DevHeads.net

Increasing Internal security

Hi All
We had an auditor do an internal pentest for our network. The result for our Postfix box was (My Words) Although your SMTP server prevents relay in some circumstances, it still allows email from an empty domain. I am aware that the empty domain <> is needed for bounce messages. Is there a way to prevent an initial email out from an empty domain but still allow Postfix to use it internally for bounce messages?

Thanks and Regards
SI

Comments

Re: Increasing Internal security

By Wietse Venema at 05/15/2019 - 15:07

Peter Fraser:
Postfix does not give 'relay permission' based on the ENVELOPE
SENDER address.

Instead, Postfix gives relay permission based on the SMTP client
IP address.

Wietse

Re: Increasing Internal security

By Noel Jones at 05/15/2019 - 13:24

On 5/15/2019 11:24 AM, Peter Fraser wrote:

No.

This sounds as if they are complaining because you accept bounces -
"from an empty domain". This has nothing to do with open relay or
security, and is required for proper operation of any mail system.

In case I'm misunderstanding, it might be better if you explain more
fully exactly how this particular test is conducted, and what they
expect to happen. Postfix logs of the "failed" test, or an SMTP
recording would be helpful.

-- Noel Jones

RE: Increasing Internal security

By Peter Fraser at 05/15/2019 - 13:29

I believe what happened is the testing software they used tried to send an email out using an empty domain and Postfix accepted it. I did it manually to verify from the command line:
MAIL FROM: <>
RCPT TO: an email address
DATA
Blablabla
.
Postfix queued up this email and sent it out.

Regards
SI

Re: Increasing Internal security

By Viktor Dukhovni at 05/15/2019 - 15:16

Why shouldn't it be sent? If an inbound message fails to be
delivered to the user's mailbox, the outgoing bounce MUST have
an empty envelope sender address. For the same reason (avoiding
loops) the envelope sender address of MDNs (read-receipts and
the like) MUST also be <>:

https://tools.ietf.org/html/rfc3798#section-3

The envelope sender address (i.e., SMTP MAIL FROM) of the MDN MUST be
null (<>), specifying that no Delivery Status Notification messages
or other messages indicating successful or unsuccessful delivery are
to be sent in response to an MDN.

A message disposition notification MUST NOT itself request an MDN.
That is, it MUST NOT contain a Disposition-Notification-To header.

If an auditor thinks that messages with <> as an envelope sender are
invalid, find an auditor who's less clueless.

Re: Increasing Internal security

By Wietse Venema at 05/15/2019 - 15:08

Peter Fraser:
And Postfix would be the same if you had specified a different
sender address.

Wietse

Re: Increasing Internal security

By Noel Jones at 05/15/2019 - 13:51

On 5/15/2019 12:29 PM, Peter Fraser wrote:

Insufficient data.

If the recipient is one of your users, this is required operation.
https://tools.ietf.org/html/rfc5321

If the recipient is some random external user, we need more
information. Note that testing must be done from an IP *not* listed
in $mynetworks.
http://www.postfix.org/DEBUG_README.html#mail

-- Noel Jones
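
An added example, not part of the thread and not Postfix code: one way to triage such an audit finding from the Postfix logs the replies ask for. It correlates each queued null-sender message with its SMTP client IP and recipient domains to show whether it was local delivery, relay granted because the client is in $mynetworks, or a real open relay. The MYNETWORKS and LOCAL_DOMAINS values, the log lines and the function name are constructed for illustration.

```python
import ipaddress
import re

# Assumed values; take the real ones from `postconf mynetworks mydestination`.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]
LOCAL_DOMAINS = {"example.org"}

# Constructed sample log lines in the usual Postfix syslog layout.
SAMPLE_LOG = """\
May 15 11:20:01 mx postfix/smtpd[2101]: 4A1B2C3D4E: client=scanner.lan[10.0.5.23]
May 15 11:20:02 mx postfix/qmgr[900]: 4A1B2C3D4E: from=<>, size=412, nrcpt=1 (queue active)
May 15 11:20:03 mx postfix/smtp[2110]: 4A1B2C3D4E: to=<someone@external.test>, relay=mx.external.test[192.0.2.10]:25, status=sent (250 ok)
May 15 11:25:01 mx postfix/smtpd[2102]: 5B2C3D4E5F: client=unknown[198.51.100.7]
May 15 11:25:02 mx postfix/qmgr[900]: 5B2C3D4E5F: from=<>, size=980, nrcpt=1 (queue active)
May 15 11:25:03 mx postfix/local[2203]: 5B2C3D4E5F: to=<user@example.org>, relay=local, status=sent (delivered to mailbox)
May 15 11:30:01 mx postfix/smtpd[2103]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <someone@external.test>: Relay access denied; from=<> to=<someone@external.test> proto=SMTP helo=<probe>
"""

CLIENT = re.compile(r"postfix/smtpd\[\d+\]: ([0-9A-Za-z]+): client=\S*\[([0-9a-fA-F.:]+)\]")
SENDER = re.compile(r"postfix/qmgr\[\d+\]: ([0-9A-Za-z]+): from=<([^>]*)>")
RCPT = re.compile(r"postfix/\w+\[\d+\]: ([0-9A-Za-z]+): to=<([^>]+)>")

def triage_null_sender(log_text):
    """Return {queue_id: verdict} for each queued message with envelope sender <>."""
    msgs = {}
    for line in log_text.splitlines():
        if m := CLIENT.search(line):
            msgs.setdefault(m[1], {"rcpts": set()})["client"] = ipaddress.ip_address(m[2])
        elif m := SENDER.search(line):
            msgs.setdefault(m[1], {"rcpts": set()})["sender"] = m[2]
        elif m := RCPT.search(line):
            msgs.setdefault(m[1], {"rcpts": set()})["rcpts"].add(m[2].rsplit("@", 1)[-1].lower())
    verdicts = {}
    for qid, msg in msgs.items():
        # Skip non-null senders and mail with no smtpd client (locally generated).
        # NOQUEUE rejects never get a queue ID, so they do not appear here at all.
        if msg.get("sender") != "" or "client" not in msg:
            continue
        external = msg["rcpts"] - LOCAL_DOMAINS
        trusted = any(msg["client"] in net for net in MYNETWORKS)
        if not external:
            verdicts[qid] = "local-delivery"        # normal inbound bounce/DSN
        elif trusted:
            verdicts[qid] = "relay-by-mynetworks"   # permitted by client IP, not by sender
        else:
            verdicts[qid] = "open-relay"            # untrusted client, external recipient
    return verdicts

if __name__ == "__main__":
    for qid, verdict in triage_null_sender(SAMPLE_LOG).items():
        print(qid, verdict)
```

Only an "open-relay" verdict indicates a relay problem; "relay-by-mynetworks" means the test client was inside $mynetworks and would have been relayed with any sender address.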