Postfix email server security

To prevent the Postfix mail server from being used without authorization to send forged spam, the following experiment was carried out and SMTP authentication was added.

Analyzing SMTP sending
Remove the internal IP address from the mail server's trusted network list (mynetworks), then test sending mail without logging in, supplying only a sender address.

    root@slackbox [~] # telnet mail.xxxxxx.com 25
    Trying 10.70.253.52...
    Connected to mail.xxxxxx.com.
    Escape character is '^]'.
    220 mail.xxxxxx.com ESMTP Postfix
    mail from: abc@xxxxxx.com        # no SMTP authentication; the forged sender abc is not a real user
    250 2.1.0 Ok                     # the server accepts it: the sender has not been authenticated
    rcpt to: jhuang@xxxxxx.com       # recipient: the tester's own mailbox
    250 2.1.5 Ok                     # the server accepts it
    data                             # write the message
    354 End data with <CR><LF>.<CR><LF>
    Sfafafdsfafasfasfas
    Afsdasfsfasfsafas
    .                                # a lone dot ends the message and sends it
    250 2.0.0 Ok: queued as 6c0fc3d5288   # the message has entered the delivery queue

At the same time, the mail server log shows that the message was delivered (status=sent). The experiment shows that the server was not requiring any SMTP authentication.

Adding SMTP authentication to close the hole
Postfix configuration

    # Map each sender address to the SASL login name(s) allowed to use it
    smtpd_sender_login_maps = ldap:/etc/postfix/ldap-users.cf,
        ldap:/etc/postfix/ldap-mailbox.cf
    # Reject sender addresses that are not in the lists
    smtpd_reject_unlisted_sender = yes
    # Require HELO/EHLO before MAIL FROM (the parameter is smtpd_helo_required, not smtp_helo_required)
    smtpd_helo_required = yes
    # The following restrictions are added at the front of the existing smtpd_recipient_restrictions list
    # (reject_sender_login_mismatch already covers both the authenticated and unauthenticated cases below):
    smtpd_recipient_restrictions =
        reject_sender_login_mismatch,
        reject_authenticated_sender_login_mismatch,
        reject_unauthenticated_sender_login_mismatch,
        reject_non_fqdn_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_invalid_hostname,

Test 1: try to send an email directly without verification

    # telnet mail.xxxxxx.com 25
    Trying 10.70.253.52...
    Connected to mail.xxxxxx.com.
    Escape character is '^]'.
    220 "mail.xxxxxx.com Mail System"
    mail from: jhuang@xxxxxx.com
    250 2.1.0 Ok
    rcpt to: jhuang@xxxxxx.com
    553 5.7.1 <jhuang@xxxxxx.com>: Sender address rejected: not logged in

This shows that mail can only be sent after SMTP authentication; unauthenticated sending is refused.

Test 2: Try SMTP authentication and send an email with a forged nonexistent email address

    # telnet mail.xxxxxx.com 25
    Trying 10.70.253.52...
    Connected to mail.xxxxxx.com.
    Escape character is '^]'.
    220 "mail.xxxxxx.com Mail System"
    AUTH LOGIN
    334 VXNlcm5hbWU6                 # base64 "Username:"
    amh1YW5n                         # base64 login name (jhuang)
    334 UGFzc3dvcmQ6                 # base64 "Password:"
    Bg92zxdpbm5pzxlpbg=              # base64 password
    235 2.7.0 Authentication successful
    mail from: abc@xxxxxx.com
    250 2.1.0 Ok
    rcpt to: jhuang@xxxxxx.com
    550 5.1.0 <abc@xxxxxx.com>: Sender address rejected: User unknown in local recipient table

Even after authenticating, a nonexistent local address cannot be forged as the sender.

Test 3: attempt to pass SMTP authentication and send an email by impersonating another email address

    # telnet mail.xxxxxx.com 25
    Trying 10.70.253.52...
    Connected to mail.xxxxxx.com.
    220 "mail.xxxxxx.com Mail System"
    AUTH LOGIN
    334 VXNlcm5hbWU6                 # base64 "Username:"
    amh1YW5n                         # base64 login name (jhuang)
    334 UGFzc3dvcmQ6                 # base64 "Password:"
    Bg92zxdpbm5pzxlpbg=              # base64 password
    235 2.7.0 Authentication successful
    mail from: lxiong@xxxxxx.com
    250 2.1.0 Ok
    rcpt to: jhuang@xxxxxx.com
    553 5.7.1 <lxiong@xxxxxx.com>: Sender address rejected: not owned by user jhuang

Mail is refused when the logged-in user does not match the sender address.

Test 4: email relay prohibited

    # telnet mail.xxxxxx.com 25
    Trying 10.70.253.52...
    Connected to mail.xxxxxx.com.
    Escape character is '^]'.
    220 mail.xxxxxx.com ESMTP Postfix
    mail from: address1@163.com
    250 2.1.0 Ok
    rcpt to: address2@yeah.net
    554 5.7.1 <address2@yeah.net>: Recipient address rejected: Access denied
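
As an added illustration (not code from this page or from Postfix), the following Python model replays the restriction order configured above and reproduces the replies seen in Tests 1 to 4 as well as the original, unhardened behaviour. The LDAP login maps and the local recipient table are replaced by constructed in-memory stand-ins; permit_mynetworks and the HELO/FQDN checks are left out.

```python
from typing import Optional

# Constructed stand-ins (hypothetical data) for the two lookups the configuration relies on:
# smtpd_sender_login_maps (sender address -> SASL logins that own it) and the
# local recipient table consulted by smtpd_reject_unlisted_sender.
SENDER_LOGIN_MAPS = {"jhuang@xxxxxx.com": {"jhuang"}, "lxiong@xxxxxx.com": {"lxiong"}}
LOCAL_RECIPIENTS = {"jhuang@xxxxxx.com", "lxiong@xxxxxx.com"}
LOCAL_DOMAINS = {"xxxxxx.com"}


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def check_rcpt(sender: str, recipient: str, sasl_user: Optional[str],
               hardened: bool = True) -> str:
    """Reply Postfix gives at RCPT TO. With smtpd_delay_reject (the default) every sender
    check is reported at RCPT TO, which is why the rejections in the tests appear there and
    not after MAIL FROM. hardened=False models the server before the restrictions were added."""
    sender, recipient = sender.lower(), recipient.lower()
    if hardened:
        # smtpd_reject_unlisted_sender = yes: a local-domain sender must actually exist
        if domain_of(sender) in LOCAL_DOMAINS and sender not in LOCAL_RECIPIENTS:
            return f"550 5.1.0 <{sender}>: Sender address rejected: User unknown in local recipient table"
        owners = SENDER_LOGIN_MAPS.get(sender, set())
        # reject_unauthenticated_sender_login_mismatch: the address has an owner but nobody logged in
        if sasl_user is None and owners:
            return f"553 5.7.1 <{sender}>: Sender address rejected: not logged in"
        # reject_authenticated_sender_login_mismatch: logged in, but not as an owner of the address
        if sasl_user is not None and sasl_user not in owners:
            return f"553 5.7.1 <{sender}>: Sender address rejected: not owned by user {sasl_user}"
    # Relay control: only authenticated clients may send to foreign domains
    if domain_of(recipient) not in LOCAL_DOMAINS and sasl_user is None:
        return f"554 5.7.1 <{recipient}>: Recipient address rejected: Access denied"
    return "250 2.1.5 Ok"


if __name__ == "__main__":
    # The page's experiments replayed against the model
    print(check_rcpt("abc@xxxxxx.com", "jhuang@xxxxxx.com", None, hardened=False))  # accepted before hardening
    print(check_rcpt("jhuang@xxxxxx.com", "jhuang@xxxxxx.com", None))      # Test 1: not logged in
    print(check_rcpt("abc@xxxxxx.com", "jhuang@xxxxxx.com", "jhuang"))     # Test 2: user unknown
    print(check_rcpt("lxiong@xxxxxx.com", "jhuang@xxxxxx.com", "jhuang"))  # Test 3: not owned by user jhuang
    print(check_rcpt("address1@163.com", "address2@yeah.net", None))       # Test 4: relay refused
    print(check_rcpt("someone@example.org", "jhuang@xxxxxx.com", None))    # inbound mail still accepted
```

The last call shows the check a practitioner wants to confirm after hardening: external senders with no entry in the login maps still reach local mailboxes, so inbound mail is unaffected.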
