Necesito solucion rapida please! Seguridad en mi postfix

[hugo]

Eso es curioso, el atributo reject_sender_login_mismatch no lleva argumentos. Lo que sí depende es de smtpd_sender_login_maps así que quizás sea eso. De todas maneras prueba marcando ese atributo con un comentario a ver si el resto camina.

En cuanto a smtpd_relay_restrictions: de acuerdo a la documentación oficial, desde Postfix 2.1, para definir quien puede hacer relay debería preferirse esta opción sobre smtpd_recipient_restrictions, y debe aparecer primero en el archivo de configuración.

Dicho sea de paso, he notado que colocas las opciones en orden alfabético y esto en ocasiones puede generar problemas, porque hay reglas que requieren cierto orden para funcionar.

Edición:
Prueba con esta ligera variación donde he vuelto a poner el atributo reject_authenticated_sender_login_mismatch y modificado el orden de las reglas para dar más prioridad a las restricciones (pon este bloque exactamente como lo ves, cerciorándote de eliminar previamente las entradas del mismo tipo que tengas en tu configuración para que no hayan duplicados, pues en ese caso los valores que se toman son los últimos):

Código: Seleccionar todo

smtpd_client_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_unknown_client_hostname,
 reject
smtpd_relay_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 reject_unauth_destination
smtpd_sender_restrictions =
 reject_non_fqdn_sender,
 reject_unknown_sender_domain,
 reject_unlisted_sender,
 reject_authenticated_sender_login_mismatch,
 check_sender_access hash:/etc/postfix/lists/domain_users
smtpd_recipient_restrictions =
 reject_non_fqdn_recipient,
 reject_unlisted_recipient,
 reject_rbl_client zen.spamhaus.org,
 reject_rhsbl_helo dbl.spamhaus.org,
 reject_rhsbl_sender dbl.spamhaus.org,
 check_recipient_access hash:/etc/postfix/lists/domain_users

Por cierto, revisa bien lo que estás declarando con tu virtual_alias_maps no vaya a ser que los alias corrientes no estén funcionando por algo que tienes ahi.

[JuancaDJ]

Vuelvo a postear mi main.cf ya que sufrio cambios y lo que me estas dando para mi solucion genera errores

Código: Seleccionar todo

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = xxx.xxx.xx
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
#myorigin = /etc/mailname
myorigin = xxx.xxx.xx
mydestination =
relayhost = [xxx.xxx.xx.xx]
always_bcc = xxxxx@xxx.xxx.xx
message_size_limit = 10240000
#mynetworks = 127.0.0.1 127.0.0.0/8 192.168.0.0/24 [::ffff:127.0.0.0]/104 [::1]/128
mynetworks = 127.0.0.0/8 192.168.0.0/32 172.16.0.0/32
#relay_domains = $mynetworks, $myhostname
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
relay_domains = proxy:mysql:/etc/postfix/virtual/relay_domains.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/virtual/alias_maps.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/virtual/mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/virtual/mailbox_maps.cf
virtual_mailbox_base = /var/mail/vmail
virtual_minimum_uid = 8
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
virtual_uid_maps = static:8
virtual_gid_maps = static:8
transport_maps = hash:/etc/postfix/transport
smtpd_reject_unlisted_sender = yes 
mailbox_command = /usr/bin/procmail

##SASL
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = no
smtpd_sasl_local_domain = 
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination

##MIOS
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes

##
smtpd_recipient_restrictions = reject_sender_login_mismatch, permit_sasl_authenticated
smtpd_recipient_restrictions = permit_mynetworks,reject_authenticated_sender_login_mismatch,reject_non_fqdn_recipient,permit_sasl_authenticated,reject_unauth_destination,reject_rbl_client zen.spamhaus.org,reject_rhsbl_helo dbl.spamhaus.org,reject_rhsbl_sender dbl.spamhaus.org
smtpd_sender_restrictions = permit_mynetworks,reject_unknown_sender_domain,reject_authenticated_sender_login_mismatch
smtpd_helo_restrictions = permit_mynetworks,reject_invalid_helo_hostname
smtpd_data_restrictions = permit_mynetworks,reject_unauth_pipelining,reject_multi_recipient_bounce,permit
smtpd_delay_reject = yes
smtpd_helo_required = yes
disable_vrfy_command = no
milter_default_action = accept
smtpd_milters = unix:/clamav/clamav-milter.ctl, unix:/spamass/spamass.sock


#Control Mensajeria Nacional-Internacional

smtpd_restriction_classes =
   internat,
   national,

smtpd_recipient_restrictions = 
    permit_mynetworks,	
    permit_auth_destination,
    header_checks = regexp:/etc/postfix/lists/header_checks
    check_recipent_access regexp:/etc/postfix/lists/filtro_nac_in
    reject	
	
smtpd_sender_restrictions =
     permit_auth_destination,
     check_sender_access hash:/etc/postfix/lists/domain_users
     reject_unlisted_sender
     reject

internat = permit
national = check_recipient_access regexp:/etc/postfix/lists/filtro_nac, 
               reject

Ya me diras que tengo mal y que me falta pero entre mas leo y cambio la solución no llega

[hugo]

Lo estoy revisando pero lo primero que salta a la vista es que hay inconsistencias porque hay opciones repetidas pero con valores diferentes.

[JuancaDJ]

Ohh vaya pues bueno espero puedas ayudarme a solucionar esos detalles mas la solución al problema que planteo, porque la verdad a todo el que le pregunto desde que monte el servidor nadie sabe nada y las soluciones que me dan no funcionan
Y todo lo que he logrado lo he hecho quemándome los ojos y bajando hasta de peso con tanto estress ajajajaja

[hugo]

Intenta con esto a ver si te funciona:

Código: Seleccionar todo

biff = no
disable_vrfy_command = yes
mynetworks = 127.0.0.0/8, 172.16.0.0/24, 192.168.0.0/24
mydomain = midominio.cu
myhostname = miservidor.$mydomain
smtp_helo_name = $myhostname
smtpd_banner = $myhostname ESMTP $mail_name
myorigin = $myhostname
mydestination = $myorigin, localhost, localhost.$mydomain
relayhost = [1.2.3.4]
always_bcc = archivo@midominio.cu
append_dot_mydomain = no
strict_rfc821_envelopes = yes
message_size_limit = 10485760
mailbox_size_limit = 0
virtual_mailbox_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
alias_maps = hash:/etc/aliases
alias_database = $alias_maps
smtpd_helo_required = yes
smtpd_delay_reject = yes
delay_warning_time = 4h
smtpd_reject_unlisted_recipient = yes
smtpd_reject_unlisted_sender = yes
notify_classes = bounce, 2bounce, delay, policy, resource, software
header_checks = regexp:/etc/postfix/lists/header_checks
relay_domains = proxy:mysql:/etc/postfix/virtual/relay_domains.cf
virtual_alias_maps = proxy:mysql:/etc/postfix/virtual/alias_maps.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/virtual/mailbox_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/virtual/mailbox_maps.cf
virtual_mailbox_base = /var/mail/vmail
virtual_minimum_uid = 8
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
virtual_uid_maps = static:8
virtual_gid_maps = static:8
transport_maps = hash:/etc/postfix/transport
mailbox_command = /usr/bin/procmail
smtpd_tls_security_level = encrypt
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain =
broken_sasl_auth_clients = yes
smtpd_tls_auth_only = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_exceptions_networks = $mynetworks
smtpd_sasl_tls_security_options = noanonymous
milter_default_action = accept
smtpd_milters = unix:/clamav/clamav-milter.ctl, unix:/spamass/spamass.sock
smtpd_restriction_classes = internat, national
internat = permit
national = check_recipient_access regexp:/etc/postfix/lists/filtro_nac, reject
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname, reject
smtpd_helo_restrictions = permit_mynetworks,reject_invalid_helo_hostname
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unlisted_sender, reject_authenticated_sender_login_mismatch, check_sender_access hash:/etc/postfix/lists/domain_users, permit_auth_destination, reject
smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_unlisted_recipient, reject_rbl_client zen.spamhaus.org, reject_rhsbl_helo dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org, check_recipient_access regexp:/etc/postfix/lists/filtro_nac_in, permit_auth_destination, reject
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce

[JuancaDJ]

Primer error al intentar enviar correo via webmail

Error SMTP (530): No se ha podido asignar el emisor "xxx@xxx.xxx.xx" (5.7.0 Must issue a STARTTLS command first).

Errores en la consola una vez inciado el servicio

Código: Seleccionar todo

service postfix start
[....] Starting Postfix Mail Transport Agent: postfixpostconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination                          
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

[hugo]

Intenta comentando la linea que dice:
smtpd_tls_security_level = encrypt

[JuancaDJ]

Y aqui tenemos el resultado:

Código: Seleccionar todo

service postfix restart
[....] Stopping Postfix Mail Transport Agent: postfix/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
. ok 
[....] Starting Postfix Mail Transport Agent: postfixpostconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination                          
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination                          
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination                          
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination                          
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination                          
/usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: smtpd_relay_restrictions=permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination          

Ademas de que cuando le intentas enviar un correo a alguien simplemente se queda ahi enviando pero nunca llega a enviarse

[hugo]

Quizas sea mejor intentar con una configuración básica e ir agregando opciones de seguridad poco a poco.

[JuancaDJ]

Bueno de momento mi conf trabaja bien el unico detalle es ese no logro autenticacion via smtp lo que representa suplantacion de identidad asegurada
Ahora me puedes ayudar a solucionar un detalle, en mis reglas puedes darte cuenta que tengo declarada 2 clases internat y national y dentro del fichero domain_users tengo asi
pepito@ttt.cu internat
fulanito@ttt.cu national
O sea pepito tiene entrada y salida internacional pero fulanito no, pero tengo un big problem y es que esa regla se aplica bien al envio pero todo el mundo sigue recibiendo correo internacional y por mas que quito y cambio no soluciono ese problema
Ayuda please!