Mailcow-dockerized: Privacy: Prevent user enumeration

Created on 25 Apr 2019 · 4 Comments · Source: mailcow/mailcow-dockerized

Is your feature request related to a problem? Please describe.
Currently mailboxes can be enumerated in mailcow. This is a privacy risk for people who use an alias per website, i.e. [email protected], [email protected], etc., or for companies, since it lets anyone find out whether a specific person is working there, e.g. max.[email protected].

Describe the solution you'd like
I'm not too familiar with Postfix; maybe it already has some settings to prevent this attack, for example returning the same response for existing and non-existing mailboxes so they are indistinguishable and no information is leaked. Another solution I can think of is to limit the number of tries and then ban the attacker.

Additional context
To test this, connect to the mail server of domain.tld:
telnet mailserver.domain.tld 25

helo some.hostname (important: with valid ptr record!)
mail from: <[email protected]>
rcpt to: <[email protected]>

Postfix will return 250 2.1.5 Ok if the mailbox exists, otherwise 550 5.1.1 Recipient address rejected: User unknown in virtual mailbox table

All 4 comments

Doesn't every mail server validate the address after receiving the "RCPT TO"? You might be able to somehow configure Postfix to wait until the message is completed before doing that, but at that point it would still need to return an error and thus allow enumeration of users.

You could construct a fail2ban rule that catches these attempts, but you will occasionally block legitimate mail senders.
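A detection check in the spirit of the fail2ban rule suggested above, added here as an illustration and not code from mailcow or fail2ban: it scans Postfix smtpd reject lines for "User unknown in virtual mailbox table" and flags a client that is rejected for several distinct unknown recipients within a short window, which separates a probing client from a legitimate sender with a single typo. The log line layout, IPs and recipient names in the sample are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed shape of a Postfix smtpd unknown-recipient rejection (adjust if your log prefix differs).
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from \S+\[(?P<ip>[0-9a-fA-F.:]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown in virtual mailbox table"
)

def parse_ts(ts, year=2019):
    # Syslog timestamps carry no year; the constructed sample assumes 2019.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_enumerators(lines, window_s=600, threshold=5):
    """Map client IP -> sorted unknown recipients for clients rejected for >= threshold distinct recipients in window_s seconds."""
    events = defaultdict(list)
    for line in lines:
        m = REJECT_RE.match(line)
        if m:
            events[m["ip"]].append((parse_ts(m["ts"]), m["rcpt"]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over this client's rejections
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            distinct = {rcpt for _, rcpt in evs[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = sorted(distinct)
                break
    return flagged

def _line(ts, ip, rcpt):
    # Builds a constructed sample line in the format above (not a real log).
    return (f"{ts} mail postfix/smtpd[4242]: NOQUEUE: reject: RCPT from unknown[{ip}]: "
            f"550 5.1.1 <{rcpt}>: Recipient address rejected: User unknown in virtual "
            f"mailbox table; from=<sender@example.org> to=<{rcpt}> proto=ESMTP helo=<some.hostname>")

SAMPLE_LOG = [  # constructed: one client probing five aliases, one sender with a single typo
    _line("Apr 25 10:00:01", "203.0.113.5", "amazon@domain.tld"),
    _line("Apr 25 10:00:02", "203.0.113.5", "netflix@domain.tld"),
    _line("Apr 25 10:00:03", "198.51.100.7", "alce@domain.tld"),
    _line("Apr 25 10:00:04", "203.0.113.5", "ebay@domain.tld"),
    _line("Apr 25 10:00:05", "203.0.113.5", "paypal@domain.tld"),
    _line("Apr 25 10:00:06", "203.0.113.5", "github@domain.tld"),
    "Apr 25 10:00:07 mail postfix/smtpd[4242]: connect from unknown[203.0.113.5]",
]
```

The window and threshold are the knobs that trade detection speed against the false positives on legitimate senders mentioned above.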

I agree with @mkuron, we cannot start to accept every mail and silently drop it if the mailbox does not exist.

It would be legally problematic to silently drop all mail without a valid rcpt.

According to the RFC, validation of RCPT is not required. So silently ignoring non-existing mailboxes and just accepting them with "2.1.5 OK" seems okay according to the RFC.

Therefore, a "250 OK" response to a RCPT does not necessarily imply that the delivery address(es) are valid. Errors found after message acceptance will be reported by mailing a notification message to an appropriate address (see Section 5.3.3).

https://www.freesoft.org/CIE/RFC/1123/92.htm

silently ignoring non-existing mailboxes and just accepting them with "2.1.5 OK" seems okay according to the RFC.

It's not ok for the following reason:

Errors found after message acceptance will be reported by mailing a notification message to an appropriate address

We can't do that because it would be considered backscatter spam. Of course, that wasn't a concern back when the RFC was written in 1989, but nowadays we have to check before accepting the message.
