3

My server has been hacked and was sending lots of spam over the Internet. The first thing I did is shutdown postfix, close the outgoing port 25 and take the time to clean the website, the postfix queues, and to re-setup postfix completely.

I enabled lots of restrictions on the Postfix SMTPD, like forcing SASL authentification and TLS.

But I'm just thinking, PHP mail() function doesn't care about SMTPD, because it calls sendmail, whose emails end in the maildrop queue, and finally in the incoming queue (and bypass all of my SMTPD protections).

I made a small sketch of Postfix daemons and queues for myself, in order to understand better how it works. Postfix overview

I would like following setup:

  • Prevent sendmail from delivering emails to outside recipients, but allow it to deliver emails to local users, and allow it to follow mappings in /etc/aliases even if it is an "ouside" mapping.

My aim is that at the end, users have no other choice than contact local SMTPD directly, thus forced to login thanks to my smtpd_client_restrictions = permit_sasl_authenticated, reject configuration.

Fox
  • 670
  • 1
  • 6
  • 11
  • Why not disable the `mail()` function? – Ignacio Vazquez-Abrams Jul 14 '13 at 23:06
  • 1
    Disable mail function is not enough. They could use `exec("sendmail")` (yes, I could disable this too!) ; local SSH users could still use `sendmail` I really want to prevent sendmail from sending emails over the Internet. PHP may not be the only user of sendmail on the machine. Many programs could call it. – Fox Jul 14 '13 at 23:12
  • Thanks! :-) I have to say, postfix seams so complicated at first that it was worth taking the time to read the documentation and draw up a small sketch. – Fox Jul 15 '13 at 13:36
  • If they hack you, how do you prevent them from undoing your changes? Not saying it's not a good idea, but you may want to raise some additional barriers outside the environment an attacker can gain control over. – tripleee Jul 16 '13 at 06:33
  • 2
    Yes, I have already done this (like `open_basedir`, disable dangerous functions, use of suhosin, PHP-fastcgi with suexec, etc., but I still want to restrict "sendmail". Because even I'm not hacked, but there are other users on the server. It is a common practice that we "never should trust users". For example I'd like to apply some smtpd_***_restrictions but on sendmail. I don't want a local user to send email with a strange `MAIL FROM:` address. I don't know whether restrict sendmail like smtpd is possible or not (except `authorized_submit_users`). – Fox Jul 16 '13 at 13:44

1 Answers1

2

This is only a partial answer.

Here is how to decide which local user is allowed to use sendmail.

  • Create a file /etc/postfix/sendmailAllowedUsers, put "user OK" on a line for each allowed user.
  • Add authorized_submit_users = hash:/etc/postfix/sendmailAllowedUsers in main.cf
  • Run postmap /etc/postfix/sendmailAllowedUsers
  • Run postfix reload

This is only a partial answer to my question, because this completely removes access to sendmail and mail command for non-listed users, which is not what I wanted to do.

I wanted that every one can use sendmail, but only for local recipients.

Fox
  • 670
  • 1
  • 6
  • 11
  • Did you find any other appropriate solution? Also can your share the exact sample content of the file sendmailAllowedUsers – Joshi Sep 28 '17 at 20:48
  • 1
    I think you need to use `postmap /etc/postfix/sendmailAllowedUsers` before you reload postfix to have the data available as soon as you start. – Alexis Wilke Aug 15 '22 at 15:24
  • Thanks @AlexisWilke, answer edited! – Fox Sep 02 '22 at 15:08