KumoCorp / kumomta

The first Open-Source high-performance MTA developed from the ground-up for high-volume email sending environments.
https://kumomta.com
Apache License 2.0
220 stars 25 forks

Enhanced Cross-Tenant Spoofing Protections #184

Open MHillyer opened 3 months ago

MHillyer commented 3 months ago

As a mailops engineer operating an environment that allows for direct connection by users, and leveraging the policy helpers, I need to mitigate certain potential attacks.

1) A malicious user connects and properly authenticates. They know the sending domain of a peer on the same shared IPs as them and use that domain either as their MAIL FROM or their friendly From header, allowing them to pass SPF.

2) A malicious user connects and properly authenticates. They know the signing domain of a peer on the same server as them and use that domain as their MAIL FROM, allowing them to sign DKIM.

3) A malicious user connects and properly authenticates. They know the name of the tenant header and are able to guess the content of the header for a peer, allowing them to identify themselves as that tenant and use the tenant's dedicated IPs.

While these scenarios can be handled in Lua, those using our helpers may not have the skillset needed to mitigate these security concerns.

wez commented 1 month ago

How about something like this for the queue helper?

[tenant.'mytenant']
require_authz = ["mytenant"]
allowed_domains = ["mytenant.com"]

When queue_helper:apply(msg) is called, if allowed_domains is set for the tenant that is determined for the current message, then the MAIL FROM and From: must both match values from that list, otherwise the message will be rejected.

If you have:

default_tenant = "default-tenant"

[tenant."default-tenant"]
allowed_domains = []

that will effectively prevent unknown/unspecified tenants from sending mail.

For this to work effectively, every valid tenant must have require_authz and allowed_domains configured.
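The rule sketched above, written out as an added example that is not part of this issue or of KumoMTA's own queue helper. It is plain Lua so it runs under any stock Lua 5.x interpreter: the `tenants` table mirrors the proposed `[tenant.'name']` config, and `msg` is a constructed stand-in table whose fields (`tenant`, `authz_id`, `mail_from`, `from_header`) are assumptions standing in for whatever the real helper would read from the message and connection metadata.

```lua
-- Added example, not KumoMTA code. Models the check wez proposes:
-- require_authz restricts who may claim a tenant (attack 3 above),
-- allowed_domains restricts MAIL FROM and From: (attacks 1 and 2).

-- Mirrors the proposed TOML: default_tenant plus one [tenant.'name'] per tenant.
local tenants = {
  default_tenant = "default-tenant",
  -- Empty list: every domain fails, so unknown tenants cannot send.
  ["default-tenant"] = { allowed_domains = {} },
  mytenant = {
    require_authz = { "mytenant" },
    allowed_domains = { "mytenant.com" },
  },
}

-- Domain of "Name <user@example.com>" or "user@example.com", lowercased.
-- Only the first address of a From: header is considered (assumption).
local function address_domain(addr)
  if not addr then return nil end
  local inner = addr:match("<([^>]+)>") or addr
  inner = inner:match("^%s*(.-)%s*$")
  local domain = inner:match("@([^@%s]+)$")
  return domain and domain:lower() or nil
end

local function in_list(list, value)
  for _, v in ipairs(list) do
    if v == value then return true end
  end
  return false
end

-- Returns true if the message may proceed, or false plus a 5xx reason.
local function check_tenant(msg)
  local tenant_name = msg.tenant or tenants.default_tenant
  local cfg = tenants[tenant_name]
  if not cfg then
    return false, "550 unknown tenant " .. tenant_name
  end

  -- A guessed tenant header is useless unless the authenticated identity
  -- is one the tenant lists. Note: a tenant with no require_authz can be
  -- claimed by any authenticated user, which is why every tenant needs it.
  if cfg.require_authz and not in_list(cfg.require_authz, msg.authz_id) then
    return false, "550 not authorized to send as tenant " .. tenant_name
  end

  -- Both the envelope sender and the header From must be in the list,
  -- so neither SPF (MAIL FROM) nor DKIM (signing domain) can be borrowed
  -- from a peer sharing the same IPs or server.
  if cfg.allowed_domains then
    local mail_from = address_domain(msg.mail_from)
    local from_hdr = address_domain(msg.from_header)
    if not (mail_from and in_list(cfg.allowed_domains, mail_from)) then
      return false, "550 MAIL FROM domain not allowed for tenant " .. tenant_name
    end
    if not (from_hdr and in_list(cfg.allowed_domains, from_hdr)) then
      return false, "550 From: domain not allowed for tenant " .. tenant_name
    end
  end
  return true
end

-- Constructed sample messages, one per scenario from the issue.
local samples = {
  { name = "legit mytenant mail",
    msg = { tenant = "mytenant", authz_id = "mytenant",
            mail_from = "news@mytenant.com",
            from_header = "News <news@MyTenant.com>" } },
  { name = "peer domain in MAIL FROM (attack 1/2)",
    msg = { tenant = "mytenant", authz_id = "mytenant",
            mail_from = "bounce@peer.example",
            from_header = "news@mytenant.com" } },
  { name = "guessed tenant header (attack 3)",
    msg = { tenant = "mytenant", authz_id = "attacker",
            mail_from = "x@mytenant.com", from_header = "x@mytenant.com" } },
  { name = "no tenant, falls to default",
    msg = { authz_id = "attacker",
            mail_from = "x@attacker.example",
            from_header = "x@attacker.example" } },
}

for _, s in ipairs(samples) do
  local ok, reason = check_tenant(s.msg)
  print(string.format("%-40s %s", s.name,
                      ok and "accept" or ("reject: " .. reason)))
end
```

Two things a practitioner should keep in mind with this shape of rule. First, matching is exact, so a subdomain such as `mail.mytenant.com` is rejected unless it is listed explicitly; loosening that to suffix matching would need care so that `notmytenant.com` does not pass. Second, an empty `allowed_domains` table is still a table (truthy in Lua), so the default tenant really does reject everything, while a tenant with the key entirely absent is not checked at all. That asymmetry is the reason wez notes that every valid tenant must carry both `require_authz` and `allowed_domains`.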