Unauthenticated send locally, but only to local domains?

zoomba

Hi, I currently allow unauthenticated send for 10.0.0.0/8, but I don’t think that’s the happiest solution.

On my mailcow server, I have 2 domains (my.domain and dmz.arpa), one for regular external mail, and one for internal servers. It would be too complicated to configure credentials for all services, so I figure it’s just easier to have unauthenticated send locally, but I’d like to limit this to only allow unauthenticated send, to the local domains, no others.

So:

legit-host@dmz.arpa > anywhere@dmz.arpa - OK
legit-host@dmz.arpa > anywhere@my.domain - OK
hypothetical-malware@dmz.arpa > anywhere@dmz.arpa - OK, don’t care, it’s local
hypothetical-malware@dmz.arpa > anywhere@my.domain - OK, don’t care, it’s local
hypothetical-malware@dmz.arpa > anywhere@external.com - BLOCK

Does anyone know how to configure this?

zoomba

Would this work?

smtpd_sender_restrictions =
    reject_authenticated_sender_login_mismatch,
    check_client_access cidr:/opt/mailcow-dockerized/data/conf/postfix/allowed_subnets,
    check_sender_access hash:/opt/mailcow-dockerized/data/conf/postfix/sender_allowed_domain,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unlisted_sender,
    reject_unknown_sender_domain

with
/opt/mailcow-dockerized/data/conf/postfix/sender_allowed_domain : 10.0.0.0/8 DUNNO
/opt/mailcow-dockerized/data/conf/postfix/sender_allowed_domain : dmz.arpa OK

I also modified data/conf/postfix/local_transport to:

/watchdog@localhost$/   watchdog_discard:
/localhost$/  local:
/@dmz\.arpa$/  local:

But mail still keeps getting denied…

zoomba

It seems like just adding:

smtpd_relay_restrictions =
    check_recipient_access regexp:/opt/postfix/conf/local_domains,
    permit_sasl_authenticated,
    defer_unauth_destination

To extra.cf seems to have done the job. Can someone sanity-test me please?

local_domains:

/dmz\.arpa$/ OK
/my\.domain$/ OK

Oh and mynetworks still has 10.0.0.0/8 alongside 127.0.0.0/8

esackbauer

Why don’t you only add the server IPs which are allowed to send unauthenticated in Mailcows admin UI under “Forwarding hosts”? No need to have a extra.cf

zoomba

Because if these servers are ever compromised, they would be able to send unauthenticated emails to non local domains. I won’t ever have a need for them to send emails to non local domains, hence the need for additional security measures, it doesn’t matter if I specify 5-50-500 servers, or just leave the A class subnet.

esackbauer

zoomba Because if these servers are ever compromised,

Doesnt matter and probably you have then more serious problems than some spam mails…
If the servers are comprimised then they could also read the SMTP config of your services and use the credentials to spam.

zoomba

My guy, why do you bother replying if you don’t read through everything?

If the servers are comprimised then they could also read the SMTP config of your services and use the credentials to spam.

False statement, and we are probably thinking at different levels of compromise.

And it’s not “just spam mails”. Being able to send without authentication to external mails opens up a whole other attack vector, which can be used for further privilege escalation. Please refrain from commenting if you have nothing helpful to say. Thanks.

esackbauer

Then why not clarifying what you mean with “compromised” in the first place? Then my answer would be more concise. And again, if a system is compromised an attacker could get the authentications details for SMTP easily. Most of them are stored in clear text and can be found easily.

mlcwuser

Yes, but from my humble non-expert perspective, there is still a difference between a compromised server being able to send emails only to local domains versus essentially being given an open relay that can send emails to the entire world through your mail server. And from that perspective, whether authentication is used or not isn’t even the most important part. What matters more, in my opinion, is the ability to restrict where those emails can be sent.

However, for maximum protection, wouldn’t it be best to use authentication with a dedicated mailbox, and then limit which recipient domains that mailbox is allowed to send to?

But maybe I’m missing something here. As I said, I’m not an expert…

esackbauer

Again, if your server is already compromised, your least worry is sending mails from there, but the biggest concern would be to prevent lateral movement of the attackers in the network. And that has nothing to do with limiting SMTP recipients…

zoomba

esackbauer It would be too complicated to explain my entire network stack here, but limiting SMTP recipients is guaranteed to prevent lateral movement in my case. To get back on track:

extra.cf:

smtpd_relay_restrictions =
    check_recipient_access regexp:/opt/postfix/conf/local_domains,
    permit_sasl_authenticated,
    defer_unauth_destination

local_domains:

/dmz\.arpa$/ OK
/my\.domain$/ OK

main.cf snippet:

mynetworks = 127.0.0.0/8 10.0.0.0/8

Is there a way I can limit to who specifically the relaying/sending would be allowed, instead of anyone on my.domain, would it be possible to allow just sending to admin@my.domain?

having local_domains set as:

/dmz\.arpa$/ OK
/admin@my\.domain$/ OK

Doesn’t do the job, and still allows unauthenticated sending from the A class subnet, to the entirety of my.domain.