Email server vulnerable to local email spoofing attack

To figure why you call it a vulnerability, would you please explain what user exactly can spoof e-mails? Is it a regular user or admin or even root?

• If you learn/find out an employee’s email to a given domain, you can hook into the corresponding server via a telnet connection on port 25 and thus be able to send emails to other users of the same domain without being authenticated.

• If the server is “shared” hosting and there are other domains on that server, you will also be able to send emails to them if you know an email account that is to another domain on the same server.

Does the user belong to domain A and can spoof domain B?

• yes, if they are hosted on the same server.

Configuring postfix via “virtualmin-config-system -i Postfix”
does not add restrictions to the smtpd_sender_restrictions directive

Why would it? I stand corrected but as far as I recall Postfix is being installed with an empty smtpd_sender_restrictions line by default, hence it allows everything.

If you want *min devs to change that, open a pull request on GitHub or suggest in the Blue Skies forum.

https://www.postfix.org/postconf.5.html#smtpd_sender_restrictions

This is just one set of tests done on an email.

But if there is an extra layer of security here and someone gives me a solution and why I would add it to my setup.

In my previous comment I provided the postfix configuration after a fresh install. This directive is not described/present in postfix config.

Forgive me but I’m feeling a tad lost here. None of the configs you pasted sport smtpd_sender_restrictions which is exactly what Postfix ships: A config with an empty smtpd_sender_restrictions line.

In addition, I don’t understand why would it be *min’s responsibility to change that behaviour unless for good reason?

There is no an empty smtpd_sender_restriction line in both postfix configs. It’s not described at all… i can’t understand you.
Not in default one which comes with postfix installation, not even in edited postfix config after you run
virtualmin-config-system -i Postfix

The panel is their product.
I think that having ability to send spoofed emails even if they are local without being authenticated is enough to put additional measures in place to prevent this.

open an issue on github in the webmin repository, this will bring it to the attention of the devs

Why when it already has their attention (see @tpnsolutions posts above)

Like me, they are probably confused about what really is the real problem here - what has actually changed - and why are we all not being hit by the problem.

If we are all vulnerable don’t you think we would all be crying out loud?

Just because it is not in the config does not mean it does not exist. There are default values defined like compatibility level that are defined in the code but con be overridden in the config file, if I remember right, it has been a while so I must give this as an advisory.

# See actual values
postconf
postconf | grep smtpd_sasl_security_options

# See default values
postconf -d
postconf -d | grep smtpd_sasl_security_options

# Show only configuration parameters that have explicit name=value settings in main.cf. (i.e. changed by the config file)
postconf -n
postconf -n | grep smtpd_sasl_security_options

http://www.postfix.org/postconf.1.html

It’s Postfix’s config. If they decide to ship a config without even adding a commented line, then it’s up to them, not the *min devs.

See my previous comment.

*min is a panel that helps you configuring stuff that already is there. Why would the *min devs add opinionated configurations the majority of users would reject?

There’s a reason why Postfix ships smtpd_sender_restriction blank. If you want to change that, talk to them or open a PR on GH to the *min devs to suggest adding an option to configure this option in a panel view.

So tpsolutions is a dev ? I assumed tpnsolutions as a forum moderator rather than a dev, so it could be said there maybe a breakdown in communication between forum staff and virtualmin staff

@jimr1,

No, I am not a “dev”. I am a moderator, and respected third-party who is quite familiar with Linux, Virtualmin and SysAdmin work.

I am though trying to wrap my head around this alleged issue that was brought up, as technically anyone can spoof anyone in theory, that’s part of the reason DMARC was invented alongside DKIM and SPF verification.

In said telnet communications with SMTP port (25), are you “actually” able to send a message, or simply communicate with Postfix…?

The reason I ask is, Postfix (SMTP server) will respond to certain requests by design. This could be misunderstood as it being an “open relay”, which by default even without the Virtualmin installer involved it should be configured NOT to be.

So, if affected parties here could provide evidence that a the ability to “send” a spoofed message from the outside then perhaps someone (myself or others) could provide further assistance.

While the “devs” are welcome to chime into this conversation at anytime, and I’m sure at some point one of them will (if deemed necessary), we first need to establish that this is actually a Virtualmin issue as not all issues actually pertain to a bug or misconfiguration from Virtualmin.

*** I’ll go as far as saying if you can clearly convince me, I’ll push the issue upstream to make sure it does get reviewed and/or resolved. However ATM, I am trying to understand whether this is a real issue or a misunderstanding. ***

Just going by the thread title.

I moved my domains to a private server. The old provider, that I did not choose, had hundreds of accounts all lumped into a ‘hosted’ plan. Any of those domains could spoof my email address because they were all the same address.

I can’t count how many extortion attempts I received because any of the emails on those accounts could send as ‘me’. 'As you see I have access to your email (and therefore I have compromised your computer, blah, blah, blah…)

All same mail server so…

@ID10T,

Were all the accounts using using the same “DKIM” signature?

An interesting read about DKIM, SPF, DMARC…

Hard to say. I can’t go back and check. For the first few months I basically had root (full cPanel/WHM functionality) on the system before they figured out their mistake. From that you can assume it was just a xiss poor, badly maintained and configured system.

But, to everyone’s disappointment, that’s what landed me here.

We know how sender restrictions work. But, it’s not something I think is generally worth the effort to make more restrictive. Or, at least, I haven’t considered it worth the trade off in the past.

Adding restrictions makes it harder for local users and applications to send mail. Sending mail is already one of our biggest support burdens (search the forum for “can’t send mail”).

Our assumption is that your users are generally somewhat trustworthy and you’re keeping an eye out to make sure they aren’t doing something dumb and/or nefarious. You have their billing information (name, address, whatever), at the very least. You know who they are. And, for people doing mass-hosting, they probably handle mail in a different way (something centralized for efficiency).

And, this thread is also full of a lot of misunderstandings.

Mail to other users on the system is supposed to be accepted, whether from other local users or remote! It’s the mail server for those users, it is supposed to receive mail addressed to them. (Incoming mail should be checked for SPF and DKIM and whatever other spam filtering tools you’re using, of course!)

Even authenticated users can do tricky things with the From: address, and it’s kind of complicated to avoid that. The From: address does not come from the username used to log in to the mail server. From: comes from an email header added by the mail client or the script sending the mail. A user sending mail is not necessarily sending mail with their username. It is merely convention in a Virtualmin system that your email address and username match, and you can change it in mail you send. Again, it’s a bit more complexity than I like to prevent that.

All that said, it may be time to consider adding more restrictions on sending. I hate to think of how many more support requests about sending mail, especially from applications, we’ll get. But, when people’s expectations and mental model of how things work isn’t how things actually work, it gets ugly. (We can’t always fix the mental model, because nobody reads documentation, but maybe we can make things work a little more closely to how people expect.)

In short: No one should be surprised by the current behavior. It’s how mail has worked on Linux/UNIX systems forever. It is only vaguely a security issue; if you have malicious users, they can send mail from the system, and any mail from the system for domains hosted on the system will have an SPF record that looks legit (which is one a few reasons SPF isn’t sufficient, though it is helpful).

Nothing is stopping anyone from making it more restrictive, and there are several ways to do it, though I think some of the threat models being discussed here are kinda off-target and maybe wasting time fixing things that aren’t likely to be a problem. If you do have a user that is abusing the trust local users have to send mail, I would argue you should get rid of the user ASAP and with prejudice. It’s a good litmus test for a good citizen on a shared system.

@Joe,

Well said, well said

this should have been directed to @rtk , I don’t have any issues with the defaults

It is definately worth considering because I would think that the username and password for one emails address could only send emails from that specific account. I know I can remove permit_mynetworks to stop clients on local networks being authorised for sending.

NB: I need to see if I have added any networks in to permit_mynetworks, it has been a whikle since I set these up.

This is my current Postfix policy

smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain
smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unknown_recipient_domain
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_data_restrictions = reject_unauth_pipelining
disable_vrfy_command = yes
smtpd_tls_auth_only = yes
smtpd_helo_required = yes