
Mailcow allows sender spoofing #5898

Closed
5 tasks done
func0der opened this issue Jun 6, 2024 · 12 comments
Labels
incomplete need-info needs to provide more info about the issue

Comments

@func0der

func0der commented Jun 6, 2024

Contribution guidelines

I've found a bug and checked that ...

  • ... I understand that not following the below instructions will result in immediate closure and/or deletion of my issue.
  • ... I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
  • ... I have understood that answers are voluntary and community-driven, and not commercial support.
  • ... I have verified that my issue has not been already answered in the past. I also checked previous issues.

Description

You can spoof an email from an external server from an existing mail to an existing mailbox.

I guess this is because of missing `reject_sender_login_mismatch` in the `smtpd_sender_restrictions` settings, which would ensure that you cannot send emails for an existing email address without a valid SASL authentication.

Logs:

```
postfix-mailcow-1  | Jun  7 00:11:23 b1179c11bf27 postfix/postscreen[357]: CONNECT from [1.1.1.1]:48322 to [172.22.1.253]:25
postfix-mailcow-1  | Jun  7 00:11:23 b1179c11bf27 whitelist_forwardinghosts: Look up 1.1.1.1 on whitelist, result 200 DUNNO
postfix-mailcow-1  | Jun  7 00:11:24 b1179c11bf27 postfix/postscreen[357]: PASS OLD [1.1.1.1]:48322
postfix-mailcow-1  | Jun  7 00:11:24 b1179c11bf27 postfix/smtpd[376]: connect from mail.someexternalmailserver.de[1.1.1.1]
postfix-mailcow-1  | Jun  7 00:11:24 b1179c11bf27 postfix/smtpd[376]: discarding EHLO keywords: CHUNKING
postfix-mailcow-1  | Jun  7 00:11:24 b1179c11bf27 postfix/smtpd[376]: TLS SNI mail.mymailserver.com from mail.someexternalmailserver.de[1.1.1.1] not matched, using default chain
postfix-mailcow-1  | Jun  7 00:11:24 b1179c11bf27 postfix/smtpd[376]: Anonymous TLS connection established from mail.someexternalmailserver.de[1.1.1.1]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256
postfix-mailcow-1  | Jun  7 00:11:24 b1179c11bf27 postfix/smtpd[376]: discarding EHLO keywords: CHUNKING
postfix-mailcow-1  | Jun  7 00:11:24 b1179c11bf27 postfix/smtpd[376]: 785EB12860F9: client=mail.someexternalmailserver.de[1.1.1.1]
postfix-mailcow-1  | Jun  7 00:11:24 b1179c11bf27 postfix/cleanup[380]: 785EB12860F9: message-id=<FrYevkvBIDY4x4sA1zUJrldclkk9cIYU78mjR3d8Es@mail.someexternalmailserver.de>
postfix-mailcow-1  | Jun  7 00:11:25 b1179c11bf27 postfix/qmgr[353]: 785EB12860F9: from=<user1@mymailserver.com>, size=773, nrcpt=1 (queue active)
postfix-mailcow-1  | Jun  7 00:11:26 b1179c11bf27 postfix/smtpd[376]: disconnect from mail.someexternalmailserver.de[1.1.1.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
postfix-mailcow-1  | Jun  7 00:11:26 b1179c11bf27 postfix/lmtp[381]: 785EB12860F9: to=<user2@mymailserver.com>, relay=dovecot[xxx]:24, delay=1.6, delays=1.5/0.01/0/0.07, dsn=2.0.0, status=sent (250 2.0.0 <user2@mymailserver.com> CBhyOw00YmbzxQAAWves7g Saved)
postfix-mailcow-1  | Jun  7 00:11:26 b1179c11bf27 postfix/qmgr[353]: 785EB12860F9: removed
```

Steps to reproduce:

1. Set up a mailcow instance
2. Configure domain.com
3. Create mailbox user1@
4. Create mailbox user2@
5. Connect from an external server via telnet or whatever
6. `MAIL FROM: user1@domain.com`
7. `RCPT TO: user2@domain.com`

Which branch are you using?

master

Which architecture are you using?

x86

Operating System:

Docker

Server/VM specifications:

unrelated

Is Apparmor, SELinux or similar active?

no

Virtualization technology:

Docker version:

26.0.1

docker-compose version or docker compose version:

2.26.1

mailcow version:

2024-04-1-g468e9a47

Reverse proxy:

nginx

Logs of git diff:

-

Logs of iptables -L -vn:

-

Logs of ip6tables -L -vn:

-

Logs of iptables -L -vn -t nat:

-

Logs of ip6tables -L -vn -t nat:

-

DNS check:

-
@func0der func0der added the bug label Jun 6, 2024
@esackbauer

esackbauer commented Jun 12, 2024

What did rspamd or postfix say to this spoofed mail? It should check your SPF record and either reject or at least mark as spam.

@dragoangel
Collaborator

Not the case.

@dragoangel dragoangel added need-info needs to provide more info about the issue incomplete and removed bug labels Jun 13, 2024
@dragoangel
Collaborator

The fact that postfix accepted the email doesn't say anything. No confirmation or diffs provided. Mailcow has spoofed unauth with a score of 50. This effectively rejects all such mail. If you have quarantine, it will be accepted and put there. Without details from the rspamd scan results the ticket is not finished. It's a question for support, not for github issues.

@func0der
Author

Why would postfix accept emails for sending that are coming from an unauthorized sender from a domain that it itself manages?

Do you see rspamd responsible for rejecting not properly authorized mails in the mailcow setup? If so, why? Why not postfix?

If rspamd is responsible, the issue is a different one.

> It's question for support, not for github issues.

Maybe if we can clarify on intended setup and who and what is responsible for spoof prevention, the 'issue' becomes more apparent. At least for me, postfix should not allow it. As for you, I am not sure yet until the role of 'rspamd' is clarified.

> What did ... postfix say to this spoofed mail?

The log for the specific email is in the first post.
If there should be more, please let me know where to find it.

> It should check your SPF record and either reject or at least mark as spam.

If a mail is spoof-sent from and to the same domain and is marked as "spam", a user would have it in their inbox or, better, their "spam" folder in most cases. Barely anyone can allow themselves to 'lose' mail, so it will be delivered one way or another. In the spam folder there is no 'scale' of spam. It is either 'spam' or a 'false positive'. That is what users have learned.
Let's say you are in a company setting. People would check their spam folder from time to time and find an email from their boss. If the claim is not too outrageous, they would automatically assume that the mail is not spam and take it as a 'false positive'.

This does not seem to be a safe way to go about spoofed emails, does it?

I will produce some rspamd logs and attach them asap.

@dragoangel
Collaborator

dragoangel commented Jun 13, 2024

Postfix is not capable of such checks in general; please check what you are asking before writing bug reports. There are no bugs you are speaking about. For a mail system it's totally fine to be distributed, and it's a totally valid case when server A sends mail to server B with an envelope from that already exists on server B. I am not willing to explain SMTP basics in the github issues; you are missing basic knowledge about how SMTP authentication works, unfortunately.

@func0der
Author

> Postfix is not capable for such checks in general,

What is `smtpd_sender_restrictions` with `reject_sender_login_mismatch` for, if not that?
How is it valid, even in a distributed case, that a mail server without any allow list just accepts mails for domains that it is responsible for without proper authentication or authorization?
Isn't that just an open relay?

I have set up servers that do not allow existing mailboxes to be used as the From if there is no valid SASL authentication. There was no rspamd or similar in the mix, just plain postfix.

If you do not want to explain it, I would appreciate a pointer to appropriate documentation. :) Because from what I read in the postfix docs, it is possible.
I do want to understand :D

P.S.: I'll also take it in German, if that's easier :)

@dragoangel
Collaborator

dragoangel commented Jun 13, 2024

You have, for example, sendgrid or anything else that is validly allowed to send as your domain to your own domain, and you have your MX pointed to mailcow, so mail to you will go to the MX, i.e. to mailcow. Why would it have to be rejected?

If dmarc is passing, mail should be accepted; in mailcow it is stricter than even this: emails only from trusted or whitelisted hosts are allowed. Spoofing is handled for the mime from; the envelope from doesn't matter, as users don't care about it. To pass dmarc at least spf or dkim should exist; this has nothing to do with sasl auth, and this is what postfix can't check by itself and what rspamd is verifying. Please do not throw stuff about open relay around, it totally doesn't fit here, as an open relay is https://en.m.wikipedia.org/wiki/Open_mail_relay - a server configured in such a way that it allows anyone on the Internet to send e-mail through it, not just mail destined to or originating from known users. If you want a holy war, let's continue in the community.

I still do not see your diffs and rspamd logs.

@dragoangel
Collaborator

dragoangel commented Jun 13, 2024

```
# Spoofed header from and broken policy (excluding sieve host, rspamd host, whitelisted senders, authenticated senders and forward hosts)
SPOOFED_UNAUTH {
expression = "!MAILCOW_AUTH & !MAILCOW_WHITE & !RSPAMD_HOST & !SIEVE_HOST & MAILCOW_DOMAIN_HEADER_FROM & !WHITELISTED_FWD_HOST & -g+:policies";
score = 50.0;
}
```

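As an added illustration (not mailcow's or rspamd's own code), the following Python model evaluates the SPOOFED_UNAUTH composite quoted above against constructed messages, showing which term makes the header-From spoof from the issue fire and why an authenticated, whitelisted or policy-passing sender does not. It assumes that MAILCOW_DOMAIN_HEADER_FROM is derived from the domain of the MIME `From:` header, and that `-g+:policies` means "some symbol in the policies group fired with a positive score", which is modelled as a plain boolean.

```python
# Added example, not code from mailcow or rspamd. Models the SPOOFED_UNAUTH
# composite from the issue. Assumptions: MAILCOW_DOMAIN_HEADER_FROM comes from
# the MIME From: domain; "-g+:policies" ("broken policy" in the rule comment)
# is modelled as the boolean broken_policy; the other terms are passed in as the
# set of symbols rspamd has already added to the scan.
from email import message_from_string
from email.utils import parseaddr

MAILCOW_DOMAINS = {"mymailserver.com"}   # constructed; the domain from the issue's log
SPOOFED_UNAUTH_SCORE = 50.0              # score from the quoted rule


def header_from_domain(raw_message: str) -> str:
    """Domain of the MIME From: header (what users see), not the envelope sender."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def spoofed_unauth_score(raw_message: str, symbols: set, broken_policy: bool) -> float:
    """Return 50.0 when the SPOOFED_UNAUTH expression matches, else 0.0."""
    header_from_local = header_from_domain(raw_message) in MAILCOW_DOMAINS
    matched = (
        "MAILCOW_AUTH" not in symbols          # !MAILCOW_AUTH  (no SASL login)
        and "MAILCOW_WHITE" not in symbols     # !MAILCOW_WHITE (sender not whitelisted)
        and "RSPAMD_HOST" not in symbols       # !RSPAMD_HOST
        and "SIEVE_HOST" not in symbols        # !SIEVE_HOST
        and header_from_local                  # MAILCOW_DOMAIN_HEADER_FROM
        and "WHITELISTED_FWD_HOST" not in symbols  # !WHITELISTED_FWD_HOST
        and broken_policy                      # -g+:policies (SPF/DKIM/DMARC failing)
    )
    return SPOOFED_UNAUTH_SCORE if matched else 0.0


# Constructed message mirroring the issue: MIME From in the local domain.
# The envelope sender lives in the SMTP session and is not part of the rule.
SPOOF = (
    "From: Boss <user1@mymailserver.com>\n"
    "To: user2@mymailserver.com\n"
    "Subject: urgent\n\n"
    "Please wire the money.\n"
)

if __name__ == "__main__":
    # External unauthenticated host with a failing policy: rule fires (50.0)
    print(spoofed_unauth_score(SPOOF, set(), broken_policy=True))
    # Same message submitted with SASL login: not spoofing (0.0)
    print(spoofed_unauth_score(SPOOF, {"MAILCOW_AUTH"}, broken_policy=True))
    # Third-party sender with SPF/DKIM passing (the sendgrid case): accepted (0.0)
    print(spoofed_unauth_score(SPOOF, set(), broken_policy=False))
```

The third case is the "distributed mail" scenario from the discussion: an external host may legitimately carry a local-domain From as long as no policy symbol fires.
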
@dragoangel
Collaborator

dragoangel commented Jun 13, 2024

> I have setup servers that do not allow for existing mail boxes to be used as the From if there is not a valid SASL authentication. There was no rspamd or similar in the mix, just plain postfix.

And by this you break the RFC and many valid use cases which are working in mailcow. Plus, from what you are saying, you don't see the difference between envelope and mime from, which are totally different things.

@func0der
Author

If Rspamd is responsible for these kinds of things, this issue is obsolete. I have disabled it for this test, because I wanted to isolate the issue. Obviously not the right thing to do :)
Thanks for your time.

@dragoangel
Collaborator

Sorry, but this is not even fun. You continue to counter-argue after I clearly said in the second message that it's rspamd's responsibility, and you can't say you dropped one of the core modules? Such things should be said in the description.

@func0der
Author

I will do better next time :) Thanks for your continued feedback.
