Need guidance; domain allowlist

MiaB is rejecting email from what I think is GoDaddy’s server for DMARC messages. The domain is iphmx.com. Every time, the error is something like “450 4.1.8 MAILER-DAEMON@esa4.commscope.iphmx.com: Sender address rejected: Domain not found; from=MAILER-DAEMON@esa4.commscope.iphmx.com to=<dmarc@…”
The email address is usually different from iphmx.com.

I thought I was supposed to put iphmx.com in the postgrey/whitelist_clients ; I did but it does not change the outcome.

Keith.

I searched for MAILER-DAEMON@esa4.commscope.iphmx.com and came across the IETF Mail Archive.

When I upload the xml file from their site to dmarcian.com, you can see that the provider of that report is: commscope.com

It seems that the correct domain to add to the allowlist is commscope.com and not iphmx.com.

Try adding commscope.com to the allowlist.

Still not working with both domains in the postgrey/whitelist_clients file.
Here is the most recent error message:

NOQUEUE: reject: RCPT from esa.hc681-85.ap.iphmx.com[139.138.45.99]: 450 4.1.8 MAILER-DAEMON@esa2.hc681-85.ap.iphmx.com: Sender address rejected: Domain not found; from=MAILER-DAEMON@esa2.hc681-85.ap.iphmx.com to=<dmarc@

Should I be putting “*.iphmx.com” or “iphmx.com” on a single line in the postgrey/whitelist_clients file?

Disclaimer:

I’ll be as clear as possible: the following solution will make your MiaB vulnerable to phishing, spam, spoofing attacks and maybe other security risks, as it will let all emails that meet the filter criteria pass through.
I will not take responsibility for any problems that may arise as a result of using the proposed solution.
If you continue, you do so at your own risk.


Now that it’s out of the way, let’s review what we have.

As per the emails attached in your messages:

Postfix rejections are legit, as those domains don’t have valid DNS A or DNS MX records, which leads to “Sender address rejected: Domain not found”.

This happens because the filter smtpd_sender_restrictions is set as follows in MiaB:

smtpd_sender_restrictions=
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_authenticated_sender_login_mismatch,
    reject_rhsbl_sender dbl.spamhaus.org

The way Postfix checks its filters is first hit and you’re out (email rejected by Postfix); as you can see, reject_unknown_sender_domain is set as filter number 2, so if the sender hits that filter he’s rejected.

By the way, the greylist filter isn’t set here; it’s set at smtpd_recipient_restrictions.
So it doesn’t matter what we put in Postgrey whitelist_clients, because the sender will hit smtpd_sender_restrictions and never reach smtpd_recipient_restrictions.

To bypass the second filter we can add the filter check_sender_access before it.
check_sender_access checks the “MAIL FROM” header part, so we will create a filter to “Allow” specific domains to pass even if they don’t have a valid DNS A or DNS MX record.

To figure out how this filter should look, I’ve downloaded a list of the past two years of DMARC reports sent to the IETF, only the domains ending with iphmx.com, and came up with a list of 116 entries.
Now that I have some idea of the pattern of those domains, I came up with a filter that will match at least all of the domains in the list with as little room for error as possible (fingers crossed).


Before we create the bypass filter, let’s see reject_unknown_sender_domain in action.
We’ll use telnet on MiaB to do this:

  1. Start telnet on localhost:

    telnet 127.0.0.1 25
    

    Output:

     Trying 127.0.0.1...
     Connected to 127.0.0.1.
     Escape character is '^]'.
     220 box.domain.tld ESMTP
    
  2. Introduce BAD domain using the EHLO command:

    ehlo esa4.commscope.iphmx.com
    

    Output:

     250-box.domain.tld
     250-PIPELINING
     250-SIZE 134217728
     250-VRFY
     250-ETRN
     250-STARTTLS
     250-ENHANCEDSTATUSCODES
     250-8BITMIME
     250-DSN
     250 CHUNKING
    
  3. Set “mail from” as the BAD email address:

    mail from: MAILER-DAEMON@esa4.commscope.iphmx.com
    

    Output:

     250 2.1.0 Ok
    
  4. Set the recipient email address to a legitimate email that exists on your server:

    rcpt to: admin@box.domain.tld
    

    Output:

     450 4.1.8 <MAILER-DAEMON@esa4.commscope.iphmx.com>: Sender address rejected: Domain not found
    
  5. Escape telnet:
    Ctrl+]

    Output:

     ^]
     telnet> 
    
  6. Exit telnet:

    quit
    

Cool, the “error” is there; we can proceed to create the filter.

Remember to backup your settings as they will be overwritten every time there is a new update of MiaB.


How to enable access for unresolved domains:

  1. Make a backup of the original main.cf file:

    sudo cp /etc/postfix/main.cf /etc/postfix/main.cf.orig
    
  2. Open main.cf with nano

    sudo nano /etc/postfix/main.cf
    
  3. Search for the filter: smtpd_sender_restrictions.
    Ctrl+w
    Enter your search term: smtpd_sender_restrictions
    Enter

  4. Add check_sender_access regexp:/etc/postfix/cisco_dmarc_sender_access before reject_unknown_sender_domain; don’t forget to put a , at the end of the new line you just added.

    Before edit:

    smtpd_sender_restrictions=
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_authenticated_sender_login_mismatch,
        reject_rhsbl_sender dbl.spamhaus.org
    

    After edit:

    smtpd_sender_restrictions=
        reject_non_fqdn_sender,
        check_sender_access regexp:/etc/postfix/cisco_dmarc_sender_access,
        reject_unknown_sender_domain,
        reject_authenticated_sender_login_mismatch,
        reject_rhsbl_sender dbl.spamhaus.org
    
  5. Save changes and exit nano.
    Ctrl+x
    y
    Enter

  6. Now we will create the access file: cisco_dmarc_sender_access.

    sudo touch /etc/postfix/cisco_dmarc_sender_access
    
  7. Open the file using nano:

    sudo nano /etc/postfix/cisco_dmarc_sender_access
    
  8. Paste the following text:

    # Cisco Secure Email Threat Defense (DMARC domains)
    /esa[0-9]*\.?[acehimnops0-9]*[-]?[0-9]*\.?[acps23]*\.iphmx\.com/i PERMIT
    
  9. Save changes and exit nano.
    Ctrl+x
    y
    Enter

  10. Validating the cisco_dmarc_sender_access file.
    Valid domain:

    sudo postmap -q "MAILER-DAEMON@esa.hc3512-62.iphmx.com" regexp:/etc/postfix/cisco_dmarc_sender_access
    

    Output:

    PERMIT
    

    Invalid domain:

    sudo postmap -q "MAILER-DAEMON@esa.HC3512-62.iphmx.com" regexp:/etc/postfix/cisco_dmarc_sender_access
    

    Output:

    There is no output.
    
  11. Create the database file from cisco_dmarc_sender_access file.

    sudo postmap /etc/postfix/cisco_dmarc_sender_access
    
  12. Apply changes to Postfix.

    sudo systemctl restart postfix.service
    

Finally, we’ll use telnet again to check if the email will go through this time:

  1. Start telnet on localhost:

    telnet 127.0.0.1 25
    

    Output:

     Trying 127.0.0.1...
     Connected to 127.0.0.1.
     Escape character is '^]'.
     220 box.domain.tld ESMTP
    
  2. Introduce BAD domain using the EHLO command:

    ehlo esa4.commscope.iphmx.com
    

    Output:

     250-box.domain.tld
     250-PIPELINING
     250-SIZE 134217728
     250-VRFY
     250-ETRN
     250-STARTTLS
     250-ENHANCEDSTATUSCODES
     250-8BITMIME
     250-DSN
     250 CHUNKING
    
  3. Set “mail from” as the BAD email address:

    mail from: MAILER-DAEMON@esa4.commscope.iphmx.com
    

    Output:

     250 2.1.0 Ok
    
  4. Set the recipient email address to a legitimate email that exists on your server:

    rcpt to: admin@box.domain.tld
    

    Output:

     250 2.1.5 Ok
    
  5. Run data command:

    data
    

    Output:

     354 End data with <CR><LF>.<CR><LF>
    
  6. Paste the following text:

    subject: DMARC bypass test
    
    Just sent an email from a BAD domain
    
    Thanks,
    SysAdmin
    .
    

    Output:

     250 2.0.0 Ok
    
  7. Terminate the session with the quit command:

    quit
    

    Output:

     221 2.0.0 Bye
     Connection closed by foreign host.
    

Check the mailbox you entered in step 4 and see if you have received a new mail.
If everything went well, all emails that match the filter pattern should go through.


How to disable the filter

In case you’ve decided you don’t need the filter anymore and want to remove it, here’s how to do it.

  1. Open main.cf with nano

    sudo nano /etc/postfix/main.cf
    
  2. Search for the filter: smtpd_sender_restrictions
    Ctrl+w
    Enter your search term: smtpd_sender_restrictions
    Enter

  3. Remove check_sender_access regexp:/etc/postfix/cisco_dmarc_sender_access.

    Before edit:

    smtpd_sender_restrictions=
        reject_non_fqdn_sender,
        check_sender_access regexp:/etc/postfix/cisco_dmarc_sender_access,
        reject_unknown_sender_domain,
        reject_authenticated_sender_login_mismatch,
        reject_rhsbl_sender dbl.spamhaus.org
    

    After edit:

    smtpd_sender_restrictions=
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
        reject_authenticated_sender_login_mismatch,
        reject_rhsbl_sender dbl.spamhaus.org
    
  4. Save changes and exit from nano.
    Ctrl+x
    y
    Enter

  5. Delete the files cisco_dmarc_sender_access and cisco_dmarc_sender_access.db.

    sudo rm /etc/postfix/cisco_dmarc_sender_access*
    
  6. Apply changes to Postfix.

    sudo systemctl restart postfix.service
    

Dude! Thank you so much for the suggestion. I learned several things from this. Thank you, thank you, thank you.

Could I mitigate some of the risk you outline by rearranging the order a bit?
Such as:

    smtpd_sender_restrictions=
        reject_non_fqdn_sender,
        reject_rhsbl_sender dbl.spamhaus.org,
        check_sender_access regexp:/etc/postfix/cisco_dmarc_sender_access,
        reject_authenticated_sender_login_mismatch,
        reject_unknown_sender_domain

It might mitigate it a bit as it will enable dbl.spamhaus.org to block any listed domain before it gets to the cisco_dmarc filter.
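The following is an added example that is not part of either post above and is not MiaB or Postfix code. It models, offline, the two things the thread turns on: how Postfix evaluates a restriction list in order (first verdict wins, PERMIT ends only the current list), and how a regexp: access table is matched (whole address, POSIX regexec substring search, and the `i` flag toggling the default case-insensitivity per regexp_table(5)). It uses the exact access table from the answer and the sender addresses from the log lines in the thread, plus constructed stand-ins: a hard-coded set of "resolvable" domains in place of DNS, a hard-coded set of "DBL-listed" domains in place of dbl.spamhaus.org, and a made-up sender domain esa.iphmx.com.listed.example chosen to show that the unanchored pattern also matches addresses that merely contain `esa.iphmx.com`. The function names (`evaluate`, `access_lookup`, and the per-restriction functions) are this example's own.

```python
"""Offline model of the Postfix smtpd_sender_restrictions chain in this thread.

Added example, not MiaB or Postfix code. DNS answers and the dbl.spamhaus.org
listing are constructed stand-ins so the script runs with no network access.
"""
import re

# The regexp access table exactly as posted (cisco_dmarc_sender_access).
ACCESS_TABLE = r"""
# Cisco Secure Email Threat Defense (DMARC domains)
/esa[0-9]*\.?[acehimnops0-9]*[-]?[0-9]*\.?[acps23]*\.iphmx\.com/i PERMIT
"""

# Constructed stand-ins, NOT real lookup results: domains that "have" an A/MX
# record, and domains the DBL "lists" (esa.iphmx.com.listed.example is made up).
RESOLVABLE_DOMAINS = {"example.com", "box.domain.tld"}
DBL_LISTED_DOMAINS = {"esa.iphmx.com.listed.example"}


def parse_regexp_table(text):
    """Parse '/pattern/flags RESULT' lines of a Postfix regexp: table.

    regexp_table(5): matching is case-insensitive by default and the 'i' flag
    *toggles* that, so '/.../i' is case-sensitive. That is why the post's
    uppercase 'esa.HC3512-62.iphmx.com' postmap -q lookup printed nothing.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"/((?:\\.|[^/])*)/([A-Za-z]*)\s+(\S+)", line)
        if not m:
            raise ValueError(f"unparsable table line: {line!r}")
        pattern, flags, result = m.groups()
        case_insensitive = "i" not in flags.lower()       # toggle semantics
        rules.append((re.compile(pattern, re.IGNORECASE if case_insensitive else 0), result))
    return rules


RULES = parse_regexp_table(ACCESS_TABLE)


def access_lookup(rules, sender):
    """check_sender_access against a regexp: table.

    Postfix applies each pattern to the whole address (no parent-domain or
    localpart lookups for regexp tables) with POSIX regexec, an unanchored
    substring search that re.search reproduces. The posted pattern has no
    ^ or $, so any address *containing* 'esa.iphmx.com' gets PERMIT.
    """
    for regex, result in rules:
        if regex.search(sender):
            return result
    return None


def sender_domain(sender):
    return sender.rpartition("@")[2].lower()


# One function per restriction; None means "no opinion, try the next one".
def reject_non_fqdn_sender(sender):
    return None if "." in sender_domain(sender) else "504 5.5.2 need fully-qualified address"

def check_sender_access(sender):
    return access_lookup(RULES, sender)               # "PERMIT" or None

def reject_unknown_sender_domain(sender):
    if sender_domain(sender) in RESOLVABLE_DOMAINS:
        return None
    return "450 4.1.8 Sender address rejected: Domain not found"

def reject_authenticated_sender_login_mismatch(sender):
    return None                                       # only acts on SASL-authenticated sessions

def reject_rhsbl_sender(sender):
    if sender_domain(sender) in DBL_LISTED_DOMAINS:   # constructed DBL stand-in
        return "554 5.7.1 Sender domain blocked using dbl.spamhaus.org"
    return None


def evaluate(chain, sender):
    """First restriction that returns a verdict ends the list (Postfix semantics).

    PERMIT ends smtpd_sender_restrictions only; smtpd_recipient_restrictions,
    where Postgrey sits, runs afterwards, so whitelist_clients never sees a
    sender already rejected here.
    """
    for restriction in chain:
        verdict = restriction(sender)
        if verdict is not None:
            return verdict
    return "DUNNO"


# Order from the answer above: bypass placed before reject_unknown_sender_domain.
ORIGINAL_ORDER = [reject_non_fqdn_sender, check_sender_access,
                  reject_unknown_sender_domain,
                  reject_authenticated_sender_login_mismatch, reject_rhsbl_sender]

# Order proposed in the follow-up question: DBL check before the bypass.
REORDERED = [reject_non_fqdn_sender, reject_rhsbl_sender, check_sender_access,
             reject_authenticated_sender_login_mismatch, reject_unknown_sender_domain]


if __name__ == "__main__":
    for s in ["MAILER-DAEMON@esa4.commscope.iphmx.com",
              "MAILER-DAEMON@esa2.hc681-85.ap.iphmx.com",
              "MAILER-DAEMON@esa.HC3512-62.iphmx.com",
              "attacker@esa.iphmx.com.listed.example",     # constructed over-match case
              "user@example.com"]:
        print(f"{s:42} original: {evaluate(ORIGINAL_ORDER, s):55} reordered: {evaluate(REORDERED, s)}")
```

Running it shows the two real iphmx.com senders getting PERMIT under both orders, the uppercase variant still failing with 450 (the `/i` flag made the pattern case-sensitive), and the constructed esa.iphmx.com.listed.example sender being permitted under the original order but rejected with 554 under the reordered one, which is exactly the mitigation the follow-up question is asking about. Anchoring the pattern with `^` and `$` (or at least `\.iphmx\.com$`) would close the over-match independently of the ordering.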