On 2020-12-15 Jeff Abrahamson wrote:
> I received an obvious phishing mail today from ad...@p27.eu (my own
> domain).  I appear not to be running an open relay (say the sorts of
> websites that offer to check these things), and yet this happened:
> 
>     Dec 15 11:58:03 nantes-1 postfix/smtpd[31118]: warning: hostname
>     hosted-by.rootlayer.net does not resolve to address 185.222.57.81
>     Dec 15 11:58:03 nantes-1 postfix/smtpd[31118]: connect from
>     unknown[185.222.57.81]
>     Dec 15 11:58:03 nantes-1 postfix/smtpd[31118]: 8AFC8FF74D:
>     client=unknown[185.222.57.81]
>     Dec 15 11:58:03 nantes-1 postfix/cleanup[31161]: 8AFC8FF74D:
>     message-id=<20201215025803.2e9d962210e40...@p27.eu>
>     Dec 15 11:58:03 nantes-1 opendkim[1637]: 8AFC8FF74D: [185.222.57.81]
>     [185.222.57.81] not internal
>     Dec 15 11:58:03 nantes-1 opendkim[1637]: 8AFC8FF74D: not authenticated
>     Dec 15 11:58:03 nantes-1 opendkim[1637]: 8AFC8FF74D: no signature data
>     Dec 15 11:58:03 nantes-1 postfix/qmgr[17671]: 8AFC8FF74D:
>     from=<ad...@p27.eu>, size=2422, nrcpt=1 (queue active)
>     Dec 15 11:58:03 nantes-1 postfix/smtpd[31118]: disconnect from
>     unknown[185.222.57.81] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
>     Dec 15 11:58:03 nantes-1 dovecot: lda(jeff):
>     msgid=<20201215025803.2e9d962210e40...@p27.eu>: saved mail to INBOX
>     Dec 15 11:58:03 nantes-1 postfix/local[31162]: 8AFC8FF74D:
>     to=<j...@p27.eu>, relay=local, delay=0.12, delays=0.08/0.01/0/0.03,
>     dsn=2.0.0, status=sent (delivered to command:
>     /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot.conf -m "${EXTENSION}")
>     Dec 15 11:58:03 nantes-1 postfix/qmgr[17671]: 8AFC8FF74D: removed
> 
> The received mail had headers that looked like this:
> 
>     Return-Path: <ad...@p27.eu>
>     X-Original-To: j...@p27.eu
>     Delivered-To: j...@p27.eu
>     Received: from p27.eu (unknown [185.222.57.81])
>         by nantes-1.p27.eu (Postfix) with ESMTP id 8AFC8FF74D
>         for <j...@p27.eu>; Tue, 15 Dec 2020 11:58:03 +0100 (CET)
>     From: p27.eu <ad...@p27.eu>
>     To: j...@p27.eu
>     Subject: =?UTF-8?B?TGEgc2Vzc2lvbiBhIGV4cGlyw6kg?=p27.eu
>     Date: 15 Dec 2020 02:58:03 -0800
>     Message-ID: <20201215025803.2e9d962210e40...@p27.eu>
>     MIME-Version: 1.0
>     Content-Type: multipart/alternative;
>         boundary="----=_NextPart_000_0012_893BC42D.902C898B"
> 
> Am I reading this wrong?  Why was that able to happen?  I would have
> expected a reject because something that is not my domain claimed to be
> sending mail from my domain without authentication.

Unless I'm misunderstanding something, the mail is being sent to a
(presumably) valid recipient on your server:

    X-Original-To: j...@p27.eu

so your mail server is going to accept and deliver it.

Spoofing the envelope from address (Return-Path: <ad...@p27.eu>) is
actually valid (per the SMTP protocol) and a common occurrence for mail
sent by bad actors. You need to explicitly disallow sending from your
own domain(s) for inbound mail in your Postfix config if you don't want
people to be able to send mail with an envelope address of, say,
ad...@p27.eu.

Add this check to the restrictions in main.cf:

  check_sender_access hash:/etc/postfix/sender_from_my_domains

and put your domains in /etc/postfix/sender_from_my_domains:

  p27.eu REJECT No you're not.
  .p27.eu REJECT No you're not.

Run postmap on the file to build/update the database file.

Note that this will only prevent senders from spoofing the envelope from
address:

  Return-Path: <ad...@p27.eu>

It does not affect the From: header in the mail:

  From: p27.eu <ad...@p27.eu>

You need a spam filter if you want to address that as well.

Regards
Ansgar Wiechers
-- 
"Abstractions save us time working, but they don't save us time learning."
--Joel Spolsky
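The following is an added example, not code from either poster or from the Postfix project. It shows the two things the reply distinguishes: a log correlation that flags messages whose envelope sender claims our own domain although the client is external and unauthenticated (modelling the sender_from_my_domains lookup, including the `.p27.eu` subdomain entry), and a header parse showing that Return-Path and the From: header are separate identities, so the access map can reject the first while saying nothing about the second. The log lines and headers are constructed from the thread's own excerpt (queue id and client IP kept, local parts replaced by made-up ones, extra messages added); the internal networks, the SASL-exempt rule and the simplified lookup order are assumptions for the example.

```python
"""Constructed example: spot own-domain envelope spoofing in Postfix logs and
separate the envelope sender from the From: header of a received message."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: clients on these networks may send as our domains unchecked.
INTERNAL_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                 ipaddress.ip_network("10.0.0.0/8")]

# The access map from the reply (/etc/postfix/sender_from_my_domains).
ACCESS_MAP_TEXT = """\
p27.eu REJECT No you're not.
.p27.eu REJECT No you're not.
"""

CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=(?P<host>[^\[]+)"
    r"\[(?P<ip>[0-9.]+)\](?P<rest>.*)")
FROM_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")

# Constructed log: the thread's message (queue id and IP as logged, local part
# invented), a foreign sender, an internal client, a SASL-authenticated roaming
# user, and an external client using a subdomain of ours.
SAMPLE_LOG = """\
Dec 15 11:58:03 nantes-1 postfix/smtpd[31118]: 8AFC8FF74D: client=unknown[185.222.57.81]
Dec 15 11:58:03 nantes-1 postfix/qmgr[17671]: 8AFC8FF74D: from=<spoofed@p27.eu>, size=2422, nrcpt=1 (queue active)
Dec 15 12:01:10 nantes-1 postfix/smtpd[31118]: 1111111111: client=mail.example.org[203.0.113.7]
Dec 15 12:01:10 nantes-1 postfix/qmgr[17671]: 1111111111: from=<someone@example.org>, size=900, nrcpt=1 (queue active)
Dec 15 12:02:00 nantes-1 postfix/smtpd[31118]: 2222222222: client=laptop.lan[10.0.0.5]
Dec 15 12:02:00 nantes-1 postfix/qmgr[17671]: 2222222222: from=<jeff@p27.eu>, size=1200, nrcpt=1 (queue active)
Dec 15 12:03:30 nantes-1 postfix/smtpd[31118]: 3333333333: client=dyn.example.net[198.51.100.9], sasl_method=PLAIN, sasl_username=jeff
Dec 15 12:03:30 nantes-1 postfix/qmgr[17671]: 3333333333: from=<jeff@p27.eu>, size=1300, nrcpt=1 (queue active)
Dec 15 12:04:00 nantes-1 postfix/smtpd[31118]: 4444444444: client=unknown[192.0.2.44]
Dec 15 12:04:00 nantes-1 postfix/qmgr[17671]: 4444444444: from=<x@mail.p27.eu>, size=700, nrcpt=1 (queue active)
"""

# Constructed headers: envelope sender is a foreign domain (passes the map),
# while the From: header still claims our domain.
RAW_HEADERS = """\
Return-Path: <bounce@attacker.example>
Received: from p27.eu (unknown [185.222.57.81])
    by nantes-1.p27.eu (Postfix) with ESMTP id 8AFC8FF74D
From: p27.eu <spoofed@p27.eu>
To: someone@p27.eu
Subject: constructed sample

body
"""


def parse_access_map(text):
    """Parse an access(5) table into {key: action}; keys are case-insensitive."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        table[key.lower()] = action
    return table


def lookup_sender(table, address):
    """Simplified model of the check_sender_access search order: the full
    address, then its domain, then each parent domain as a '.parent' entry
    (the '.p27.eu' line is what makes subdomains match)."""
    address = address.lower()
    if address in table:
        return table[address]
    if "@" not in address:
        return None
    domain = address.rsplit("@", 1)[1]
    if domain in table:
        return table[domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in table:
            return table[key]
    return None


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_spoofed_envelope_senders(log_text):
    """Join smtpd client= and qmgr from= lines on the queue id and return the
    messages an external, non-SASL client sent with an envelope sender that
    the access map would reject."""
    clients, senders = {}, {}
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            clients[m["qid"]] = (m["ip"], "sasl_username=" in m["rest"])
            continue
        m = FROM_RE.search(line)
        if m:
            senders[m["qid"]] = m["sender"]
    table = parse_access_map(ACCESS_MAP_TEXT)
    hits = []
    for qid, sender in senders.items():
        ip, authenticated = clients.get(qid, (None, False))
        if ip is None or authenticated or is_internal(ip):
            continue
        action = lookup_sender(table, sender)
        if action is not None:
            hits.append({"queue_id": qid, "sender": sender,
                         "client_ip": ip, "action": action})
    return hits


def sender_identities(raw_message):
    """Return the envelope sender (Return-Path, what check_sender_access sees)
    and the RFC 5322 From: header (which the access map never examines)."""
    msg = message_from_string(raw_message)
    return {"envelope_sender": parseaddr(msg.get("Return-Path", ""))[1],
            "header_from": parseaddr(msg.get("From", ""))[1]}


if __name__ == "__main__":
    for hit in find_spoofed_envelope_senders(SAMPLE_LOG):
        print(hit)
    print(sender_identities(RAW_HEADERS))
```

Run against the sample log, the correlation reports the thread's message and the `mail.p27.eu` one, and leaves the internal client and the SASL-authenticated roaming user alone; the header parse shows a message whose envelope sender the map accepts while its From: header still reads as p27.eu, which is exactly the gap the reply says a spam filter has to cover.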
