Why is Virtualmin exposing my hostname, postfix & OS and not correct domain name

SYSTEM INFORMATION
OS type and version: Ubuntu Linux 22.04.2
Webmin version: 2.013
Usermin version: 1.861
Virtualmin version: 7.5
Theme version: 20.13
Package updates: All installed packages are up to date

Performing an email validation results in the following being exposed to the world:
220 usa.myhostname.tld ESMTP Postfix (Ubuntu)

instead of just myvirtualdomain.com

Surely this is a Security Risk?
Is there somewhere I can edit it?

It happens for any virtual server on the box and for any valid user email AND for any server that has a catch-all defined. I was only expecting genuine user emails to be shown as valid and to have the correct server name (not the hostname! and certainly not the Postfix or OS).

@Stegan,

*** be careful ***

Check your “/etc/postfix/main.cf” file…

There’s a variable “myhostname” which is what determines what hostname is specified by Postfix.

Keep in mind, this is the “system hostname”, so it will NOT reflect individual domains hosted on the server.

Why do you feel this would be a security risk?

It is available to everyone on the net and, just like exposing an IP or full email address, it presents a target just by knowing the OS (Ubuntu). In this case the email validator is a publicly available NodeJS application provided through Github; it can simply be made to run on any system/localhost and is used by probably 1000s of other websites, maybe some of those suggested in other forums for checking domains and mail boxes.

Thanks for the pointer to the file. I presume changing this to something else (like a blank empty value) will not break any of the mail boxes on any of the servers. Of course it would be better to be able to change this to the correct domain for each virtual server.

PS I have done a bit more digging and see that for another test the response is
220 eu-smtp-1.mimecast.com ESMTP; Thu, 09 Mar 2023 14:02:50 +0000

main.cf: smtpd_banner = $myhostname ESMTP

@Stegan,

The hostname should be set to the primary domain of the server… This is also the domain that should be set up with your provider as the “reverse lookup” for the IP address to ensure you don’t end up getting blacklisted for them not matching.

It’s never set to the hostname of the sending domain (domain sending a message), as you’ll see if you ever test against other people’s email addresses. This is not how it’s intended to work.

Try these commands to see what I mean:

dig mx look.net

This will reveal the MX domain is eml1.look.net

dig a eml1.look.net

This will reveal the IP address 64.227.96.129

dig -x 64.227.96.129

This will reveal the domain eml1.look.net

telnet eml1.look.net 25

This will reveal 220 eml1.look.net ESMTP Postfix (Ubuntu)

This is a properly setup server.

*** this is a REAL server, go ahead and try to abuse it :) ***
*** TRY because well, we’ve got lots of good security measures in place to prevent it from being ***

This server hosts dozens of domains, and all pointing to it would result in the same hostname being used.
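The dig/telnet walk-through above, turned into a small script. This is an added example, not code from the thread or from Virtualmin/Postfix: it checks that the MX host, the PTR name of its address and the host named in the SMTP 220 greeting agree, and flags greetings that append software details; dig, nc and sed are assumed to be installed, and the live function needs network access.

```shell
#!/bin/sh
# Added example, not from the thread or from Virtualmin/Postfix. It scripts the
# dig/telnet walk-through: the MX host, the PTR of its address and the host
# named in the SMTP 220 greeting should all agree. dig, nc and sed are assumed.

# Hostname from a 220 greeting line (handles "220 " and multi-line "220-").
# "220 eml1.look.net ESMTP Postfix (Ubuntu)" -> "eml1.look.net"
banner_host() {
    printf '%s\n' "$1" | sed -n 's/^220[- ]\([^ ]*\).*/\1/p'
}

# Succeeds when nothing but "ESMTP" (or nothing at all) follows the hostname,
# i.e. the greeting does not advertise the MTA or OS the way the thread's did.
banner_minimal() {
    rest=$(printf '%s\n' "$1" | sed -n 's/^220[- ][^ ]* *//p')
    case "$rest" in
        ''|ESMTP) return 0 ;;
        *)        return 1 ;;
    esac
}

# Compare MX host, PTR name and greeting host; print each mismatch and
# succeed only when all three are identical.
check_names() {
    mx=$1; ptr=$2; greeted=$3; rc=0
    [ "$ptr" = "$mx" ] || { echo "PTR '$ptr' differs from MX host '$mx'"; rc=1; }
    [ "$greeted" = "$mx" ] || { echo "greeting names '$greeted', not MX host '$mx'"; rc=1; }
    return $rc
}

# Live check for a domain (needs network; not exercised offline).
# Usage: check_live look.net
check_live() {
    # lowest-preference MX, trailing dot stripped
    mx=$(dig +short mx "$1" | sort -n | awk 'NR==1 { sub(/\.$/, "", $2); print $2 }')
    ip=$(dig +short a "$mx" | head -n 1)
    ptr=$(dig +short -x "$ip" | head -n 1 | sed 's/\.$//')
    # send QUIT so the session closes cleanly; the first line is the 220 greeting
    greeting=$(printf 'QUIT\r\n' | nc -w 5 "$mx" 25 | head -n 1 | tr -d '\r')
    echo "MX=$mx IP=$ip PTR=$ptr greeting=$greeting"
    check_names "$mx" "$ptr" "$(banner_host "$greeting")" || return 1
    banner_minimal "$greeting" || { echo "greeting also reveals software details"; return 2; }
}
```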

Well, that did get rid of the "Postfix (Ubuntu)", but replacing $myhostname with $mydomain didn’t seem to change anything, so I just left it as “ESMTP” and email still seems to arrive OK.

I have just tested on a few (3) other domains I own that are email + website on other servers (not Virtualmin) and they show the mx.domain or mail.domain of that server:
220 mxint.1and1.com (mxcorp101) ESMTP Thu, 09 Mar 2023 16:55:01 +0100
220 mx.google.com ESMTP fl10-20020a05600c0b8a00b003eb39122fadsi179163wmb.155 - gsmtp

If smtpd_banner is set to an empty value “” this looks even better.

@Stegan,

Yes, in most cases the MX domain is also the hostname of the machine… But the point I was conveying was that it won’t be the domain you’re sending email from; it’ll be a universal domain used for all email sent from that server. In a more complex setup like Google, if you do some research, it could be a number of different hostnames to the scale of their network.

The banner on the other hand, as you’ve realized can be changed to nearly anything…

Anyways, looks like you’ve reached a satisfactory solution, and hopefully have learned a few things along the way. Cheers!

@tpnsolutions Thanks again. Yes, the banner seems an interim solution. It was never about the domain of the sending domain (which I would guess has other implications) and never about revealing the “exchanges” or IP address of the domain; it was about revealing the same hostname for every domain on the box in that banner. I would rather that only the domain name gets revealed for a specific user@email, as this is an email validator (so a FAIL should be the outcome if the user/alias doesn’t exist).

You have an interesting understanding of risk. You have to provide some name to SMTP servers you connect to. It is mandatory. And, if you want your mail to be delivered, it must be a name that resolves to the correct IP of the server. Likewise, the IP is public information. You can’t hide it from the mail servers you are connecting to.

There is nothing sensitive about the hostname or IP of a public server. If you want to use a different hostname, that’s fine. But, you should not put sensitive information in any hostname.


@Joe, I’m sorry but I think there is a language problem here!

I don’t care about my IP or MX addresses list or domain name being exposed. But I do care that the hostname usa.myhostname.tld, which has nothing to do with the domain name, or details about the operating system or mail program are being exposed. I do have a valid domain myhostname.tld; it was used when I set up Virtualmin (I don’t do that any more - I now use a non-existent FQDN to add my live domains as virtual servers). The issue was that the myhostname.tld was being returned to every enquiry to any and all user email addresses (including catch-all) on any of the genuine domains. This is so very misleading: an enquiry for nobody@genuinedomain.com or nobody@genuinedomain2.com or nobody@myhostname.tld would all display “success” usa.myhostname.tld instead of the correct mail.address for the correct domain.

It is not just the smtpd_banner that is being displayed by this utility, as under the hood it is firing multiple SMTP commands to each mx.address for a bunch of “default” users, effectively seeking out “alternative” users/aliases. So you might have a user set up as e.g. joe@, but it would seek out admin@, sales@, postmaster@ etc., effectively ignoring bounces until it finds a mailbox to spam or worse.
Making the smtpd_banner blank does sort of fix the problem of the OS and “Postfix” being exposed and the FQDN of the box, but it would be nicer and more correct to see the $mydomain of the appropriate domain displayed. Like a postfix main.cf for each domain?

@Stegan,

When you installed Virtualmin, did you by chance leave the “hostname” empty while running “install.sh”?

If so, perhaps the hostname detected by your system at the time was “usa.myhostname.tld”

This would explain why it was used in the configuration.

Wow, that is going back a bit. All I can remember is that it was a clean box (as recommended) with a hostname as required by DO (I used a genuine valid FQDN (from a different VPN) as it was being moved from Ionos to me). I then added Virtualmin using the basic install (LEMP version) plus several other domains as virtual servers, added Node and other programs that were required by the websites being transferred and the certificates, and finally users. They are all working.
I then learnt my original mistake of using a genuine domain as FQDN for Virtualmin, so I changed it to “usa.myhostname.tld” literally (which obviously does not exist) and created a virtual server for theoriginalexistingdomain.com.

I have just added another new domain and, as expected, it also gets the same default $myhostname. From what I can deduce from the Postfix docs (minimal reading) it should be getting $mydomain from somewhere.

@Stegan,

When naming a server, you should use a “real” domain, but not the “naked” domain (ex. domain.com) but rather prefix with a “hostname” (ex. host.domain.com). The domain used should match the “reverse lookup” for the IP address, especially when it comes to hosting email, as third-party servers often check the “reverse lookup” against the “forward lookup” to ensure they match. If not, you could become a victim of being labeled a SPAMMER. Ugh…

In any event, by your own admission you did at some point set the domain “usa.myhostname.tld”… So unfortunately, you created your own situation, at least if I read the above correctly.

Regardless, hopefully this thread has helped you learn a bit more about setting up a server correctly.

In my own infrastructure, I actually delegated a domain specifically for the task of setting up server hostnames called “tpnservers.com”…

Each of my servers get a “role-based” hostname such as:

dnsX.tpnservers.com => dns servers
emlX.tpnservers.com => email servers
sqlX.tpnservers.com => database servers
webX.tpnservers.com => web servers

Each server hostname maps to the IP address of the system, and the IP address maps to the hostname.

*** FYI: If you ever host a machine with multiple IP addresses, you just need to map the hostname to “one” of them. ***


I guess you are saying if you telnet domainA.com 25 postfix would return something like
220 domain.com ESMTP Mail Server
and for domainB.com postfix would return something like
220 domainB.com ESMTP Mail Server
If that is the case, the only way I have managed this was to set each domain on its own IP address. For whatever reason I have a few IPs set up in vmin for different domains and postfix just returns the domain name of that IP, but if I have misread what you are asking, ignore this.

Yes (I’m guessing that email validator is using telnet under the hood), but you are correct.

Setting Virtualmin up for each domain sort of defeats the object of it as far as I can see. And given the large number of domains, it would require a massive commitment in time (years I don’t have); neither do I have the time or inclination to become an expert in Postfix.

I assumed (wrongly) that each virtual domain created would add a supplementary override $mydomain to Postfix to handle the banner, so it would display as above.

Looking through postfix main.cf I see Virtualmin has a variable $DOMAIN in the line “mailbox_command = /usr/bin/procmail-wrapper -o -a $DOMAIN -d $LOGNAME”; perhaps that could be used? I am no postfix expert, just a thought.

Sadly not, as it just returns an “error in main.cf”, and if “domain” is used it literally uses the word “domain”. I guess the $DOMAIN is somehow interpreted later. The docs seem to talk about $mydomain, but that either is not set anywhere or is also of no use here.

@Stegan - why do you keep saying it was a mistake to use a valid FQDN for the host, since this is what you should do?
Especially in this context, with email deliverability in question.
It’s like you want to re-write the RFC for SMTP, as it clearly recommends the hostname mentioned to be valid. It also states that it’s normal to add software and version information as this is handy for multiple purposes.

It’s not considered a security risk, and anybody who connects to your server already knows the hostname, so what would you benefit from this exercise?

Again, you are also misunderstanding the problem!

Of course anyone who knows a user on a domain or visits a domain using a browser knows the domain name! You must think me stupid?

The issue is that anyone who uses this public node module (or presumably telnet) gets the banner of the hostname, which is NOT the name of the server they would expect. It would be like you telnet asking for postmaster@microsoft.com and getting back the address mx1.google.com, hardly what you would expect, and in such a case I would expect the domain to quickly be blacklisted.

All the domain names are valid, which is why I am happy for them to be displayed in the banner of their own domain, not some other person’s domain (even if it may be valid). It seems daft to display mail.google.com in the banner when it is not valid for any virtual domain.

The other problem I indicated above is that this module effectively pings many aliases of the domain seeking out possible valid users, as a result of getting a “success” on the exchange. I believe the alias list can be edited to effectively hammer any server.