config/ENV: improve Postfix config for spoof protection

[georglauterbach]

Description

Make SPOOF_PROTECTION=1 the default and improve Postfix configuration to eliminate the currently shown warning.

Reviewing commit-by-commit advised.

Fixes #3117

Type of change

• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation (README.md or the documentation under docs/)
• If necessary I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes

[georglauterbach]

Just FYI: This and #3137 should have high prio for review, and they should be merged next.

[polarathene]

This commit message has more detail regarding changes in this PR, probably should have been part of the PR description for better visibility 😅

The changes in master.cf and related scripts to disable that config seems to over-complicate config management.

I touched on the naming convention from upstream in prior discussions, I'd rather we use those or adopt some convention / section for main.cf where custom settings are more obvious. Upstream advice is to have the submission services configured with mua prefix instead of smtpd:

#     Instead of specifying complex smtpd_<xxx>_restrictions here,
#     specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
#     here, and specify mua_<xxx>_restrictions in main.cf (where
#     "<xxx>" is "client", "helo", "sender", "relay", or "recipient").
#  -o smtpd_client_restrictions=
#  -o smtpd_helo_restrictions=
#  -o smtpd_sender_restrictions=
#  -o smtpd_relay_restrictions=
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

So for us that'd be:

### master.cf:
-o smtpd_sender_restrictions=$mua_sender_restrictions


### main.cf:
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain, reject_unknown_client_hostname

# Custom settings for submission ports 587 and 465:
mua_sender_restrictions = reject_authenticated_sender_login_mismatch, $smtpd_sender_restrictions


### target/scripts/startup/setup.d/security/spoofing.sh:
_log 'debug' 'Disabling spoof protection'
postconf 'mua_sender_restrictions = $smtpd_sender_restrictions'

That last change to use postconf with main.cf instead of sed on master.cf seems like a much better approach I think?

If we needed more control for the opposite of adding substrings, there was an example helper I discussed here (alternatively postconf -h can read in the current value too, but needs to invoke _adjust_mtime_for_postfix_maincf()).

[polarathene]

Let's delay the SPOOF_PROTECTION=1 change to a future major release please.

There is still good changes in this PR that look fine to approve, but feedback from my previous message should be addressed (and adapted for the inverse since SPOOF_PROTECTION=0 would be the default).

---

Justification to delay SPOOF_PROTECTION=1 by default

I don't think we're ready to switch to SPOOF_PROTECTION=1 by default? Not without some caveats at least..

Overview of notes in #2819

• Section: SPOOF_PROTECTION=1 handling for smtpd_sender_login_maps:
  • unionmap config table - Inconsistency between LDAP and non-LDAP setups.
  • /etc/postfix/regexp always created at startup.
  • Sending via an alias must be permitted for the actual SASL account (of which there could be multiple to an alias, or an alias of an alias 😵 ). Login via an alias apparently logs in via the aliased account (unclear how that's determined if the alias is 1 to many? eg marketing@example.com).
  • End of section, link and mention of eventual plan to make SPOOF_PROTECTION=1 the default.
• Section: Additional Notes:
  • SPOOF_PROTECTION=1 with a wildcard / catch-all alias @example.com could receive but not send mail. /etc/postfix/regexp feature added to resolve it.
    • Potentially a fix for the recent user report with same problem (user need to report back if it worked, and docs need to cover the use-case well).
  • A mention about support for LDAP users, linking several issues for reference.
  • Documented format and gotchas of the smtpd_sender_login_maps file, including regex support.
  • A mention of the SPOOF_PROTECTION=1 ENV docs warn about extension delimiters no longer being usable (breaking). Changelog should highlight this in particular.
• Section: SPOOF_PROTECTION=1 only restricts the envelope FROM sender address, spoofing still feasible?:
  • ENV name is not the most appropriate for what it does. A breaking change might as well adopt a better suited name.
  • FROM (mail envelope) protected from spoofing, not from: (mail message) header. The latter protection is handled separately from this feature.
  • magcks/milterfrom provides a Postfix milter that checks both FROM and from: are the same.
• Section: Related:
  • Potential concern for send-only addresses such as noreply@external-domain.com which have no mail storage and shouldn't be managed by Postfix, but with SPOOF_PROTECTION=1 was causing issues.
  • A concern that if SPOOF_PROTECTION=1 is enabled by default, that we should first support an alternative table, with improvements to docs.
  • Another scenario related to LDAP with a noreply account being affected.
  • A reference to docs about a workaround documented for SPOOF_PROTECTION=1 with using intermediate aliases.

---

Beyond that, there is the Task Overview section prior to all that, which summarizes what should ideally be tackled before defaulting to SPOOF_PROTECTION=1.

Given the concerns from past me, and the large amount of changes we're introducing into v12 release, I'm inclined to say that I can't hand-wave away the SPOOF_PROTECTION=1 change concerns. Neither of us have time to tackle those, and it would complicate any bug reports that arise from all other changes.

[georglauterbach]

I applied PR feedback and rebased the PR accordingly.

[polarathene]

Oops, just noticed the failed test suite 😅

[polarathene]

Hope you don't mind me committing this directly to test in CI as my local system isn't in good shape to try locally.

EDIT: Ok that appears to resolve it. Maybe that is what you were asking about earlier? 😅

I'll update main.cf once more.

[georglauterbach]

Hope you don't mind me committing this directly to test in CI as my local system isn't in good shape to try locally.

Absolutely not - good thing you did :)

EDIT: Ok that appears to resolve it. Maybe that is what you were asking about earlier? 😅

👍🏼

---

Now this PR only needs review :)

[polarathene]

I added some comments if helpful, but the dms_ prefix kinda makes it clear that it's not an upstream parameter setting.

To avoid duplication, smtpd_sender_restrictions will reference the same value and this avoids Postfix getting confused (I would have thought it'd just expand what was in main.cf and not complained 🙄 sorry about that!)

[github-actions]

Documentation preview for this PR is ready! 🎉

Built with commit: 177bcf5