Koozali.org: home of the SME Server
Obsolete Releases => SME Server 9.x => Topic started by: tw-lewis on May 29, 2018, 06:23:17 AM
-
After a few years of using SME server and its mail functionality I always had to live with this small security risk. Now that I have built a mail server from scratch and understand its back-end a lot more I can contribute this gem back to the community.
I would not be surprised if this has already been talked about and resolved but wanted to share my solution with you all.
Even currently you are able to change the FROM address in your mail client and send emails as ANYONE else. Now with the changes made we get the following error on server and on the client (Thunderbird).
"NOQUEUE: reject: MAIL from unknown[192.168.220.1]: 553 5.7.1 <alvin@domain.co.nz>: Sender address rejected: not owned by user lewis@domain.co.nz; from=<alvin@domain.co.nz> proto=ESMTP helo=<[192.168.220.1]>"
It was as easy as this:
nano /etc/postfix/master.cf
-o smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch
nano /etc/postfix/main.cf
smtpd_sender_login_maps = proxy:ldap:/etc/postfix/ldap_virtual_recipients.cf proxy:ldap:/etc/postfix/ldap_virtual_aliases.cf
The following cf files I designed for a different LDAP back-end should be easily adjusted to SME's with very little effort.
I will now post the files:
nano /etc/postfix/ldap_virtual_aliases.cf
bind = yes
bind_dn = cn=LDAP_AUTH,cn=Users,dc=domain,dc=co,dc=nz
bind_pw = password
server_host = ldap://smeserver:389
search_base = dc=domain,dc=co,dc=nz
domain = domain.co.nz
query_filter = (&(otherMailbox=%s))
result_attribute = userPrincipalName
start_tls = no
version = 2
nano /etc/postfix/ldap_virtual_recipients.cf
bind = yes
bind_dn = cn=LDAP_AUTH,cn=Users,dc=domain,dc=co,dc=nz
bind_pw = password
server_host = ldap://smeserver:389
search_base = dc=domain,dc=co,dc=nz
query_filter = (&(userPrincipalName=%s)(objectClass=person)(!(userAccountControl=514)))
result_attribute = userPrincipalName
start_tls = no
version = 2
If I get some feedback saying this has already been implemented or not, that would be great, as I am willing to put some time into adjusting this for the current SME version.
Thanks All
Lewis
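As an added illustration (not part of the post above), the following Python models how Postfix evaluates reject_authenticated_sender_login_mismatch against the two smtpd_sender_login_maps tables; the two dicts are constructed stand-ins for the ldap_virtual_recipients.cf and ldap_virtual_aliases.cf lookups and no LDAP server is contacted.

```python
# Added example, not code from the post: a model of the Postfix check
# reject_authenticated_sender_login_mismatch on top of smtpd_sender_login_maps.
# RECIPIENTS and ALIASES are constructed stand-ins for the two LDAP tables.

# Stand-in for ldap_virtual_recipients.cf: mailbox -> owning login (userPrincipalName)
RECIPIENTS = {
    "lewis@domain.co.nz": ["lewis@domain.co.nz"],
    "alvin@domain.co.nz": ["alvin@domain.co.nz"],
}
# Stand-in for ldap_virtual_aliases.cf: alias or group address -> logins allowed to use it
ALIASES = {
    "sales@domain.co.nz": ["lewis@domain.co.nz", "alvin@domain.co.nz"],
}


def sender_login_lookup(mail_from):
    """Emulate a smtpd_sender_login_maps lookup: every listed table is queried
    and the owners are merged; an address known to neither table yields []."""
    owners = []
    for table in (RECIPIENTS, ALIASES):
        owners.extend(table.get(mail_from.lower(), []))
    return owners


def check_sender(sasl_username, mail_from, client_ip="192.168.220.1"):
    """Decide MAIL FROM as reject_authenticated_sender_login_mismatch would.
    Returns (accepted, reply). The restriction only applies to SASL-authenticated
    clients, so an unauthenticated client (sasl_username None) passes through."""
    if sasl_username is None:
        return True, "DUNNO: client not SASL authenticated, restriction does not apply"
    owners = [o.lower() for o in sender_login_lookup(mail_from)]
    if sasl_username.lower() in owners:
        return True, f"OK: <{mail_from}> owned by user {sasl_username}"
    # Same wording as the 553 5.7.1 reject quoted in the original post
    reply = (f"NOQUEUE: reject: MAIL from unknown[{client_ip}]: 553 5.7.1 "
             f"<{mail_from}>: Sender address rejected: not owned by user "
             f"{sasl_username}; from=<{mail_from}> proto=ESMTP")
    return False, reply


if __name__ == "__main__":
    for login, sender in [("lewis@domain.co.nz", "alvin@domain.co.nz"),
                          ("lewis@domain.co.nz", "sales@domain.co.nz"),
                          (None, "alvin@domain.co.nz")]:
        print(check_sender(login, sender)[1])
```

The aliases table is what lets an authenticated user send as a group or pseudonym address without tripping the mismatch check.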
-
Lewis,
I think you have got something badly wrong here as SME does not use postfix?
-
Indeed not for qmail and qpsmtpd.
How would you handle sending email on behalf of a group, a pseudonym, or another email address for a different domain for which the user is authorized?
Some might be added from configuration; however, Horde allows you to add remote emails to send email on behalf of, as an example, and those would be harder to maintain.
If you check the headers you might see some information on how the mail was sent, so the offender leaves a trace and could be sanctioned. So I do not see a security issue here.
Original-Authentication-Results: domain.com; auth=pass smtp.auth=username
Even with your system you are still able to send mail impersonating another person by exploiting the way email clients display the FROM: https://www.mailsploit.com/index