HOWTO Setup a recovery email account with postfix and procmail

Environment

  • Centos 5.5
  • Postfix 2.3.3
  • Procmail 3.22

Problem

Lastpass.com had a vulnerability mentioned here which inspired the lastpass team to create a Security Email option. This allows you to require that emails sent from lastpass containing a link to disable multifactor authentication on your account, be sent to a non-primary email address. This way if an attacker sniffs/phishes/keylogs your primary email password (which is used frequently and as a consequence is at high risk) they can't also disable your multi-factor authentication and get into your lastpass account.

In order to take advantage of this feature, you need a second email account somewhere which won't get deleted for lack of use (since the only time it should ever be used is to login and recover your lastpass account when you've lost/had stolen your multi-factor authentication token). You also need to be notified when this email account receives an email (to know someone is attempting to hack your account) but you need for the contents of that email to not be sent to your primary email account because it contains the link to disable your multi-factor authentication.

Solution

  • Create a DNS zone to use : recoveryemails.example.com
  • Create an MX record for that zone, sending email to a server you control. In my case running CentOS 5.5
    [Sun Jan 02 14:43:06 john_doe@myhost ~ ]$ dig recoveryemails.example.com MX
    
    ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 <<>> recoveryemails.example.com MX
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55457
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 5
    
    ;; QUESTION SECTION:
    ;recoveryemails.example.com.    IN      MX
    
    ;; ANSWER SECTION:
    recoveryemails.example.com. 38400 IN    MX      10 myhost.example.com.
    
    ;; AUTHORITY SECTION:
    example.com.      408     IN      NS      ns1.example.com.
    
    ;; Query time: 2552 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Sun Jan  2 14:43:17 2011
    ;; MSG SIZE  rcvd: 237
    
  • Install postfix and procmail
    sudo yum install postfix procmail
    
  • Add the new zone to the postfix virtual domains list
    sudo bash -c "cat >> /etc/postfix/main.cf <<EOF
    virtual_alias_domains = recoveryemails.example.com
    virtual_alias_maps = hash:/etc/postfix/virtual
    EOF"
    
  • Map a specific recovery email address to your local linux user account
    sudo bash -c "cat >> /etc/postfix/virtual <<EOF
    john_doe@recoveryemails.example.com    john_doe
    EOF"
    
  • Rebuild the virtual domain DB and reload postfix
    sudo postmap /etc/postfix/virtual
    sudo /sbin/service postfix reload
    
  • Test that email is being delivered to your new email address by sending an email to john_doe@recoveryemails.example.com
  • Check for that email by logging into the Linux box as the john_doe user that you referenced in the /etc/postfix/virtual mapping above, and running
    mail
    
  • You should see the email that you sent
  • Create a small script that will email your primary email address with a short message indicating that new email has arrived. Here's an example :
    [Sun Jan 02 14:53:54 john_doe@myhost ~ ]$ cat send-recovery-email-notification.bash
    #!/bin/bash
    /usr/sbin/sendmail -t <<EOF
    From: "myhost Administrator" <admin@myhost.example.com>
    To: john_doe@gmail.com
    Subject: New Account Recovery Email
    
    You've received a new recovery email.
    It has a subject of "$2"
    It was sent from "$1".
    EOF
    
  • Make it executable
    chmod 755 send-recovery-email-notification.bash
    
  • Test your script by running it and passing it two parameters. Confirm that you receive a notification email at your primary email address (in this example john_doe@gmail.com)
  • Create a procmail rc file instructing procmail to capture a few values from the email (from and subject) and call the notification script you've made
    [Sun Jan 02 14:55:16 john_doe@myhost ~ ]$ cat .procmailrc
    :0
    * ^From:\s*\/.*
    {
     FROM = "$MATCH"
    }
    
    :0
    * ^Subject:\s*\/.*
    {
     SUBJECT = "$MATCH"
    }
    
    :0 c:                # the last colon means use a lockfile. c means copy so that the mail is still delivered
    * ^To:.*@recoveryemails.example.com
    | /home/john_doe/send-recovery-email-notification.bash "$FROM" "$SUBJECT"
    
  • Create a .forward file instructing your MTA to use procmail
    [Sun Jan 02 14:57:56 john_doe@myhost ~ ]$ cat .forward
    "|exec /usr/bin/procmail"
    
  • Test that procmail is calling your script by sending an email to your recovery email address (in this example john_doe@recoveryemails.example.com) and confirm that you receive a notification at your primary email address
  • Log into Lastpass and set your Security Email to your new recovery address (in this example john_doe@recoveryemails.example.com)
  • Test the whole process by logging out of lastpass and then starting the login process and clicking the "If you lost your YubiKey device, click here to disable YubiKey authentication". Confirm that this generates an email, which is sent to your new email account, that your primary email account receives a notification saying that there is a new email, and that you can view this email using the "mail" command on your linux host

This means that you must protect the password associated with the linux account since if compromised it can be used to disable your lastpass multifactor authentication. I recommend you create a user account specifically for this recovery process. Don't use an account you normally use, use one which you would only ever log in as in the event that you lose your multi-factor authentication device. Set a strong password and DO NOT store this password in your lastpass account. In the event that you lose your multi-factor authentication device, you won't be able to login to lastpass in order to get the password for this linux user account. I recommend printing the password out and storing it somewhere safe
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.