. # Telnet mail.xxxxxx.com 25
  4. Trying 10.70.253.52...
  6. Connected to mail.xxxxxx.com.
  8. Escape Character is '^]'.
  10. 220 "mail.xxxxxx.com Mail System"
  12. AUTH LOGIN
  14. 334 vxnlcm5hbwu6
  16. Amh1yw5n
  18. 334 ugfzc3dvcsfafafmq6
  20. Bg92zxdpbm5pzxlpbg=
  22. 235 2.7.0 authentication successful
  24. Mail from: abc@XXXXXX.com
  26. 250 2.1.0 OK
  28. Rcpt to: jhuang@XXXXXX.com
  30. 550 5.1.0<ABC@ Xxxxxx.com>: Sender address rejected: User unknown in local recipient tabl

The certificate does not allow forging of a nonexistent local email address to send emails

Test 3: attempt to pass SMTP authentication and send an email by impersonating another email address

 

  2. # Telnet mail.xxxxxx.com 25
  4. Trying 10.70.253.52...
  6. Connected to mail.xxxxxx.com.
  8. 220 "mail.xxxxxx.com Mail System"
  10. AUTH LOGIN
  12. 334 vxnlcm5hbwu6
  14. Amh1yw5n
  16. 334 ugfzlllkokopkc3dvcmq6
  18. Bg92zxdpbm5pzxlpbg=
  20. 235 2.7.0 authentication successful
  22. Mail from: lxiong@XXXXXX.com
  24. 250 2.1.0 OK
  26. Rcpt to: jhuang@XXXXXX.com
  28. 553 5.7.1<Lxiong@ Xxxxxx.com>: Sender address rejected: not owned by user jhuang


Emails cannot be sent if the login user is inconsistent with the email sender

Test 4: email relay prohibited

 

    1. # telnet mail.xxxxxx.com 25
    2. trying 10.70.253.52...
    3. connected to mail.xxxxxx.com.
    4. escape character is '^]'.
    5. 220 mail.xxxxxx.com ESMTP Postfix
    6. mail from: address1@163.com
    7. 250 2.1.0 OK
    8. rcpt to: address2@yeah.net
    9. 554 5.7.1 address2 @ yeah.net > : recipient address rejected: Access Denied

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
microsoft o365 email security 0365 email security best email security software sonicwall email security apple security alert email android email security warning barracuda cloud email security

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More