DevHeads.net

question about envelop from.

Hi,

I'm reading through RFCs, but the following is still not clear to me.

E-mail is rejected based on the envelope-from address from a mail daemon, with Postfix + postfix-policyd-spf.

I saw the following in the Postfix logs.
Feb  7 00:00:16 hostname postfix/smtpd[31726]: Untrusted TLS connection established from smtp1.xxxxxxxx.nl[x.xx.xxx.xx]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb  7 00:00:16 hostname postfix/policy-spf[31766]: Policy action=PREPEND Received-SPF: none (apmcsqa01.poort: No applicable sender policy available) receiver=hostname.domain.nl; identity=mailfrom; envelope-from="MAILER- ... at apmcsqa01 dot poort"; helo=smtp1.xxxxxxxx.nl; client-ip=x.xx.xxx.xx]
Feb  7 00:00:16 hostname postfix/smtpd[31726]: NOQUEUE: reject: RCPT from smtp1.xxxxxxxx.nl[x.xx.xxx.xx]]: 450 4.1.8 <MAILER- ... at apmcsqa01 dot poort>: Sender address rejected: Domain not found; from=<MAILER- ... at apmcsqa01 dot poort>
 
About this:
envelope-from="MAILER- ... at apmcsqa01 dot poort"

I'm looking for the correct RFC where it's described that the part @apmcsqa01.poort should be @thesendingdomain.tld,
where thesendingdomain.tld is also a resolvable domain, because as it is now it does not make sense: the mailer-daemon will never be accepted because it is non-resolvable.

If someone can point me to the correct RFC (and chapter), that would be great.
 
 
Thanks!
 
Louis
 
 
 

Comments

RE: question about envelop from.

By =?windows-1252?... at 03/13/2018 - 09:53

Hello Victor,

Yes, I've set smtpd_tls_ask_ccert to yes.

I do also have Anonymous messages:
Anonymous TLS connection established from mail187-16.suw11.mandrillapp.com[198.2.187.16]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Hmmm, I now also noticed I don't have Trusted or Verified anymore; this must be a miss on my side after the switch from Postfix 2.10 to 3.1.

I need SSL verification; I'm not running a high-volume site and I just enabled DKIM, SPF, TLSA and DANE for this server.
Any tips on my config? I'm running this config atm, Postfix 3.1.8 (Debian) (config below).

Best regards,

Louis

### General Defaults
smtpd_banner = $myhostname ESMTP Ready
mail_version = 007
biff = no
append_dot_mydomain = no
delay_warning_time = 4h
readme_directory = no
compatibility_level = 2
mailbox_size_limit = 0
recipient_delimiter = +
empty_address_recipient = MAILER-DAEMON

### Limit the info given to outside servers
show_user_unknown_table_name = no

### no one needs to ask our server who is on it
disable_vrfy_command = yes

#### user!domain != user@domain
swap_bangpath = no

#### user%domain != user@domain
allow_percent_hack = no

### Tarpit until RCPT TO: to reject the email, for Nagios compatibility
smtpd_delay_reject = yes

### Tarpit those bots/clients/spammers who send errors or scan for accounts
smtpd_error_sleep_time = 20
smtpd_soft_error_limit = 1
smtpd_hard_error_limit = 3
smtpd_junk_command_limit = 2

### Transports and slowdown of delivery per domain are set here also.
transport_maps = hash:/etc/postfix/personal/transport_maps.map
## Transports Tuning outgoing connections ! Esa max concurrent connections (polite)
## see also transport file and master.cf
# Throttle limit policy mail (global)
smtp_destination_concurrency_limit = 5
smtp_extra_recipient_limit = 2

# Polite policy
polite_destination_concurrency_limit = 3
polite_destination_rate_delay = 0
polite_destination_recipient_limit = 5

# Turtle policy
turtle_destination_concurrency_limit = 2
turtle_destination_rate_delay = 1s
turtle_destination_recipient_limit = 2
##
###

## 100 Mb size limit
message_size_limit = 102400000

# Postfix before 3.0 by default permits non-ASCII content in headers and addresses.
strict_7bit_headers = yes

2bounce_notice_recipient =  ... at somedomain dot tld
2bounce_notice_recipient =  ... at somedomain dot tld
bounce_notice_recipient =  ... at somedomain dot tld
delay_notice_recipient =  ... at somedomain dot tld
error_notice_recipient =  ... at somedomain dot tld
notify_classes = bounce, resource, software

## Being strict to the RFC not only stops unwanted mail,
## it also blocks legitimate mail from poorly-written mail applications.
## default = no
strict_rfc821_envelopes = yes

###############
# SASL disabled, it's not used on this server.
broken_sasl_auth_clients = no
smtp_sasl_auth_enable = no
smtpd_sasl_auth_enable = no

################# TLS parameters
# Disable SSL compression
tls_ssl_options = NO_COMPRESSION

# cipherlists, defaults are ok.
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom

# TLS Client outgoing
smtp_tls_CAfile = /etc/ssl/certs/Intermediate.cer
smtp_tls_cert_file = /etc/ssl/certs/cert-2017-cert.pem
smtp_tls_key_file = /etc/ssl/private/key-2017.key
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
## detect a mail hijacking attack based on a TLS protocol vulnerability (CVE-2009-3555)
smtp_tls_block_early_mail_reply = yes

# only offer authentication after STARTTLS
smtpd_tls_auth_only = yes

# TLS SERVER incoming
smtpd_starttls_timeout = 300s
smtpd_use_tls=yes
smtpd_enforce_tls = no
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_ccert_verifydepth = 2
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_always_issue_session_ids = no
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_CAfile = /etc/ssl/certs/Intermediate.cer
smtpd_tls_cert_file = /etc/ssl/certs/cert-2017-cert.pem
smtpd_tls_key_file = /etc/ssl/private/key-2017.key
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = eNULL, aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, CAMELLIA256, 3DES

# Enable EECDH key exchange for forward secrecy
smtpd_tls_eecdh_grade=ultra

# The 512-bit parameter file won't be used if you've disabled "EXPORT"
# ciphers by setting "smtpd_tls_ciphers = medium" as recommended above.
#smtpd_tls_dh512_param_file = /etc/ssl/private/dhparams2048.pem
# Enabling it:
# would likely result in handshake failure if a DHE EXPORT
# cipher were negotiated, which is arguably a safety feature.
smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams2048.pem

smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

############### Host/Ip/ADS related
# ! see : /etc/postfix/main-mynetworks.cidr for your ipranges.
myhostname = mail.somedomain.tld
myorigin = mail.somedomain.tld
mydomain = mail.somedomain.tld
mydestination = mail.somedomain.tld, localhost
mynetworks = cidr:/etc/postfix/personal/mynetworks.cidr
inet_interfaces = all
inet_protocols = ipv4

relay_domains = hash:/etc/postfix/personal/relay_domains.map
masquerade_domains = hash:/etc/postfix/personal/masquerade_domains.map

sender_canonical_maps = hash:/etc/postfix/personal/sender_canonical.map
recipient_canonical_maps = hash:/etc/postfix/personal/recipient_canonical.map

header_checks = pcre:/etc/postfix/personal/checks_header.pcre
body_checks = pcre:/etc/postfix/personal/checks_body.pcre

alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ads2local-aliases.cf
alias_database = hash:/etc/aliases
virtual_alias_maps = ldap:/etc/postfix/ads2local-redirects.cf

################################

### Reject codes == 554
access_map_reject_code = 554
#invalid_hostname_reject_code = 554
#maps_rbl_reject_code = 554
multi_recipient_bounce_reject_code = 554
#non_fqdn_reject_code = 554
#plaintext_reject_code = 554
#reject_code = 554
relay_domains_reject_code = 554
#unknown_address_reject_code = 554
#unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 554
unknown_relay_recipient_reject_code = 554
unknown_virtual_alias_reject_code = 554
unknown_virtual_mailbox_reject_code = 554
unverified_recipient_reject_code = 554
unverified_sender_reject_code = 554

# SPF Policy
policyd-spf_time_limit = 3600s

# For dualdelivery - double delivery to multiple mail servers.
# dualdelivery in the variable name is the name of the transport from master.cf.
# Without this setting, mail will not be delivered if the email was sent to
# multiple users at once.
dualdelivery_destination_recipient_limit = 1

################## Restrictions/anti-spam Strict RFC !
## in order of processing.
## Restrictions/anti-spam Strict RFC !
#
smtpd_delay_reject = yes
#
smtpd_client_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_client_access cidr:/etc/postfix/personal/check_client_access-allow.cidr,
    check_client_access cidr:/etc/postfix/personal/check_client_access-reject.cidr,
    reject_non_fqdn_hostname,
    reject_unknown_hostname,
    reject_invalid_hostname,
    reject_unauth_pipelining
##
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_helo_access pcre:/etc/postfix/personal/check_helo_access-hostname-checks.pcre,
    check_helo_access hash:/etc/postfix/personal/check_helo_access-allow.map,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,
    reject_unauth_pipelining
##
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/personal/check_sender_access-allow.map,
    check_sender_access hash:/etc/postfix/personal/check_sender_access-deny.map,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_unknown_address,
    reject_unauth_pipelining
##
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    check_policy_service unix:private/policyd-spf,
    check_recipient_access hash:/etc/postfix/personal/check_recipient_access-allow.map,
    check_recipient_access hash:/etc/postfix/personal/check_recipient_access-deny.map,
    check_recipient_access pcre:/etc/postfix/personal/check_recipient_access-deny-syntax.pcre,
    reject_multi_recipient_bounce,
    reject_unlisted_recipient,
    reject_unverified_recipient
##
smtpd_relay_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_policy_service unix:private/policyd-spf,
    check_recipient_access hash:/etc/postfix/personal/check_recipient_access-allow.map,
    reject_multi_recipient_bounce,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    reject_invalid_helo_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    defer_unauth_destination
##
smtpd_data_restrictions =
    reject_unauth_pipelining,
    reject_multi_recipient_bounce
##
smtpd_etrn_restrictions =
    permit_mynetworks,
    reject
##

### Before-220 tests (postscreen / DNSBL)
postscreen_greet_banner =
    $myhostname, checking blacklists, please wait.
# Drop connections if other server is sending too quickly
postscreen_greet_action = drop
#postscreen_greet_action = enforce   # testing; action = drop.
postscreen_greet_wait = 3s
postscreen_greet_ttl = 2d
postscreen_access_list =
    permit_mynetworks,
    cidr:/etc/postfix/personal/postscreen_access_list.cidr,
    pcre:/etc/postfix/personal/postscreen_access_list-reject.fqrdns.pcre,
    cidr:/etc/postfix/personal/postscreen_access_list-drop.spamhaus-lasso.cidr
postscreen_whitelist_interfaces = $mynetworks, static:all
postscreen_blacklist_action = drop
postscreen_dnsbl_reply_map = pcre:/etc/postfix/personal/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_action = enforce
postscreen_dnsbl_ttl = 2h
postscreen_dnsbl_threshold = 4
postscreen_dnsbl_sites =
    zen.spamhaus.org*4
    b.barracudacentral.org*4
    bad.psky.me*4
    dnsbl.cobion.com*2
    bl.spameatingmonkey.net*2
    fresh.spameatingmonkey.net*2
    cbl.anti-spam.org.cn=127.0.8.2*2
    dnsbl.kempt.net*1
    dnsbl.inps.de*2
    bl.spamcop.net*2
    srn.surgate.net=127.0.0.2
    spam.dnsbl.sorbs.net*2
    rbl.rbldns.ru*2
    psbl.surriel.com*2
    bl.mailspike.net*2
    rep.mailspike.net=127.0.0.[13;14]*1
    bl.suomispam.net*2
    bl.blocklist.de*2
    ix.dnsbl.manitu.net*2
    dnsbl-2.uceprotect.net
    dnsbl.justspam.org=127.0.0.2*2
    all.s5h.net=127.0.0.2*2
    hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
    rbl.abuse.ro=127.0.0.[2;4]*2
    dnsbl.spfbl.net=127.0.0.[2;4]*2
    # No RDNS
    dnsbl.spfbl.net=127.0.0.3*1
    hostkarma.junkemailfilter.com=127.0.0.3*1
    # whitelists
    swl.spamhaus.org*-6
    dnswl.spfbl.net=127.0.0.[2;3;4]*-3
    list.dnswl.org=127.0.[0..255].[2;3]*-4
    rep.mailspike.net=127.0.0.[17;18]*-1
    rep.mailspike.net=127.0.0.[19;20]*-2
    hostkarma.junkemailfilter.com=127.0.0.1*-4
    nobl.junkemailfilter.com=127.0.0.5*-4
#
### End of before-220 tests
### After-220 tests
### WARNING -- See "Tests after the 220 SMTP server greeting" in the
### Postscreen Howto and *UNDERSTAND* it *BEFORE* you enable the
### following tests! This basically enables some kind of greylisting!
#postscreen_bare_newline_action = enforce
#postscreen_bare_newline_enable = yes
#postscreen_non_smtp_command_enable = yes
#postscreen_pipelining_enable = yes
### ADDENDUM: Any one of the foregoing three *_enable settings may cause
### significant and annoying mail delays.

###### Added for OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:localhost:8892
non_smtpd_milters = inet:localhost:8892

Re: question about envelop from.

By Viktor Dukhovni at 03/13/2018 - 10:17

You almost certainly don't need this.

"Verified" is not possible with smtpd(8). "Trusted" could happen when the client
certificate is signed by a trusted CA:

http://www.postfix.org/FORWARD_SECRECY_README.html#status

but, typically, you should not be requesting client certificates that
serve no purpose.

Not for incoming traffic, there just supporting STARTTLS is all you need.

Don't duplicate default settings.

These are obsolete.

You don't need these. I see no evidence of any meaningful use of
client certs. At least not on port 25 via main.cf.

This is the default.

Second time this is set.

It is much better to have all the required intermediates in
your certfile, and leave this field empty.

This is unwise, the (default in supported releases) "medium" is better, see:

https://tools.ietf.org/html/rfc7435

This too is unwise. Remove this setting.

With OpenSSL 1.0.2 or later and Postfix >= 3.2, you're far
better off with the default of "auto".

http://www.postfix.org/postconf.5.html#smtpd_tls_eecdh_grade

Re: question about envelop from.

By LuKreme at 03/13/2018 - 10:36

On Mar 13, 2018, at 09:17, Viktor Dukhovni <postfix- ... at dukhovni dot org> wrote:
In general, or these specific exclusions?

I've had

smtpd_tls_exclude_ciphers = MD5, SEED, IDEA, RC2, RC4

For a pretty long time now

Re: question about envelop from.

By Viktor Dukhovni at 03/13/2018 - 13:49

Mostly in general. Why do cleartext with clients that can't do strong ciphers?
Let them encrypt with their medium ciphers.

That said, the above are fine to exclude; they are just unnecessary
attack surface. With the exception of "RC4", nobody needs these for
interoperability at this time, and even "RC4" use is vanishingly
small.

Re: question about envelop from.

By John at 03/14/2018 - 21:48

Too complicated? How could this be improved?

smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = DES, MD5, RC2, RC4, RC5, IDEA, SRP, PSK,
    aDSS, kECDhe, kECDhr, kDHd, kDHr, SEED, LOW, EXPORT
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, high
smtp_tls_protocols = !SSLv2, !SSLv3

smtpd_sasl_auth_enable = no

smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_ciphers = high
smtpd_tls_eecdh_grade = auto
smtpd_tls_exclude_ciphers = $smtp_tls_exclude_ciphers
smtpd_tls_protocols = $smtp_tls_protocols
smtpd_tls_mandatory_protocols = $smtp_tls_mandatory_protocols

Re: question about envelop from.

By Viktor Dukhovni at 03/15/2018 - 00:06

Fine.

OK, but medium is perhaps sufficient.

With "high" or "medium" you don't need to exclude "EXPORT" or "LOW".
You're also misspelling some of the cipher names, they are case-sensitive.
Try:

smtp_tls_exclude_ciphers = MD5, RC2, RC5, IDEA, SEED, aDSS, kECDHe, kECDHr, kDHd, kDHr

You can exclude RC4 and 3DES, but it is not essential, and some very
small number of systems will now only be able to receive from you in
the clear.

Where did you get the idea that "high" was a TLS protocol version?

I would also suggest "medium" here.

This requires (and is recommended for) Postfix 3.2 or later.

Not necessarily a good idea. The server should perhaps be more
liberal.

Re: question about envelop from.

By John at 03/15/2018 - 16:45

Thanks for the help.

John A

Re: question about envelop from.

By Matus UHLAR - f... at 03/13/2018 - 11:00

On 13.03.18 09:36, LuKreme wrote:
I have:

smtpd_tls_ciphers=high
smtpd_tls_mandatory_ciphers=high
smtpd_tls_exclude_ciphers=aNULL

Re: question about envelop from.

By Viktor Dukhovni at 03/13/2018 - 13:51

My recommendation is:

smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = high

There's not much need to exclude any additional ciphers, but if you must,
see the previous post...

Re: question about envelop from.

By Viktor Dukhovni at 03/13/2018 - 09:27

In addition to not being resolvable, the envelope sender address here is also
problematic because "MAILER-DAEMON@" should only ever appear in the message
headers and NEVER as the envelope sender. The correct envelope sender for
bounces is the empty (or null) sender:

MAIL FROM:<>

not

MAIL FROM:<MAILER- ... at example dot net>

Sure, some domain could in theory have an actual user mailbox named
"mailer-daemon", but that is most unlikely. It is rather clear that
the server in question is generating backscatter with a non-empty
envelope sender address, thus potentially leading to mail loops.

It is good that your server is rejecting this traffic.

Finally, it seems you may be requesting client certificates on port 25,
(incoming TLS status is "Untrusted" rather than "Anonymous") I wonder
why...

http://www.postfix.org/FORWARD_SECRECY_README.html#status

do you have "smtpd_tls_ask_ccert = yes"?
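As an added example (my code, not from the thread or from Postfix), here is a small Python parser for the "TLS connection established" lines Postfix logs, like the ones quoted above. It classifies sessions by status word (Anonymous, Untrusted, Trusted, Verified) and by direction, and flags inbound sessions in which the client presented a certificate: on port 25 that is the symptom Viktor points at, since smtpd only asks for one when smtpd_tls_ask_ccert is set. The log lines are constructed sample data modelled on the quoted ones; the hostnames and addresses are documentation placeholders.

```python
import re
from collections import Counter

# Constructed sample log lines modelled on the ones quoted in the thread.
# Hostnames and addresses are documentation placeholders, not real systems.
SAMPLE_LOG = """\
Feb  7 00:00:16 mx postfix/smtpd[31726]: Untrusted TLS connection established from smtp1.example.nl[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb  7 00:01:02 mx postfix/smtpd[31730]: Anonymous TLS connection established from mail.example.org[198.51.100.5]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Feb  7 00:02:45 mx postfix/smtp[31801]: Verified TLS connection established to mx.example.net[203.0.113.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb  7 00:03:10 mx postfix/smtpd[31726]: NOQUEUE: reject: RCPT from smtp1.example.nl[192.0.2.10]: 450 4.1.8 <bounce@unresolvable.invalid>: Sender address rejected: Domain not found; from=<bounce@unresolvable.invalid>
"""

# smtpd = inbound (server side), smtp = outbound (client side).
TLS_RE = re.compile(
    r"postfix/(?P<daemon>smtpd?)\[\d+\]: "
    r"(?P<status>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?P<direction>from|to) (?P<peer>\S+?)(?::\d+)?: "
    r"(?P<protocol>TLSv[\d.]+) with cipher (?P<cipher>\S+) "
    r"\((?P<bits>\d+)/\d+ bits\)"
)


def parse_tls_line(line):
    """Return a dict for a TLS-established log line, or None for any other line."""
    m = TLS_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["bits"] = int(rec["bits"])
    return rec


def summarize(log_text):
    """Count TLS status words separately for inbound (smtpd) and outbound (smtp)."""
    inbound, outbound = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_tls_line(line)
        if rec is None:
            continue
        target = inbound if rec["daemon"] == "smtpd" else outbound
        target[rec["status"]] += 1
    return inbound, outbound


def inbound_findings(inbound):
    """Explain what the inbound status mix implies for the smtpd configuration.

    Anonymous: the client sent no certificate (the normal case on port 25).
    Untrusted/Trusted: the client sent one, which smtpd only asks for when
    smtpd_tls_ask_ccert = yes.  Verified is not a status smtpd produces.
    """
    findings = []
    with_cert = inbound["Untrusted"] + inbound["Trusted"]
    if with_cert:
        findings.append(
            f"{with_cert} inbound session(s) presented a client certificate: "
            "smtpd_tls_ask_ccert is on; unless client certs are used for "
            "access control, leave it at the default (no)"
        )
    if inbound["Verified"]:
        findings.append("'Verified' seen on smtpd: unexpected, check the log source")
    return findings


if __name__ == "__main__":
    inbound, outbound = summarize(SAMPLE_LOG)
    print("inbound :", dict(inbound))
    print("outbound:", dict(outbound))
    for finding in inbound_findings(inbound):
        print("finding :", finding)
```

Run it against a real mail.log instead of SAMPLE_LOG and an inbound count of Untrusted or Trusted sessions with no access policy that consumes client certificates is a sign the ask_ccert setting is doing nothing but adding handshake round trips.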

RE: question about envelop from.

By =?windows-1252?... at 03/13/2018 - 08:13

Hi Matus,
Thank you for the reply, most appreciated.

No, but it's a "government" server, so I need to be very sure.. ;-)
Thanks, I was looking in the wrong RFC.

Best regards,

Louis

Re: question about envelop from.

By Matus UHLAR - f... at 03/13/2018 - 08:05

On 13.03.18 13:54, L.P.H. van Belle wrote:
Who configured a non-existing domain name there, and why?

RFC 5321, section 2.3.5. Domain Names:

Only resolvable, fully-qualified domain names (FQDNs) are permitted
when domain names are used in SMTP.

Correct, that is the expected behaviour.
Do you expect someone to accept mail from non-existing (invalid) addresses?
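Putting Viktor's point about the null sender and Matus's RFC 5321 section 2.3.5 quote together, here is an added Python example (my code, not from the thread, the RFC or Postfix) of the check a receiving MTA effectively performs on the envelope sender: the null reverse-path <> is accepted as the proper bounce sender, a domain part must be a syntactically fully-qualified name and must resolve, and a non-empty MAILER-DAEMON sender on a resolvable domain is accepted but flagged as probable backscatter. Name resolution is injected as a function so the example runs offline; stub_resolver and its list of known domains are constructed for the example, and a real deployment would look up MX/A/AAAA records. The helper extract_envelope_from pulls the sender out of Postfix's from=<...> and policyd-spf's envelope-from="..." log fields.

```python
import re

# A DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed stand-in for DNS: domains the "resolver" knows about.  A real
# check would query MX/A/AAAA records (what reject_unknown_sender_domain does).
KNOWN_DOMAINS = {"example.net", "mail.example.org"}


def stub_resolver(domain):
    """Hypothetical resolver: True if the domain has mail-relevant DNS records."""
    return domain.lower().rstrip(".") in KNOWN_DOMAINS


def is_fqdn(domain):
    """RFC 5321 section 2.3.5: only fully-qualified names may be used in SMTP."""
    labels = domain.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def check_envelope_sender(mail_from, resolver=stub_resolver):
    """Classify a MAIL FROM reverse-path.  Returns (verdict, reason).

    verdict is 'accept', 'warn' (accepted but suspicious) or 'reject'.
    """
    addr = mail_from.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if addr == "":
        # The null reverse-path: the only correct envelope sender for bounces
        # (RFC 5321 section 4.5.5); it can never itself bounce, so no loops.
        return "accept", "null sender, correct for bounces and notifications"
    if "@" not in addr:
        return "reject", "no domain part in envelope sender"
    local_part, domain = addr.rsplit("@", 1)
    if not is_fqdn(domain):
        return "reject", f"{domain!r} is not a fully-qualified domain name"
    if not resolver(domain):
        # This is the case in the thread: Postfix answers 'Domain not found'.
        return "reject", f"{domain!r} does not resolve"
    if local_part.upper() == "MAILER-DAEMON":
        # MAILER-DAEMON belongs in the From: header of a bounce, not in the
        # envelope; a non-empty bounce sender is backscatter and can loop.
        return "warn", "MAILER-DAEMON as envelope sender, bounce should use <>"
    return "accept", "resolvable fully-qualified sender domain"


_FROM_FIELD_RE = re.compile(r'(?:\bfrom=<([^>]*)>|envelope-from="([^"]*)")')


def extract_envelope_from(log_line):
    """Pull the envelope sender out of a Postfix smtpd or policyd-spf log line."""
    m = _FROM_FIELD_RE.search(log_line)
    if m is None:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


if __name__ == "__main__":
    # Constructed log line in the shape of the reject quoted in the thread.
    sample = ("NOQUEUE: reject: RCPT from smtp1.example.nl[192.0.2.10]: 450 4.1.8 "
              "<bounce@unresolvable.invalid>: Sender address rejected: Domain not "
              "found; from=<bounce@unresolvable.invalid>")
    for sender in ("<>", extract_envelope_from(sample),
                   "MAILER-DAEMON@example.net", "user@localhost"):
        print(f"{sender!r:40} -> {check_envelope_sender(sender)}")
```

The ordering of the checks mirrors what the quoted log shows: Postfix rejects the unresolvable domain at RCPT time before anything else about the sender is considered, so a misconfigured bounce generator never gets as far as the backscatter question.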