
Spam using non existing users, or system service names


Terrance McMinn

Jan 18, 2023, 10:24:56 AM
Debian + Dovecot + Spamassassin + Fail2ban + Clamav + Postfix + Virtual mailboxes (MySQL)

Problem:
Major spam email getting through using non-existing users, or system service names such as clamav.

I am not trusting that permit_mynetworks is allowing through unauthenticated users.

I have turned off helo as a number of valid servers (including government email services) were being rejected.

I have changed my server name in this post to mail.xxxxxxx.com.au. Also xxxxxxx is used in the mydestination list.

I have system-generated emails (user www-data) from web services plus client emails (authenticated). There are no unix users generating emails.

Should I have both
smtp_sasl_auth_enable = yes
smtpd_sasl_auth_enable = yes

Removing the ‘smtp_sasl_auth_enable = yes’ line fixed the non-sending of emails, but may have opened some other loophole.

Any suggestions would be welcome.

System specifications:

Postfix Version: 3.4.14
Hostname www
System Linux www 5.10.0-19-amd64 #1 SMP Debian 5.10.149-2 (2022-10-21) x86_64 GNU/Linux

main.cf

non-default parameters
alias_maps hash:/etc/aliases
append_dot_mydomain no
biff no
broken_sasl_auth_clients yes
compatibility_level 2
default_destination_recipient_limit 10
disable_vrfy_command yes
mailbox_command procmail -a "$EXTENSION"
mailbox_size_limit 0
message_size_limit 30720000
milter_default_action accept
mime_header_checks regexp:/etc/postfix/mime_header_checks
mydestination $myhostname, xxxxxxx, localhost.localdomain, localhost
myhostname mail.xxxxxxx.com.au
mynetworks 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mynetworks_style subnet
myorigin /etc/mailname
non_smtpd_milters $smtpd_milters
policyd-spf_time_limit 3600
readme_directory no
recipient_delimiter +
smtp_destination_recipient_limit 10
smtp_tls_CApath /etc/ssl/certs
smtp_tls_ciphers high
smtp_tls_exclude_ciphers MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtp_tls_mandatory_ciphers high
smtp_tls_mandatory_exclude_ciphers MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtp_tls_mandatory_protocols TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_protocols TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtp_tls_security_level may
smtp_tls_session_cache_database btree:${data_directory}/smtp_scache
smtp_use_tls yes
smtpd_data_restrictions reject_unauth_pipelining
smtpd_helo_restrictions permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_helo_hostname, check_helo_access hash:/etc/postfix/helo_access, permit
smtpd_milters unix:opendkim/opendkim.sock
smtpd_recipient_restrictions permit_sasl_authenticated reject_unauth_destination reject_unauth_pipelining reject_non_fqdn_sender reject_non_fqdn_recipient reject_invalid_hostname reject_unknown_sender_domain reject_unknown_recipient_domain reject_unknown_recipient_domain reject_unverified_recipient check_sender_access hash:/etc/postfix/sender_checks check_client_access hash:/etc/postfix/rbl_override check_policy_service unix:private/policyd-spf permit_mynetworks permit
smtpd_relay_restrictions permit_sasl_authenticated, reject_unlisted_sender, reject_unauth_destination, check_sender_access hash:/etc/postfix/sender_checks
smtpd_sasl_auth_enable yes
smtpd_sasl_local_domain xxxxxxx.com.au
smtpd_sasl_path private/auth
smtpd_sasl_tls_security_options noanonymous
smtpd_sasl_type dovecot
smtpd_sender_login_maps mysql:/etc/postfix/mysql-virtual-email2email.cf
smtpd_sender_restrictions permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unverified_sender, reject_unknown_reverse_client_hostname, reject_unknown_client_hostname, check_sender_access hash:/etc/postfix/restrict_senders, check_sender_access hash:/etc/postfix/sender_checks, permit_mynetworks
smtpd_tls_auth_only yes
smtpd_tls_cert_file /etc/letsencrypt/live/mail.xxxxxxx.com.au/fullchain.pem
smtpd_tls_ciphers high
smtpd_tls_exclude_ciphers MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtpd_tls_key_file /etc/letsencrypt/live/mail.xxxxxxx.com.au/privkey.pem
smtpd_tls_mandatory_ciphers high
smtpd_tls_mandatory_exclude_ciphers MD5, DES, ADH, RC4, PSD, SRP, 3DES, eNULL, aNULL
smtpd_tls_mandatory_protocols TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_protocols TLSv1.2, TLSv1.1, !TLSv1, !SSLv2, !SSLv3
smtpd_tls_security_level encrypt
smtpd_use_tls yes
tls_preempt_cipherlist yes
virtual_alias_maps mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-virtual-email2email.cf
virtual_mailbox_domains mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_limit 0
virtual_mailbox_maps mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport lmtp:unix:private/dovecot-lmtp

main.cf

parameters defined as per defaults
alias_database hash:/etc/aliases
command_directory /usr/sbin
daemon_directory /usr/lib/postfix/sbin
data_directory /var/lib/postfix
html_directory /usr/share/doc/postfix/html
inet_interfaces all
inet_protocols all
mail_owner postfix
mailq_path /usr/bin/mailq
manpage_directory /usr/share/man
meta_directory /etc/postfix
newaliases_path /usr/bin/newaliases
queue_directory /var/spool/postfix
sample_directory /etc/postfix
sendmail_path /usr/sbin/sendmail
setgid_group postdrop
shlib_directory /usr/lib/postfix
smtpd_banner $myhostname ESMTP $mail_name
smtpd_helo_required no
smtpd_reject_unlisted_recipient yes
smtpd_reject_unlisted_sender no

master.cf

service type private unpriv chroot wakeup maxproc command + args
smtp inet n - y - - smtpd
submission inet n - y - - smtpd
-o content_filter=spamassassin
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_tls_auth_only=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_sender_restrictions=reject_sender_login_mismatch,permit_sasl_authenticated,reject
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o smtpd_relay_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
pickup unix n - y 60 1 pickup
cleanup unix n - y - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - y 1000? 1 tlsmgr
rewrite unix - - y - - trivial-rewrite
bounce unix - - y - 0 bounce
defer unix - - y - 0 bounce
trace unix - - y - 0 bounce
verify unix - - y - 1 verify
flush unix n - y 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - y - - smtp
relay unix - - y - - smtp
-o syslog_name=postfix/$service_name
showq unix n - y - - showq
error unix - - y - - error
retry unix - - y - - error
discard unix - - y - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - y - - lmtp
anvil unix - - y - 1 anvil
scache unix - - y - 1 scache
postlog unix-dgram n - n - 1 postlogd
maildrop unix - n n - - pipe
flags=DRXhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
spamassassin unix - n n - - pipe
flags=R user=spamd argv=/usr/bin/spamc -f -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
smtp-amavis unix - - y - 1 smtp
-o smtp_data_done_timeout=1200
-o smtp_send_xforward_command=yes
-o disable_dns_lookups=yes
-o max_use=20
127.0.0.1:10025 inet n - y - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_restriction_classes=
-o smtpd_delay_reject=no
-o smtpd_client_restrictions=permit_mynetworks,reject
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
autoresponder unix - n n - - pipe
flags=Fq user=autoresponse argv=/usr/local/sbin/autoresponse -s ${sender} -r ${recipient} -S ${sasl_username} -C ${client_address}
policyd-spf unix - n n - - spawn
user=nobody argv=/usr/bin/policyd-spf

Michał Dąbrowski

Jan 19, 2023, 4:59:47 PM
On Wednesday, January 18, 2023 at 4:24:56 PM UTC+1, Terrance McMinn wrote:
> Debian + Dovecot + Spamassassin + Fail2ban + Clamav + Postfix + Virtual mailboxes (MySQL)
>
> Problem:
> Major spam email getting through using non-existing users, or system service names such as clamav.
>
> I am not trusting that permit_mynetworks is allowing through unauthenticated users.
>
> I have turned off helo as a number of valid servers (including government email services) were being rejected.
>
> I have changed my server name in this post to mail.xxxxxxx.com.au. Also xxxxxxx is used in the mydestination list.
>
> I have system-generated emails (user www-data) from web services plus client emails (authenticated). There are no unix users generating emails.
>
> Should I have both
> smtp_sasl_auth_enable = yes
> smtpd_sasl_auth_enable = yes
>
> Removing the ‘smtp_sasl_auth_enable = yes’ line fixed the non-sending of emails, but may have opened some other loophole.
>
> Any suggestions would be welcome.

Since:
"smtp - The SMTP daemon process for delivering mail out to the world."
and
"smtpd - The SMTP daemon process for handling incoming mail and delivering to the appropriate internal location."

you should configure (IMO!):
smtp_sasl_auth_enable = no
smtp_tls_security_level = may [if you have certificates configured correctly] - it translates to "use tls if possible"

and for smtpd:
smtpd_sasl_auth_enable = yes [you can then use "permit_sasl_authenticated" - check https://www.postfix.org/postconf.5.html#smtpd_sasl_auth_enable]
smtpd_tls_security_level = [encrypt | may] - depending on your system-generated emails (i.e. one of the systems I use was unable to authenticate properly so I had to turn it down to may)
+ other security options if you wish

* It's a quick response to your 2 questions, I have no time today to read your config :]
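Two points from this thread lend themselves to a mechanical check: the ordering of the smtpd_*_restrictions lists in the original post (Postfix evaluates each list left to right and the first permit or reject wins, so where permit_mynetworks sits decides whether trusted clients are exempt from the rejects in front of it), and the smtp_ versus smtpd_ distinction in the reply. The script below is an added example, not code from either poster or from Postfix itself. It parses a parameter dump in either `postconf -n` form or the `name value` form quoted above, tokenizes the restriction lists (re-attaching the table or service argument to each check_* entry), and reports duplicates, a missing relay guard ahead of an unconditional permit, late permit_mynetworks entries, and which side each SASL switch configures. The restriction and parameter names used are real Postfix names; the embedded sample is a constructed abridgement of the main.cf values quoted in the first post, and the finding levels are this example's own labels.

```python
"""Lint a Postfix parameter dump for restriction-list pitfalls.
Added example for this thread; not code from either poster or from Postfix."""
import re
from typing import Dict, List

# Constructed sample: abridged from the main.cf values quoted in the thread.
SAMPLE_POSTCONF = """\
mynetworks 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
smtpd_recipient_restrictions permit_sasl_authenticated reject_unauth_destination reject_unauth_pipelining reject_non_fqdn_sender reject_non_fqdn_recipient reject_invalid_hostname reject_unknown_sender_domain reject_unknown_recipient_domain reject_unknown_recipient_domain reject_unverified_recipient check_sender_access hash:/etc/postfix/sender_checks check_client_access hash:/etc/postfix/rbl_override check_policy_service unix:private/policyd-spf permit_mynetworks permit
smtpd_relay_restrictions permit_sasl_authenticated, reject_unlisted_sender, reject_unauth_destination, check_sender_access hash:/etc/postfix/sender_checks
smtpd_sasl_auth_enable yes
smtpd_sender_restrictions permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unverified_sender, reject_unknown_reverse_client_hostname, reject_unknown_client_hostname, check_sender_access hash:/etc/postfix/restrict_senders, check_sender_access hash:/etc/postfix/sender_checks, permit_mynetworks
smtpd_tls_security_level encrypt
"""

# Restrictions whose following word is an argument (lookup table or policy service).
TAKES_ARGUMENT = {"check_client_access", "check_reverse_client_hostname_access", "check_helo_access",
                  "check_sender_access", "check_recipient_access", "check_policy_service",
                  "check_ccert_access", "check_sasl_access"}
# Postfix refuses to start unless one of these appears in smtpd_relay_restrictions or
# smtpd_recipient_restrictions; they are what stops third-party relaying.
RELAY_GUARDS = {"reject_unauth_destination", "defer_unauth_destination", "reject", "defer", "defer_if_permit"}
RESTRICTION_LISTS = ("smtpd_client_restrictions", "smtpd_helo_restrictions", "smtpd_sender_restrictions",
                     "smtpd_recipient_restrictions", "smtpd_relay_restrictions")


def parse_postconf(text: str) -> Dict[str, str]:
    """Accept both 'name = value' (postconf -n) and 'name value' (as quoted in the thread)."""
    params: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, rest = line.partition("=")
        if sep and " " not in name.strip():
            params[name.strip()] = rest.strip()
        else:
            parts = line.split(None, 1)
            params[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return params


def tokenize_restrictions(value: str) -> List[str]:
    """Split on commas/whitespace and re-attach table/service arguments to their check."""
    words = [w for w in re.split(r"[,\s]+", value) if w]
    tokens: List[str] = []
    i = 0
    while i < len(words):
        if words[i] in TAKES_ARGUMENT and i + 1 < len(words):
            tokens.append(f"{words[i]} {words[i + 1]}")
            i += 2
        else:
            tokens.append(words[i])
            i += 1
    return tokens


def audit(params: Dict[str, str]) -> List[dict]:
    """Return findings as dicts with 'parameter', 'level' and 'message' keys."""
    findings: List[dict] = []

    def add(param: str, level: str, msg: str) -> None:
        findings.append({"parameter": param, "level": level, "message": msg})

    # postconf -n omits defaults; the Postfix >= 2.10 default relay list already ends in
    # defer_unauth_destination, so an absent smtpd_relay_restrictions counts as guarded.
    relay_guarded = "smtpd_relay_restrictions" not in params
    for name in RESTRICTION_LISTS:
        if name not in params:
            continue
        tokens = tokenize_restrictions(params[name])
        # Lists run left to right; a duplicate only repeats a check that already gave no
        # decision, so it is harmless but usually marks an unreviewed list.
        seen = set()
        for tok in tokens:
            if tok in seen:
                add(name, "info", f"duplicate entry {tok!r}")
            seen.add(tok)
        guard = next((i for i, t in enumerate(tokens) if t in RELAY_GUARDS), None)
        permit = tokens.index("permit") if "permit" in tokens else None
        if name in ("smtpd_recipient_restrictions", "smtpd_relay_restrictions"):
            if guard is not None and (permit is None or guard < permit):
                relay_guarded = True
        # A late permit_mynetworks does not exempt trusted clients from the entries before it.
        if "permit_mynetworks" in tokens:
            pos = tokens.index("permit_mynetworks")
            earlier = [t for t in tokens[:pos] if t.startswith(("reject", "check_"))]
            if earlier:
                add(name, "info", f"permit_mynetworks is entry {pos + 1} of {len(tokens)}; "
                    f"$mynetworks clients are first subject to {len(earlier)} earlier reject/check entries")
    if not relay_guarded:
        add("smtpd_relay_restrictions", "high",
            "no reject_unauth_destination (or equivalent) ahead of an unconditional permit: open relay risk")
    # smtp_* configures Postfix as an SMTP client; smtpd_* configures it as the server.
    if params.get("smtp_sasl_auth_enable", "no") == "yes":
        add("smtp_sasl_auth_enable", "info", "client-side: Postfix authenticates to remote servers "
            "(needs smtp_sasl_password_maps); it does not affect which clients may submit mail")
    if params.get("smtpd_sasl_auth_enable", "no") == "yes":
        add("smtpd_sasl_auth_enable", "info",
            "server-side: clients may authenticate, so permit_sasl_authenticated is meaningful")
    return findings


if __name__ == "__main__":
    for f in audit(parse_postconf(SAMPLE_POSTCONF)):
        print(f"[{f['level']}] {f['parameter']}: {f['message']}")
```

On the sample it reports the duplicated reject_unknown_recipient_domain in smtpd_recipient_restrictions and that permit_mynetworks sits at the tail of both smtpd_recipient_restrictions and smtpd_sender_restrictions, which is worth knowing when deciding whether a trusted client should be exempt from the earlier checks. To run it against a live box, pipe `postconf -n` into `parse_postconf`; master.cf `-o` overrides (the submission and smtps services above have their own lists) are not read by this script and need the same review separately.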