Postfix allowed auth outside of docker network

veiam

Recently I had a user’s account breached and send out about a 100 spam emails before it was caught. How the password was found is a separate issue being addressed, but there’s another problem that is stumping me. The authentication was done outside of the docker network:

connect from s062.cyon.net[149.126.4.71]

Meanwhile I have not changed the postfix extra.cfg to allow relaying outside of the subnet and my mailcow.conf has the following:

# Internal IPv4 /24 subnet, format n.n.n. (expands to n.n.n.0/24)
IPV4_NETWORK=172.22.1

# Internal IPv6 subnet in fc00::/7
IPV6_NETWORK=fd4d:6169:6c63:6f77::/64

Any other reason someone was allowed to authenticate outside of the subnet?

mlcwuser

veiam connect from s062.cyon.net[149.126.4.71]

Is this from the postfix logs? If so that’s normal, otherwise postfix wouldn’t be able to send and receive email to/from external servers. However, if you found this in the Dovecot logs, that would indeed be concerning.

esackbauer

That is allowed by default, otherwise no IMAP user would be able to send mails if he is abroad.
This is why I use for such things (apps) only app passwords, those are long and complex and need only be entered once when the app is configured.
The normal password should be secured by enabling 2FA.

veiam

I didn’t think of that way, my bad. I noticed all my clients that connect went through sogo or other mailcow docker networked hosts. Dovecot did appear safe, and I have had a talk with the user about passwords already.