Hello, I have a few users that are often hit by a trojan virus that steals e-mail user and password. Having a very little (if not null) power on their machines, I need to be able to block the outgoing mail wich is handled by postfix via dovecot SASL. Blocking it at dovecot level would be optimal, for the virus doesn't necessarily use the e-mail of the user as its from, just the user and password for the authentication phase. Is it feasible? AdvThanksAnce, Luciano. -- /"\ /Via A. Salaino, 7 - 20144 Milano (Italy) \ / ASCII RIBBON CAMPAIGN / PHONE : +39 2 485781 FAX: +39 2 48578250 X AGAINST HTML MAIL / E-MAIL: posthamster at sublink.sublink.ORG / \ AND POSTINGS / WWW: http://www.lesassaie.IT/
The things that occur to me are 1) Ensure that the sender domain is authorized by doing a rule in main.cf for send_restrictions. Then at least they won't be sending things with faked from=. 2) Do some work with rate limiting. http://steam.io/2013/04/01/postfix-rate-limiting/ 3) Look at something like fail2ban. On 2/24/2015 10:28 AM, Luciano Mannucci wrote:> Hello, > > I have a few users that are often hit by a trojan virus that steals > e-mail user and password. Having a very little (if not null) power on > their machines, I need to be able to block the outgoing mail wich is > handled by postfix via dovecot SASL. > Blocking it at dovecot level would be optimal, for the virus doesn't > necessarily use the e-mail of the user as its from, just the user and > password for the authentication phase. > > Is it feasible? > > AdvThanksAnce, > > Luciano.-- George Sexton *MH Software, Inc.* Voice: 303 438 9585 http://www.mhsoftware.com
Am 24.02.2015 um 18:28 schrieb Luciano Mannucci:> I have a few users that are often hit by a trojan virus that steals > e-mail user and password. Having a very little (if not null) power on > their machines, I need to be able to block the outgoing mail wich is > handled by postfix via dovecot SASL. > Blocking it at dovecot level would be optimal, for the virus doesn't > necessarily use the e-mail of the user as its from, just the user and > password for the authentication phase. > > Is it feasible?not sure what you try to achieve * if you cahnge the pwd SASL auth is taken away * if you don't want enforce SASL per IP mynetworks is your friend but nobody really wants to place foreign machines in mynetworks and allow to send mail unauthenticated from a machine he don't own - and if it si only because in most configurations more restrictions than with SASL are bypassed it's anyways not a dovecot question -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 181 bytes Desc: OpenPGP digital signature URL: <http://dovecot.org/pipermail/dovecot/attachments/20150224/cab42898/attachment.sig>
On February 24, 2015 6:30:53 PM Luciano Mannucci <luciano at vespaperitivo.it> wrote:> Is it feasible?no, when this happend disable smtp auth, but not login, then send a mail why smtp auth is disabled
Am 24.02.2015 um 18:28 schrieb Luciano Mannucci:> for the virus doesn't necessarily use the e-mail of the > user as its from, just the user and password for the > authentication phaseso you allow random envelope senders on your servers? why? smtpd_recipient_restrictions = permit_mynetworks reject_non_fqdn_recipient reject_non_fqdn_sender reject_unlisted_sender reject_authenticated_sender_login_mismatch permit_sasl_authenticated reject -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 181 bytes Desc: OpenPGP digital signature URL: <http://dovecot.org/pipermail/dovecot/attachments/20150224/dcf0cc0a/attachment.sig>
Hello, take a look at postfwd, especially "rate limit examples": http://postfwd.org/ -- Best regards, Adrian Minta
On Tue, 24 Feb 2015 18:56:03 +0100 Reindl Harald <h.reindl at thelounge.net> wrote:> * if you cahnge the pwd SASL auth is taken awayTrue. But this way the user will be unable to read his/her mail, including my message saying "Hey, you've got a new virus!". Thanks anyway, luciano. -- /"\ /Via A. Salaino, 7 - 20144 Milano (Italy) \ / ASCII RIBBON CAMPAIGN / PHONE : +39 2 485781 FAX: +39 2 48578250 X AGAINST HTML MAIL / E-MAIL: posthamster at sublink.sublink.ORG / \ AND POSTINGS / WWW: http://www.lesassaie.IT/
On Tue, 24 Feb 2015 19:00:09 +0100 Benny Pedersen <me at junc.eu> wrote:> no, when this happend disable smtp auth, but not login, then send a mail > why smtp auth is disabledThis way, I'll block everybody, not only the troyan victims. luciano. -- /"\ /Via A. Salaino, 7 - 20144 Milano (Italy) \ / ASCII RIBBON CAMPAIGN / PHONE : +39 2 485781 FAX: +39 2 48578250 X AGAINST HTML MAIL / E-MAIL: posthamster at sublink.sublink.ORG / \ AND POSTINGS / WWW: http://www.lesassaie.IT/
On Tue, 24 Feb 2015 19:00:32 +0100 Reindl Harald <h.reindl at thelounge.net> wrote:> so you allow random envelope senders on your servers? > why?I know it is not necessarily a good idea... :) It is basicaly to allow fake home addresses from the office for some managers. Thanks for the smtpd_recipient_restrictions list, it sounds interesting! Luciano. -- /"\ /Via A. Salaino, 7 - 20144 Milano (Italy) \ / ASCII RIBBON CAMPAIGN / PHONE : +39 2 485781 FAX: +39 2 48578250 X AGAINST HTML MAIL / E-MAIL: posthamster at sublink.sublink.ORG / \ AND POSTINGS / WWW: http://www.lesassaie.IT/