
Re: postfix security configuration



This might help:


http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt

On Mon, 2003-08-11 at 13:37, Marcel Weber wrote:
> 
> 
> On Monday, 11.08.03, at 12:59 (Europe/Zurich), Tomasz Papszun wrote:
> >>
> >
> > If you want to prevent them from using non-existing sender addresses
> > from your domain, you can do it by creating a file (lookup table) for
> > postmap(1), containing all allowed addresses with "OK" and another
> > table containing your domainname with "REJECT".
> >
> > If you want to prevent them from using sender addresses from another
> > domain, it's also possible with a properly prepared config.
> >
> > If you want to prevent them from using other (not their own) sender
> > addresses from your domain, you must use SMTP AUTH, I'm afraid.
> >
> > -- 
> >  Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
> >  tomek@lodz.tpsa.pl   http://www.lodz.tpsa.pl/   | ones and zeros.
> >
> >
> 
> Theoretically there is another possibility. Actually pop-before-smtp 
> does nothing other than watch the log file, pick the IP address of the 
> pop client and put this address for a certain time into a postmap 
> for postfix. If you used the user's email address as his pop3 
> login name (within a SQL or LDAP db, for example), one could take this 
> information and write it into another postmap file. This would 
> necessitate some modification of the pop-before-smtp script, but I think 
> it wouldn't be too hard to implement. It wouldn't be perfect, though: 
> Imagine two users logged in at the same time. In this situation each 
> user could "abuse" the other user's email address.
> 
> For a really secure system, there is no way around SMTP AUTH. 
> pop-before-smtp relies on IP addresses. But what about NAT? Users 
> coming from a private masqueraded network could misuse your server at 
> their pleasure, if one user from this network has logged into his pop3 
> account.
> 
> Regards
> 
> Marcel
> 
> 
> 
> 
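The lookup-table approach and the SMTP AUTH requirement discussed in the quoted messages, as an added Postfix configuration sketch that is not part of the original thread. The domain example.com, the table file names, and the users alice and bob are assumptions made for illustration.

```conf
# ---- /etc/postfix/main.cf (fragment) ----------------------------------
# example.com, the table paths and the user names are placeholders.

# Needed for the login check; pop-before-smtp cannot supply a login name,
# only a client IP, which is shared by everyone behind the same NAT.
smtpd_sasl_auth_enable = yes

# Maps each sender address to the SASL login that owns it.
smtpd_sender_login_maps = hash:/etc/postfix/sender_login

# Evaluated left to right; the first OK or REJECT ends the list.
#  1. reject_sender_login_mismatch: an address listed in sender_login may
#     only be used by its owner, and only after authenticating.
#  2. sender_allowed: known mailboxes of your domain pass.
#  3. sender_own_domain: any other address in your domain is refused.
smtpd_sender_restrictions =
    reject_sender_login_mismatch,
    check_sender_access hash:/etc/postfix/sender_allowed,
    check_sender_access hash:/etc/postfix/sender_own_domain

# ---- /etc/postfix/sender_login ----------------------------------------
# sender address         SASL login name
alice@example.com        alice
bob@example.com          bob

# ---- /etc/postfix/sender_allowed --------------------------------------
# Every existing address in your domain, marked OK.
alice@example.com        OK
bob@example.com          OK

# ---- /etc/postfix/sender_own_domain -----------------------------------
# The bare domain matches every address not listed above.
example.com              REJECT

# Rebuild each table after editing it, then reload Postfix:
#   postmap /etc/postfix/sender_login
#   postmap /etc/postfix/sender_allowed
#   postmap /etc/postfix/sender_own_domain
#   postfix reload
```

Without the first restriction, the two access tables only stop made-up addresses: bob can still send as alice@example.com, which is the gap the thread says needs SMTP AUTH. Mail that legitimately arrives unauthenticated with one of your own sender addresses (for example via an external forwarder) is rejected by this setup.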


