Hello, we have one customer who was the victim of a CEO fraud. Some of his employees got a message from the email address of the CEO with the order to send xx money to a specific bank account. Now we found out that it is possible to send email with sendmail at centos/blueonyx (also other distributions) from an existing email address to an existing email address. Example:

telnet 208.77.xx.xx 25
MAIL FROM:[email protected]
250 2.1.0 [email protected]... Sender ok
RCPT TO: info@xxx.net
250 2.1.5 [email protected]... Recipient ok
DATA
Some content, for example "send money to yx"
.
250 2.0.0 w0PBbxN1026335 Message accepted for delivery
QUIT
221 2.0.0 sol.xxx closing connection
Connection closed by foreign host.

Unfortunately it is not only possible from the same user to the same user. It is also possible from one email address (existing at the server) to another email address (existing at the server). Did someone else see something similar? In my opinion, in these days of CEO fraud, it is a security issue.
Although this is not a real security issue, it is related to the way postfix is configured on your server. There is a quite easy way to get rid of this: Create a file called /etc/postfix/mysql-virtual_domains_inverted.cf with contents

Code:
user = ispconfig
password = xxxxxxxxxxxxxx
dbname = dbispconfig
hosts = 127.0.0.1
query = SELECT 'REJECT' FROM mail_domain WHERE domain = '%d' AND active = 'y'
require_result_set = no

Take the credentials for the db connection from the other mysql-****.cf files. Then add

, check_sender_access mysql:/etc/postfix/mysql-virtual_domains_inverted.cf

directly after permit_sasl_authenticated in your main.cf file in smtpd_sender_restrictions, so the setting looks similar to:

Code:
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, check_sender_access mysql:/etc/postfix/mysql-virtual_domains_inverted.cf, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf

Then restart postfix and your problem should be solved.
Server security is not affected by this: you can neither gain access to the server nor elevate user permissions or start programs, so this is not a server security issue. A mail system has to accept emails for local mailboxes, and the email service traditionally has no strong verification mechanisms to verify whether an email sender is really the person he claims to be. You should use technologies like DKIM, SPF and DMARC to get better verification that an email was really sent by an authorized person. And @Croydon posted a snippet above if you want to disallow an unauthenticated FROM address from a local domain.
Yes, it's not a server issue, but it is a way to send email to someone looking like it is from his boss (in this case). I'm using a separate mail server; when testing I'm getting "Sender address rejected: Access denied", so it looks like the code from @Croydon works. I tested a contact form from a website and that still works, so it looks like it is not harming my clients to use it. Or did I miss something?
What will no longer work is the following case: A contact form on a separate web server that sends out an email with From: and To: both being addresses on the (separate) mail server. This is because the mail is no longer "mynetwork" and in addition not "authenticated". Use case: Your client has domain mydomain.com on your mail server and sends out contact form emails (from the webserver) with from [email protected] to recipient [email protected] - won't work anymore unless he uses smtp auth on the contact form.
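To make the behaviour of Croydon's inverted-domain map and the contact-form case above concrete, here is an added example (not code from the thread or from Postfix itself) that models how Postfix walks smtpd_sender_restrictions: the first restriction answering OK or REJECT decides, a DUNNO answer falls through to the next one, and an exhausted list permits. The mail_domain rows, the mynetworks ranges and the client IPs are constructed sample values.

```python
import ipaddress

# Constructed stand-in for the dbispconfig mail_domain table: (domain, active).
MAIL_DOMAIN = [("example.com", "y"), ("retired.example", "n")]

# Constructed stand-in for $mynetworks (loopback plus the mail server's own LAN).
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]


def inverted_domains_lookup(sender):
    """Emulates the map query from the thread:
    SELECT 'REJECT' FROM mail_domain WHERE domain = '%d' AND active = 'y'
    With require_result_set = no, an empty result means 'no entry' (DUNNO)."""
    if "@" not in sender:          # e.g. the empty bounce sender <> has no %d
        return None
    domain = sender.rsplit("@", 1)[1].lower()
    for dom, active in MAIL_DOMAIN:
        if dom == domain and active == "y":
            return "REJECT"
    return None


def permit_mynetworks(client_ip, sender, authenticated):
    ip = ipaddress.ip_address(client_ip)
    return "OK" if any(ip in net for net in MYNETWORKS) else None


def permit_sasl_authenticated(client_ip, sender, authenticated):
    return "OK" if authenticated else None


def check_sender_access_inverted(client_ip, sender, authenticated):
    return inverted_domains_lookup(sender)


# Same order as the smtpd_sender_restrictions line Croydon posted
# (the trailing mysql-virtual_sender.cf map is not modelled here).
SMTPD_SENDER_RESTRICTIONS = [permit_mynetworks,
                             permit_sasl_authenticated,
                             check_sender_access_inverted]


def evaluate(client_ip, sender, authenticated=False):
    """Return the verdict Postfix would give for MAIL FROM:<sender>."""
    for restriction in SMTPD_SENDER_RESTRICTIONS:
        verdict = restriction(client_ip, sender, authenticated)
        if verdict is not None:
            return verdict
    return "OK"  # implicit permit at the end of the restriction list
```

Run evaluate() with an Internet client IP and a sender in a hosted domain to see the forged-CEO case rejected, and with a separate web server's IP and no SMTP auth to see why the contact-form case in the post above fails.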