Polizi8's questions

To hide a restricted location, e.g.

location /secret/ {
 allow 10.0.0.0/24;
 deny all;
}

one could set

error_page 403 =404 /404.html;
error_page 404 /404.html;

to make impossible to distinguish a non-existing location (404) from a restricted one (403).

Is there a way to perform a similar spoof for subdomains?

I want https://admin.example.org/ to not NOT return 403 if not visited via VPN, but rather show the same of https://nonexistingsubdomain.example.org/ (e.g. a 301 redirect to https://example.org/)

To hide a restricted location, e.g.

location /secret/ {
 allow 10.0.0.0/24;
 deny all;
}

one could set

error_page 403 =404 /404.html;
error_page 404 /404.html;

to make impossible to distinguish a non-existing location (404) from a restricted one (403).

Is there a way to perform a similar spoof for subdomains?

I want https://admin.example.org/, which normally returns 403 if not visited via VPN, to show the same of https://nonexistingsubdomain.example.org/, e.g. a .html page with a redirect to https://example.org/.

If I write via sendmail or SubmissionS client a mail to my virtual account (my domain is example.org), the mail I receive looks like this:

Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from example.org
    by hostname with LMTP
    id 5n+pDaCqAWAOcgAAUprYAg
    (envelope-from <[email protected]>)
    for <[email protected]>; Fri, 15 Jan 2021 15:45:52 +0100
To: [email protected]
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;
    s=r; t=1610721951;
    h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
     to:to:cc; bh=91RazCIc2UKGe+HBO/tFDtuL2v1Tzk19s+Q44fL6gEY=;
    b=pmlzcXQJAFHqKAjznCT4Hc77BjyX8QFXrQRTfzCH7UXXsBxNYCuSNrM6wSXAZ54+lAVDIO
    MYEGXwY3+4F1GgbJ/dQVQGYq262FKjcVwQhFHALvI704iGMEt5Uu/kqLHkk09EQKIyBlAf
    btrA42do+0lia6kkPNd2ezVqOR8O6WkH52eVKj8x/+lq3P5N4sCgoiOZcnIWUlyBMlhlFa
    vMWLjc+4DU4nLZxOYZyYS68RVJuDN4Vr5cz6+jNGYvidXkCvtyT99MgmMQ38oKwtbpT+0g
    sNzjOif4PbAWrJ+29IoJa/lV9nkYIKVtMa4CPJ6bqAVj4ITjwGLTwswBK//VdA==
From: [email protected]
Subject: test e-mail
Message-Id: <[email protected]>
Date: Fri, 15 Jan 2021 15:45:51 +0100 (CET)

Mail body

If I send it to an external recipient, the "Authentication-Results" is added.

Authentication-Results: mail2.outsi.de (dis=neutral; info=dmarc domain policy);
    dmarc=pass (dis=neutral p=reject; aspf=r; adkim=r; pSrc=dns) header.from=example.org;
    dkim=pass header.d=example.org header.s=r header.b=O/8zOi6w
Received: from mail.outsi.de ([10.10.10.11])
        by mail2.outsi.de
        with SMTP (SubEthaSMTP 3.1.7) id KJYEI2ZV
        for [email protected];
        Fri, 15 Jan 2021 15:52:36 +0100 (CET)
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=10.10.10.10; helo=example.org; [email protected]; receiver=<UNKNOWN> 
Received: from example.org (example.org [10.10.10.10])
    by mail1.outsi.de (Postfix) with ESMTPS id ACBEF1060308
    for <[email protected]>; Fri, 15 Jan 2021 14:52:36 +0000 (UTC)
To: [email protected]
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;
    s=r; t=1610721951;
    h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
     to:to:cc; bh=91RazCIc2UKGe+HBO/tFDtuL2v1Tzk19s+Q44fL6gEY=;
    b=pmlzcXQJAFHqKAjznCT4Hc77BjyX8QFXrQRTfzCH7UXXsBxNYCuSNrM6wSXAZ54+lAVDIO
    MYEGXwY3+4F1GgbJ/dQVQGYq262FKjcVwQhFHALvI704iGMEt5Uu/kqLHkk09EQKIyBlAf
    btrA42do+0lia6kkPNd2ezVqOR8O6WkH52eVKj8x/+lq3P5N4sCgoiOZcnIWUlyBMlhlFa
    vMWLjc+4DU4nLZxOYZyYS68RVJuDN4Vr5cz6+jNGYvidXkCvtyT99MgmMQ38oKwtbpT+0g
    sNzjOif4PbAWrJ+29IoJa/lV9nkYIKVtMa4CPJ6bqAVj4ITjwGLTwswBK//VdA==
From: [email protected]
Subject: test e-mail
Message-Id: <[email protected]>
Date: Fri, 15 Jan 2021 15:45:51 +0100 (CET)

Mail body

How can I make Postfix add this header even to outgoing mail destined to my local domain (example.org)? Milter is Rspamd.

In my "main.cf" I have

# [...]

non_smtpd_milters = $smtpd_milters
milter_default_action = accept

In my "master.cf" I have

smtp             inet  n       -       n       -       -       smtpd
 -o milter_macro_daemon_name=VERIFYING

submissions      inet  n       -       n       -       -       smtpd
 -o syslog_name=postfix/smtps
 -o smtpd_tls_wrappermode=yes
 -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
 -o milter_macro_daemon_name=ORIGINATING

# [...]

I have a remote server (B) that forwards certain incoming traffic to another port of a different server (A, dest).
With "masquerade" I only see traffic coming from the forward server (B), is it possible to see traffic coming from the original sources (C)? If I replace "masquerade" with "accept" I can't reach anymore port 8080 of destination (A).

Sketch:

C -> B:25 -> A:8080
# A receives C requests as if B made them
# Unfortunately this breaks some implementations like SPF

NFTables configuration:

# define destination address
define dest = 10.0.0.2

# table for smtp forwarding
table ip smtp {
 chain pre {
  type nat hook prerouting priority -100
  tcp dport 25 dnat to $dest:8080
 }
 chain post {
  type nat hook postrouting priority 100
  ip daddr $dest masquerade
 }
}