Mail to postmaster with forged sender address from own domain is accepted

By default the UTM accepts email to postmaster@* without any checks in place.

This includes SPF, Blacklisting, DKIM and so on.

SPF should NEVER be excluded on checks.

We got an e-mail today that was sent from postmaster@our-domain to postmaster@our-domain, and it marched right through the UTM without triggering any checks at all.

This is absolutely dangerous behavior on the UTM side. At least minimal checks like SPF and virus checks should always be performed.

RFC 5321 states in section 4.5.1:

   SMTP systems are expected to make every reasonable effort to accept
   mail directed to Postmaster from any other system on the Internet.
   In extreme cases -- such as to contain a denial of service attack or
   other breach of security -- an SMTP server may block mail directed to
   Postmaster.  However, such arrangements SHOULD be narrowly tailored
   so as to avoid blocking messages that are not part of such attacks.

Forging the sender address to our own postmaster address from our own domain I do consider a "breach of security".

The following log was actually me testing this behaviour of the UTM.

The test server is NOT listed in the SPF record, so it should be rejected.

All IPs and Hostnames are redacted for security reasons.

2021:07:08-21:50:00 gw-2 exim-in[15320]: 2021-07-08 21:50:00 SMTP connection from [my-test-server]:44502 (TCP/IP connection count = 1)
2021:07:08-21:50:00 gw-2 exim-in[3391]: 2021-07-08 21:50:00 [my-test-server] F=<postmaster@mydomain> R=<postmaster@mydomain> Accepted: to postmaster
2021:07:08-21:50:00 gw-1 exim-out[18999]: 2021-07-08 21:50:00 Start queue run: pid=18999
2021:07:08-21:50:00 gw-1 exim-out[18999]: 2021-07-08 21:50:00 End queue run: pid=18999
2021:07:08-21:50:00 gw-2 exim-in[3391]: 2021-07-08 21:50:00 1m1a24-0000sh-1J Greylisting: my-test-server is a known retry host
2021:07:08-21:50:00 gw-2 exim-in[3391]: 2021-07-08 21:50:00 1m1a24-0000sh-1J <= postmaster@mydomain H=my-test-server [my-test-server]:44502 P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=1308
2021:07:08-21:50:00 gw-2 exim-in[3391]: 2021-07-08 21:50:00 SMTP connection from my-test-server [my-test-server]:44502 closed by QUIT
2021:07:08-21:50:01 gw-2 smtpd[15312]: QMGR[15312]: 1m1a24-0000sh-1J moved to work queue
2021:07:08-21:50:10 gw-2 smtpd[3542]: SCANNER[3542]: 1m1a2E-0000v8-6J <= postmaster@mydmain R=1m1a24-0000sh-1J P=INPUT S=5
2021:07:08-21:50:10 gw-2 smtpd[3542]: SCANNER[3542]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="my-test-server" from="postmaster@mydomain" to="postmaster@mydomain" subject="Test" queueid="1m1a2E-0000v8-6J" size="5"
2021:07:08-21:50:10 gw-2 smtpd[3542]: SCANNER[3542]: 1m1a24-0000sh-1J => work R=SCANNER T=SCANNER
2021:07:08-21:50:10 gw-2 smtpd[3542]: SCANNER[3542]: 1m1a24-0000sh-1J Completed
2021:07:08-21:50:10 gw-2 exim-out[3546]: 2021-07-08 21:50:10 1m1a2E-0000v8-6J [internal-exchange] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=xxxxxxx
2021:07:08-21:50:10 gw-2 exim-out[3546]: 2021-07-08 21:50:10 1m1a2E-0000v8-6J [internal-exchange] SSL verify error: depth=0 error=unable to verify the first certificate cert=/CN=xxxxxxx
2021:07:08-21:50:10 gw-2 exim-out[3545]: 2021-07-08 21:50:10 1m1a2E-0000v8-6J => postmaster@mydomain P=<postmaster@mydomain> R=static_route_hostlist T=static_smtp H=internal-exchange [internal-exchange]:25 X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no C="250 2.6.0 <0982173c-d3f9-46ce-a1c7-a31af0a496aa@internal-exchange> [InternalId=884763263009, Hostname=internal-exchange] 2940 bytes in 0.103, 27,750 KB/sec Queued mail for delivery"
2021:07:08-21:50:10 gw-2 exim-out[3545]: 2021-07-08 21:50:10 1m1a2E-0000v8-6J Completed

Therefore the UTM exim.conf should be designed in such a way that at least basic checks like anti-virus or SPF are always performed before the postmaster validation. This would tremendously help customers avoid voiding their warranty by editing the file themselves to secure a "security" product...



  • Dear lord.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Let's see how long it takes......

  • And before anybody chimes in "oh its JUST the postmaster..."

    It's the postmaster that usually goes to some IT department/guy. Combine that with an "on display" exploit in Outlook (which aren't that uncommon...) on an IT workstation and you are begging for a disaster to happen.

  • I am not aware of any special exceptions for the postmaster address.

    Have you checked that this behavior could not be caused by the configuration settings you have chosen for the Email Protection in your Sophos UTM?

  • It actually is specific to postmaster.

    There are no exceptions present for recipients.

    Tests with other addresses and the exim.conf confirm that.

    If I change the recipient from postmaster to anything else in the same domain, with the same sender address, I get SPF rejected.

    ACLs in exim.conf are evaluated top to bottom and in the order that follows.

    Exceptions > Postmaster@IP Exception > TLS Enforce > Sender Blacklist > Relay Allow > Reject non-local domains > Postmaster@domain exception > Host Blacklist > RDNS Check > Strict RDNS Check > HELO > RBL > BATV > Recipient Callout > SPF Check

    I changed the conf so that SPF actually checks right after the Exceptions before anything else.

    If somebody forges his sender address to something that they are not allowed to use, I call this malicious intent and I have no intention of talking to those.
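The following is an added example, not code from the thread or from Sophos. It replays log lines in the format the original post shows against a minimal SPF evaluator and a two-check model of the ACL order quoted above, so that the effect of the "postmaster@domain exception before SPF" ordering, and of swapping the two, can be seen without a UTM. Everything in it is constructed: the local domain "mydomain", the IPs 192.0.2.55 (test server) and 203.0.113.10 (a legitimate sender), the SPF record, and the log lines (the hostnames in the poster's redacted log are replaced by IP literals). The SPF evaluator only understands ip4/ip6 and "all"; it is not a substitute for the UTM's or Exim's real SPF checks.

```python
"""Added example: audit UTM-style exim-in log lines for messages to
postmaster that would have failed SPF, and model the ACL order quoted
in the thread versus the reordered variant.  All data is constructed."""
import ipaddress
import re

LOCAL_DOMAIN = "mydomain"  # assumption: the poster's redacted domain

# Constructed SPF record: only 203.0.113.0/28 may send for mydomain.
SPF_RECORDS = {"mydomain": "v=spf1 ip4:203.0.113.0/28 -all"}

# Constructed log lines in the format shown in the thread.
SAMPLE_LOG = """\
2021:07:08-21:50:00 gw-2 exim-in[15320]: 2021-07-08 21:50:00 SMTP connection from [192.0.2.55]:44502 (TCP/IP connection count = 1)
2021:07:08-21:50:00 gw-2 exim-in[3391]: 2021-07-08 21:50:00 [192.0.2.55] F=<postmaster@mydomain> R=<postmaster@mydomain> Accepted: to postmaster
2021:07:08-21:55:00 gw-2 exim-in[3402]: 2021-07-08 21:55:00 [203.0.113.10] F=<helpdesk@mydomain> R=<postmaster@mydomain> Accepted: to postmaster
"""

_QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record, client_ip):
    """Minimal SPF evaluator: ip4/ip6 mechanisms and 'all' only.
    Mechanisms that need DNS (include, a, mx, ...) are skipped, so this is
    only valid for records like the constructed one above."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qual = "+"
        if term[0] in _QUAL:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return _QUAL[qual]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                continue  # malformed mechanism: ignore it
            if ip.version == net.version and ip in net:
                return _QUAL[qual]
    return "neutral"  # RFC 7208 default when nothing matched


_ACCEPT_RE = re.compile(
    r"\[(?P<ip>[0-9a-fA-F.:]+)\]\s+F=<(?P<sender>[^>]*)>\s+R=<(?P<rcpt>[^>]*)>"
    r"\s+Accepted: to postmaster"
)


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def find_spf_bypasses(log, spf_records):
    """Audit: 'Accepted: to postmaster' lines whose sender claims a domain
    we publish SPF for, but whose client IP fails that record."""
    hits = []
    for line in log.splitlines():
        m = _ACCEPT_RE.search(line)
        if not m:
            continue
        record = spf_records.get(domain_of(m["sender"]))
        if record is None:
            continue
        result = spf_check(record, m["ip"])
        if result in ("fail", "softfail"):
            hits.append((m["ip"], m["sender"], m["rcpt"], result))
    return hits


# The thread's ACL order reduced to the two checks that matter here,
# and the order the poster switched to.
DEFAULT_ORDER = ("postmaster_exception", "spf")
HARDENED_ORDER = ("spf", "postmaster_exception")


def acl_verdict(order, client_ip, sender, rcpt, spf_records):
    """Walk the simplified ACL top to bottom; the first matching check decides."""
    for check in order:
        if check == "postmaster_exception":
            if rcpt.lower().startswith("postmaster@") and domain_of(rcpt) == LOCAL_DOMAIN:
                return "accept: to postmaster"
        elif check == "spf":
            record = spf_records.get(domain_of(sender))
            if record and spf_check(record, client_ip) == "fail":
                return "reject: SPF fail"
    return "accept"


if __name__ == "__main__":
    for ip, sender, rcpt, result in find_spf_bypasses(SAMPLE_LOG, SPF_RECORDS):
        print("accepted despite SPF %s: %s -> %s from %s" % (result, sender, rcpt, ip))
    for order in (DEFAULT_ORDER, HARDENED_ORDER):
        print(order, acl_verdict(order, "192.0.2.55", "postmaster@mydomain",
                                 "postmaster@mydomain", SPF_RECORDS))
```

Run against the constructed log, the audit flags only the message from 192.0.2.55; under DEFAULT_ORDER the model accepts it because the postmaster exception is reached first, under HARDENED_ORDER the SPF "fail" is reached first and it is rejected, while the message from the permitted 203.0.113.10 still reaches postmaster in either order, which is the behaviour the poster describes after moving the SPF check up.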

  • I found several indicators of works as designed for years. As the RFC is from 2008, I assume this was revisited plenty of times over the years by Astaro and by Sophos.

    https://community.sophos.com/sophos-xg-firewall/f/discussions/109299/spf-check-funktioniert-fur-postmaster-mydomain-xy-nicht

    https://community.sophos.com/utm-firewall/f/mail-protection-smtp-pop3-antispam-and-antivirus/49822/spf-and-rdns-check-passing-spoofed-email/182809

    And other references. 

    The online help explicitly confirms the compliance to the RFC: 

    Postmaster address: Specify the email address of the postmaster of Sophos UTM to whom messages are to be forwarded that are sent in the form of postmaster@[192.168.16.8], where the IP literal address is one of the IP addresses of Sophos UTM. Accepting such messages is an RFC requirement.

    If you disagree with this point of view, you should create a support case to get an investigation started. 

    You could also contact your local federal agency about guidelines (In Germany BSI) about current security perspectives and best practices.


  • Guys, it doesn't make any difference who the sender is, only the recipient. If someone has set up a situation where any random bad guy can send something to the postmaster and cause a security breach, shame on them.

    If you don't want to receive mail ostensibly sent by your postmaster to your postmaster, does putting "postmaster@domain.com" in 'Sender Blacklist' solve the problem?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA