Connections from IP addresses not listed in mynetworks are not being rejected #38

Closed
pedroetb opened this issue Oct 21, 2020 · 2 comments

Comments

@pedroetb

Hi! I'm testing your image and got an unexpected behaviour.

Note: example.org is not the real domain I'm using. With that domain, some MX record failures come around. But with a proper DNS configuration of the real domain, the example works as explained.

Running the relay in a device with 10.0.0.100 IP address:

docker run --rm --name postfix \
  -e "ALLOWED_SENDER_DOMAINS=example.org" \
  -e POSTFIX_mynetworks=192.168.0.0/16 \
  -p 587:587 \
  boky/postfix:v2.0.1

And then, sending an email from a local device with 10.0.0.103 IP address:

$ cat email.txt
From: postmaster <postmaster@example.org>
To: recipient <recipient@example.org>
Subject: email test
Date: Wed, 21 Oct 2020 21:44:16

Test content.

$ curl smtp://10.0.0.100:587 --no-progress-meter --mail-from postmaster@example.org --mail-rcpt recipient@example.org --upload-file email.txt
# no error output

# relay logs
2020-10-21T20:56:22.523859+00:00 INFO    postfix/smtpd[121]: connect from unknown[10.0.0.103]
2020-10-21T20:56:22.604897+00:00 INFO    postfix/smtpd[121]: 939BB74778B: client=unknown[10.0.0.103]
2020-10-21T20:56:22.605868+00:00 INFO    postfix/cleanup[125]: 939BB74778B: message-id=<>
2020-10-21T20:56:22.610470+00:00 INFO    postfix/qmgr[120]: 939BB74778B: from=<postmaster@example.org>, size=327, nrcpt=1 (queue active)
2020-10-21T20:56:22.610943+00:00 INFO    postfix/smtpd[121]: disconnect from unknown[10.0.0.103] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
...

It accepts the connection and sends the email, but only 192.168.0.0/16 was allowed, so this shouldn't be possible.

I'm using POSTFIX_smtpd_client_restrictions=permit_mynetworks,reject as a workaround, and it works as expected:

docker run --rm --name postfix \
  -e "ALLOWED_SENDER_DOMAINS=example.org" \
  -e POSTFIX_mynetworks=192.168.0.0/16 \
  -e POSTFIX_smtpd_client_restrictions=permit_mynetworks,reject \
  -p 587:587 \
  boky/postfix:v2.0.1

$ curl smtp://10.0.0.100:587 --no-progress-meter --mail-from postmaster@example.org --mail-rcpt recipient@example.org --upload-file email.txt
curl: (55) RCPT failed: 554

# relay logs
2020-10-21T20:59:40.689023+00:00 INFO    postfix/smtpd[119]: connect from unknown[10.0.0.103]
2020-10-21T20:59:40.689564+00:00 INFO    postfix/smtpd[119]: NOQUEUE: reject: RCPT from unknown[10.0.0.103]: 554 5.7.1 <unknown[10.0.0.103]>: Client host rejected: Access denied; from=<postmaster@example.org> to=<recipient@example.org> proto=ESMTP helo=<email.txt>
2020-10-21T20:59:40.689814+00:00 INFO    postfix/smtpd[119]: disconnect from unknown[10.0.0.103] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
...

Maybe this smtpd_client_restrictions=permit_mynetworks,reject should be set by default in postfix configuration? Thanks!
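
The two relay logs in the report above can be checked mechanically. This is an added example, not part of the issue or of the project's code: it flags messages that smtpd queued from clients outside `mynetworks`. The function names and the third sample line are constructed, and it assumes plain CIDR entries and that SASL-authenticated sessions are exempt.

```python
import ipaddress
import re

# Line shapes taken from the relay logs quoted in the issue.
ACCEPT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: ([0-9A-Za-z]+): client=[^\[\s]*\[([0-9A-Fa-f.:]+)\]")
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from [^\[\s]*\[([0-9A-Fa-f.:]+)\]")


def parse_mynetworks(value):
    """Parse a comma- or space-separated CIDR list such as POSTFIX_mynetworks.

    Assumption: plain CIDR entries only (no table lookups or "!" exclusions).
    """
    entries = [e for e in re.split(r"[,\s]+", value.strip()) if e]
    # Postfix writes IPv6 networks as [::1]/128; drop the brackets.
    return [ipaddress.ip_network(e.replace("[", "").replace("]", ""), strict=False)
            for e in entries]


def audit_relay_log(lines, mynetworks):
    """Return (accepted, rejected) events for clients outside mynetworks."""
    nets = parse_mynetworks(mynetworks)

    def outside(addr):
        ip = ipaddress.ip_address(addr)
        return not any(ip in net for net in nets)

    accepted, rejected = [], []
    for line in lines:
        m = ACCEPT_RE.search(line)
        # Assumption: SASL-authenticated sessions may relay from anywhere.
        if m and "sasl_username=" not in line and outside(m.group(2)):
            accepted.append((m.group(1), m.group(2)))  # (queue id, client IP)
            continue
        m = REJECT_RE.search(line)
        if m and outside(m.group(1)):
            rejected.append(m.group(1))
    return accepted, rejected


# Lines 1-2 are from the issue's logs (line 2 shortened); line 3 is constructed.
SAMPLE_LOG = [
    "2020-10-21T20:56:22.604897+00:00 INFO    postfix/smtpd[121]: 939BB74778B: client=unknown[10.0.0.103]",
    "2020-10-21T20:59:40.689564+00:00 INFO    postfix/smtpd[119]: NOQUEUE: reject: RCPT from unknown[10.0.0.103]: 554 5.7.1 Client host rejected",
    "2020-10-21T21:05:00.000000+00:00 INFO    postfix/smtpd[130]: 0A1B2C3D4E5: client=unknown[192.168.1.20]",
]

if __name__ == "__main__":
    print(audit_relay_log(SAMPLE_LOG, "192.168.0.0/16"))
```

A non-empty first list means the relay queued mail from an address outside `mynetworks`, which is the behaviour reported here; entries in the second list show the restriction doing its job.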

@bokysan
Owner

bokysan commented Oct 22, 2020

Thank you for your report. I will look into it and try to set up a test case.

bokysan added a commit that referenced this issue Oct 24, 2020
The postfix configuration was a bit too permissive with `mynetworks`.

This commit:
- adds `reject` at the end of `*restrictions` list
- adds tests for this feature
@bokysan
Owner

bokysan commented Oct 24, 2020

This should be resolved in the latest master.

@bokysan bokysan closed this as completed Oct 24, 2020