
How to stop forged mail from authenticated SASL users?

Status
Not open for further replies.

pinguinet

IS-IT--Management
Jul 21, 2008
Hello,

I've had a Postfix 2.5 server + amavisd-new + SpamAssassin + ClamAV working for 7 years.

This week one infected user PC on the LAN sent a lot of forged mail using her mail account. An external PC user did the same with his mail account.

postfix/smtpd[7912]: F3F9F82B4A: client=mail.wrcjobs.com[216.47.209.113], sasl_method=LOGIN, sasl_username=lmorales@mydomain.com <-- This is the spammer!!

How can I prevent authenticated users from sending forged mail?

I mean, my users must send mail only from mydomain.com and not from other domains.

I've tried:

--main.cf:

smtpd_restriction_classes =
    check_for_valid_sender
check_for_valid_sender =
    check_sender_access hash:/etc/postfix/firmados
    reject
smtpd_sender_restrictions = check_client_access hash:/etc/postfix/access

smtpd_recipient_restrictions =
    # permit_mynetworks,
    reject_unlisted_sender,
    permit_sasl_authenticated,
    reject_invalid_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_unknown_address,
    reject_non_fqdn_hostname,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org

smtpd_data_restrictions =
    reject_unauth_pipelining
    permit_mynetworks
    permit_sasl_authenticated
    check_client_access regexp:/etc/postfix/filter-catchall.regexp
.
.
.

--firmados:
mydomain.com OK

--access:
192.168.100.3 check_for_valid_sender

It's not working for me. Where am I wrong? Any help would be appreciated.

Thank you

Raul
 
The first thing I would recommend is that you address the issue of the compromised host, directly. If this host is on your LAN, which means it will be accepted for mail sending via the permit mynetworks, or if it is a remote user using SASL authentication, via permit sasl_authenticated, YOU ARE RESPONSIBLE for the spam! Terminate their access, block it with iptables, or whatever you must do until that machine is cleared and the passwords have been changed. If this is not a machine under your control and it is a compromised password, changing the password to one that is sufficiently strong should stop the problem.

Regarding your attempts to block this host in Postfix configuration, I believe you have the right idea. I think your problem is the ORDER in which you have listed the checks. Postfix will search for a matching criterion, starting with the first check. If it receives a pass on that check, it will stop looking. Consequently, if you have permit_sasl_authenticated and/or permit_mynetworks ABOVE check_client_access, which you do, then your access list won't be effective.
 
Also, be sure you restart Postfix after making any changes or they won't take effect.
 
Noway2,

Thank you for your reply and suggestions.

Local and remote PCs have been repaired, and account passwords have been changed.

Regarding Postfix, I've tried different orders of the checks. I'll keep trying.
As far as I know, Postfix's restriction stages are as follows, and are processed in the
following order:
smtpd_client_restrictions
smtpd_helo_restrictions
smtpd_sender_restrictions
smtpd_recipient_restrictions
smtpd_data_restrictions
regardless of the order in which they're listed in main.cf.

I'll try:

smtpd_data_restrictions =
    reject_unauth_pipelining
    check_client_access hash:/etc/postfix/access
    permit_mynetworks
    permit_sasl_authenticated
    check_client_access regexp:/etc/postfix/filter-catchall.regexp

which must be processed after permit_sasl_authenticated from smtpd_recipient_restrictions.

Best Regards!

Raul
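A configuration that enforces the policy asked for in the opening post (an authenticated user may only use her own address as envelope sender), as an added example and not the configuration posted in this thread. It uses Postfix's smtpd_sender_login_maps with reject_authenticated_sender_login_mismatch instead of the restriction-class approach above; the map file path, and the assumption that the SASL login name is the full address as in the quoted smtpd log line, are assumptions of this example.

```conf
# /etc/postfix/main.cf  (added example, not the configuration posted in this thread)
# Policy: a SASL-authenticated client may only use an envelope sender that
# equals its login name, e.g. login lmorales@mydomain.com -> MAIL FROM
# lmorales@mydomain.com.  A forged sender such as someone@otherdomain.net is
# rejected at RCPT TO before the message body is ever accepted.
# Assumption: the SASL login name is the full address, as in the quoted log line.
smtpd_sender_login_maps = regexp:/etc/postfix/sender_login.regexp

# reject_authenticated_sender_login_mismatch must be listed before any
# permit_* entry: Postfix stops at the first restriction that returns permit,
# so a permit listed earlier would let the forged sender through unchecked.
smtpd_recipient_restrictions =
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unknown_sender_domain,
    reject_authenticated_sender_login_mismatch,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_rbl_client zen.spamhaus.org

# /etc/postfix/sender_login.regexp  (path is an assumption of this example)
# Key: envelope sender address.  Result: the login name allowed to use it.
# A sender outside mydomain.com has no owner in this map, so an authenticated
# client that tries it is rejected; unauthenticated clients are unaffected by
# this check and remain subject to reject_unauth_destination as before.
/^([^@]+)@mydomain\.com$/   $1@mydomain.com
```

Check the map with postmap -q lmorales@mydomain.com regexp:/etc/postfix/sender_login.regexp (it should print lmorales@mydomain.com), then run postfix reload so the new restrictions take effect.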
 