EFA displaying firewall/router LAN IP as from address

spun10th
Posts: 6
Joined: 10 Apr 2018 01:51

EFA displaying firewall/router LAN IP as from address

Post by spun10th »

I am running EFA 3.0.2.3 in a VM. The EFA box is behind a pfSense NAT firewall which is forwarding port 25 from our external static IP to EFA's internal LAN IP. EFA forwards mail to an internal Lotus Notes mail server on the same internal network. The internal network is 10.168.1.0/24. The pfSense box's LAN IP is 10.168.1.100. Email is flowing correctly, but I have noticed that when viewing EFA's web interface -> Recent Messages, all incoming mail shows that it is from the LAN IP of the pfSense router that is forwarding to EFA (10.168.1.100). When I go to blacklist a message by sender, the "from" field is filled in automatically with the LAN IP of the pfSense box. This also seems to cause all mail to hit a rule of "-1.00 ALL_TRUSTED Passed through trusted hosts only via SMTP". How can this be fixed? Any ideas?
Attachments: efa2.png, efa 1.png (screenshots of the EFA Recent Messages view)
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: EFA displaying firewall/router LAN IP as from address

Post by pdwalker »

I have basically the same setup as you (replace Domino with Exchange), and my EFA instance shows me the correct Received From IP, so there must be a difference in our settings.

What are your settings for the following?
1/ trusted_networks setting in /etc/mail/spamassassin/local.cf
2/ mynetworks in /etc/postfix/main.cf
largo
Posts: 22
Joined: 15 Nov 2016 08:49

Re: EFA displaying firewall/router LAN IP as from address

Post by largo »

Hi
Don't use NAT in your port-forwarding rules.
/Largo
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: EFA displaying firewall/router LAN IP as from address

Post by pdwalker »

Hi Largo,

Why not? That's how I do it. I don't need to assign the public IP to the mail server, I only need to map the port 25 traffic thus leaving the other ports for other public services in my network.
spun10th
Posts: 6
Joined: 10 Apr 2018 01:51

Re: EFA displaying firewall/router LAN IP as from address

Post by spun10th »

Here is my /etc/postfix/main.cf:

smtputf8_enable = no

meta_directory = /etc/postfix
shlib_directory = no
mynetworks = 127.0.0.0/8
header_checks = regexp:/etc/postfix/header_checks
myorigin = $mydomain
relay_domains = hash:/etc/postfix/transport
transport_maps = hash:/etc/postfix/transport
local_recipient_maps =
smtpd_helo_required = yes
smtpd_delay_reject = yes
disable_vrfy_command = yes
virtual_alias_maps = hash:/etc/postfix/virtual
default_destination_recipient_limit = 1
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_type = cyrus
smtp_use_tls = yes
smtpd_use_tls = yes
smtp_tls_CAfile = /etc/postfix/ssl/rsa_smtpd.pem
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/rsa_smtpd.pem
smtpd_tls_cert_file = /etc/postfix/ssl/rsa_smtpd.pem
smtpd_tls_CAfile = /etc/postfix/ssl/rsa_smtpd.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtpd_helo_restrictions = check_helo_access hash:/etc/postfix/helo_access, reject_invalid_hostname
smtpd_sender_restrictions = permit_sasl_authenticated, check_sender_access hash:/etc/postfix/sender_access, reject_non_fqdn_sender, reject_unknown_sender_domain
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_client_restrictions = permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_non_fqdn_recipient, reject_unknown_recipient_domain, check_recipient_access hash:/etc/postfix/recipient_access
masquerade_domains = $mydomain
smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dhparam.pem
smtpd_tls_ciphers = medium
message_size_limit = 2048000
tls_preempt_cipherlist = yes
tls_medium_cipherlist = ECDSA+AESGCM:ECDH+AESGCM:DH+AESGCM:ECDSA+AES:ECDH+AES:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
# Allowed Domains
smtpd_sender_restrictions = regexp:/etc/postfix/tld_block

I haven't set anything for the mynetworks setting. Would that typically be done by editing the file manually or through Webmin? In my case, my local network is 10.168.1.0/24, so would I remove what's currently there and replace it with 10.168.1.0/24?
spun10th
Posts: 6
Joined: 10 Apr 2018 01:51

Re: EFA displaying firewall/router LAN IP as from address

Post by spun10th »

Same story with my /etc/mail/spamassassin/local.cf. I haven't set anything for my networks. I did try to add some rules to block the .stream TLD through Webmin, but I'm not sure if it worked (need to look through the recent messages to confirm whether any .stream messages have made it through). Here's my current file (the rules I added through Webmin are the last 3 lines in the file):

# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
# Only a small subset of options are listed below
#
###########################################################################

# Add *****SPAM***** to the Subject header of spam e-mails
#
# rewrite_header Subject *****SPAM*****


# Save spam messages as a message/rfc822 MIME attachment instead of
# modifying the original message (0: off, 2: use text/plain instead)
#
# report_safe 1


# Set which networks or hosts are considered 'trusted' by your mail
# server (i.e. not spammers)
#
# trusted_networks 212.17.35.


# Set file-locking method (flock is not safe over NFS, but is faster)
#
# lock_method flock


# Set the threshold at which a message is considered spam (default: 5.0)
#
# required_score 5.0


# Use Bayesian classifier (default: 1)
#
# use_bayes 1


# Bayesian classifier auto-learning (default: 1)
#
# bayes_auto_learn 1


# Set headers which may provide inappropriate cues to the Bayesian
# classifier
#
# bayes_ignore_header X-Bogosity
# bayes_ignore_header X-Spam-Flag
# bayes_ignore_header X-Spam-Status


# Whether to decode non- UTF-8 and non-ASCII textual parts and recode
# them to UTF-8 before the text is given over to rules processing.
#
# normalize_charset 1

# Some shortcircuiting, if the plugin is enabled
#
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
#
# default: strongly-whitelisted mails are *really* whitelisted now, if the
# shortcircuiting plugin is active, causing early exit to save CPU load.
# Uncomment to turn this on
#
# shortcircuit USER_IN_WHITELIST on
# shortcircuit USER_IN_DEF_WHITELIST on
# shortcircuit USER_IN_ALL_SPAM_TO on
# shortcircuit SUBJECT_IN_WHITELIST on

# the opposite; blacklisted mails can also save CPU
#
# shortcircuit USER_IN_BLACKLIST on
# shortcircuit USER_IN_BLACKLIST_TO on
# shortcircuit SUBJECT_IN_BLACKLIST on

# if you have taken the time to correctly specify your "trusted_networks",
# this is another good way to save CPU
#
# shortcircuit ALL_TRUSTED on

# and a well-trained bayes DB can save running rules, too
#
# shortcircuit BAYES_99 spam
# shortcircuit BAYES_00 ham

endif # Mail::SpamAssassin::Plugin::Shortcircuit
blacklist_from *.stream
required_score 4
blacklist_from *stream
largo
Posts: 22
Joined: 15 Nov 2016 08:49

Re: EFA displaying firewall/router LAN IP as from address

Post by largo »

Yes, you can map it in, but do not use NAT, since NAT is just doing what it should do; it's designed to change the address. If you don't want that to happen, turn NAT off.
/Largo
spun10th
Posts: 6
Joined: 10 Apr 2018 01:51

Re: EFA displaying firewall/router LAN IP as from address

Post by spun10th »

Largo,

Thank you for the tip. You were correct. I mistakenly had an outbound NAT rule set up in pfSense that was changing the source address to the LAN address. It is resolved now.
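The thread's symptom (every message shows the pfSense LAN address and scores ALL_TRUSTED) follows from what the Received chain looks like once outbound NAT rewrites the source, and from how SpamAssassin walks that chain newest-first to find the trust boundary. The example below is added here to illustrate that and is not EFA, pfSense or SpamAssassin code; it assumes an explicit trusted list of 127.0.0.0/8 and the thread's 10.168.1.0/24 (the thread left trusted_networks and mynetworks unset, so SpamAssassin was guessing), and all Received lines, hostnames and addresses in it are constructed.

```python
"""Constructed model of how a NAT-rewritten source address affects the
Received chain that EFA shows and that SpamAssassin's ALL_TRUSTED rule uses.
Not EFA or SpamAssassin code; the trust walk is a simplified version of
SpamAssassin's newest-first Received parsing."""
import ipaddress
import re

# Assumption: the EFA box trusts localhost and its own LAN (the thread's 10.168.1.0/24).
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.168.1.0/24")]

# Postfix-style "Received: from <helo> (<rdns> [<ip>]) by <host> ..." lines.
_RECEIVED_RE = re.compile(r"from\s+\S+\s+\([^\[]*\[(?P<ip>[0-9.]+)\]\)\s+by\s+\S+")


def relay_ip(received_line: str) -> str:
    """Return the connecting client's IP recorded in one Received header."""
    m = _RECEIVED_RE.search(received_line)
    if m is None:
        raise ValueError(f"unparsable Received line: {received_line!r}")
    return m.group("ip")


def trust_walk(received_chain, trusted=TRUSTED_NETWORKS):
    """Walk headers newest-first and return (all_trusted, first_untrusted_ip).
    The first relay outside the trusted networks is the trust boundary: it is
    the address worth blacklisting or RBL-checking, and everything older is
    sender-supplied and unverifiable. ALL_TRUSTED fires when no boundary is hit."""
    for line in received_chain:
        ip = ipaddress.ip_address(relay_ip(line))
        if not any(ip in net for net in trusted):
            return False, str(ip)
    return True, None


def received(client_host, client_ip, by_host):
    """Build a constructed Postfix-style Received header for the samples below."""
    return f"from {client_host} ({client_host} [{client_ip}]) by {by_host} (Postfix) with ESMTPS"


# Constructed sample chains, newest header first. 203.0.113.10 plays the sender's
# public MTA; 192.0.2.5 is a host inside the sender's own network.
SENDER_HOP = received("pc5.sender.example", "192.0.2.5", "mx.sender.example")
# pfSense outbound NAT rewrote the source, so EFA recorded its own LAN gateway.
NATTED_DIRECT = [received("mx.sender.example", "10.168.1.100", "efa.lan.example")]
NATTED_RELAYED = NATTED_DIRECT + [SENDER_HOP]
# Port-forward only: EFA records the sender MTA's real public address.
FIXED_DIRECT = [received("mx.sender.example", "203.0.113.10", "efa.lan.example")]
```

With NAT in place, a message that arrives with no older Received headers is entirely "trusted" (ALL_TRUSTED fires and there is no address left to blacklist), and one that does carry older headers puts the boundary on a sender-written header rather than on the MTA that actually connected; with the plain port forward the boundary lands on 203.0.113.10 either way.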
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: EFA displaying firewall/router LAN IP as from address

Post by pdwalker »

Oh. I wouldn't have thought of that.

I have just the port forward rule, not outbound NAT, so I didn't have that problem.
largo
Posts: 22
Joined: 15 Nov 2016 08:49

Re: EFA displaying firewall/router LAN IP as from address

Post by largo »

Glad you solved it 😀
spun10th
Posts: 6
Joined: 10 Apr 2018 01:51

Re: EFA displaying firewall/router LAN IP as from address

Post by spun10th »

pdwalker wrote: 11 Apr 2018 06:32 Oh. I wouldn't have thought of that.

I have just the port forward rule, not outbound NAT, so I didn't have that problem.
I think most people probably wouldn't run into my problem, since this was all due to existing configuration mistakes in the existing network infrastructure. The outbound NAT rule that was causing the issue actually wasn't needed at all, but was added to allow VPN clients to access a LAN resource that otherwise wasn't accessible over the VPN. Turns out that it wasn't accessible because the subnet mask on that device was set wrong (/8 instead of /24). Glad this happened though, since it gave a reason to dig and figure out what was actually going on!