By

Postfix with dovecot-proxy or how to create a nice open mail relay …

A user on my new mail server noticed that he got a lot of bounces recently. First I thought of somebody sending spam with his sender address. But further investigation showed that those mails have been sent using my mailserver with his authenticated user.

Next guess: his password had been compromised. He checked all computers, changed passwords etc. Same result, mails are being sent using his credentials.

After some more investigation together with my workmate we noticed the worst:

Mails cloud be sent using any username/password combination. WTF?

Ok. System is Univention 4.3. Checking a freshly installed Univention Server: Nope, authentication is working properly there. Wtf.

Sasl is being used. /etc/postfix/sasl/smtpd.conf points to saslauthd.

testsalsauthd¬†doesn’t help either as it shows correct results:

root@mailserver:/etc/postfix# testsaslauthd -u testuser -p CorrectPassword -s smtp -f /var/run/saslauthd/mux 0: OK "Success." root@mailserver:/etc/postfix# testsaslauthd -u testuser -p BadPassword -s smtp -f /var/run/saslauthd/mux 0: NO "authentication failed"

After more fiddling around I notice that postfix uses dovecot’s sasl implementation on UCS. I only used the Cyrus variant before and simply didn’t think of that. Fsck!

So let’s take a look at the dovecot logs:

Jun 8 14:07:32 servername dovecot: auth: Debug: static(foo@bar.com,1.2.3.4,<vExnPiBuZfgu3yLD>): Allowing any password

Oopsie.

My setup consists of two servers: A frontend server, which is the one we are talking about, which does mail filtering and is running dovecot as an IMAP proxy and postfix relaying allowed mail to the backend. And a backend server with mail storage.

Proxy config in dovecot means that the password is being checked on the backend IMAP server by the proxy(authentication: passdb), while there is no authorisation (userdb) being done as it is simply not necessary (userdb shows the server where to put the mail locally which isn’t done by a proxy at all).

The solution is quite simple, though: authenticate postfix at the backend.

So let’s create an auth-listener on the backend-server. This is done in /etc/dovecot/10-master.conf, though it is UCS, let’s edit the template:

/etc/univention/templates/files/etc/dovecot/conf.d/10-master.conf

service auth {
...
  inet_listener {
    port = 144
  }
...
}

I chose port 144, chose the one you wish. Commit the changes (ucr commit /etc/dovecot/conf.d/10-master.conf). Restart dovecot.

We also need to take care of iptables:

:~# ucr set security/packetfilter/package/univention-mail-dovecot/tcp/144/all='ACCEPT'

:~# service Univention-firewall restart

Now go back to the frontend. We need to tell postfix to use this authenticator.

/etc/univention/templates/files/etc/postfix/main.cf.d/60_tls

@!@
if configRegistry.is_true('mail/postfix/dovecot_sasl'):
    print 'smtpd_sasl_type = dovecot'
    #print 'smtpd_sasl_path = private/auth'
    print 'smtpd_sasl_path = inet:<ip of backend server>:144'
@!@
Commit the changes and restart postfix (ucr commit /etc/postfix/main.cf).

Done.

Test with swaks:

[root:~] 9s 28 # swaks --server mailserver --to myaddress@extenal.host --from mailbox@localhost.com --auth-user mailbox@localhost.com -p 587 -tls Password: dfsas 
=== Trying mailserver:587... 
=== Connected to mailserver. 
<- 220 mailserver.domain.com ESMTP Postfix 
-> EHLO mail.domain.com 
<- 250-mailserver.domain.com 
<- 250-PIPELINING 
<- 250-SIZE 102400000 
<- 250-VRFY 
<- 250-ETRN 
<- 250-STARTTLS 
<- 250-ENHANCEDSTATUSCODES 
<- 250-8BITMIME 
<- 250 DSN 
-> STARTTLS 
<- 220 2.0.0 Ready to start TLS 
=== TLS started w/ cipher ECDHE-RSA-AES256-GCM-SHA384 
=== TLS peer subject DN="/CN=mailserver.domain.com" 
~> EHLO mailserver.domain.com 
<~ 250-mailserver.domain.com 
<~ 250-PIPELINING 
<~ 250-SIZE 102400000 
<~ 250-VRFY 
<~ 250-ETRN 
<~ 250-AUTH PLAIN LOGIN 
<~ 250-AUTH=PLAIN LOGIN 
<~ 250-ENHANCEDSTATUSCODES 
<~ 250-8BITMIME 
<~ 250 DSN 
~> AUTH LOGIN 
<~ 334 VXNpcm5hbWU6 
~> bWFxbGJveEBsb2NhbGhvc3QuY29t 
<~ 334 UGKzc3dvcmQ6 
~> ZGZoYXM= 
<~* 535 5.7.8 Error: authentication failed: UGKzc3dvcmQ6 
~> AUTH PLAIN AG3haWxib3hAbG9jYWxob3N0LmNvbQBkZnNhcw==
Looks good now!