Check authenticated user/identity before sending

For example,

  • user: first.user@example.com
  • pseudonym: info@example.com -> first.user@example.com

The user wants to send a message as first.user@example.com: it works for both first.user@example.com and first.user SMTP/AUTH login names.

But, if the user wants to send a message as info@example.com the regexp does not match.

The regexp is a good generic/fallback rule but we need a table where this record exists too:

info@example.com     first.user@example.com,first.user

I’d like to simplify the table, by not requiring ,first.user too… :thinking:

1 Like
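To make the lookup in the post above concrete, here is an added example (my own code, not Postfix or NethServer code) that models how Postfix resolves a MAIL FROM address through smtpd_sender_login_maps and applies reject_sender_login_mismatch. It assumes a hash table consulted before a pcre fallback, as in the setup discussed here; the pcre rule itself is an assumption, and the sample record is constructed from the post.

```python
"""Added example (not Postfix or NethServer code): a small model of how Postfix
resolves a MAIL FROM address through smtpd_sender_login_maps and applies
reject_sender_login_mismatch. It assumes a hash table consulted before a pcre
fallback; the pcre rule is an assumption and the sample record is constructed
from the post above."""
import re

# Constructed hash table: sender address -> comma-separated SASL login names
# that own it. This is the record the post says the table needs.
LOGIN_MAPS_HASH = {
    "info@example.com": "first.user@example.com,first.user",
}

# Assumed pcre fallback: a user may send as their own address whether they
# logged in as "first.user" or "first.user@example.com". A pcre table is
# matched against the full sender address only.
LOGIN_MAPS_PCRE = [
    (re.compile(r"^([^@]+)@example\.com$"), r"\1@example.com,\1"),
]


def lookup_owners(sender):
    """Return the login names allowed to use `sender`, or None if no table
    matches. For an indexed table Postfix tries the full address, then the
    local part, then @domain; the pcre table is only reached when the hash
    table produced nothing, because tables are searched in the order listed
    in smtpd_sender_login_maps."""
    sender = sender.lower()
    local, _, domain = sender.partition("@")
    for key in (sender, local, "@" + domain):
        if key in LOGIN_MAPS_HASH:
            return [x for x in LOGIN_MAPS_HASH[key].split(",") if x]
    for pattern, replacement in LOGIN_MAPS_PCRE:
        match = pattern.match(sender)
        if match:
            return [x for x in match.expand(replacement).split(",") if x]
    return None


def check_sender(login, sender):
    """Emulate reject_sender_login_mismatch for a SASL-authenticated client.
    Returns (accepted, reason); the reason follows the form of the smtpd log
    line quoted later in the thread. A sender that no table knows is rejected
    too: an authenticated client may only use addresses the maps say it owns."""
    owners = lookup_owners(sender)
    if owners is not None and login.lower() in [o.lower() for o in owners]:
        return True, "ok"
    return False, f"<{sender}>: Sender address rejected: not owned by user {login}"


if __name__ == "__main__":
    for login, sender in [
        ("first.user", "first.user@example.com"),              # pcre fallback
        ("first.user@example.com", "first.user@example.com"),  # pcre fallback
        ("first.user", "info@example.com"),                    # needs the hash record
        ("second.user", "info@example.com"),                   # not an owner
        ("first.user", "nobody@other.example"),                # unknown sender
    ]:
        print(login, sender, check_sender(login, sender))
```

The login name is compared as the client presented it at SASL time, which is why the record carries both `first.user@example.com` and `first.user`: the pcre rule covers a user's own address in either form, but the pseudonym only resolves through the hash record.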

we can force roundcubemail to use sasl=login

-$config['smtp_server'] = '127.0.0.1';
+$config['smtp_server'] = 'tls://127.0.0.1';

// SMTP port (default is 25; use 587 for STARTTLS or 465 for the
// deprecated SSL over SMTP (aka SMTPS))
$config['smtp_port'] = 587;

// SMTP username (if required) if you use %u as the username Roundcube
// will use the current username for login
-$config['smtp_user'] = '';
+$config['smtp_user'] = '%u';

// SMTP password (if required) if you use %p as the password Roundcube
// will use the current user's password for login
-$config['smtp_pass'] = '';
+$config['smtp_pass'] = '%p';

// SMTP AUTH type (DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN or empty to use
// best server supported one)
-$config['smtp_auth_type'] = '';
+$config['smtp_auth_type'] = 'LOGIN';
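Review bot: forcing `smtp_auth_type = 'LOGIN'` selects a mechanism that sends the password base64-encoded rather than hashed, so the safety of this change rests entirely on the `tls://` prefix added to `smtp_server` (STARTTLS on port 587, as the port comment says); applied without that line, every Roundcube user's credentials would cross the socket in clear text. Keep the two changes together, and check that the certificate Postfix presents on 127.0.0.1 validates from Roundcube's point of view (Roundcube's `smtp_conn_options` controls peer verification), otherwise sending fails at STARTTLS instead of working.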

after that we must respect the smtpd_sender_login_maps

workable with pseudonym @davidep :slight_smile:

I did and it is ok

Dec 13 17:23:01 ns7loc14 postfix/smtpd[5997]: connect from localhost[127.0.0.1]
Dec 13 17:23:03 ns7loc14 postfix/smtpd[5997]: NOQUEUE: reject: RCPT from localhost[127.0.0.1]: 553 5.7.1 <zorro@nethservertest.org>: Sender address rejected: not owned by user stephane@nethservertest.org; from=<zorro@nethservertest.org> to=<stephane@nethservertest.org> proto=ESMTP helo=<ns7loc14.nethservertest.org>
Dec 13 17:23:03 ns7loc14 postfix/smtpd[5997]: disconnect from localhost[127.0.0.1]

with the smtpd_sender_login_maps only known identities are allowed (pseudonym or real account)

https://sogo.nu/bugs/view.php?id=31

no TLS/SSL encryption in SOGO :cry:

A workaround is to use stunnel :frowning:

@mark_nl what do you think? We need TLS to authenticate with SASL, at least my first tries without it failed

Sorry, do not know what this is about… Will try to understand / read-in soon :hushed:

1 Like

We want to follow a strict policy for the sender address and allow only the good From address. The challenge here is that SOGo does not allow sending email with SASL authentication with TLS…

Either I am wrong (please shoot), or it is really incredible :smiley:

when you add : SOGoSMTPAuthenticationType = PLAIN;

you can no longer send email until you modify your Postfix configuration

-smtpd_tls_auth_only = yes
+smtpd_tls_auth_only = no
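Review bot: `smtpd_tls_auth_only = no` in main.cf is a global setting, so this hunk re-enables clear-text AUTH on every smtpd listener (25, 465, 587), not only on the loopback path SOGo uses; the protection the `yes` value gave remote clients' passwords is lost for all of them. Prefer keeping the global `yes` and overriding it only on a dedicated loopback listener in master.cf with `-o smtpd_tls_auth_only=no`.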

and you restart the service

But doesn't SOGo's SMTP connect to the same server (127.0.0.1) to send mail? Is it really necessary to use TLS/SSL?

1 Like

I think so yes :cry:

No way for stunnel to localhost!

TLS is required to protect the clear text password exchange from the client to the server side.

If both sides are bound to 127.0.0.1 tls is not required anymore.

Slapd can be configured for both cases. I’d expect Postfix allows the same.

One possible solution could be defining a dedicated smtpd instance listening on 127.0.0.1:587 (or another local ip?) with a specific option that allows clear text password exchange.

1 Like

you stated this :smiley:

we could think about this later. I would like to start a P.O.C. with a table of user accounts (email addresses, with pseudonyms too). We could have a workable remote SMTP, WebTop5 and Roundcubemail

What do you think ?

Ok let’s see a working prototype configuration for roundcube and postfix

1 Like

Sorry it took a while, this is not my territory of expertise.

I found this, which enlightened me:

I tend to agree with this, although I see the problem: it's hard to implement without breaking clients by closing one of the default SMTP ports (i.e. 25, 465, 587) with the firewall.

What about an extra custom port for postfix (ie 4465 ??) with localhost access restriction for PLAIN text login / auth ?

yes it is probably the only good solution, get another smtp service running on localhost with authentication but without TLS

I am not too concerned now; this will be optional, so we have time to think about it afterwards

I'm not sure if another smtpd is needed; just an extra listening port. Set the global setting to may (smtpd_tls_security_level=may) but enforce it on the default ports. Restrict access to the custom port to 127.0.0.0/8 but do not enforce TLS.

Pseudo config:

# public port: TLS enforced ("encrypt" is the Postfix value for this; there is no "yes")
25      inet  n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
# loopback-only port: bound to 127.0.0.1, SASL allowed without TLS
127.0.0.1:4465 inet  n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_tls_auth_only=no
  -o smtpd_sasl_auth_enable=yes
  -o mynetworks=127.0.0.0/8
  -o smtpd_client_restrictions=permit_mynetworks,reject

2 Likes

second PR, we are coming

1 Like

I installed the PR RPM and I come with some questions

  1. what is the expected behavior of a shared mailbox? If I can read (and modify?) a shared mailbox content, should I be allowed to send a message with its email address? For instance

    user: first.user, member of grp1
    shared mailbox: shmbx1, shared with grp1, email alias shared1@aliasdom.example.com

  2. what is the expected behavior of an alias address with multiple recipients? Should the recipients be allowed to send a message with the alias? For instance

    given email alias address sales@example.com expanded to first.user@example.com, second.user@example.com,
    can second.user set sales@example.com as message sender?

my /etc/postfix/login_maps expanded
# fully qualified aliases (address@domain)

master@dpnet.nethesis.it		admin,admin@dpnet.nethesis.it,
shared2@dpnet.nethesis.it		vmail+shmbx2,vmail+shmbx2,
# generic aliases expansion (address@)

chief@aliasdom.example.com		admin,admin@dpnet.nethesis.it,
chief@dpnet.nethesis.it		admin,admin@dpnet.nethesis.it,
external@aliasdom.example.com		user.external,user.external@nethesis.it,
external@dpnet.nethesis.it		user.external,user.external@nethesis.it,
info@aliasdom.example.com		vmail+shmbx2,vmail+shmbx2,
info@dpnet.nethesis.it		vmail+shmbx2,vmail+shmbx2,
postmaster@aliasdom.example.com		root,root,
postmaster@dpnet.nethesis.it		root,root,
shared1@aliasdom.example.com		vmail+shmbx1,vmail+shmbx1,
shared1@dpnet.nethesis.it		vmail+shmbx1,vmail+shmbx1,

@stephdl, my proposal for the implementation is

  • treat shared mailbox as “receive-only” address: we can’t obtain the group members list dynamically (so question 1: no)
  • to consider only Account= values with a @domain suffix matching the machine domain. Other entries seem redundant (so question 2: yes)
  • the values have to be listed both with and without the @domain suffix (as from your PR)

1 Like

Actually this is what I did

  • alias of an email :
    steph@domain.com (first email) can send with steph@domain.org if we set this email as its alias, or any domain of the server if the alias exists for each domain.

  • alias for group of people
    let's set group@domain.com (or group@) of three users, user1 user2 user3, for one domain or each domain of the server. Each member of this group can send with its email and the identity group@domain.com, group@domain.org (if domain.org exists on the server).

Obviously when the sender identity check is enabled, you can no longer use an identity which is not present in /etc/postfix/login_maps and /etc/postfix/login_maps.pcre

For the shared mailbox, I thought at first that it is only to receive email, and I did nothing; I probably missed adding logic to exclude them from /etc/postfix/login_maps, even if it should not hurt.

To @all, do you see any missing feature for you? @saitobenkei what do you need more?

1 Like
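As an added example tying together the expanded login_maps dump posted above and the alias / group-alias behaviour just described, here is a generator (my own code, not the NethServer PR's implementation) that emits login_maps lines in the dump's layout while following the proposal in the thread: shared mailboxes stay receive-only, only accounts whose domain is the machine domain count as owners, group aliases expand to their members, and each owner is listed both with and without the @domain suffix. The domains, account names, group table and alias table are constructed for the example.

```python
"""Added example (not the NethServer PR's code): builds /etc/postfix/login_maps
lines in the layout of the dump posted in the thread, following the proposal
made there. Domains, account names and the input structures are constructed."""

MACHINE_DOMAIN = "dpnet.nethesis.it"                            # assumed
SERVER_DOMAINS = ["dpnet.nethesis.it", "aliasdom.example.com"]  # assumed

# Constructed group memberships (Account= style values, assumed form).
GROUPS = {
    "grp1": ["first.user@dpnet.nethesis.it", "second.user@dpnet.nethesis.it"],
}

# Constructed alias table: key is "local@domain" for a fully qualified alias
# or "local@" for one that exists in every server domain; values are delivery
# targets: user accounts, group names, or "vmail+NAME" shared mailboxes.
ALIASES = {
    "master@dpnet.nethesis.it": ["admin@dpnet.nethesis.it"],
    "shared2@dpnet.nethesis.it": ["vmail+shmbx2"],
    "chief@": ["admin@dpnet.nethesis.it"],
    "external@": ["user.external@nethesis.it"],   # forward to another domain
    "sales@": ["grp1"],                           # distribution list
    "shared1@": ["vmail+shmbx1"],
}


def expand_targets(targets):
    """Replace group names with their members; other targets pass through."""
    members = []
    for target in targets:
        members.extend(GROUPS.get(target, [target]))
    return members


def owners_for(targets):
    """Login names allowed to send as an alias delivered to `targets`."""
    owners = []
    for account in expand_targets(targets):
        if account.startswith("vmail+"):
            continue                      # shared mailbox: receive-only
        local, _, domain = account.partition("@")
        if domain != MACHINE_DOMAIN:
            continue                      # external target: nobody owns it
        for form in (local, f"{local}@{MACHINE_DOMAIN}"):
            if form not in owners:
                owners.append(form)
    return owners


def render_login_maps(aliases):
    """Return the login_maps text. Aliases without owners are left out, so
    reject_sender_login_mismatch refuses them for every login name."""
    qualified, generic = [], []
    for alias, targets in aliases.items():
        owners = owners_for(targets)
        if not owners:
            continue
        value = ",".join(owners) + ","    # trailing comma, as in the dump
        local, _, domain = alias.partition("@")
        if domain:
            qualified.append(f"{alias}\t\t{value}")
        else:
            generic.extend(f"{local}@{d}\t\t{value}" for d in SERVER_DOMAINS)
    lines = ["# fully qualified aliases (address@domain)", ""]
    lines += sorted(qualified)
    lines += ["# generic aliases expansion (address@)", ""]
    lines += sorted(generic)
    return "\n".join(lines) + "\n"


def parse_login_maps(text):
    """Read the generated text back into {alias: [owner, ...]}."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        key, value = line.split("\t\t", 1)
        entries[key] = [v for v in value.split(",") if v]
    return entries


if __name__ == "__main__":
    print(render_login_maps(ALIASES), end="")
```

Run it and feed the output to `postmap`. Because aliases that end up with no owners (shared mailboxes, forwards to another domain) are simply absent from the table, no login name can claim them once reject_sender_login_mismatch is active, which is the receive-only behaviour proposed above.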

On testing :doughnut::cookie::birthday::cake::cupcake::pie::chocolate_bar::candy::lollipop::ice_cream::shaved_ice::icecream::takeout_box:

my PR is accepted :slight_smile:

3 Likes

A post was split to a new topic: Enable SMTP Login/Sender address validation