By default the UTM accepts email to postmaster@* without any checks in place.
This includes SPF, blacklisting, DKIM and so on.
SPF should NEVER be excluded from checks.
We got an e-mail today that was sent from postmaster@our-domain to postmaster@our-domain, and it marched right through the UTM, not triggering any checks at all.
This is absolutely dangerous behavior on the UTM side. At least minimal checks like SPF and virus checks should always be performed.
RFC 5321 states in 4.5.1:
SMTP systems are expected to make every reasonable effort to accept
mail directed to Postmaster from any other system on the Internet.
In extreme cases -- such as to contain a denial of service attack or
other breach of security -- an SMTP server may block mail directed to
Postmaster. However, such arrangements SHOULD be narrowly tailored
so as to avoid blocking messages that are not part of such attacks.
Forging the sender address to our own postmaster address from our own domain I do consider a "breach of security".
The following log was actually me testing this behaviour of the UTM.
The test server is NOT listed in the SPF entry, so it should be rejected.
All IPs and hostnames are redacted for security reasons.
2021:07:08-21:50:00 gw-2 exim-in[15320]: 2021-07-08 21:50:00 SMTP connection from [my-test-server]:44502 (TCP/IP connection count = 1)
2021:07:08-21:50:00 gw-2 exim-in[3391]: 2021-07-08 21:50:00 [my-test-server] F=<postmaster@mydomain> R=<postmaster@mydomain> Accepted: to postmaster
2021:07:08-21:50:00 gw-1 exim-out[18999]: 2021-07-08 21:50:00 Start queue run: pid=18999
2021:07:08-21:50:00 gw-1 exim-out[18999]: 2021-07-08 21:50:00 End queue run: pid=18999
2021:07:08-21:50:00 gw-2 exim-in[3391]: 2021-07-08 21:50:00 1m1a24-0000sh-1J Greylisting: my-test-server is a known retry host
2021:07:08-21:50:00 gw-2 exim-in[3391]: 2021-07-08 21:50:00 1m1a24-0000sh-1J <= postmaster@mydomain H=my-test-server [my-test-server]:44502 P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=1308
2021:07:08-21:50:00 gw-2 exim-in[3391]: 2021-07-08 21:50:00 SMTP connection from my-test-server [my-test-server]:44502 closed by QUIT
2021:07:08-21:50:01 gw-2 smtpd[15312]: QMGR[15312]: 1m1a24-0000sh-1J moved to work queue
2021:07:08-21:50:10 gw-2 smtpd[3542]: SCANNER[3542]: 1m1a2E-0000v8-6J <= postmaster@mydmain R=1m1a24-0000sh-1J P=INPUT S=5
2021:07:08-21:50:10 gw-2 smtpd[3542]: SCANNER[3542]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="my-test-server" from="postmaster@mydomain" to="postmaster@mydomain" subject="Test" queueid="1m1a2E-0000v8-6J" size="5"
2021:07:08-21:50:10 gw-2 smtpd[3542]: SCANNER[3542]: 1m1a24-0000sh-1J => work R=SCANNER T=SCANNER
2021:07:08-21:50:10 gw-2 smtpd[3542]: SCANNER[3542]: 1m1a24-0000sh-1J Completed
2021:07:08-21:50:10 gw-2 exim-out[3546]: 2021-07-08 21:50:10 1m1a2E-0000v8-6J [internal-exchange] SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=xxxxxxx
2021:07:08-21:50:10 gw-2 exim-out[3546]: 2021-07-08 21:50:10 1m1a2E-0000v8-6J [internal-exchange] SSL verify error: depth=0 error=unable to verify the first certificate cert=/CN=xxxxxxx
2021:07:08-21:50:10 gw-2 exim-out[3545]: 2021-07-08 21:50:10 1m1a2E-0000v8-6J => postmaster@mydomain P=<postmaster@mydomain> R=static_route_hostlist T=static_smtp H=internal-exchange [internal-exchange]:25 X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no C="250 2.6.0 <0982173c-d3f9-46ce-a1c7-a31af0a496aa@internal-exchange> [InternalId=884763263009, Hostname=internal-exchange] 2940 bytes in 0.103, 27,750 KB/sec Queued mail for delivery"
2021:07:08-21:50:10 gw-2 exim-out[3545]: 2021-07-08 21:50:10 1m1a2E-0000v8-6J Completed
Therefore the UTM exim.conf should be designed in such a way that at least basic checks like anti-virus or SPF checks are always performed before the postmaster validation. This would tremendously help customers not voiding their warranty if they edit the file themselves to secure a "security" product...
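As an added example (not part of the original post, and not the UTM's or Exim's own code): a small Python check that scans Exim-style "Accepted: to postmaster" log lines for exactly the case shown above, an envelope sender claiming one of our own domains while the connecting host is not one our SPF record authorizes. The own-domain list, the authorized-host set and the sample log lines are constructed assumptions modelled on the redacted excerpt; null-sender bounces and foreign sender domains are deliberately left out of the match because a real SPF verdict on them needs a DNS lookup this offline check does not perform.

```python
import re

# Constructed sample lines modelled on the "Accepted: to postmaster" entry in the
# post's log excerpt. Hostnames are placeholders, not the poster's real hosts.
SAMPLE_LOG = """\
2021:07:08-21:50:00 gw-2 exim-in[15320]: 2021-07-08 21:50:00 SMTP connection from [my-test-server]:44502 (TCP/IP connection count = 1)
2021:07:08-21:50:00 gw-2 exim-in[3391]: 2021-07-08 21:50:00 [my-test-server] F=<postmaster@mydomain> R=<postmaster@mydomain> Accepted: to postmaster
2021:07:08-21:51:12 gw-2 exim-in[3410]: 2021-07-08 21:51:12 [mx1.mydomain] F=<postmaster@mydomain> R=<postmaster@mydomain> Accepted: to postmaster
2021:07:08-21:52:30 gw-2 exim-in[3422]: 2021-07-08 21:52:30 [mail.example.net] F=<postmaster@example.net> R=<postmaster@mydomain> Accepted: to postmaster
2021:07:08-21:53:05 gw-2 exim-in[3431]: 2021-07-08 21:53:05 [mail.example.org] F=<> R=<postmaster@mydomain> Accepted: to postmaster
"""

# Assumed: the domains the UTM delivers postmaster mail for.
OWN_DOMAINS = {"mydomain"}
# Assumed: the hosts our SPF record authorizes (ip4:/a:/mx: mechanisms), written as
# names here because the excerpt redacts IPs. In practice this is derived from DNS.
SPF_AUTHORIZED_HOSTS = {"mx1.mydomain"}

# Matches the Exim "Accepted: to postmaster" verdict line. The host field is
# normally a bracketed IP; the brackets are optional so redacted names match too.
ACCEPT_RE = re.compile(
    r"exim-in\[(?P<pid>\d+)\]: (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[?(?P<host>[^\]\s]+)\]? F=<(?P<sender>[^>]*)> R=<(?P<rcpt>[^>]*)> "
    r"Accepted: to postmaster"
)


def find_spoofed_postmaster(log_text, own_domains=OWN_DOMAINS,
                            spf_hosts=SPF_AUTHORIZED_HOSTS):
    """Return the postmaster acceptances whose envelope sender claims one of our
    own domains but arrived from a host the SPF record does not authorize."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if not m:
            continue
        sender = m.group("sender")
        if not sender:
            # Null sender (bounce/DSN). Legitimate from anywhere; SPF would be
            # evaluated against the HELO name, which is not in this log line.
            continue
        sender_domain = sender.rpartition("@")[2].lower()
        if sender_domain not in own_domains:
            # Foreign sender domain: verdict needs that domain's SPF record via DNS,
            # which this offline check does not do.
            continue
        if m.group("host").lower() in spf_hosts:
            continue  # our own MTA relaying postmaster mail; SPF would pass
        hits.append({
            "timestamp": m.group("ts"),
            "exim_pid": m.group("pid"),
            "host": m.group("host"),
            "sender": sender,
            "recipient": m.group("rcpt"),
            "reason": "own-domain sender from host not authorized by SPF, "
                      "accepted by postmaster exemption",
        })
    return hits


if __name__ == "__main__":
    for hit in find_spoofed_postmaster(SAMPLE_LOG):
        print(f"{hit['timestamp']} pid={hit['exim_pid']} host={hit['host']} "
              f"from={hit['sender']} to={hit['recipient']}: {hit['reason']}")
```

Run against a real UTM log the only changes needed are the own-domain set and a host set built from the SPF record's mechanisms (or the remote IP, since the unredacted line carries the IP in brackets). The point of the check is detection only: it tells you the postmaster exemption was exercised by a sender that SPF would have rejected, which is exactly what the ACL ordering in exim.conf should have prevented in the first place.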