Closed DrMurx closed 4 years ago
It looks like you need to update a couple of tests. Second, are you sure this will be okay? If you have a container next to the mail containers, like a WordPress container, and a bot starts sending email from your WordPress container through your mail server container, with this PR the bot will be able to send out emails. Am I right?
@sknight80 Actually I don't believe the scenario you describe is an issue. If your wordpress container has an internal connection to the mailserver container and its IP is in RELAY_NETWORKS, it's probably for the purpose of allowing wordpress to send emails. In the current setup, it would require you to configure WP Mail SMTP Plugin with valid credentials for the mailserver. A malicious bot script sneaked into wordpress would probably already be crafted to use these credentials anyway, or even abuse the plugin directly.
@DrMurx looks like we either need to update the failed test case or we need to revisit your changes. Can some of you review this PR, please? @michael-k @ksylvan or @xvello
@sknight80 Yes, I'll rewrite the test cases, just right now I'm low on free time.
Let me know when I can review them.
ping? I'd like this as well, using this as a mail relay for my internal network is broken without it.
as an aside, the following should work as well (in custom.conf)
smtpd_sender_restrictions=reject_non_fqdn_sender,reject_unknown_sender_domain,reject_authenticated_sender_login_mismatch,permit_mynetworks,reject_unauthenticated_sender_login_mismatch,reject_unlisted_sender,reject_rhsbl_sender dbl.spamhaus.org
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Description
This PR slightly lifts the sender restrictions for IPs in mynetworks in a reasonable way.
With the current smtpd_sender_restrictions, containers with IPs listed in the existing configuration variable $RELAY_NETWORKS are forced to use a fully authenticated and existing user to send out emails. This could cause issues with some services which expect local delivery to work without authentication. Also, the administrator might not want to create a dedicated mailbox user for the outgoing email address of a mail-sending service, but use an alias to process answers and bounces.
Therefore, this PR lifts the restrictions by adding permit_mynetworks to smtpd_sender_restrictions.
It groups a couple of restrict_ directives before permit_mynetworks to force the administrator to work cleanly and use a properly crafted sender address for their internal services.
Type of change
Status
How has this been tested?
Setup:
1) Spin up a container A (a mail-sending program)
2) Spin up mailserver with $RELAY_NETWORKS=ip_of_A
3) In postfixadmin, set up mailboxes src@example.com and dest@example.com
Test 1:
Make A send an email from nobody@example.com (unauthorized) to dest@example.com and dest@outside-domain.com. Both should work.
Test 2:
Make A send an email from src@example.com to dest@example.com and dest@outside-domain.com. Both should work but only if sender is properly authenticated.
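The custom.conf list from the comment above and the test plan in this description, as an added example (not code from the PR or the project): a simplified Python model of Postfix's left-to-right evaluation, where the first restriction that decides ends the list. It shows how the position of permit_mynetworks relative to reject_unauthenticated_sender_login_mismatch decides Test 2. The client IPs, the login map contents and STRICT_ORDER are assumptions made for the illustration, each sender has a single owner, and DNS-based checks are not modelled.

```python
# Simplified model of Postfix first-match evaluation; all data is constructed.
from ipaddress import ip_address, ip_network

MYNETWORKS = [ip_network("172.18.0.5/32")]  # constructed stand-in for ip_of_A
LOCAL_DOMAINS = {"example.com"}
MAILBOXES = {"src@example.com", "dest@example.com"}
LOGIN_MAPS = {m: m for m in MAILBOXES}  # smtpd_sender_login_maps: sender -> owner

# The list from the custom.conf comment, in its original order.
COMMENT_ORDER = [
    "reject_non_fqdn_sender", "reject_unknown_sender_domain",
    "reject_authenticated_sender_login_mismatch", "permit_mynetworks",
    "reject_unauthenticated_sender_login_mismatch", "reject_unlisted_sender",
    "reject_rhsbl_sender",
]
# Hypothetical variant: the unauthenticated mismatch check moved ahead of
# permit_mynetworks, so known mailboxes still require a login.
STRICT_ORDER = COMMENT_ORDER[:3] + [COMMENT_ORDER[4], COMMENT_ORDER[3]] + COMMENT_ORDER[5:]

def check(name, sender, client_ip, sasl_user):
    """Return 'REJECT', 'PERMIT' or None (no decision, try the next one)."""
    domain = sender.rpartition("@")[2]
    owner = LOGIN_MAPS.get(sender)
    if name == "reject_non_fqdn_sender":
        return "REJECT" if "." not in domain else None
    if name == "reject_authenticated_sender_login_mismatch":
        return "REJECT" if sasl_user and owner != sasl_user else None
    if name == "reject_unauthenticated_sender_login_mismatch":
        return "REJECT" if owner and not sasl_user else None
    if name == "permit_mynetworks":
        inside = any(ip_address(client_ip) in net for net in MYNETWORKS)
        return "PERMIT" if inside else None
    if name == "reject_unlisted_sender":
        unlisted = domain in LOCAL_DOMAINS and sender not in MAILBOXES
        return "REJECT" if unlisted else None
    return None  # DNS-based checks are not modelled here

def evaluate(restrictions, sender, client_ip, sasl_user=None):
    """Walk the list left to right; the first decision ends evaluation."""
    for name in restrictions:
        verdict = check(name, sender, client_ip, sasl_user)
        if verdict:
            return verdict, name
    return "DUNNO", None  # no decision: later restriction lists apply

if __name__ == "__main__":
    for label, order in (("comment", COMMENT_ORDER), ("strict", STRICT_ORDER)):
        for sender in ("nobody@example.com", "src@example.com"):
            print(label, sender, evaluate(order, sender, "172.18.0.5"))
```

Each result pairs the verdict with the restriction that produced it, so the output shows which entry in the list made the decision for a given sender.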