This is a discussion on Security Issue within the alt.comp.mail.postfix forums, part of the Mail Servers and Related category.
Postfix + Cyrus + SASL AUTH mail server,

I have noticed that users can send mail in other users' names just by setting the Outlook mail client email address and display name. I have enabled SASL AUTH but Postfix relays mails as any user so long as you are authenticated.

I can send mail in any user's name by just setting Outlook with any other user's address and display name and authenticating with my login name and password!

How can I stop this? Please help.

Regards,
Clifford Gonsalves

you don't trust your users?

"Clifford Gonsalves" <cgonsalves@hotmail.com> wrote in message news:cd9cus$pqc2@news-dxb.emirates.net.ae...
> Postfix + Cyrus + SASL AUTH mail server,
>
> I have noticed that users can send mail in other users' names just by
> setting the Outlook mail client email address and display name.
> I have enabled SASL AUTH but Postfix relays mails as any user so long as
> you are authenticated.
>
> I can send mail in any user's name by just setting Outlook with any other
> user's address and display name and authenticating with my login name and
> password!
>
> How can I stop this?
> Please help.
>
> Regards,
>
> Clifford Gonsalves

have a look at the postfix configuration parameters....

http://www.postfix.org/postconf.5.ht...r_restrictions

maybe adding a "reject_sender_login_mismatch" to the "smtpd_sender_restrictions" parameter in your postfix main.cf is what you're looking for.

Markus

"Clifford Gonsalves" <cgonsalves@hotmail.com> wrote in message news:cd9cus$pqc2@news-dxb.emirates.net.ae...
> Postfix + Cyrus + SASL AUTH mail server,
>
> I have noticed that users can send mail in other users' names just by
> setting the Outlook mail client email address and display name.
> I have enabled SASL AUTH but Postfix relays mails as any user so long as
> you are authenticated.
>
> I can send mail in any user's name by just setting Outlook with any other
> user's address and display name and authenticating with my login name and
> password!
>
> How can I stop this?
> Please help.
>
> Regards,
>
> Clifford Gonsalves

Hi Clifford!

Clifford Gonsalves wrote:
> I have noticed that users can send mail in other users' names just by
> setting the Outlook mail client email address and display name.

It's not a bug, it's a feature :-).

I really need this feature for my mail accounts. Think about mails with your office address, sent via a private account. Or vice versa.

Of course, on the other hand this becomes an issue, where spammers use this feature. It's a really bad idea to bounce suspicious mail to the address in the From: field.

But you're using authentication, so it should be unable to relay mails from untrusted senders.

Do your users send mails with their colleagues' names?

Greetings, Michael.

Hello Michael,

Well, this can cause a serious loss to us, if someone plays around and sends mail in his manager's name! I want to stop this...

Users must authenticate to the server, also the sender's email address and SASL login name must match, and if any user wants to send a mail in his colleague's name then let them share their passwords.

I checked the http://www.postfix.org/postconf.5.ht...r_restrictions Markus posted but I could not understand it. I will try and put some more time on this serious issue tomorrow.

Thanks for all your help. If you have any more links please post.

Regards,
Clifford Gonsalves

"Michael Holtermann" <spamnov2003@gmx.de> wrote in message news:rkvms1-a5e.ln1@spinnacker.mholti.homelinux.net...
> Hi Clifford!
>
> Clifford Gonsalves wrote:
> > I have noticed that users can send mail in other users' names just by
> > setting the Outlook mail client email address and display name.
>
> It's not a bug, it's a feature :-).
>
> I really need this feature for my mail accounts. Think about mails with your
> office address, sent via a private account. Or vice versa.
>
> Of course, on the other hand this becomes an issue, where spammers use this
> feature. It's a really bad idea to bounce suspicious mail to the address in
> the From: field.
>
> But you're using authentication, so it should be unable to relay mails from
> untrusted senders.
>
> Do your users send mails with their colleagues' names?
>
> Greetings, Michael.

Hello!

Clifford Gonsalves wrote:
> Well this can cause a serious loss to us, if someone plays around and
> sends mail in his manager's name!

I see. The parameter "reject_unauthenticated_sender_login_mismatch" could be what you are searching for, but I'm not sure.

HTH, Michael.
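
An added example, not part of the thread and not Postfix code: a Python model of the behaviour postconf(5) documents for the sender/login mismatch restrictions named above, showing which of them stops an authenticated user from using another user's address in MAIL FROM. The addresses, logins and the map path in the comment are constructed assumptions, and the checks only work when smtpd_sender_login_maps lists the owner of each address.

```python
# Model of the sender/login mismatch restrictions as documented in postconf(5).
# Added illustration, not Postfix source. Addresses and logins are constructed.
#
# Matching main.cf settings (the map path is an assumed example):
#   smtpd_sender_login_maps = hash:/etc/postfix/sender_login
#   smtpd_sender_restrictions = reject_sender_login_mismatch
# These checks see the envelope sender (MAIL FROM), not the From: header.

# Constructed stand-in for smtpd_sender_login_maps: address -> owning SASL logins.
SENDER_LOGIN_MAP = {
    "clerk@example.com": ["clerk"],
    "manager@example.com": ["manager"],
    "sales@example.com": ["clerk", "manager"],  # shared address, two owners
}

RESTRICTIONS = (
    "reject_sender_login_mismatch",
    "reject_authenticated_sender_login_mismatch",
    "reject_unauthenticated_sender_login_mismatch",
)

# Constructed sessions: (MAIL FROM address, SASL login or None if not logged in).
SESSIONS = [
    ("clerk@example.com", "clerk"),      # own address
    ("manager@example.com", "clerk"),    # the case raised in the thread
    ("sales@example.com", "manager"),    # shared address used by an owner
    ("manager@example.com", None),       # owned address, no authentication
    ("outsider@example.org", "clerk"),   # address with no owner in the map
]

def login_mismatch(mail_from, sasl_login):
    """True when the envelope sender does not belong to this client."""
    owners = SENDER_LOGIN_MAP.get(mail_from)
    if sasl_login is None:
        # Not logged in: a mismatch only if the address has a listed owner.
        return owners is not None
    # Logged in: the login must be a listed owner of the address.
    return owners is None or sasl_login not in owners

def decide(restriction, mail_from, sasl_login):
    """'REJECT', or 'DUNNO' (no decision; later restrictions still apply)."""
    if restriction == "reject_authenticated_sender_login_mismatch" and sasl_login is None:
        return "DUNNO"
    if restriction == "reject_unauthenticated_sender_login_mismatch" and sasl_login is not None:
        return "DUNNO"
    return "REJECT" if login_mismatch(mail_from, sasl_login) else "DUNNO"

if __name__ == "__main__":
    for r in RESTRICTIONS:
        for mail_from, login in SESSIONS:
            print(f"{r:45} from={mail_from:22} login={login!s:8} {decide(r, mail_from, login)}")
```
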