Bug #2814

Relay denied to SMTP clients both in local networks and submission_whitelist

Added by Davide Principi over 5 years ago. Updated about 5 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-mail-server
Target version: v6.5
Security class:
Resolution:
Affected version: v6.5-final
NEEDINFO: No

Description

  • Add a subnet S in "Local networks" page
  • Add client C in S to submission_whitelist
  • C cannot relay messages on port 25

Packages:

postfix-2.10.3-1.el6.x86_64
nethserver-mail-common-1.3.3-1.ns6.noarch
nethserver-mail-server-1.7.0-1.ns6.noarch

Associated revisions

Revision 8ad1ad7d
Added by Davide Principi about 5 years ago

main.cf: smtpd_relay_restrictions set to empty value. Refs #2814

Revision 078f5da8
Added by Davide Principi about 5 years ago

main.cf: enforce submission_whitelist on client, helo and sender restrictions. Refs #2814

Revision 2c0aec50
Added by Davide Principi about 5 years ago

postfix/main.cf: adapted legacy policy to submission_whitelist changes in mail-common. Refs #2814

Revision ba000efe
Added by Davide Principi about 5 years ago

main.cf: new postfix/AccessPolicies prop. Refs #2814

The AccessPolicies prop is a comma separated list of policy
identifiers. An access policy is expected to change the access
restrictions enforced by smtpd and/or submission processes.

An access policy implementation is a function added to the
%access_policies global hash in main.cf template.

Functions are invoked by 10access_policy fragment. See
01access_policy_smtpauth for instance.

Moreover this change:

- Obsoletes postfix/SubmissionPolicyType prop applying a migration
fragment.

- Imported policies from nethserver-mail-server into
01access_policy_*.

- Activates smtpauth policy on migration-import event

Revision a5e2e2d8
Added by Davide Principi about 5 years ago

postfix/main.cf: obsoleted submission policy in mail-common. Refs #2814

Revision 9377a217
Added by Davide Principi about 5 years ago

mynetworks template: grant access from trusted networks if explicitly requested. Refs #2814

Revision c49a6f86
Added by Davide Principi about 5 years ago

Template "submission_whitelist" obsoleted by "access" table. Refs #2814

The old submission_whitelist template-custom fragments are still
included into access, to retain backward compatibility.

Revision 96efd9b9
Added by Davide Principi about 5 years ago

Changed mynetworks table format to cidr: Refs #2814

Revision 9c0643d8
Added by Davide Principi about 5 years ago

network-create, delete events: force reload to read mynetworks table. Refs #2814

Revision 13b63240
Added by Davide Principi about 5 years ago

amavisd.conf: read /etc/postfix/mynetworks.cidr. Refs #2814

Fixes trusted networks definition for amavisd.

History

#1 Updated by Davide Principi over 5 years ago

Since postfix-2.10 smtpd_relay_restrictions changed behaviour.

With Postfix versions before 2.10, the rules for relay permission and spam blocking were combined under smtpd_recipient_restrictions, resulting in error-prone configuration. As of Postfix 2.10, relay permission rules are preferably implemented with smtpd_relay_restrictions, so that a permissive spam blocking policy under smtpd_recipient_restrictions will no longer result in a permissive mail relay policy.

Our config has smtpd_relay_restrictions at default value from Postfix, and probably does not fit.

smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, 
  defer_unauth_destination

smtpd_recipient_restrictions = check_client_access hash:/etc/postfix/submission_whitelist, 
  reject_non_fqdn_recipient, check_recipient_access hash:/etc/postfix/internal_access, 
  permit_sasl_authenticated, reject_unauth_destination, reject_unverified_recipient
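
An added example, not part of the ticket or of the NethServer code: a simplified Python model of how smtpd walks smtpd_relay_restrictions and then smtpd_recipient_restrictions at RCPT TO. It shows why a whitelisted client is still deferred by the default relay list, and why an empty relay list (revision 8ad1ad7d) lets the recipient list decide. The table contents, mynetworks value and local domain are constructed, and only a subset of the restrictions from the configuration above is modelled.

```python
import ipaddress

# Constructed sample data (not from a real host): the whitelisted client of
# test case 1, an assumed mynetworks without it, and an assumed local domain.
ACCESS_TABLE = {"192.168.88.2": "OK"}
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]
LOCAL_DOMAINS = {"vboxnet1.tld"}
DEFAULT_RELAY = ["permit_mynetworks", "permit_sasl_authenticated",
                 "defer_unauth_destination"]
RECIPIENT = ["check_client_access", "permit_sasl_authenticated",
             "reject_unauth_destination"]

def evaluate(restriction, client_ip, rcpt, sasl_authenticated):
    """Return PERMIT, DEFER, REJECT or DUNNO for one restriction (simplified)."""
    local = rcpt.rsplit("@", 1)[-1] in LOCAL_DOMAINS
    if restriction == "permit_mynetworks":
        ip = ipaddress.ip_address(client_ip)
        return "PERMIT" if any(ip in net for net in MYNETWORKS) else "DUNNO"
    if restriction == "permit_sasl_authenticated":
        return "PERMIT" if sasl_authenticated else "DUNNO"
    if restriction == "check_client_access":
        return "PERMIT" if ACCESS_TABLE.get(client_ip) == "OK" else "DUNNO"
    if restriction == "defer_unauth_destination":
        return "DUNNO" if local else "DEFER"
    if restriction == "reject_unauth_destination":
        return "DUNNO" if local else "REJECT"
    raise ValueError("restriction not modelled: " + restriction)

def rcpt_decision(relay, recipient, client_ip, rcpt, sasl_authenticated=False):
    """Walk the relay list, then the recipient list, as smtpd does at RCPT TO."""
    for name, restrictions in (("relay", relay), ("recipient", recipient)):
        for r in restrictions:
            result = evaluate(r, client_ip, rcpt, sasl_authenticated)
            if result in ("DEFER", "REJECT"):
                return result, name   # a denial is final for the command
            if result == "PERMIT":
                break                 # skips the rest of this list only
    return "PERMIT", "end of lists"

if __name__ == "__main__":
    args = ("192.168.88.2", "davide@outside.tld")
    print(rcpt_decision(DEFAULT_RELAY, RECIPIENT, *args))
    print(rcpt_decision([], RECIPIENT, *args))
```

With the relay list empty, reject_unauth_destination in smtpd_recipient_restrictions is the only relay control, so every entry that returns OK ahead of it grants relay to that client.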

#2 Updated by Davide Principi over 5 years ago

Moreover nethserver-mail-server actions/templates are not bound to network-* events!

#3 Updated by Davide Principi about 5 years ago

  • Status changed from NEW to TRIAGED
  • % Done changed from 0 to 20

#4 Updated by Davide Principi about 5 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • % Done changed from 20 to 30

In branch b2750

#5 Updated by Davide Principi about 5 years ago

  • Description updated (diff)

#6 Updated by Davide Principi about 5 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 60

Packager note

The submission_whitelist template is now obsoleted by access. Changed nethserver-mail-common, and nethserver-mail-server wiki pages accordingly.

Install nethserver-mail-dev package to execute test cases.

Test case 1 - access by template-custom

  • Upgrade to modified version
  • Check mail relay is denied to foreign domain outside.tld:
     smtptest --ehlo vboxnet1.tld --from primo.utente@vboxnet1.tld --to davide@outside.tld --addr 192.168.88.2 --port 25
    
  • Add client IP to access table:
    mkdir -p /etc/e-smith/templates-custom/etc/postfix/access
    echo "192.168.88.2 OK" >> /etc/e-smith/templates-custom/etc/postfix/access/20testcase
    
  • Check mail relay is now allowed (repeat previous command).

Test case 2 - access by trusted network

  • Upgrade to modified version
  • Check mail relay is denied to foreign domain outside.tld:
     smtptest --ehlo vboxnet1.tld --from primo.utente@vboxnet1.tld --to davide@outside.tld --addr 192.168.99.2 --port 25
    
  • Enable trustednetworks access policy:
    config setprop postfix AccessPolicies trustednetworks
    signal-event nethserver-mail-common-save
    
  • From server-manager, add 192.168.99.0/24 to "Trusted networks"
  • Check mail relay is now allowed (repeat previous command).

Reset AccessPolicies to empty string and repeat signal-event to clean up.

Test case 3

Repeat cases 1 and 2, changing the port to --port 587 in the smtptest command.

#7 Updated by Davide Principi about 5 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

In nethserver-testing:
nethserver-mail-common-1.3.3-1.19git5aeec2c.ns6.noarch.rpm
nethserver-mail-server-1.7.0-1.9git836d38e.ns6.noarch.rpm
nethserver-mail-filter-1.1.6-5.0git2ea5d3e8.ns6.noarch.rpm

#8 Updated by Giacomo Sanchietti about 5 years ago

  • Assignee set to Giacomo Sanchietti

#9 Updated by Giacomo Sanchietti about 5 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 70 to 90

Test case 1

  • Without access template, relay is denied
  • After template modification, relay is allowed:
    mkdir -p /etc/e-smith/templates-custom/etc/postfix/access
    echo "192.168.1.22 OK" >> /etc/e-smith/templates-custom/etc/postfix/access/20clients
    signal-event nethserver-mail-common-save
    signal-event nethserver-mail-server-save

Test case 2

  • Without policy, relay is denied
  • After setting the policy, relay is allowed
    config setprop postfix AccessPolicies trustednetworks
    signal-event nethserver-mail-server-save

Test case 3

  • Same as test case 1 and 2

Also tested:

  • whitelist with old template (/etc/postfix/submission_whitelist)
  • access policy smtpauth:
    config setprop postfix AccessPolicies smtpauth
    signal-event nethserver-mail-server-save

NOTE
Please add documentation to Administrator and Developer manual before release.

#10 Updated by Giacomo Sanchietti about 5 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

Released in nethserver-updates:

  • nethserver-mail-server-1.8.0-1.ns6.noarch.rpm
  • nethserver-mail-common-1.4.0-1.ns6.noarch.rpm
  • nethserver-mail-filter-1.2.0-1.ns6.noarch.rpm

New documentation:
