Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 23 Apr 2020 12:46:10 -0400 (EDT)
From: Wietse Venema <>
To: Solar Designer <>
 PromiseLabs Pentest Research <>, 
 Wietse Venema <>
Subject: Re: spoofing of local email sender via a
 homoglyph attack

Solar Designer:
> On Thu, Apr 23, 2020 at 05:32:15PM +0300, PromiseLabs Pentest Research wrote:
> > To follow up on your questions:
> Thanks!  Now this is specific.
> > The current configuration actually blocks any non-authorized requests as 
> > explained in the description. The use-case of this (from my perspective) 
> > is that it could be used to advance a social-engineer attack into 
> > tricking the recipients believing that they are getting an email from a 
> > high-level position at the company.
> > 
> > It's related to the from header.
> > 
> > Issuing a regular unauthenticated request, trying to send an email from 
> > john.doe, which is a high-level user at the company:
> > $ nc -v *** OMITTED *** 25
> > Connection to *** OMITTED *** 25 port [tcp/smtp] succeeded!
> > 220 *** OMITTED *** ESMTP Postfix
> > mail from:
> > 250 2.1.0 Ok
> > rcpt to:
> > 553 5.7.1 <>: Sender address rejected: not logged in
> > 
> > As you can see, the mail server rejects the request as the existing user 
> > hasn't authenticated himself.

There is only one place on Postfix that says "Sender address
rejected: not logged in". See code at end; it has not changed
in a decade.

Yoour Postfix SMTP server has been configured to require that an
SMTP client can send mail with envelope sender
ONLY if the client is logged in as the 'owner' of that address.

    smtpd_sender_login_maps = hash:/etc/postfix/sender_login

    # sender address    authorized logins sasluser1, sasluser2, ...

Sending email with a different envelope sender address, not in the
above table, would not be blocked by the smtpd_sender_login_maps
feature (but might still be blocked for other reasons).

So your concern has nothing to do with whether the addess is a valid email address. Instead you're
probing the smtpd_sender_login_maps table.

Additionally, Postfix will reply with 5.1.1 User unknown if a local
recipient address is known to not exist. This is because the
alternative would be to accept all such email and silently discard
it, which violates RFCs, violates legislation in some countries
where rejecting email is allowed but accept+discard is not, and
which would saturate everyone's network with a continuous flood of
bogus email.


static int reject_unauth_sender_login_mismatch(SMTPD_STATE *state, const char *sender)
    const RESOLVE_REPLY *reply;

     * Reject if the client is not logged in and the sender address has an
     * owner.
    if (smtpd_sender_login_maps && !state->sasl_username) {
        reply = smtpd_resolve_addr(state->recipient, sender);
        if (reply->flags & RESOLVE_FLAG_FAIL)
            reject_dict_retry(state, sender);
        if (check_mail_addr_find(state, sender, smtpd_sender_login_maps,
                                 STR(reply->recipient), (char **) 0) != 0)
            return (smtpd_check_reject(state, MAIL_ERROR_POLICY, 553, "5.7.1",
                   "<%s>: Sender address rejected: not logged in", sender));
    return (SMTPD_CHECK_DUNNO);

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.