Check authenticated user/identity before sending

inoutchina · 2017-08-19 09:03:42 UTC

NethServer Version: 7.3.1611
Module: Mail

I have setup a NethServer with 2 user (user1, user2). After that I installe the mail module and roundcube. All works fine. Now when I log into roundcube with user1 I can create a identity with the mail address of user2. With this I can send mails as user2. Of course if the mail gets answered to it will end up in the mailbox of user2. Nevertheless it seems the mail server only checks if the user (in my case user1) is authenticated but not if the mailadress that is used to send a mail is actually “mapped” to the logged in user.

Could anybody verify if that is really true or if I messed up the settings somewhere along the way?

Thanks in advanced for your help. This is my first post so please if I made a mistake or missed to mention something do not hesitate to correct me.

PS: I use ldap for usermanagement

Cheers
Dan

filippo_carletti · 2017-08-19 09:12:45 UTC

This is the expected behaviour. There is an enhancements request to add a checkbox somewhere to enforce sendder=authenticated user (I can’t find a reference to the issue now).

inoutchina · 2017-08-19 10:04:59 UTC

Hi there,

Thank you for your fast reply. Do I understand that correctly that there is a request for that feature? Is it possible to sponsor such a feature?

“This is the expected behaviour”? Isn’t that very problematic that user can send mails as anyone else on the server? Seems to me like a big security risk.

Happy Weekend
Dan

alefattorini · 2017-08-22 10:55:55 UTC

We should use this postfix parameter:
reject_authenticated_sender_login_mismatch

I can’t find the issue, just another request: Restricting Sending external Mails

More info about that.

http://www.postfix.org/RESTRICTION_CLASS_README.html#external

filippo_carletti · 2017-08-22 12:33:27 UTC

Or, maybe, reject_sender_login_mismatch.
Some research is needed.

inoutchina · 2017-08-23 09:07:01 UTC

I am not sure if that solution would solve my particular problem. I will look into it a bit more. It would solve the problem at hand but for my purposes it will probably cause new ones.

The problem is that my users have multiple mailaddresses which they need to receive and send messages. So one user can have mutltiple addresses that they send from. As of now, they can send as all users.

Sidenote: I am open for discussion to sponsor such a feature. If there is a way to support the project in that way and fastforward a featuer I need then I am very open to it.

alefattorini · 2017-08-23 10:39:28 UTC

Thanks for your willingness, we don’t have a clear path for that.
We can try again with BountySource.

Other communities are used to set up a sort of marketplace category. Not just for development purposes but also in order to set up a new NethServer installation and support it

inoutchina · 2017-08-24 18:53:44 UTC

Thanks for the reply. I was trying bountysource. But I didn’t figure out how to open an issue and set a bounty. Seems to be complicated or well, lack of intelligence on my part. If you could open the issue regarding my mail problem I could set a bounty.

filippo_carletti · 2017-08-25 06:39:25 UTC

If you are willing to research the problem, come up with a solution and test the code, I will sponsor the feature.
The main issue here is how to “map” user accounts to email addresses.
Describe how you would like to have it, please.

saitobenkei · 2018-01-31 15:27:50 UTC

Hi,

I would like to configure Nethserver NG 7.x to allows to send mails only if the sender ("From: ") is the same of the autenticated user or he/she have some allowed identities.

I tried with this article:

https://superuser.com/questions/1037395/how-can-i-prevent-that-an-user-sends-mail-like-another-user-on-postfix

that it’s seems to do what I want, but I can’t make it work.

The identities may be differents from the user’s email domain.

Example:

my account in the server is saitobenkei@domain.tld and I want to be allow to send mails from my account only if in the "From: " field I put saitobenkei@domain.tld (my e-mail address) or some identities as pippo@domain.tld, saitobenkei@anotherdomain.tld, othermail@newdomain.tld (these are only identity that I allowed to use wit my account).

Some clue/help?

Thankyou.

giacomo · 2018-01-30 15:47:31 UTC

I managed to have a working implementation, but it is just for fun
Creating a simple panel to configure this behavior would be complex.

Before proceed, you need to understand how it works, otherwise some users will not be able to send any mail. Take a look at: https://blog.felipe-alfaro.com/2006/02/19/block-sender-address-spoofing-with-smpt-auth/
So, let’s start.

Configuration

1. Create a template-custom

Execute:

mkdir -p /etc/e-smith/templates-custom/etc/postfix/master.cf

Content of /etc/e-smith/templates-custom/etc/postfix/master.cf/40restrictions:

{
    push @submission_smtpd_options, 'smtpd_sender_restrictions=reject_authenticated_sender_login_mismatch';
    push @submission_smtpd_options, 'smtpd_sender_login_maps=hash:/etc/postfix/smtpd_sender_login_maps';

    '';
}

2. Create a map between users and allowed addresses

Content of /etc/postfix/smtpd_sender_login_maps:

u1@local.neth.eu u1
@local.neth.eu u2

3. Apply the configuration

Execute:

postmap /etc/postfix/smtpd_sender_login_maps

signal-event nethserver-mail-server-update

Testing

You can test it with curl.

This should be allowed:

curl -k -n --ssl-reqd --url "smtps://localhost:465" --mail-from u2@local.neth.eu --mail-rcpt u2@local.neth.eu --upload-file /dev/null -u u2:Nethesis,1234 -v

This should be denied:

curl -k -n --ssl-reqd --url "smtps://localhost:465" --mail-from u2@local.neth.eu --mail-rcpt u2@local.neth.eu --upload-file /dev/null -u u1:Nethesis,1234 -v

saitobenkei · 2018-01-31 08:23:43 UTC

@giacomo

Also in this case Webtop 5 doesn’t care of the configuration and it sends mail with any identity is configured in the account.

It seems isn’t a 587 port “fault” because SMTP on Thunderbird, configured to use 587 port, works correctiy as expected.

giacomo · 2018-01-31 08:52:06 UTC

I confirm that the port 587 honors the configuration, you can check it with:

curl -k -n --ssl-reqd --url "smtp://localhost:587" --mail-from u2@local.neth.eu --mail-rcpt u2@local.neth.eu --upload-file /dev/null -u u1:Nethesis,1234 -v

This is a completely different topic, each client can use its own configuration to set the “mail from” field (which could be completely different than “From:” header inside the message).

saitobenkei · 2018-01-31 10:06:19 UTC

Webtop 5 seems to not honour configurations made here:

davidep · 2018-01-31 10:15:56 UTC

Thank you for pointing out this issue: it can be a validation point for the final implementation. i.e.:

“Can WT5 honor the sender address policy?”

How WT5 can implement it depends also on how NS implements it. We must see where this #feature request can lead us.

giacomo · 2018-02-01 08:38:09 UTC

Just to make it clear, @saitobenkei do you want to force the envelope sender to be the same as the header one? See this link for an explanation

Please, also bear in mind that web applications installed on the mail server usually don’t use any authentication for sending mail, so no forced check cannot be done unless clients can be explicitly configured to act differently.

saitobenkei · 2018-02-01 08:56:13 UTC

I would like that all applications (expecially those the are a standard in the distribution) work in a coherent manner…

If I need to set up that the account you send is the same as the one with which I authenticate myself, it must work with any software provided in the distribution.

(Same applies to blocking user-level mail/groupware access from untrusted networks).

davidep · 2018-02-01 12:55:14 UTC

I’d rather say “it should work”: some software could not allow to implement this feature by now.

saitobenkei · 2018-03-22 09:14:06 UTC

if there’s the rspamd module installed, the last command should be:

signal-event nethserver-mail2-server-update

stephdl · 2018-03-22 09:24:08 UTC

no nethserver-mail should have the same event nethserver-mail-server-save